Remind HN: Update your wordpress sites

41 pointsspocked10y ago35 comments

Wordpress released version 4.2.2 a week ago with some important security updates. As someone who owns multiple WP installs, it is critical for me to get these updated asap. I am sure there are quite a few members on HN that fall in this category too.

35 comments

rob10y ago

And if you manage multiple WordPress websites, try something like InfiniteWP. It takes care of updating core, plugins, and themes. We use it to manage about 23 WordPress websites and being able to update all of your websites with a couple of clicks is an incredible timesaver. We still do manually review everything though (like changelogs, making sure the site still loads and isn't a WSOD, etc.)

We like InfiniteWP because it's free and we can host it ourselves (we've had no need for their paid addons), but there's also other solutions like MainWP, ManageWP, WP Remote, iControlWP, CMS Commander, etc. I think most (if not all) of those are hosted and paid / free trial.

liotier10y ago

Or let your Linux distribution handle the multi-site Wordpress hosting for you... Thank you Debian !

ozh10y ago

As someone who owns multiple WP installs, I have added "define( 'WP_AUTO_UPDATE_CORE', true );" to all my wp-config.php files so that all my installs automatically self update with ALL future updates, minor & major

Fradow10y ago

It is great in theory. In practice, the last auto-update caused a WSOD on my site without any helpful debug log (both on WP and server log) until I manually disabled a (popular) plugin by editing its php file.

I wonder how a less tech-savy person would have resolved that. Even being tech-savy, I had to ask someone for help.

Updates of core and plugins are always very scary to me.

Mojah10y ago

It's a system that's based on trust, but the auto-update that is active in WordPress has saved millions of sites of getting hacked in the last few weeks: https://ma.ttias.be/in-defence-of-wordpress/

As soon as something major breaks by those auto-updates, the trust is over and a lot of users will disable it. That would be a shame indeed, because besides a couple of WSOD's some users may experience, it's an extremely powerful feature.

federicobond10y ago

There is also "define( 'WP_AUTO_UPDATE_CORE', 'minor' );" which should break a lot less.

makeitsuckless10y ago

As someone who hasn't bothered with WP in a long while, is there any way to do this safely whilst still using 3rd party plugins and themes?

girvo10y ago

Depends on the themes and the plugins. Basically: not really, but if you've used a small subset of themes and plugins you should be okay.

mobiplayer10y ago

How does it check for new versions? Could it be MITM'd? :-)

I've personally no idea, but I hope you asked yourself those questions.

joeyspn10y ago

I'm not a big fan of wordpress but it is undoubtedly a great tool to have in your toolbox, specially when your customers need user-friendly blogging tools or a quick CMS. I've installed for some of my clients Django blogs (with Django-CMS), rails-based blogs, and even a couple of Ghost installs. Nothing has beaten wordpress so far, clients love its versatility...

What I do to fly under the radar of many of the bots and automated scripts targeting wordpress sites is using a modern wp framework: roots bedrock[0]. This gives you a convenient time windows to update wp when you have the time (although with bedrock it is really easy with a couple of commands)

[0] https://roots.io/bedrock/

runarb10y ago

For the first time I got an email from my Wordpress installation yesterday, asking me to update. Have not seen that before. A nice detail I appreciate, so I don't have to keep up with what i the latest release of Wordpress at all times.

aram10y ago

Interesting, AFAIK it's not something in the core. Which security plugin are you using?

runarb10y ago

I am not running any security plugins. I just had a look on the email headers, and it was sent from my server, so this must have come from Wordpress somehow. It is also the first one I have gotten.

The email seed:

Subject: [{my website} Wordpress MU] WordPress 4.2.2 is available. Please update!

Please update your site at http://{my websites url}.com to WordPress 4.2.2.

Updating is easy and only takes a few moments: http://{my websites url}.com/wp-admin/network/update-core.php

If you experience any issues or need support, the volunteers in the WordPress.org support forums may be able to help. https://wordpress.org/support/

Keeping your site updated is important for security. It also makes the internet a safer place for you and your readers.

The WordPress Team

I have the following plugins installed: All In One SEO Pack, FeedWordPress, Github Ribbon, Hello Dolly, Revision Control, Unfiltered MU, WordPress Importer and WP-Polls.

Maybe it originated from one of them?

1 more reply

listic10y ago

Does Wordpress release security update for those who stick to older versions?

infinitelurker10y ago

Yes, currently back to 3.7.x

https://codex.wordpress.org/WordPress_Versions

onion2k10y ago

Wordpress only has one track, which is the only one that gets updates. Once a new major release is available all support for the previous release ends. If you want the most secure version you need to be on the latest (4.2.2).

toxican10y ago

Um, no? They do security updates for the last couple of versions of Wordpress. They even extend that to the last couple versions of their stock theme when they require an update.

fletchowns10y ago

How come you stick to older versions?

gesman10y ago

I usually skip N.N.0 but update everything when N.N.2+ comes out.

falcolas10y ago

4.2 and 4.2.1 contained a lot of vulnerability fixes from 4.1.n - when it comes to an operating system, err, blogging platform, it's not a bad idea to keep on top of your updates.

gauravnews1210y ago

if i am not update. Get any problem on my website??

spockedOP10y ago

https://wordpress.org/news/2015/05/wordpress-4-2-2/

This is a critical security release. The cross-site scripting vulnerability lets a commenter compromise your website.

