Thursday, April 17, 2014

All WordPress releases, great and small

On April 14th WordPress released version 3.8.3, a maintenance release that fixed a "small and unfortunate bug" in version 3.8.2, the security release published six days earlier. The bug in 3.8.2 had to do with how WordPress saves drafts from the admin dashboard:

The "Quick Draft" tool on the dashboard screen was broken in the 3.8.2 update. If you tried to use it, your draft would disappear and it wouldn't save.

Then on April 16th version 3.9 was released. Confused as to what's what, and which version it is safe to upgrade to? It's easy, once you know how WordPress versions and updates work.

WordPress Minor Releases: Maintenance and Security

Any time you see three numbers in a WordPress version (e.g. 3.8.2, 3.8.3), that signifies a minor release. These are always either a maintenance update (a critical bug fix) or a security update (in response to a security issue that has been disclosed or discovered), and sometimes both.

Minor versions are released as needed, and the update should be applied immediately.

WordPress Major Releases: A Version With New Features Introduced

When there are just two numbers in the WordPress version (e.g. 3.7, 3.8, 3.9), that's a major release. A major release introduces new features, which may be very cool, but the update is not time sensitive or critical.

It may also take a few days, a week, or sometimes longer for your theme and all of your plugins to be made compatible. Check each of your plugins to verify it is compatible before upgrading to a major version.

Major versions are released every four to five months, and updating can wait until you've had time to read about the new features and possible changes, and to verify compatibility.

You can read more about the WordPress version release cycle from the WordPress website.

Automatic Updates Make Life Easier

Automatic updates also make your WordPress blog more secure. Starting in version 3.7, automatic updates for minor releases are enabled by default in WordPress core. In addition, if you're one of our hosting customers, the Auto-Installers we offer can be enabled to automatically update plugins and themes, as well as major releases.

Andrew Nacin, a WordPress core developer, wrote this guide in October 2013 when version 3.7 came out and introduced automatic minor version updates. Despite its title, the article gives every reason why enabling automatic updates is a GOOD thing. A few quotes from the article:

Background updates are incredibly, incredibly safe.

Minor releases don't break things.

WordPress has prompted users to install updates for years. I don't know how many declined as much as didn't pay attention or consider it a priority. Your phone buzzes in your pocket; it's something you can choose right then to act on. If you don't use your phone for a while, it's probably not a big deal if you wait for an update.

But running a site on the Internet carries some responsibility, and they don't buzz in your pocket. (Out of sight, out of mind.) For the betterment of the web, we made a conscious decision to avoid a UI option. You'd be out of your mind to consciously avoid updating to fix a critical bug or security issue. We think the vast majority of users (many who don't even know what PHP is) will celebrate this as a win in usability and security.

Which options should you choose? We recommend the following settings:

WordPress Minor Release: automatic updates enabled

WordPress Major Release: manual updates only. Take a backup of your database and files first in case there are any problems.

Themes: manual updates only, unless you're using a WordPress default theme (e.g. Twenty Fourteen). Themes should definitely be updated, but I recommend giving it a week and checking the support forum of your theme to see if anyone else is reporting bugs that could affect your blog's display.

Don't blindly update your theme on the first day an update is released... unless it's a security release! That does happen, however rarely, with WordPress themes. Take a backup of your theme directory before updating as a precaution, and if you customize a theme, always make a child theme so your customizations won't get overwritten.

Plugins: It depends on which plugins you use, whether you trust the companies who develop them, and how often you access your blog.

If you log in daily, then I'd recommend checking for updates yourself and updating the plugins one at a time, so that if an update breaks anything, you'll know which one is the culprit. On the other hand, if you log in infrequently (once a week or less), then it's better to turn on automatic plugin updates and risk an update breaking something than to have your blog/website hacked through a plugin security issue. Most WordPress compromises come through a plugin, not WordPress core itself.

Security issues are frequently found in WordPress plugins, so you really need to stay on top of updating them as soon as an update is released.
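Those recommendations map directly onto the update hooks WordPress added in 3.7, so you can set the policy once in code instead of remembering to click. The snippet below is an added example, not code from the original post or from WordPress itself; the filter names and the WP_AUTO_UPDATE_CORE constant are real, but the function names, the plugin allow-list and the theme name are assumptions you would change for your own site. Save it as a file in wp-content/mu-plugins/ so it loads on every request without activation:

```php
<?php
/*
Plugin Name: Update policy (added example)
Description: Minor core releases auto-apply, major releases stay manual,
             plugins and themes auto-update only from an allow-list.
*/

// Core: background updates for minor (maintenance/security) releases only.
// This is what define( 'WP_AUTO_UPDATE_CORE', 'minor' ) in wp-config.php does,
// and it is the WordPress 3.7+ default; the filters just make it explicit.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );

// The setting NOT to use: define( 'AUTOMATIC_UPDATER_DISABLED', true ) in
// wp-config.php (or add_filter( 'automatic_updater_disabled', '__return_true' ))
// switches off every background update, security releases included.

// Plugins: auto-update only the ones you trust to ship safe releases; the rest
// stay manual so a breaking update is easy to attribute. $item->slug is the
// plugin's directory name on wordpress.org. The slugs here are an assumed
// allow-list. If you log in rarely, return true unconditionally instead.
function example_auto_update_trusted_plugins( $update, $item ) {
    $trusted = array( 'akismet', 'jetpack' );
    if ( isset( $item->slug ) && in_array( $item->slug, $trusted, true ) ) {
        return true;
    }
    return false;
}
add_filter( 'auto_update_plugin', 'example_auto_update_trusted_plugins', 10, 2 );

// Themes: auto-update only the bundled default theme; third-party and
// customized themes wait until you have checked their support forums.
function example_auto_update_default_theme( $update, $item ) {
    return isset( $item->theme ) && 'twentyfourteen' === $item->theme;
}
add_filter( 'auto_update_theme', 'example_auto_update_default_theme', 10, 2 );
```

Because the plugin and theme filters receive the pending update object, the same hook can key on anything it carries (for instance $item->new_version) if you want to allow only point releases of a given plugin. Whatever policy you choose, leave the updater's email notifications on: it mails the admin address after each background core update, so a failed update is not silent.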

And While We're Talking WordPress...

Jetpack: On April 10th Jetpack released version 2.9.3, a critical security update:

During an internal security audit, we found a bug that allows an attacker to bypass a site's access controls and publish posts. This vulnerability could be combined with other attacks to escalate access. This bug has existed since Jetpack 1.9, released in October 2012.

This is a bad bug, and Jetpack is one of the most widely used plugins in the WordPress world. Don't hesitate, update! (Thank you, thank you, I'll be here all week... be sure to tip your servers and bartenders!)

Akismet: Version 3.0.0 of the Akismet plugin for WordPress is now available. This is a major rewrite of the plugin code. It includes many small improvements and some new features. In particular:

    An easier signup and activation process
    An even easier activation process for Jetpack users
    A redesigned configuration tab
    New stats charts (example shown below)
    A new discard feature for outright blocking of the worst spam


Hackers trick 162,000 unsuspecting WordPress sites into launching a DDoS attack. As reported by IT security researcher Graham Cluley:
The attack relied upon Pingbacks – a feature of WordPress that allows a site running WordPress to inform other sites when you write a blog post linking to them. But the WordPress sites were not hacked or compromised. Instead, through use of a simple UNIX command line, a remote hacker could tell one website to send an HTTP request to the target site, via the Pingback feature.

It is strongly recommended that you disable pingbacks. Any WordPress site with pingbacks enabled (which is the default) can be used in DDoS attacks against other sites, without the site itself ever being compromised.

As detailed on the Sucuri blog (they specialize in website security), the target was one of their customers. From Sucuri's blog post:

In the course of just a few hours, over 162,000 different and legitimate WordPress sites tried to attack his site. We would likely have detected a lot more sites, but we decided we had seen enough and blocked the requests at the edge firewall, mostly to avoid filling the logs with junk.

Can you see how powerful it can be? One attacker can use thousands of popular and clean WordPress sites to perform their DDOS attack, while being hidden in the shadows, and that all happens with a simple ping back request to the XML-RPC file.

You can use Sucuri's WordPress DDoS Scanner to check whether your site has been used to DDoS other websites.
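Unticking "Allow link notifications from other blogs" on the Discussion settings screen is not enough on its own: that option only changes the default for new posts, and the XML-RPC pingback.ping method stays reachable for every existing post that still has pings open. Removing the method from the XML-RPC server closes the door regardless of per-post settings. The snippet below is an added example, not code from the original post, from WordPress or from Sucuri; the hook names are real WordPress filters, the function names are assumptions. Save it under wp-content/mu-plugins/:

```php
<?php
/*
Plugin Name: Disable pingbacks (added example)
Description: Removes the XML-RPC pingback methods and the X-Pingback header
             so this site cannot be used as a DDoS reflector.
*/

// Drop the pingback methods from the XML-RPC method table. A remote
// pingback.ping call is what makes WordPress fetch the attacker-chosen
// "source" URL, so without the method there is nothing to reflect.
function example_remove_pingback_methods( $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'example_remove_pingback_methods' );

// Stop advertising the endpoint. WordPress sends an X-Pingback header on
// every front-end page; attackers scan for it to build their reflector list.
function example_remove_pingback_header( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}
add_filter( 'wp_headers', 'example_remove_pingback_header' );

// Two things NOT to rely on:
//  - add_filter( 'xmlrpc_enabled', '__return_false' ) is checked in the XML-RPC
//    login path only; pingback.ping needs no login, so it still goes through.
//  - Blocking xmlrpc.php entirely at the web server does stop pingbacks, but
//    Jetpack talks to WordPress.com through xmlrpc.php and will stop working.
// Removing just the pingback methods, as above, leaves Jetpack functional.
```

After deploying, confirm the method is gone by POSTing a system.listMethods call to /xmlrpc.php and checking that pingback.ping no longer appears in the response. Sucuri's scanner answers the separate question of whether your site was already observed attacking others before you made the change.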