Aral Balkan

How unsexy are Wordpress security updates? I have the horrible habit of doing everything else first before attempting one (which, of course, is absolutely the worst thing you can do, as the recent spam hack on the SWX blog demonstrated so well). I used to dread doing the updates mainly because I just knew something would break. At least that's how I used to feel.

When I last upgraded Wordpress, a little over a week ago to version 2.3.1, I made a slightly delayed New Year's resolution that I wouldn't hack the blog. Instead, I decided to do everything using plugins and widgets (which are plugins that display on your sidebar). And -- wonder of wonders -- I actually stuck to it! That being the case, upgrading is no longer a nightmare.

In fact, when you have an unhacked Wordpress installation, all you have to do to upgrade to 2.3.2 is:

1. Download 2.3.2.
2. Delete the wp-content folder and the sample wp-config file from the distribution.
3. Test it locally on your development machine (skip this step at your own peril; the last thing you want is all your readers discovering your "Doh!" moment mistake at the same time as you do!)
4. Upload the new files to your server.

That's it. All in all, it took me under ten minutes to do. As there were no database changes between the two versions, I didn't even have to run the upgrade script (which I realized after running it on my local installation and seeing the resulting message.)

The moral of the story is that if you don't hack your blog but use plugins for everything, upgrading no longer needs to be a nightmare. Using a plugin-based architecture (which in Wordpress shares similarities with aspects and the Template pattern in object/aspect-oriented programming) gives you flexibility in customizing something without altering the original, thereby making updates to the original possible without breaking your customization.

The same moral holds true for development when you're using third-party libraries. Instead of hacking them, see if you can't extend their capabilities either via inheritance, or, even better (because it's more flexible), through composition (say via the Decorator pattern or by using interceptors). That way, unless the public API of the library changes, you won't be afraid to update the library to its latest version. (And, if you're designing an API, see if you can't include some hooks or filters in there to make it easier for people to extend it without too much trouble.)

To cut a long story short, the blog's now running Wordpress 2.3.2 and all is well. It's also a real pleasure to actually find myself looking forward to the next Wordpress update rather than dreading it! :)

Comments

• Hi Aral, I run my blog(s) on SVN working copies of the SVN tag corresponding with the latest version. Once there's a new version, I just run a simple svn switch statement -- that's it. Of course you need a server with shell access and an installed svn client to do that, I don't know how you're set up in that regard. H.

  by Hendrik on 2008-01-13 21:40:13

• I have been visiting this site a lot lately, so i thought it is a good idea to show my appreciation with a comment. Thanks, Jim Mirkalami PS: I am a single dad. ;)

  by Jim Mirkalami on 2008-02-10 04:41:27

• “The moral of the story is that if you don’t hack your blog but use plugins for everything, upgrading no longer needs to be a nightmare.” "This is sadly just partially true." Seconded! Somehow the v2.3.2 upgrade decides to delete the wp_post2cat table from the database which is used by some plugins! Glad I did a db backup!

  by sascha/hdrs on 2008-01-14 05:07:02

• @Keith you go now it takes as long as uploading thsoe folders and files Aral mentioned ;) Did 2 logs in under 10 minutes ;)

  by Folkert on 2008-01-13 20:06:39

• Yes - I love WordPress but it is difficult not to hack stuff :)

  by Jim Priest on 2008-01-13 19:48:35

• The Wordpress site has additional information on this here.

  by Hendrik on 2008-01-14 13:16:20

• I like your blog theme. I want to use it on my blog. Can you please tell me from where I can download these theme? Many thanks -------------------------------------------------------------------------------- Dan owner of the future gadgets blog future gadgets and inventions

  by Dan (future gadgets blog) on 2008-02-29 15:19:37

• I have been a frequent visitor of this blog for some time now, so I thought it would be a good idea to leave you with my thanks. Regards, Jim Mirkalami

  by Jim Mirkalami on 2008-02-06 22:37:20

• @Hendrik: Nice one. Updating from SVN tags definitely sounds easy but how do you handle your customized wp-content folder? Do you have a symbolic link to a separate folder or something?

