WordPress Ideas » Topic: Security Patches for Earlier Versions

Jen Mylo on "Security Patches for Earlier Versions"

Jen Mylo — Mon, 22 Mar 2010 04:06:43 +0000

If you were using 2.5 a year ago, you were already several versions behind. Everything got easier with 2.7, and more so with 2.8 and 2.9. You should just upgrade.

Simon Dickson on "Security Patches for Earlier Versions"

Simon Dickson — Mon, 05 May 2008 11:07:54 +0000

I wholeheartedly agree with StrangeAttractor here. I do a lot of work with large corporations, building complex WordPress-based websites which tend to rely heavily on plugins. But often there's no guarantee that a given plugin will ever be updated, and a new WP release could therefore completely undermine a site's core functionality. I simply can't say to clients: 'go ahead and upgrade, nothing can possibly go wrong.'

The perfect model, surely, is Ubuntu's LTS (long term support): a commitment to keep certain releases patched for an extended period of time (3-5 years).

It means you can guarantee clients that they can keep patching their installations for security, without the risk of breaking key functions. At the moment, we just can't say that.

v2.5 is a landmark release. This would be the ideal time to designate it as LTS. It's the one weak link in the WordPress proposition, and it would be easily closed.

I've written a bit more about this on my own blog:
http://puffbox.com/?p=138

Anatis on "Security Patches for Earlier Versions"

Anatis — Fri, 02 May 2008 18:55:26 +0000

As I am going back to 2.3.3 (I hate 2.5's admin area too much to keep it running!) I vote for security releases for previous versions.

If the admin area doesn't change... then I'm staying on 2.3.3 and sorry, but when one day this version is too outdated to get anything to work... I'll likely install a current version... and if it's no good, I'll be looking for new blog software.

StrangeAttractor on "Security Patches for Earlier Versions"

StrangeAttractor — Wed, 16 Apr 2008 18:14:16 +0000

There's an interesting discussion of security and updates on Matt's most recent entry on his blog:

http://ma.tt/2008/04/securityfocus-sql-injection-bogus/

StrangeAttractor on "Security Patches for Earlier Versions"

StrangeAttractor — Wed, 02 Apr 2008 04:10:02 +0000

Yeah, that's what I've been doing. Actually, mostly sticking with 2.2.3.

dangrey on "Security Patches for Earlier Versions"

dangrey — Fri, 28 Mar 2008 10:54:57 +0000

Use version 2.0 LTS

StrangeAttractor on "Security Patches for Earlier Versions"

StrangeAttractor — Thu, 27 Mar 2008 16:52:53 +0000

One thing that drives me crazy about WordPress are the frequent version upgrades. (I'm glad, of course, that WP continues to evolve.) It can be a real pain to upgrade when you have a lot of customizations and plugins -- and after all, one of the great things about WP is that it is so customizable.

I'm not eager to upgrade some of the sites I've built with older versions of WP -- why fix it if it works?

However, there is the issue of site security, and this is the main motivation to upgrade to a later version. Holes in security are often addressed by the next version.

What I would like is to have the option to simply install a security patch, or a few core files that address the security issues, without upgrading the entire version of an installation.

It seems to me that this is in everyone's interest because many people don't upgrade their installations, and thus are vulnerable to security issues -- which can give WordPress a reputation of being insecure.

Maybe there's already a way to do this (and if so, please post the relevant info), but it certainly isn't obvious.