I’ve finally upgraded to WP2, so if you notice any slight differences in the way things work (or perhaps don’t work), that’s why. Well, actually there’s another change that I’ll talk about more later, after it’s finished.
My theme is pretty much just copied straight over from 1.5, but eventually I’m going to go through and rebuild it based on a 2.0 original, since I’ve already caught a couple things that I had to adjust for the difference.
Please comment here if you run into any issues.
8 Comments
For a security guy, why did it take you so long?
What do you mean?
I think Dan believes that the 2.0 version of WordPress has added security that the 1.5 version doesn’t. I don’t follow WordPress development but I’d hope the developers are still applying security patches to the 1.5 tree even with the 2.0 released. On the flip side a new major version usually indicates a big change in features and for me is a red flag for security problems. I’d assume a feature stable 1.5.???? is more secure than a brand new 2.0, but I guess it depends on what the developers are doing.
I’m not sure about that. I don’t think there are any major security vulnerabilities in the 1.5.x release, but (from what I’ve seen) the developers don’t do much ongoing maintenance on older releases either.
The WP team itself I don’t think is that big, so they probably don’t have a lot of time to work on patching old versions, and I’m pretty sure most of the work is only put into the next release version. This is understandable, however, since 99% of blog users only even think about changing their WordPress installation when they’re upgrading; I don’t think many would apply security patches on their current version even if they were available. It’s certainly a “best practice” idea, but for it to really be used, I think they’d have to make it pretty much automatic, like a package update or a pretty much completely automatic process to replace the files (which they could do).
Anyway, that said, I figured that’s probably what was being hinted at. While I think there are probably some “security” fixes in post-1.5 versions of WordPress, I’ve lived without them for this long and I probably would continue to, as long as I didn’t want to move to WP2.
“Security issues” in a web app like WordPress are not really as severe as security issues in operating systems or services actually running on the servers (like sshd, apache, etc.). All WordPress really is is a bunch of PHP files running against a MySQL database. As long as your installation of MySQL and the PHP modules in Apache are up to date, you’re pretty safe. The only thing that could happen would be errors in the WP code causing your WP data to become vulnerable to attack or loss, in which case you just restore from a database backup and move on. I don’t think it’s possible for a WP “security error” to expose your system to any significant degree of vulnerability beyond WP itself. If it were possible, that would be a flaw in one of the underlying components (PHP, MySQL, etc.) which should be kept patched and up to date.
There’s always the chance of someone finding a way to trigger actions or throw errors using malicious code in comment fields. Just trying to think of a way that a web app’s code could leave the underlying system open for corruption. You could theoretically get the system to throw an error that would show you a SQL statement which would display the DB’s password.
Yeah, that’s the kind of thing I’m talking about that isn’t really dangerous to anything beyond the WP data itself (like I mentioned at the end of that last comment). It could definitely happen, but then you just restore from a backup and your actual system itself is not compromised, just the WordPress data.
And, of course, any security-minded person uses a unique, non-admin level user account for WordPress to access only the particular database it needs access to, so if that account were ever compromised it would not be able to affect anything other than the WP database. If it was using a database account with more permissions than it should, then such a compromise of the only password WP would know about would be more serious, but that’s not the case for me, so I’m not worried about it.
I was just trying to say that it’s not the same kind of serious issue that keeping your OS and services up to date and patched is.
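The dedicated, least-privilege MySQL account the comment above describes, written out as an added example (not the blog’s own configuration); the database name, user name and password are placeholders, and the statements assume MySQL 5.0.2 or later, where CREATE USER is available.

```sql
-- Weak setting: WordPress connecting as a server-wide superuser.
-- If the password in wp-config.php were ever exposed, the attacker
-- would hold rights over every database on the server, not just the blog.
-- (Shown commented out; do not run.)
-- GRANT ALL PRIVILEGES ON *.* TO 'wp'@'localhost' IDENTIFIED BY 'password';

-- Corrected setting: one account, one database, one source host.
-- The grant list is limited to what the WordPress tables need for
-- day-to-day operation plus schema changes during upgrades; no
-- FILE, SUPER, PROCESS or GRANT OPTION rights are given.
CREATE DATABASE wordpress_db;                              -- placeholder name
CREATE USER 'wp_user'@'localhost' IDENTIFIED BY 'CHANGE_ME'; -- placeholders
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX
  ON wordpress_db.* TO 'wp_user'@'localhost';
FLUSH PRIVILEGES;

-- Check 1: the account should show only USAGE on *.* (i.e. no global
-- rights) plus the single grant on wordpress_db.*.
SHOW GRANTS FOR 'wp_user'@'localhost';

-- Check 2: audit which accounts hold global superuser rights at all;
-- the WordPress account must not appear in this list.
SELECT User, Host FROM mysql.user WHERE Super_priv = 'Y';
```

A compromise of wp_user then reaches only wordpress_db, which is exactly the data the nightly dump can restore.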
So you backup nightly?
Yep