WordPress 2.8.6 And Your Responsibilities

Before I begin this post I have to make a statement to avoid any misunderstandings – I love WordPress! I strongly believe it to be one of the most versatile platforms for publishing on the web and also one of the best supported. My hat goes off to its developers and community, who constantly work on enhancing, improving and, more importantly, securing WordPress!
And while with each major release it becomes simpler and easier to upgrade, I know from my own experience and from talking to many business customers that sometimes it feels as if the decision to use WordPress puts you into a constant upgrade cycle….
An upgrade cycle forced by the need to stay secure and one step ahead of “crackers”. An upgrade cycle whose urgency can be greatly reduced by following some common “Best Practices”, and that is exactly what I want to share today…
WordPress 2.8.6 is a security release that addresses two vulnerabilities that can only be exploited by active “registered, logged in users who have posting privileges”.
I highlighted that quote for a reason.
My own quick investigation turned up a few more WordPress security releases that share a common problem – vulnerabilities that can be exploited by registered users of your blog, or on blogs that have open registration:
- WordPress 2.8.3 – fixes a privilege escalation issue
- WordPress 2.8.1 – fixes a small security issue that allows a regular user to see admin pages for plugins they shouldn’t have access to
- WordPress 2.6.2 – this one is actually an issue with PHP functionality, not with WP itself, but it addresses a problem where “With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password.” Not so much a security issue as a major annoyance, but still…
- WordPress 2.5.1 – this one fixes a more severe issue, identified by CVE-2008-1930, that actually allows remote users to create an account on your blog with administrative privileges.
I’m not going to go any further into the release history, as I think I have sufficiently proven the point that leads to the Best Practice I want to share:
Users And Roles Best Practice for WordPress Security
1. User roles are a great mechanism to help you control who can do what on your blog. If you need users other than your own account on your blog – always follow the principle of least required access privileges.
With the development of community-style blogs, guest bloggers and the popularity of outsourcing, it is important not to give a person more access than they need to complete their task. Refer to the document I linked to above!
2. Disable Open Registration on your blog unless you absolutely must have it, and allow unregistered users to comment on your blog instead. This practice applies to 99% of the blogs I know and will help you avoid the rush of upgrading to the latest version of WordPress every time it addresses a privilege escalation problem.
3. If you simply must have open registration, for whatever reason, be sure to pay attention to security releases and upgrade as soon as possible! It is YOUR responsibility to stay secure!
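To make practices 1 and 2 concrete, here is an added example (not code from the post or from WordPress itself) of a must-use plugin that pins open registration off below the Settings screen, forces the lowest default role, and audits which accounts hold a role above the ceiling you expect. The plugin name, the `ldr_` prefix and the contributor ceiling are my own choices; the role names are the standard WordPress set.

```php
<?php
/**
 * Plugin Name: Lock Down Registration (example)
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 */

// 1. Open registration stays off regardless of what the Settings screen
//    stores: pre_option_* short-circuits get_option() before the DB is read.
add_filter( 'pre_option_users_can_register', '__return_zero' );

// 2. Least privilege for accounts an admin does create: lowest default role.
add_filter( 'pre_option_default_role', function () {
    return 'subscriber';
} );

// 3. Audit: returns user_login => [roles] for every account holding a role
//    above $ceiling. Standard roles, ordered least to most powerful; roles
//    added by plugins are unknown here and are flagged for manual review.
function ldr_audit_roles( $ceiling = 'contributor' ) {
    $order   = array( 'subscriber', 'contributor', 'author', 'editor', 'administrator' );
    $limit   = array_search( $ceiling, $order, true );
    $flagged = array();
    foreach ( get_users() as $user ) {
        foreach ( $user->roles as $role ) {
            $rank = array_search( $role, $order, true );
            if ( false === $rank || $rank > $limit ) {
                $flagged[ $user->user_login ][] = $role;
            }
        }
    }
    return $flagged;
}

// 4. Show the audit result to administrators on every dashboard visit.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $flagged = ldr_audit_roles( 'contributor' );
    if ( empty( $flagged ) ) {
        return;
    }
    $lines = array();
    foreach ( $flagged as $login => $roles ) {
        $lines[] = esc_html( $login . ' (' . implode( ', ', $roles ) . ')' );
    }
    echo '<div class="notice notice-warning"><p>Accounts above the contributor ceiling: '
        . implode( '; ', $lines ) . '</p></div>';
} );
```

Your own administrator account will of course appear in the notice; the point is that every other entry should have a reason you can name.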
There are a few more ways to make sure your blog stays secure, by implementing a strategy concept I call the “Triple P Of WordPress Security”, and if you carry out even part of what I share – you can sleep a lot better at night, I promise!
Stay Safe! Be Responsible! Enjoy the great blogging platform we have!
Oh, and don’t forget to comment and tell me what you think!
{SIDE-NOTE} – WordPress 2.8.6 is a simple and safe upgrade in my experience and I implemented it on all my blogs with no issues.
I too find that the constant upgrade status of WordPress can seem too cumbersome at times. I understand the importance of what they have to do and I am appreciative of it, but it still seems to be a pain. Hopefully they will continue to improve and maybe not need to do constant upgrades.
Thanks Alex, for your review of the latest upgrade. I often get tired of having to upgrade so often fearing that something could go wrong and my entire site would be rendered useless. However, your reviews usually give me the courage to upgrade.
Now that I’ve read your review, I’m off to upgrade my blogs.
.-= Felicia´s last blog ..Oh No, Not Another Blogging 101 =-.
Thanks guys!
Glad I could make your life easier
keeping up with security updates is always a pain but we have to do it, although we can take action to avoid the rush of implementation and that is exactly the idea I tried to convey in this post.
Thanks Alex,
I agree with you. If I have 1 complaint about WordPress, it is that it is updated too often. I run several blogs and I looked for a decent way to try and run these off of one installation to make upgrades easier, but I have not found a decent way to do that. I tried WPMU, but so many plugins will not work properly using that.
I appreciate the fact that you explain why the upgrades have been done to make it easier on your readers to decide if it is needed.
I also want to let your readers know, I have opened a blog directory for anyone who is interested. It is located at:
http://yourblogsource.com and it is free to register with a reciprocal link.
Jim Clary
.-= Jim Clary´s last blog ..The Importance Of Consumer Reviews =-.
It used to be a headache to upgrade WordPress when the automatic upgrade option was not there. Especially the WordPress 2.6 sub-versions got released pretty frequently and sometimes made me a bit annoyed.
By the way, there was still a plugin for automatic upgrade. But I like to use as few plugins as possible.
.-= aniroy1986´s last blog ..DreamHost Have Added cPanel Importer to Their Web Panel =-.
I’ll go as I have been and wait for 2.9; rapidly approaching, supposedly. After all, I’m on 2.7 now.
I ONLY upgrade the .1 .2 .3 .4 garbage when it is a life or death situation, which to my knowledge has been once since I started blogging with 2.0.4 LOL
.-= Dennis Edell´s last blog ..He/She Has Unsubscribed – Should You Ask Why? =-.
Dennis,
You are probably correct, except I have to test the upgrades so I could share with my customers.
Ah brave man indeed! I assume you don’t use this blog to do it, yes?
.-= Dennis Edell´s last blog ..Are You Thankful For Your Blogging Community? =-.
Actually – I always do
If this blog is safe to upgrade – most of the others will be as well.
Hi Alex,
Perfect timing on your articles. Since reading your first few articles about security I have implemented many of the strategies you have suggested plus passed on the information for my readers to come here and read.
I am only new to this blogging world and I didn’t realize the security problem until I got hacked! My computer was hacked as well, and I did find malicious code connected to my site, which has now been fixed.
Thank you so much for sharing this information and for caring about the security of others. I am an avid reader of your website and as far as I know a few of my readers are now avid readers of also.
See you back here soon!
Kind Regards
Jacinta
P.S. I was honoured you visited my site the other day!
.-= Jacinta Dean´s last blog ..Two Awesome Articles On Learning How To Blog! =-.
I think WP should release patches instead of new versions, because that’s what they are: patches to fix bugs and security issues. That being said, they could be an automatic process, like a virus database update. Leave the good stuff to be an upgrade, so that people upgrade for the good reasons: they want to have a better version of the product, not because they’re scared their blog will collapse.
I just wish the upgrade process was easier and there was a good quality, easy to follow, video presentation showing the whole upgrade process from start to finish.
I have upgraded my WP blogs once, and found the whole thing very cumbersome because of the backing up process. Even today, although I did eventually figure out how to back the blog up, I don’t remember how I would reinstall it if there was ever a time that an upgrade went wrong! So that in and of itself has put me right off of upgrading at each new version. If I stuff it up, I don’t know how to reinstate the blog!
I agree with John G’s comment above. Use patches like Microsoft does (it seems with unfailing regularity lol) to fix their bugs and issues. Have these patches install very easily remembering that users use blogs because they are supposed to be easy to use!
.-= Gareth C Thomas´s last blog ..Pricedout Londoners turn to empty homes =-.
@ Gareth C Thomas
Know how that feels!
.-= James Mangosteen Dean´s last blog ..Mangosteen Juice Helping With A Testicular Lump, Testimonial # 1 =-.
I know, however if you set up your blog correctly then you can do automatic upgrades with little problems.