Yet another WordPress release

  • 13-Aug-2009

If you're admin of a number of WordPress implementations, I hope you didn't plan anything. Just because, you know, neither did WordPress. Yesterday, version 2.8.4 of the software came out, and it's another security fix.

In itself this isn't all that dramatic. The vulnerability allows anyone to reset the password of the first user in the database (which will usually be the administrator). The only result is that a new password will get mailed to the administrator; it's mostly very annoying, not (in most cases) a real problem.

And in general, the fact that security issues and bugs in WordPress are discovered and patched quickly is a testament to the agility of its community. This is partly because it's open source, so it's easy to find and fix bugs (no security by obscurity here); and also due to the fact that so many people use the software.

Last but not least, in recent versions the software introduced an "auto-upgrade" feature, which means that for many implementations, this will be a relatively painless one click upgrade.

That's the positive side of things. The nagging bits are that, first of all, exactly because WordPress is so popular and so open, leaks are often discovered and massively exploited by black hats even faster than they can be fixed. I've seen plenty of hijacked WordPress blogs. This isn't helped by the fact that the codebase horrifies many PHP developers (anyone who has built templates for WordPress will probably already have a sense of that).

Secondly, yes, in the admin UI there's a simple link to click that will automatically upgrade you to the newest version, but whether it works can be touch and go: much depends on having set all the permissions correctly on your webserver. Because WP is so easy to use, paradoxically, this is often a bit too specialized for most WordPress admins to get right in the first place. Do you really want to chmod all your files to 0755? Could you explain why? (Bonus question for those who do: what do you do if your hosting provider runs HTTPD and FTP as different users or groups?) So in many cases, the feature either doesn't work, or permissions have had to be set less secure than ideal (which opens the door to hackers once again). At any rate, it'd be smart to backup the database first. Easily done using phpMyAdmin's SQL export feature, but I'd love to see a poll of what percentage of WordPress users have ever even heard of that.

Assuming that you, or your admin, are quite knowledgeable, there's still the Sword of Damocles of the next update hanging over you. It could come out tomorrow. Or next week. Likely, quite soon -- but always when you least expect it. A short history:

  • August 2009: 2.8.4
  • August 2009: 2.8.3
  • July 2009: 2.8.2
  • July 2009: 2.8.1
  • June 2009: 2.8
  • February 2009: 2.7.1
  • December 2008: 2.7
  • November 2008: 2.6.5
  • October 2008: 2.6.3

Most of these have release notes highlighting "security release," "security release, upgrading is highly recommended," or "XSS vulnerability." One of my favorites is the jump from 2.6.3 to 2.6.5, "to avoid confusion with a fake 2.6.4 release that made the rounds" -- something which has actually happened before.

Now I, myself, am certainly not one of those knowledgeable WordPress admins, but I help out a couple of people with their personal blogs and they really like the software. Unfortunately, I don't think this is a hobby I can afford to keep much longer. I may have to replace it with something a little less time consuming, like, say, playing World of Warcraft.

All of this is unfortunate, since our research indicates that most WordPress users are content with the interface, usability and general intelligibility of the software. I wish this wouldn't be such a rare trait among the products I review, but WP really stands out in that respect. So much so, that people using it for a blog have started to use it as a more general purpose web content management system. There are some rather annoying limitations when using it as such (which is why I wouldn't recommend using it for a site larger than a couple of dozen of pages), and addressing those limitations would probably mean UI sprawl (and with it, loosing the unique selling point). But still, I can see why they'd want to.

Right now, though, WordPress is threatened by a fickle release cycle; you'll probably need more experienced helping hands than you'd expect with software this user friendly. Making it easier to upgrade is symptomatic treatment; if you want to use it for something slightly more mission-critical than the occasional blogging, it needs to stop mollifying admin's headaches with Tylenol.