  If you make changes to files controlled through SVN, it will try to merge them with the upstream changes when you do an svn update or svn switch. New files are simply ignored by SVN (it doesn't touch them). The very worst thing that can happen is that there is a merge conflict that needs to be resolved manually, but the chances for that are slim as long as you haven't been messing with the WP core code (or something like the bundled Akismet plugin) too much. ;-)

  by Hendrik on 2008-01-14 13:14:34

• "Sounds like they did a quick and dirty patch. " Yeah, exactly. I understand why they had to act quickly to close open security holes, but yeah, hope they do a propper solution for a next update. " Do you know if they’re planning on implementing a better solution in a future update? Have you taken this up with them?" I don´t know if they´re working on a better implementation. When first noticing what´s up with 2.3.2 i searched on wordpress.org and found this topic there: http://wordpress.org/support/topic/149522?replies=4 and wrote a reply, well, let´s see.

  by tomsamson on 2008-01-14 14:34:18

• Well, having recently been hacked myself, you'd think I'd be all over the latest update. But I just upgraded to 2.3.1 a few weeks ago, and almost immediately saw 2.3.2 was available. So I've been dragging my feet a bit, but maybe I'll just go ahead and do it now that you made it sound so painless. :)

  by Keith Peters on 2008-01-13 19:51:11

• I've recently run into this as well. I got tired of mucking with the theme templates to put the Google Analytics tracking code in the page, so I finally wrote a plugin to handle it.

  by Ryan Kennedy on 2008-01-13 20:08:41

• Just used WordPress for the blog, installed smoothly, installed custom theme the same. @Ryan i ran into this same problem, i ended up installing Ultimate Google Analitics plugin from here http://www.oratransplant.nl/uga/. Works perfectly. Adrian

  by Adrian Aioanei on 2008-01-13 21:31:14

• I recently just did my first WordPress install, I used to just let my hosting provider do the auto install, and I found it to be pretty easy. Don't know what I was afraid of. Anyway if you're looking for some awesome plugins I compiled a list of the best.

  by J.F.H. on 2008-01-13 21:34:10

• "The moral of the story is that if you don't hack your blog but use plugins for everything, upgrading no longer needs to be a nightmare." This is sadly just partially true. True in so far that nothing should break on your end due to changes you made. Updates can of course still break many things if the side releasing the update (wordpress) has changed things in unexpected manner. In case of wordpress 2.3.2 they did some security fixes. Good by itself, but the way they did it is partially strange. For example before there was the issue that one could abuse xmlrpc to see private posts and drafts when logged in in subscriber role (so a security issue). Now instead of fixing that issue in a way that when using getRecentPosts method and only beeing logged in as subscriber it only returns public online posts, they changed it so that when one isn´t logged in in admin role getRecentPosts doesn´t work at all anymore, so one can´t see public online posts anymore either. This is quite a bummer for people who use xmlrpc in some custom blogging software (XMLRPC is meant to be a public api for use in such systems). So yeah, regarding that its not all shiny with the new update.

  by tomsamson on 2008-01-13 21:55:23

• @Keith: Hope your upgrade went smoothly! @Folkert: Glad to hear yours did :) @Ryan: It definitely is more of a hassle to write a plugin but well worth it. I found the hardest part to be finding information about writing plugins. There's great information out there, it's just not all in one place. @Adrian: Thanks for the link. Reminds me that I need to re-enable Google Analytics. I'll probably use it :) @J.F.H: Cool, thanks for the sharing the links. I'll check them out. (Have I become a plugin junkie too?) @Hendrik: Nice one. Updating from SVN tags definitely sounds easy but how do you handle your customized wp-content folder? Do you have a symbolic link to a separate folder or something? @tomsamson: Sounds like they did a quick and dirty patch. Do you know if they're planning on implementing a better solution in a future update? Have you taken this up with them? @sascha/hdrs: I'm assuming that you were upgrading from a slightly older version of Wordpress? I had this happen when upgrading from 2.0.x to 2.3.1. It initially broke the version of K2 I was using. However, the latest version of K2 works well. I also haven't had any issues with any of my plugins. Have you had a chance to see if the plugins you're using have been updated for 2.3.x?

  by Aral on 2008-01-14 09:37:58

• ARAL! (or other readers) a) thanks for writing this article b)please help. I just upgraded my blog to 2.3.2. And no problems BUT, I noticed in the database there is no longer a wp_categories file. Is this correct? I noticed this on a friends blog after upgrading as well. The reason this even came up is because I originally was going to import my old posts onto a new blog not realizing its actually quite easy to repoint your wordpress blog to a differnt url. So when I originally imported the posts they worked fine but the categories didn't. Where does 2.3.2 file the categories now? Thanks again. ace http://www.joshventura.com http://www.breakdancedvd.com

  by josh ventura on 2008-01-15 09:52:01