[Security] Outdated WordPress Installs
Saturday, August 30th, 2008 - Security
This past week I conducted a preliminary check on all of the servers for outdated WordPress installations. I found quite a few that were old and outdated. Keeping any script on your account that is outdated is a security risk. Most of the time developers release a new version of a script or application to address a known security risk. This is not always the case and in most cases the security issue is very minor, but a minor security issue is still a security issue and should be dealt with. If you are not keeping your scripts up-to-date, then you could be open to some type of vulnerability which can lead to problems such as website defacement or information compromise where someone steals information you have stored on your website.
I think one thing that is forgotten when users install a script or application on their website is that the management of that script or application is just starting. On the Internet, software has to be maintained and kept up-to-date because it is continually accessible by the outside world. If you have Microsoft Office installed on your home computer and a new exploit for Microsoft Office is discovered, you can always just turn off your home computer and it will be impossible for that exploit to do damage on your home computer. On the Internet, it's not easy to turn off a server. If the web server is turned off, then your website won’t work at all. This is why the only real option on the Internet is to continually check and make sure that all of your scripts and applications are up-to-date.
I have singled out WordPress in this particular security check. It will be impossible for me to check each and every account for up-to-date script software. This is because every piece of software is different and finding out what version is installed on each account can be difficult. There could also be thousands of different scripts and applications installed on all of our hosting servers. Each script and application would require its own system-wide version checker. WordPress is just a very popular blogging script and with it being so popular it is important to keep it up-to-date.
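As an added illustration (not the checker used for this security check), here is one way a WordPress-specific version checker can work: it reads the `$wp_version` line that WordPress keeps in `wp-includes/version.php` and compares it numerically against 2.6.1. The account names and directory layout in `build_sample_tree` are constructed sample data.

```python
import os
import re
import tempfile

LATEST = "2.6.1"  # latest release named in this post
VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]""", re.M)

def version_key(v, width=3):
    """'2.0.11' -> (2, 0, 11). Numeric, zero-padded, so 2.0.11 > 2.0.2 and 2.6 == 2.6.0."""
    nums = [int(n) for n in re.findall(r"\d+", v.split("-")[0])][:width]
    return tuple(nums + [0] * (width - len(nums)))

def find_installs(root):
    """Yield (install_dir, version or None) for every wp-includes/version.php under root."""
    # os.walk does not follow symlinks by default, so a link loop cannot trap the scan.
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == "wp-includes" and "version.php" in filenames:
            try:
                with open(os.path.join(dirpath, "version.php"),
                          encoding="utf-8", errors="replace") as fh:
                    m = VERSION_RE.search(fh.read(65536))
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole scan
            yield os.path.dirname(dirpath), (m.group(1) if m else None)
            dirnames[:] = []  # no need to descend below wp-includes

def outdated(root, latest=LATEST):
    """Return sorted (install_dir, version) pairs older than latest.
    Installs whose version line cannot be parsed are reported as 'unknown'."""
    found = []
    for install_dir, ver in find_installs(root):
        if ver is None or version_key(ver) < version_key(latest):
            found.append((install_dir, ver or "unknown"))
    return sorted(found)

def build_sample_tree(root):
    """Create constructed sample accounts (not real data) for the demo."""
    samples = {"alice/public_html": "2.6.1", "bob/public_html/blog": "2.3.3",
               "carol/public_html": "2.0.11", "dave/public_html": None}
    for rel, ver in samples.items():
        inc = os.path.join(root, rel, "wp-includes")
        os.makedirs(inc)
        body = "<?php\n$wp_version = '%s';\n" % ver if ver else "<?php\n// no version line\n"
        with open(os.path.join(inc, "version.php"), "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for install_dir, ver in outdated(tmp):
            print(os.path.relpath(install_dir, tmp), ver)
```

A version file can be edited by hand or left behind by a partial upgrade, so a result from a scan like this is a starting point for a notice rather than proof of what code is running.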
I am working on getting a full list of the accounts that have outdated WordPress installs. I am hoping to send out a notice to those accounts that have outdated WordPress installs sometime next week. However, if you know that you have WordPress installed on your account and you have not updated it, you should consider updating the install. To download the latest version of WordPress you can visit their website. The latest version of WordPress is version 2.6.1. In the meantime, you should make sure that your contact information is up-to-date with us. You can update your contact information by visiting our Account Management page and clicking the Update your Contact Information link.
I am also working on an update guide for updating WordPress. I will need to complete this before I will send out notices about the outdated installations. I am also working on an experimental WordPress updater which I can run on the server to update your WordPress installation.
So if you have a WordPress installation and you have not updated and you feel comfortable updating the installation on your own, you should consider doing this as soon as possible. Otherwise, you can wait for our official notice concerning outdated WordPress installs and our guide for upgrading.
Scott