If you are not running the latest version of WordPress and you get hacked, don’t go to the WordPress forum and tell the world. Odds are you invited the disaster yourself.
When WordPress 2.5 came out I was disappointed to find that the old version 2.3.x was basically abandoned. There would be no more planned patches for 2.3.x just the current 2.5. The 2.0.x branch would continue to be supported as part of the commitment to the Debian version model.
So as of right now versions 2.0.11 and 2.5.1 are supported. If you are running 2.2.x, 2.3.x, 2.5(.0), or any other version then you run the risk of being exploited.
So why do users continue to use the old versions? Everyday there are posts in the support forum that (so far) always deals with someone’s blog getting hacked and they are not using the current 2.5.1 version (as of this writing). Eventually someone writes “I’ve been hacked” and some other user writes “Is this a vulnerability of insert current version HERE?!? Why are the developers not doing SOMETHING?!”.
It’s like there is some axe to grind and the first one to find the axe gets 1000 gold points. The moderators usually show great patience; I’d get ticked if I were them. These users seriously should just avail themselves of WordPress.com and stop trying to self host a blog.
The freely available WordPress from WordPress.ORG is not commercially supported, and commercial support if often not that good anyway. So for anyone who is thinking about using WordPress.org’s software, they should be able to do the following by themselves.
You need to be able to make backups.
Read this Codex article for backing up your WordPress installation.
WordPress uses two components. The easy one is the file system and backing that up should be trivial. I use a shell script that creates a tar.gz archive every night. Another cron job deletes backups that are older than 30 days. Why fill up my disk? The backups are not for historical use, just to get me back to the state I was 24 hours ago if need be. 30 days is too much but hey, disk space is cheap.
The mysql database is the other component. The same backup script also creates a text dump of my entire WordPress database. This copy gets gzipped and added to my file backup. The mysqldump command is your friend and should be used.
You need to be able to know how to restore those backups.
The Codex has a good article on how to restore your blog database here.
Making the best backups is pointless if you don’t know what to do with them when the “Bad Thing” happens. Take your backup and restore it to a WAMP or LAMP installation on your own PC. If you need a Windows Apache Mysql Php setup, use Google and install the one you feel comfortable with. In Linux just add the packages (See this link for Ubuntu).
Once you have the Apache web server, Mysql, and PHP running locally on your PC then start playing. Install WordPress locally, restore your backup and just change the name of your installation in wp-config.php to localhost and test. To adjust your local installation to run on your PC just add these two lines to the copy of the wp-config.php on your PC:
define('WP_SITEURL', 'http://localhost'); define('WP_HOME', 'http://localhost');
Then on your PC point your browser to http://localhost/ and test it. Beat it up; it’s a local copy on your PC. Go nuts on it and confirm that your posts, categories, tags, comments, etc. are all there. Anything on your PC that you mess up in WAMP or LAMP should be no big deal. Just start over if you get lost.
Play with it until you understand what you are doing, because when you DO lose your blog you’ll need to do this for real.
Practice performing an upgrade on your PC’s local copy.
That sounds like a plan right? Some plugins don’t work with the latest and greatest version. If the version you are running is vulnerable to an exploit then you don’t need that plug in.
Security updates are the number one driver for minor number version releases such as 2.5 to 2.5.1. Yes, there are bugs but they usually are tolerable. Exploitable code is serious business and usually gets fixed quickly.
Once you are comfortable with upgrading and testing your local installation, upgrade your real blog. I personally keep good backups and know how to restore them so I never bother with this step.
If you know how to backup and restore your blog, then even if the upgrade is bad, you will be able to put it back the way it was before the upgrade.
Bryan - After5PC says:
You’re right. You should do a test upgrade via your local PC before making any changes to your live site online. This will save you from headaches, if you find the upgrade incompatible with some of your existing plugins or tweaks.
June 26, 2008 — 2:59 pm
Jan Dembowski says:
What’s funny is that I have the backup and restore down pat. I have been doing this since 1.5.2 and only once had to restore my backup once (there was some really bad things in my PHP4 setup).
A local install upgrade for practice is harmless and could identify plugin/theme issues easily.
June 26, 2008 — 4:11 pm
Bryan - After5PC says:
I installed xampplite on my local PC, and that’s what I use now to test any scripts prior to uploading them unto my server.
It’s useful. It allows your local PC to act as a server.
June 26, 2008 — 5:02 pm