Over the last 6 months we have had a few clients want to delay upgrading to the latest version of WordPress. They didn’t see any urgency to upgrade because there were no immediate security concerns addressed in the update that affected their site.
I can certainly understand this thinking. When upgrading you need to spend time re-testing custom functionality, perhaps take the site down briefly, and address any post-upgrade issues that might have snuck through the initial QA process. When the site is reasonably complex, it takes time. I can understand this thinking, but it’s wrong.
Any time you are running an application in production, you need to keep yourself in position to apply security patches immediately upon release. For WordPress, this means always running the latest version.
While the current new release may not include any security patches, it’s still important to upgrade quickly. You never know when a new security patch may be released. With WordPress, these patches are released as new point versions (3.2.x) of the most recent version (3.2). If you delay upgrading because there were no security issues addressed in a specific release, you can easily find yourself in a position where you need to urgently upgrade through several releases in order to apply the security patches in the latest release.
That kind of fire drill is a recipe for trouble and sometimes it just isn’t feasible. If this happens, you may end up running code with known vulnerabilities for several days while you get everything in place and tested to push the upgrade to your live site. That’s a bad place to be.
You want to be performing upgrades to major feature releases on your schedule. This allows the upgrade process to be organized, well-tested and (hopefully) without incident. You also benefit from smaller functional deltas – fewer changes to test against makes the testing easier.
Performing upgrades as soon as they are available is the best way to keep your site secure and running smoothly. Do it.
Alex King: Upgrading WordPress ALL THE TIME is a Security Best-Practice http://t.co/19d1WyCq
For sites that keep a development version and a production version running side by side (and there are a lot of them), I would actually suggest either running the development version on trunk or making a third version to run on trunk. Set it up via SVN and have it update automatically every day.
This gives you an advantage when it comes to production upgrades, in that you have a copy of the latest and greatest code running all the time, and can see exactly when something custom for your system breaks down, then proactively fix it, potentially months before the WordPress release date. A couple months head start on problems is a *BIG* advantage to get.
It also encourages better code since you tend to code for forward-compatibility. If you’re running your code on a system that upgrades *daily*, then you naturally gravitate towards code that doesn’t break very often.
Furthermore, seeing the WordPress core code change on a day to day basis can encourage people to get involved in core, as well as give them new ideas to best take advantage of “coming soon” features.
Everybody who is a WordPress developer should be running at least one test site on trunk. It’s just a good thing to try your hand at.
Having a development version that is always on trunk is a good idea – but that should be a different environment from your staging/test environment.
Completely agree that all WordPress devs should have a test trunk install. I generally end up with a new one every time I want to maintain a potential core patch.
Uggghh, I hate upgrading WordPress, lol. I have a few personal sites of my own and I have to admit that I’m bad with upgrading. I at least try to maintain the sites that I work with more often. I’ve seen horror stories from friends though, having their sites hacked and them not having recent backups, etc. and I always think “wow, that would really suck.” And then I don’t take my own proper precautions. I wish there was an auto-upgrade feature.