Everyone who runs a site on the WordPress CMS platform hopefully noticed that WordPress 3.1 (also known as Reinhardt) is now available. Now you're probably asking yourself: how soon do I need to upgrade to keep my WordPress site secure?
My typical practice is to wait about 2 weeks after an update before applying it to my important sites. I make exceptions if I notice high-priority security vulnerabilities mentioned in the WordPress version upgrade description. Looking at the v3.1 upgrade information gave me the impression that this upgrade is primarily an appearance and functionality enhancement rather than an upgrade that must be applied rapidly to ensure security.
Some small security changes I see referenced in WordPress v3.1 include streamlining the email reset process to make it more efficient, although this mainly affects user experience (which is important) and is not a direct security improvement per se. Another change I noticed is that more granular controls have been added to the administrative sections to help sites with multiple administrators restrict and refine who accesses which part of WordPress administration. Specifically, the Super Admin menus and related pages have been moved out of the regular wp-admin/ path and now reside in the wp-admin/network/ path.
When should you upgrade to WordPress 3.1?
Recent WordPress upgrades have been so smooth that many administrators upgrade right away, forgetting that things can go wrong and cause site downtime during the process. This is a reasonable approach if you ensure you have a working backup before proceeding (which you should always do) and have sufficient time to troubleshoot if something goes wrong. I plan on waiting 2-3 weeks before upgrading to WordPress version 3.1 and predict that a new update will be available before I upgrade because so many functionality enhancements have been implemented.
Caption provided by http://www.flickr.com/photos/ell-r-brown/
Newton's Law, or some distant relative of his, smacked me in the face today when I logged into my site administration panel and saw that WordPress version 3.0.2 was now available for install. After all, I just finished my post about WordPress Security Plugins and 3.0.1 compatibility, and now we have a new version to deal with. Such is life, but now we have a working example to apply some information security principles regarding upgrades.
You are probably asking yourself: when should I upgrade to WordPress version 3.0.2?
I have looked at the WordPress security vulnerabilities addressed in the upgrade from 3.0.1 to 3.0.2 and none appear urgent enough to require an immediate upgrade. I recommend waiting two weeks to perform the upgrade unless news of 3.0.1 exploits in the wild calls for a quicker upgrade timeframe. That means I will be looking to update my site around 12/15, which should leave plenty of time for any high-impact bugs to be discovered and resolved.
Things to do before you upgrade to WordPress version 3.0.2
- Perform a full backup of your WordPress database. If you are using an automated backup plugin and have tested it, you are good to go; otherwise you may want to read the official WordPress backup guidance.
- The WordPress documentation recommends disabling plugins prior to upgrading to a new version to prevent an incompatible plugin from making your site inaccessible. This is prudent advice but adds to your administrative burden, so my advice is to be aware that it is a risk and be ready to manually disable the plugin via your web hosting account should the need arise. This is a practical risk mitigation step that avoids the extra work of disabling a lot of plugins.
- You are now ready to update your site, and for most of you that will mean using the automatic update feature. If by chance you are doing a manual update, be sure to clean up the maintenance file as WordPress recommends.
You are now ready to test your site and validate that it is operating as expected. If you have a caching plugin enabled, be sure to clear the cache so you are working with the current version of WordPress and do not become confused. High value sites with large audiences might also want to consider testing the upgrade on a test site that mirrors their production site and installing the upgrade during off hours (defined by their particular audience geography) to minimize potential disruption.
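The pre-upgrade steps above (database backup, then a clean manual update that leaves no stale maintenance file behind) can be scripted. The following POSIX shell helper is an added example and is not code from the original post or from the WordPress project. It assumes the standard define('DB_NAME', '...') layout in wp-config.php, that mysqldump is installed on the host, and that the site root is passed as the first argument; it builds the dump command rather than running it, writing the database password to a 0600 option file so it never shows up in the process list.

```shell
#!/bin/sh
# Added example (not from the original post): pre-upgrade helper for a
# WordPress site. Reads DB credentials from wp-config.php, writes them to a
# 0600 MySQL option file, prints the installed version, builds the mysqldump
# command, and clears a stale .maintenance file from an interrupted upgrade.

# Print the value of a define()'d constant (DB_NAME, DB_USER, DB_PASSWORD, DB_HOST).
wp_config_value() {
    # $1 = path to wp-config.php, $2 = constant name
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Print the installed WordPress version from wp-includes/version.php.
wp_version() {
    # $1 = site root
    sed -n "s/^[[:space:]]*[$]wp_version[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1/wp-includes/version.php" | head -n 1
}

# Write a MySQL option file readable only by the current user (umask 077),
# so the password is never passed on the mysqldump command line.
write_mysql_defaults() {
    # $1 = wp-config.php, $2 = output path
    old_umask=$(umask)
    umask 077
    {
        echo "[client]"
        echo "user=$(wp_config_value "$1" DB_USER)"
        echo "password=$(wp_config_value "$1" DB_PASSWORD)"
        echo "host=$(wp_config_value "$1" DB_HOST)"
    } > "$2"
    umask "$old_umask"
}

# Print the mysqldump command that backs up the site database to $3.
# --defaults-extra-file must be the first option for the MySQL client tools.
dump_command() {
    # $1 = wp-config.php, $2 = option file, $3 = dump output path
    printf 'mysqldump --defaults-extra-file=%s --single-transaction %s > %s\n' \
        "$2" "$(wp_config_value "$1" DB_NAME)" "$3"
}

# Remove a stale .maintenance file left by an interrupted manual upgrade.
# Prints "removed" if a file was deleted, "none" otherwise.
clear_maintenance() {
    # $1 = site root
    if [ -f "$1/.maintenance" ]; then
        rm -f "$1/.maintenance" && echo removed
    else
        echo none
    fi
}

# Full pre-upgrade run against the site root given on the command line.
pre_upgrade() {
    cfg="$1/wp-config.php"
    stamp=$(date +%Y%m%d-%H%M%S)
    defaults="$HOME/.wp-backup.cnf"   # hypothetical location for the option file
    write_mysql_defaults "$cfg" "$defaults"
    echo "Installed WordPress version: $(wp_version "$1")"
    echo "Database backup command:"
    dump_command "$cfg" "$defaults" "$HOME/wp-db-$stamp.sql"
    echo "Maintenance file: $(clear_maintenance "$1")"
}

# Run only when a site root is supplied, e.g.: sh pre_upgrade.sh /var/www/html
if [ -n "${1:-}" ]; then
    pre_upgrade "$1"
fi
```

Run it before the automatic update and keep the generated dump somewhere outside the web root; the .maintenance cleanup matters only after a manual update that was interrupted, since a completed automatic update removes the file itself.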