If you're admin of a number of WordPress implementations, I hope you didn't plan anything. Just because, you know, neither did WordPress. Yesterday, version 2.8.4 of the software came out, and it's another security fix.
In itself this isn't all that dramatic. The vulnerability allows anyone to reset the password of the first user in the database (which will usually be the administrator). The only result is that a new password will get mailed to the administrator; it's mostly very annoying, not (in most cases) a real problem.
And in general, the fact that security issues and bugs in WordPress are discovered and patched quickly is a testament to the agility of its community. This is partly because it's open source, so it's easy to find and fix bugs (no security by obscurity here); and also due to the fact that so many people use the software.
Last but not least, in recent versions the software introduced an "auto-upgrade" feature, which means that for many implementations, this will be a relatively painless one click upgrade.
That's the positive side of things. The nagging bits are that, first of all, exactly because WordPress is so popular and so open, leaks are often discovered and massively exploited by black hats even faster than they can be fixed. I've seen plenty of hijacked WordPress blogs. This isn't helped by the fact that the codebase horrifies many PHP developers (anyone who has built templates for WordPress will probably already have a sense of that).
Secondly, yes, in the admin UI there's a simple link to click that will automatically upgrade you to the newest version, but whether it works can be touch and go: much depends on having set all the permissions correctly on your webserver. Because WP is so easy to use, paradoxically, this is often a bit too specialized for most WordPress admins to get right in the first place. Do you really want to chmod all your files to 0755? Could you explain why? (Bonus question for those who do: what do you do if your hosting provider runs HTTPD and FTP as different users or groups?) So in many cases, the feature either doesn't work, or permissions have had to be set less secure than ideal (which opens the door to hackers once again). At any rate, it'd be smart to backup the database first. Easily done using phpMyAdmin's SQL export feature, but I'd love to see a poll of what percentage of WordPress users have ever even heard of that.
Assuming that you, or your admin, are quite knowledgeable, there's still the Sword of Damocles of the next update hanging over you. It could come out tomorrow. Or next week. Likely, quite soon -- but always when you least expect it. A short history:
Most of these have release notes highlighting "security release," "security release, upgrading is highly recommended," or "XSS vulnerability." One of my favorites is the jump from 2.6.3 to 2.6.5, "to avoid confusion with a fake 2.6.4 release that made the rounds" -- something which has actually happened before.
Now I, myself, am certainly not one of those knowledgeable WordPress admins, but I help out a couple of people with their personal blogs and they really like the software. Unfortunately, I don't think this is a hobby I can afford to keep much longer. I may have to replace it with something a little less time consuming, like, say, playing World of Warcraft.
All of this is unfortunate, since our research indicates that most WordPress users are content with the interface, usability and general intelligibility of the software. I wish this wouldn't be such a rare trait among the products I review, but WP really stands out in that respect. So much so, that people using it for a blog have started to use it as a more general purpose web content management system. There are some rather annoying limitations when using it as such (which is why I wouldn't recommend using it for a site larger than a couple of dozen of pages), and addressing those limitations would probably mean UI sprawl (and with it, loosing the unique selling point). But still, I can see why they'd want to.
Right now, though, WordPress is threatened by a fickle release cycle; you'll probably need more experienced helping hands than you'd expect with software this user friendly. Making it easier to upgrade is symptomatic treatment; if you want to use it for something slightly more mission-critical than the occasional blogging, it needs to stop mollifying admin's headaches with Tylenol.
Web Content Management Evaluation Stream looks at... Staying on Top of WordPress Releases
"In practice, this means that you should be prepared to upgrade regularly. Because WordPress powers so many blogs, it's an interesting target, and if you're behind, you're vulnerable. Don't expect to be able to plan this ahead, as updates are rarely scheduled. While the software is very easy to install and start using, you should get expert admin assistance to..."
Learn the real strengths and weaknesses of major vendors from around the world, in our evaluation research stream.
"I was really excited to preview RSG's Digital Marketing Technology evaluations. It's great to have a resource that explains what vendors really do, rather than what they say they do."
Gino Bona, Digital Marketing Consultant
Get the Real Story bi-weekly.
USA & Canada
+1 800 325 6190
+44 (0) 20 3318 1911
+1 617 340 6464
All Other Inquiries
All analyst firms claim to be independent or vendor-neutral. We're different.
Get the real story on commercial and open source tools from a firm that works only for you, the technology customer.
Thank you for signing up for The Real Story Group Newsletter. You will receive our monthly newsletter, plus updates with new information on the technology streams you have expressed interest in below.