ghubbard10y ago

The exploit is described and demonstrated in a video on the site of the discoverer: http://klikki.fi/adv/wordpress2.html

NewsReader4210y ago

or just remove wordpress and use something secure, not bloated and easier to develop with.

arsenide10y ago

Would you mind elaborating on what you mean by "bloated," and could you give an example of something "easier to develop with?", explaining why it is "easier" to use?

ereckers10y ago

They usually mean some blog engine that was just released a few weeks ago that doesn't do anything.

falcolas10y ago

My definition of bloated: any web platform which includes its own cron system.

adam7410y ago

A lot of people who run Wordpress have clients who need a nice, easy user interface to be able to update their site. Do you have any suggestions for software that fulfills that need and is "secure, not bloated and easier to develop with".

jon-wood10y ago

> A lot of people who run Wordpress have clients who need a nice, easy user interface to be able to update their site.

This is clearly opinion, and should be taken as such, but I absolutely loathe Wordpress' admin interface. I'm sure at some point it was a nice, easy user interface but those days have passed. Anytime I have the misfortune of being thrown into a Wordpress backend I have no idea how to get anything done.

2 more replies

ryan-c10y ago

Not for everyone, but I rageported my wordpress site over to pelican one too many instances of it running slowly for no apparent reason. It's great if you're willing to author content in markdown or restructured text.

jqm10y ago

Mezzanine. And it is a joy to work with.

1 more reply

j / k navigate · click thread line to collapse

35 comments

rob10y ago

liotier10y ago

Or let your Linux distribution handle the multi-site Wordpress hosting for you... Thank you Debian !

ozh10y ago

Fradow10y ago

I wonder how a less tech-savy person would have resolved that. Even being tech-savy, I had to ask someone for help.

Updates of core and plugins are always very scary to me.

Mojah10y ago

It's a system that's based on trust, but the auto-update that is active in WordPress has saved millions of sites of getting hacked in the last few weeks: https://ma.ttias.be/in-defence-of-wordpress/

federicobond10y ago

There is also "define( 'WP_AUTO_UPDATE_CORE', 'minor' );" which should break a lot less.

makeitsuckless10y ago

As someone who hasn't bothered with WP in a long while, is there any way to do this safely whilst still using 3rd party plugins and themes?

girvo10y ago

Depends on the themes and the plugins. Basically: not really, but if you've used a small subset of themes and plugins you should be okay.

mobiplayer10y ago

How does it check for new versions? Could it be MITM'd? :-)

I've personally no idea, but I hope you asked yourself those questions.

joeyspn10y ago

[0] https://roots.io/bedrock/

runarb10y ago

aram10y ago

Interesting, AFAIK it's not something in the core. Which security plugin are you using?

runarb10y ago

I am not running any security plugins. I just had a look on the email headers, and it was sent from my server, so this must have come from Wordpress somehow. It is also the first one I have gotten.

The email seed:

Subject: [{my website} Wordpress MU] WordPress 4.2.2 is available. Please update!

Please update your site at http://{my websites url}.com to WordPress 4.2.2.

Updating is easy and only takes a few moments: http://{my websites url}.com/wp-admin/network/update-core.php

If you experience any issues or need support, the volunteers in the WordPress.org support forums may be able to help. https://wordpress.org/support/

Keeping your site updated is important for security. It also makes the internet a safer place for you and your readers.

The WordPress Team

I have the following plugins installed: All In One SEO Pack, FeedWordPress, Github Ribbon, Hello Dolly, Revision Control, Unfiltered MU, WordPress Importer and WP-Polls.

Maybe it originated from one of them?

1 more reply

listic10y ago

Does Wordpress release security update for those who stick to older versions?

infinitelurker10y ago

Yes, currently back to 3.7.x

https://codex.wordpress.org/WordPress_Versions

onion2k10y ago

toxican10y ago

Um, no? They do security updates for the last couple of versions of Wordpress. They even extend that to the last couple versions of their stock theme when they require an update.

fletchowns10y ago

How come you stick to older versions?

gesman10y ago

I usually skip N.N.0 but update everything when N.N.2+ comes out.

falcolas10y ago

4.2 and 4.2.1 contained a lot of vulnerability fixes from 4.1.n - when it comes to an operating system, err, blogging platform, it's not a bad idea to keep on top of your updates.

gauravnews1210y ago

if i am not update. Get any problem on my website??

spockedOP10y ago

https://wordpress.org/news/2015/05/wordpress-4-2-2/

This is a critical security release. The cross-site scripting vulnerability lets a commenter compromise your website.

ghubbard10y ago

The exploit is described and demonstrated in a video on the site of the discoverer: http://klikki.fi/adv/wordpress2.html

NewsReader4210y ago

or just remove wordpress and use something secure, not bloated and easier to develop with.

arsenide10y ago

Would you mind elaborating on what you mean by "bloated," and could you give an example of something "easier to develop with?", explaining why it is "easier" to use?

ereckers10y ago

They usually mean some blog engine that was just released a few weeks ago that doesn't do anything.

falcolas10y ago

My definition of bloated: any web platform which includes its own cron system.

adam7410y ago

jon-wood10y ago

> A lot of people who run Wordpress have clients who need a nice, easy user interface to be able to update their site.

2 more replies

ryan-c10y ago

jqm10y ago

Mezzanine. And it is a joy to work with.

1 more reply

j / k navigate · click thread line to collapse