My post about my experience upgrading to WordPress 2.0.x has generated some interesting comments. Some folks are considering sticking with 1.5.2 indefinitely.
There is one simple reason why you should upgrade: security.
The 1.5 branch of WordPress isn’t getting the security patches that the current development branch is[1]. And even if someone were vigilantly applying patches to the 1.5 branch, that might not even be enough. Security vulnerabilities are reported to Matt and the team directly. If a vulnerability is not present in the latest version, the person maintaining the 1.5 branch might not hear about an issue until after it’s already in the wild.
I understand why people don’t feel the need to upgrade to 2.0.x when they don’t feel they need the new features added in this release. I don’t necessarily agree with all the choices that were made during the 2.0 development cycle either. I’m not here to play apologist for the active WordPress developers - and they certainly don’t need me to.
While I didn’t need any of the new features/changes/etc. that were added in 2.0[2], I do need my web sites to be secure.
I trust Matt, Ryan and the rest of the team to be diligent guardians and custodians of WordPress[3].
1. As far as I can tell.
2. Especially those I’ve spent a day and a half working around.
3. The latest version, at least.
Christiaan adds this Comment:
I started using Wordpress v1.5 on the premise that the features now in v2 would eventuate. If people are fine with 1.5 then good on them, just don’t go trying to put the brakes on the developers for those of us who would like Wordpress to be further developed.
March 13th, 2006 at 1:39 pm
Robert Deaton adds this Comment:
Actually, 1.5 has received all security updates except one patch, which is pending the subversion repository for WordPress being back at work. Check out branches 1.5, and look for either an official release, or Mark Jaquith and I releasing our own rolled up 1.5.3 within the next day or two.
March 13th, 2006 at 1:42 pm
Alex adds this Comment:
Christiaan - I’m afraid I don’t have a clue what you’re talking about…
Robert - that’s good to hear. The “this vulnerability is already fixed in 2.x” sort of thing is the main thing I’m concerned with. I hope that you and Mark get all the security notifications that the “official” team gets.
March 13th, 2006 at 1:51 pm
It’s Equal but It’s Different » Blog Archive » Alguns links não-tão-aleatórios… adds this Pingback:
[…] Why You Should Upgrade Your WordPress Install, Ch-ch-ch-changes in WordPress 2.0.x and Upgrading WordPress; […]
March 13th, 2006 at 3:01 pm
Surronded adds this Comment:
My 2.0.2 works perfectly, no problem here.
March 13th, 2006 at 3:36 pm
Alex adds this Comment:
I’m not saying that 2.0.2 doesn’t work, I’m saying that it works differently in ways that broke things I’d done in 1.5.x and versions prior.
March 13th, 2006 at 4:57 pm
Matt Keegan adds this Comment:
One reason I am sticking with 1.52 with one site is that my upgrade to 2.01 and today to 2.02 has been nasty. Specifically, the flipping “Write Post” function is screwed up. I can only center my documents, the italicized icon is missing, I can only insert a picture with img tag, not the icon, etc. A real pain in the butt and it still doesn’t work.
So, please don’t be so hard on those of us who are holding back. We love WP, but not the quirks with the updates.
March 13th, 2006 at 5:50 pm
Alex adds this Comment:
Go into your Options - Write and turn off the rich text editor, that was the first thing I did.
March 13th, 2006 at 5:52 pm
Matt Keegan adds this Comment:
Woohoo! Many thanks to Alex King for the tip!!! It works…
Now I no longer am gnashing my teeth every time I create a thread. Looks like I’ll be updating my two other WP blogs too.
Thanks again!
March 13th, 2006 at 6:02 pm
Alex adds this Comment:
I prefer to replace the included quicktags.js with the one from my site too - if you want to check out an extended version of the Quicktags.
March 13th, 2006 at 6:04 pm
Ajay D'Souza adds this Comment:
Following Robert Deaton’s suggestion, instead of upgrading to 2.0.2, I just svned up to the 1.5 branch.
Currently my site shows a 1.5.3-beta1
I’m hoping that one security vulnerability is fixed soon.
I’m reluctant to upgrade to 2.0.x because I know a lot of my plugins will break, which means back to looking for alternatives!!!
March 13th, 2006 at 6:18 pm
Robert Deaton adds this Comment:
I hope that you and Mark get all the security notifications that the “official” team gets.
We don’t get the emails to security@ that the WordPress team gets, we do however watch the subversion commits and therefore can surmise what holes there are (And the fact that each of us reported at least one helped speed things up a bit as well).
Currently, the only one not fixed in the 1.5.3-beta that’s in subversion is one with wp-register, so if you have public registration disabled, you do not need to worry. As soon as WP’s subversion server is working again, we’re hoping Ryan will commit the patch.
March 13th, 2006 at 7:00 pm
Alex adds this Comment:
Watching the SVN commits will allow you to see a lot of security related stuff, however if a big section of code is changed and a security hole was found in the old way that it worked, I could see the following happening:
1. Someone reports the issue to security@
2. Someone gets that e-mail and tests against the latest code
3. They find that no patch is needed
4. You are not aware of the problem until someone posts the vulnerability on a public board
March 13th, 2006 at 7:11 pm
Ajay D'Souza adds this Comment:
Robert, is someone patching the 1.5 install or does Matt do it?
You have given me good news about the problem being with wp-register. I got that disabled.
Alex,
I guess we should get Matt or the others in the WordPress team to inform those maintaining 1.5 about security patches so that the needful can be done.
What do you think?
March 14th, 2006 at 12:44 am
Alex adds this Comment:
I think it’s an uphill battle.
