Wordpress issues second urgent patch in two weeks

Weary Wordpress worker-bees are being asked to hit the "Update" button again. Just a couple of weeks after an XSS vulnerability forced a July 24th call to upgrade to Wordpress 4.2.3, a handy collection of vulns means it's time to run in version 4.2.4. At least Wordpress has an easy upgrade mechanism. The new vulnerabilities …

  1. Richard Lloyd

    At least WordPress' updating system is good...

    One of the big selling points for me about WordPress is that it is *very* easy to update (though I'd like to see more thought put into easy rollback other than "restore the Web/DB dumps you took before the updates"). The recent 4.2.3 and 4.2.4 security releases actually got applied "automatically", generating an e-mail to the site admin to inform them of this. 4.2.3 broke the Types/Views plugins for a lot of sites (and it took about a week before Toolset released a fix, though it was possible to work around the issue or indeed manually roll back, which is why I think easy rollback would be a nice WP feature to add).

    Perhaps the weakest issue with WordPress updates is that there is usually no way to specify an auto-update for all your plugins and themes (or indeed for a major WP core release either), though you can homebrew something up with the WP-CLI tool.

    Easy updating, to me, is a *major* selling point - some CMS'es I've seen are utterly appalling when it comes to updates, often requiring days (I'm not kidding) of work to upgrade them.

    1. Ben Tasker

      Re: At least WordPress' updating system is good...

      > Easy updating, to me, is a *major* selling point - some CMS'es I've seen are utterly appalling when it comes to updates, often requiring days (I'm not kidding) of work to upgrade them.

      Unfortunately, even amongst those (like Wordpress and Joomla) with a decent update solution it's not always that cut and dried. There are 'web developers' out there who think nothing of hacking away at the core code in order to achieve their end result - happy client pays out for their new site and then finds the whole thing breaks when they next update (or worse, are advised not to update because it'll break the site).

      Obviously that's less of a risk if you build your own site, or use someone decent, but it happens often enough I figured it was worth mentioning. Some of the core hacks I've seen have been horrible, most have also been pointless in that it would have been no extra work to do them properly (i.e. without touching core code), the developer obviously just didn't know how.

      The worst was a change to Joomla's authentication pages, it took me < 10 minutes to create an authentication plugin to achieve the same end, and without rendering 'protected' areas public at the next update. There's little worse than tidying up someone else's mess.

      1. Richard Lloyd

        Re: At least WordPress' updating system is good...

        > There are 'web developers' out there who think nothing of hacking away at the core code in order to achieve their end result

        Which is why any homebrew solution (yes, I've cooked one up using bash calling WP-CLI where necessary) needs to do the following:

        * Use curl to request the home page and check it comes back with a 200 success code - if it doesn't, don't do any updates (any errors like this need to be e-mailed to someone obviously).

        * Run WP-CLI's "core verify-checksums" to confirm no-one's hacked core code - if it fails the checksums, don't do the updates.

        * Check someone hasn't set up home page redirection in a manner that breaks WP-CLI (yes, it's possible to do that) - again, no updates if there's redirection.

        * Check you can find the WP version with WP-CLI and that it's >= 3.5.2 (WP-CLI doesn't work with older) - again, abort if no version or too old.

        * Backup the Web tree (I exclude wp-content/uploads since core/plugins/themes updates don't touch those) and DB if updates are to be applied.

        * Do your updates (calls to WP-CLI) and re-check the site with curl again for a 200 success code. If it fails, roll back using the Web/DB backups.

        Other tips include removing inactive plugins/themes - if you leave them installed, they *do* still have to be updated! Also add this to wp-config.php to turn off WP's own core auto-updates:

        define('WP_AUTO_UPDATE_CORE',false);

        The steps above are why tweaking WP settings to auto-update much or everything like another poster said, without pre and post update checks, isn't a good idea.
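        The check-backup-update-recheck sequence the poster lists above, written out as an added example in plain sh (this is not the poster's own script). It assumes WP-CLI is installed as `wp` and curl is on PATH; the WordPress path, site URL and backup directory are placeholders passed in by the caller.

```shell
#!/bin/sh
# Added example (not the poster's script): guard rails around WP-CLI updates.
# Assumes "wp" (WP-CLI) and curl on PATH; path, URL and backup dir come from the caller.

# Dotted version compare in plain sh: version_ge HAVE MIN -> true if HAVE >= MIN.
version_ge() {
  have=$1 min=$2
  while [ -n "$have" ] || [ -n "$min" ]; do
    h=${have%%.*}; m=${min%%.*}
    [ "${h:-0}" -gt "${m:-0}" ] && return 0
    [ "${h:-0}" -lt "${m:-0}" ] && return 1
    case $have in *.*) have=${have#*.};; *) have=;; esac
    case $min in *.*) min=${min#*.};; *) min=;; esac
  done
  return 0
}

# Home page must answer 200 directly; curl is not told to follow redirects, so a
# redirect shows up as a 3xx and fails the check (the poster's redirection rule).
site_ok() {
  code=$(curl -s -o /dev/null -w '%{http_code}' "$1") || return 1
  [ "$code" = "200" ]
}

# Archive the web tree minus wp-content/uploads (core/plugin/theme updates never touch it).
backup_tree() {
  tar -cf "$2" --exclude='./wp-content/uploads' -C "$1" .
}

# The poster's sequence: pre-checks, backups, updates, post-check, rollback on failure.
run_update() {
  wp_path=$1 url=$2 bak=$3
  site_ok "$url" || { echo "pre-check: home page not 200, aborting" >&2; return 1; }
  wp core verify-checksums --path="$wp_path" || { echo "core files modified, aborting" >&2; return 1; }
  ver=$(wp core version --path="$wp_path") || { echo "cannot read WP version, aborting" >&2; return 1; }
  version_ge "$ver" 3.5.2 || { echo "WP $ver is too old for WP-CLI, aborting" >&2; return 1; }
  stamp=$(date +%Y%m%d-%H%M%S)
  backup_tree "$wp_path" "$bak/web-$stamp.tar" || return 1
  wp db export "$bak/db-$stamp.sql" --path="$wp_path" || return 1
  wp core update --path="$wp_path" &&
    wp plugin update --all --path="$wp_path" &&
    wp theme update --all --path="$wp_path"
  site_ok "$url" && return 0
  echo "post-check failed, restoring web tree and DB from backup" >&2
  tar -xf "$bak/web-$stamp.tar" -C "$wp_path"
  wp db import "$bak/db-$stamp.sql" --path="$wp_path"
  return 1
}
if [ $# -eq 3 ]; then run_update "$1" "$2" "$3"; fi
```

        Run it as `sh wp-update.sh /var/www/site https://example.invalid /var/backups/site` (placeholder values); combine it with the `WP_AUTO_UPDATE_CORE` setting above so core updates only happen through this path.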

    2. tacitust

      Re: At least WordPress' updating system is good...

      Don't know that offering auto updates of plugins (or to a lesser extent, themes) is a good idea. The majority of plugins are written and maintained by a single programmer without the time or resources (or inclination, sometimes) to perform proper regression tests or provide a safe and secure upgrade path.

      I suspect that plugin auto-updates would cause more problems than they prevent. With the exception of major security issues, I always recommend that WordPress users delay upgrading their plugins for a few days, at least. That way, you allow other, keener (less savvy?) users to test the updated plugin and report problems back to the developer. Then if anything did break, it should be fixed by the time you install it.

      1. Richard Lloyd

        Re: At least WordPress' updating system is good...

        Obviously, you should have a staggered update policy - dev updates first, then UAT updates next (perhaps a day or two later) and then live last (again another day or two gap). You can't leave the live updates too long - plugin security issues are far more common than core WP issues and if a site has a fair number of plugins, chances are you'll see a security update on one or more of them at least weekly.

  2. Anonymous Coward

    No need for upgrade buttons..

    > Weary Wordpress worker-bees are being asked to hit the "Update" button again.

    Nah - if you have a limited set of decent plugins and have set up the site nice and tight you can automate whatever you want. I know of a WP upgrade because a bunch of sites email me a notice that they have upgraded, but naturally I have site backups running every night (just in case someone does screw up).

  3. Anonymous Coward

    "Easy"

    @Richard Lloyd - That's basically what I was going to say, with some added sarcasm. I haven't automated the process, as I only run a handful of WP sites doing things WP was never meant to do. They're more vulnerable to updates than hacks.

    Yeah, I'm frustrated with WP. The very reasons clients want to use it (to move fast and use lots of plugins) are detrimental to good practices. Most don't even use it as a CMS, so these end up being mostly static sites with the complexity/performance/security headaches of a blog/CMS as a "bonus". And, it's harder to find good developers than one would imagine, because they tend to quit WP once they understand it, if they ever touch it at all.

    So yeah, I'm pushing other solutions. But dammit, everyone wants WP.

    1. Stumpy Pepys

      Re: "Easy"

      > Yeah, I'm frustrated with WP. The very reasons clients want to use it (to move fast and use lots of plugins) are detrimental to good practices.

      I understand where you're coming from but what are the realistic alternatives? I fell foul of the mass Drupal hack at the end of last year and never really recovered (I had something like five hours to update the software). The auto-update feature is certainly attractive, even if the security of some of the plugins isn't.

      My company is running its website on a CMS that hasn't been updated for five years. Fortunately it's so obscure (Typo3) that seemingly no one can be arsed trying to attack it.

      1. Anonymous Coward

        Re: "Easy"

        If hackers ever target your company in particular, they'll have an easy time finding holes in Typo3. But that's ok if the worst they can do is vandalize the site, and it's not part of your main revenue stream...

        I definitely wouldn't switch from WP to Drupal, Joomla, or PHP-anything. (BTW, the WP 4.2.3 security fix consisted of a fuckton of regex crap, not unlike that which ushered in the Drupocalypse.) Django is decent but it does get a few XSS patches every year; anything with web-based admin has a questionable future.

        My strategy for smaller sites where I have enough control:

        - Static HTML build process whenever possible

        - Simple PHP header/footer templates (if a build process is impractical)

        - Compartmentalize the hell out of dynamic features (search, comments, user logins, admin logins, etc) so that a hole in some seemingly low-risk feature doesn't yield full control

        Long range plan: bail out of webdev

  4. Mike G

    Wordpress? Turdpress.

    The adobe flash of web applications, a festering and steaming pile of hack attraction.
