Remind HN: Update your wordpress sites

41 points by spocked 11 years ago · 36 comments · 1 min read


Wordpress released version 4.2.2 a week ago with some important security updates. As someone who owns multiple WP installs, it is critical for me to get these updated asap. I am sure there are quite a few members on HN that fall in this category too.

rob 11 years ago

And if you manage multiple WordPress websites, try something like InfiniteWP. It takes care of updating core, plugins, and themes. We use it to manage about 23 WordPress websites and being able to update all of your websites with a couple of clicks is an incredible timesaver. We still do manually review everything though (like changelogs, making sure the site still loads and isn't a WSOD, etc.)

We like InfiniteWP because it's free and we can host it ourselves (we've had no need for their paid addons), but there's also other solutions like MainWP, ManageWP, WP Remote, iControlWP, CMS Commander, etc. I think most (if not all) of those are hosted and paid / free trial.

  • liotier 11 years ago

    Or let your Linux distribution handle the multi-site Wordpress hosting for you... Thank you Debian !

ozh 11 years ago

As someone who owns multiple WP installs, I have added "define( 'WP_AUTO_UPDATE_CORE', true );" to all my wp-config.php files so that all my installs automatically self update with ALL future updates, minor & major

  • Fradow 11 years ago

    It is great in theory. In practice, the last auto-update caused a WSOD on my site without any helpful debug log (both on WP and server log) until I manually disabled a (popular) plugin by editing its php file.

    I wonder how a less tech-savvy person would have resolved that. Even being tech-savvy, I had to ask someone for help.

    Updates of core and plugins are always very scary to me.

    • Mojah 11 years ago

      It's a system that's based on trust, but the auto-update that is active in WordPress has saved millions of sites from getting hacked in the last few weeks: https://ma.ttias.be/in-defence-of-wordpress/

      As soon as something major breaks by those auto-updates, the trust is over and a lot of users will disable it. That would be a shame indeed, because besides a couple of WSOD's some users may experience, it's an extremely powerful feature.

    • federicobond 11 years ago

      There is also "define( 'WP_AUTO_UPDATE_CORE', 'minor' );" which should break a lot less.

  • makeitsuckless 11 years ago

    As someone who hasn't bothered with WP in a long while, is there any way to do this safely whilst still using 3rd party plugins and themes?

    • girvo 11 years ago

      Depends on the themes and the plugins. Basically: not really, but if you've used a small subset of themes and plugins you should be okay.

  • mobiplayer 11 years ago

    How does it check for new versions? Could it be MITM'd? :-)

    I've personally no idea, but I hope you asked yourself those questions.
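
Added example (not part of any comment in this thread): a small Python audit for the situation discussed above, where several installs must reach 4.2.2 and may or may not set `WP_AUTO_UPDATE_CORE`. It assumes the standard layout with `wp-includes/version.php` and `wp-config.php` in the install root; the function names and sample file contents are constructed for illustration.

```python
import re
import sys
from pathlib import Path

PATCHED = (4, 2, 2)  # the release the original post refers to
VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]""", re.M)
# Anchored at line start so "// define(...)" and "# define(...)" are skipped.
# Defines inside /* ... */ block comments are not detected (known limitation).
POLICY_RE = re.compile(
    r"""^\s*define\(\s*['"]WP_AUTO_UPDATE_CORE['"]\s*,\s*(true|false|'minor'|"minor")\s*\)""",
    re.M | re.I)

# Constructed sample file contents (not taken from a real site).
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '4.1.1';\n"
SAMPLE_CONFIG_PHP = ("<?php\n// define( 'WP_AUTO_UPDATE_CORE', true );\n"
                     "define( 'WP_AUTO_UPDATE_CORE', 'minor' );\n")

def core_version(version_php):
    """Return $wp_version as a 3-tuple of ints, or None if it cannot be read."""
    m = VERSION_RE.search(version_php)
    if not m:
        return None
    nums = [int(n) for n in re.findall(r"\d+", m.group(1).split("-")[0])]
    return tuple((nums + [0, 0, 0])[:3])

def update_policy(wp_config_php):
    """Return 'true', 'false' or 'minor', or 'unset' if no active define is found."""
    m = POLICY_RE.search(wp_config_php)
    return m.group(1).strip("'\"").lower() if m else "unset"

def needs_update(version):
    """An unreadable version is flagged for attention rather than passed."""
    return version is None or version < PATCHED

def audit(root):
    """Inspect one install directory; return (version, policy, needs_update)."""
    root = Path(root)
    vfile = root / "wp-includes" / "version.php"
    cfile = root / "wp-config.php"
    version = core_version(vfile.read_text(errors="replace")) if vfile.is_file() else None
    policy = update_policy(cfile.read_text(errors="replace")) if cfile.is_file() else "unset"
    return version, policy, needs_update(version)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, audit(path))
    if len(sys.argv) == 1:  # no paths given: run on the constructed samples
        v = core_version(SAMPLE_VERSION_PHP)
        print("sample", (v, update_policy(SAMPLE_CONFIG_PHP), needs_update(v)))
```

Pass one or more install directories as arguments to get a `(version, policy, needs_update)` tuple per site.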

joeyspn 11 years ago

I'm not a big fan of wordpress but it is undoubtedly a great tool to have in your toolbox, especially when your customers need user-friendly blogging tools or a quick CMS. I've installed for some of my clients Django blogs (with Django-CMS), rails-based blogs, and even a couple of Ghost installs. Nothing has beaten wordpress so far, clients love its versatility...

What I do to fly under the radar of many of the bots and automated scripts targeting wordpress sites is using a modern wp framework: roots bedrock[0]. This gives you a convenient time window to update wp when you have the time (although with bedrock it is really easy with a couple of commands)

[0] https://roots.io/bedrock/

runarb 11 years ago

For the first time I got an email from my Wordpress installation yesterday, asking me to update. Have not seen that before. A nice detail I appreciate, so I don't have to keep up with what is the latest release of Wordpress at all times.

  • aram 11 years ago

    Interesting, AFAIK it's not something in the core. Which security plugin are you using?

    • runarb 11 years ago

      I am not running any security plugins. I just had a look on the email headers, and it was sent from my server, so this must have come from Wordpress somehow. It is also the first one I have gotten.

      The email said:

      Subject: [{my website} Wordpress MU] WordPress 4.2.2 is available. Please update!

      Please update your site at http://{my websites url}.com to WordPress 4.2.2.

      Updating is easy and only takes a few moments: http://{my websites url}.com/wp-admin/network/update-core.php

      If you experience any issues or need support, the volunteers in the WordPress.org support forums may be able to help. https://wordpress.org/support/

      Keeping your site updated is important for security. It also makes the internet a safer place for you and your readers.

      The WordPress Team

      I have the following plugins installed: All In One SEO Pack, FeedWordPress, Github Ribbon, Hello Dolly, Revision Control, Unfiltered MU, WordPress Importer and WP-Polls.

      Maybe it originated from one of them?

      • SamReidHughes 11 years ago

        I got this email too. I'm pretty sure I didn't seek out and install any plugins. I don't remember getting any of those you've listed. I nuked the install completely so I can't say for sure.

listic 11 years ago

Does Wordpress release security updates for those who stick to older versions?

gesman 11 years ago

I usually skip N.N.0 but update everything when N.N.2+ comes out.

  • falcolas 11 years ago

    4.2 and 4.2.1 contained a lot of vulnerability fixes from 4.1.n - when it comes to an operating system, err, blogging platform, it's not a bad idea to keep on top of your updates.

gauravnews12 11 years ago

If I don't update, will I get any problems on my website?

NewsReader42 11 years ago

or just remove wordpress and use something secure, not bloated and easier to develop with.

  • arsenide 11 years ago

    Would you mind elaborating on what you mean by "bloated," and could you give an example of something "easier to develop with?", explaining why it is "easier" to use?

    • ereckers 11 years ago

      They usually mean some blog engine that was just released a few weeks ago that doesn't do anything.

    • falcolas 11 years ago

      My definition of bloated: any web platform which includes its own cron system.

  • adam74 11 years ago

    A lot of people who run Wordpress have clients who need a nice, easy user interface to be able to update their site. Do you have any suggestions for software that fulfills that need and is "secure, not bloated and easier to develop with"?

    • jon-wood 11 years ago

      > A lot of people who run Wordpress have clients who need a nice, easy user interface to be able to update their site.

      This is clearly opinion, and should be taken as such, but I absolutely loathe Wordpress' admin interface. I'm sure at some point it was a nice, easy user interface but those days have passed. Anytime I have the misfortune of being thrown into a Wordpress backend I have no idea how to get anything done.

      • ereckers 11 years ago

        The WordPress admin interface hasn't changed all that much over the years. Unless the change to a darker admin theme tripped you up, I'm not sure where anyone that has any experience using anything on the internet would have much problem getting anything done with it.

      • freehunter 11 years ago

        When all you need to do is write a post, clicking on 'Posts' is a good start.

    • ryan-c 11 years ago

      Not for everyone, but I rageported my wordpress site over to pelican after one too many instances of it running slowly for no apparent reason. It's great if you're willing to author content in markdown or restructured text.

    • jqm 11 years ago

      Mezzanine. And it is a joy to work with.

      • marcosdumay 11 years ago

        That.

        After the second Drupal flaw in two weeks that enabled anybody to log on my server, I've decided to remove anything written in PHP from it. I'm not here to babysit software.

        As a bonus, if you want anything too fancy in Mezzanine, you can just escape away to Django. Beats being thrown away in PHP by miles.