March 14th, 2006 at 10:09 am
Eduo adds this Comment:
In my case I installed WP 2.0 as soon as it was final, not because I wanted it badly or anything but because from day zero my blog has been more an experiment than an actual place for people to visit and be interested. I actually had the tagline as “Nothing to see, move along…”.
I installed it because I wanted to tinker with it and because some friends wanted help setting it up, and I just took it from there and have been helping them along.
To half of them I’ve actually recommended staying with 1.5, the other half had already upgraded when they came for help and so I try to keep on top of things and help them get plug-ins working and themes displaying correctly.
As usual, it all depends on what you want and need. If you’re running 1.5 currently and are satisfied with it by all means stick with it. If you’re setting up a new blog from scratch then by all means go with 2.0. And if your sole reason for staying with 1.5 is the rich editor (a religious debate if I ever saw one) then you need to document yourself. I only enable the rich editor when I need to help someone troubleshoot his (and am currently looking at extending it to add support for footnotes and lightbox flags)
March 14th, 2006 at 12:06 pm
John Tokash’s Blog » Response to Scoble’s Fun Challenge adds this Pingback:
[…] Alex King has an argument (security) for staying on the latest version of WordPress. I’ve been upgrading regularly with no ill effects. […]
March 14th, 2006 at 1:28 pm
Red rose ramblings » Wordpress 2.0.2 adds this Pingback:
[…] I upgraded due to security concerns mentioned at AlexKing.org. Frankly, if this site stops working I’ll be a little miffed. If the Fulwood site dies, I’ll be livid. […]
March 14th, 2006 at 3:32 pm
Lorelle on WordPress » Good Reasons to Upgrade WordPress adds this Pingback:
[…] Alex King explains why you should upgrade WordPress, with some interesting explanations on the changes in WordPress. There is one simple reason why you should upgrade: security. […]
March 15th, 2006 at 8:00 am
my weblog » Caught in the World adds this Pingback:
[…] Alex writes Why you should upgrade your WordPress install to 2.0.2 because of this. […]
March 15th, 2006 at 8:31 am
Amit adds this Comment:
well, there’s only one thing holding me back, WP-Cache2 doesn’t work with WP2.x!!
March 15th, 2006 at 3:53 pm
Mark Jaquith adds this Comment:
/branches/1.5/ has now gotten the last security fix needed. If it isn’t released officially, it will be released unofficially. That doesn’t mean that 1.5 will be carried along forever… this is just so that people who have issues with upgrading (like with plugins) can have a little extra time. One caveat, however… if you let untrusted users submit posts or post drafts on your WP 1.5.2 site, you NEED to upgrade to 2.0.2 now. This is insecure, and will NOT be fixed in any 1.5.x version that is released. It would simply require too much work… essentially creating a “WP 1.9”
And Amit, WP-Cache2 works just fine with WP 2.x for me… and I’ve implemented it probably half a dozen times on 2.x
March 15th, 2006 at 9:19 pm
Keeping Tabs On My Links at Botsmack adds this Pingback:
[…] Alex King - Why You Should Upgrade Your Wordpress Install […]
March 17th, 2006 at 12:54 pm
» Not convinced? Why you need WordPress 2.0.2 adds this Pingback:
[…] Alex King probably says it best in his blog. Upgrading is necessary if only to ensure your websites to be secure. If that doesn’t convince you, you probably don’t care about losing your blog to backdoor hungry hackers. Are you willing to risk it? […]
March 17th, 2006 at 8:52 pm
orangeguru adds this Comment:
When a big number of long time users don’t upgrade to WP2.x then there are serious reasons.
I read here and other blogs some voices that shun these ‘non-upgraders’. This is not only very stupid, but also very arrogant.
Most people in the past upgraded almost instantly when a new release came out. But WP2.x simply took several wrong turns - and now some devs / fans are pissed off because not everybody is loving these turns. Shunning these users is the worst thing you could do.
IMHO WP2.x is a wankfest for AJAXculation - it leaves behind a lot of the simplicity of WP1.5. Instead of making the software more functional it mostly got only ‘cooler’ to use.
It all reminds me of the big Movable Type disaster a few years ago - when many bloggers moved from MT to WP. Many did this because of the bad communication from SixApart - but also because WP was simply better and more FUNCTIONAL. MT always looked cooler - you could feel the Mac designers behind it.
But people didn’t care about the glitzy interface, but were impressed by WP’s usability and many addons.
I am running for example a groupblog with about 15 to 25 users (it always fluctuates a bit). It’s mostly images (about 6.000) and about 4.000 postings. I tested Wp2.x with a testgroup and it was a living nightmare, the whole picture uploading has serious interface issues as well as the ‘almost smart’ editor with its funny code corrections.
Content / Image Management isn’t WP’s strong side - but the current halfsmart solutions are worse than no management features at all.
Wp2.x is a fine release. Nothing is broken there, but some of the new stuff is ‘unwanted’ and only half usable. Instead of Web 2.0 fever I would recommend listening to the less exciting and uncool other ‘half’ of your user base. And don’t condemn or confront them for ‘holding you geeks’ back …
Thanks for reading.
March 19th, 2006 at 8:52 am
adam adds this Comment:
what orangeguru said.
WP2.x was a bad idea, and enough progress has still not been made for it to be worth it for me. it still runs like shit on IIS setups (what i have). until a major stability release happens, i’ll keep dealing with SVN and possible security risks.
March 26th, 2006 at 5:33 pm
Marc adds this Comment:
I think the jump is well worth it.
June 2nd, 2006 at 10:50 am