My post about my experience upgrading to WordPress 2.0.x has generated some interesting comments. Some folks are considering sticking with 1.5.2 indefinitely.
There is one simple reason why you should upgrade: security.
The 1.5 branch of WordPress isn’t getting the security patches that the current development branch is. And even if someone were vigilantly applying patches to the 1.5 branch, that might not even be enough. Security vulnerabilities are reported to Matt and the team directly. If a vulnerability is not present in the latest version, the person maintaining the 1.5 branch might not hear about an issue until after it’s already in the wild.
I understand why people don’t feel the need to upgrade to 2.0.x when they don’t feel they need the new features added in this release. I don’t necessarily agree with all the choices that were made during the 2.0 development cycle either. I’m not here to play apologist for the active WordPress developers – and they certainly don’t need me to.
While I didn’t need any of the new features/changes/etc. that were added in 2.02, I do need my web sites to be secure.
I trust Matt, Ryan and the rest of the team to be diligent guardians and custodians of WordPress.
I started using WordPress v1.5 on the premise that the features now in v2 would eventuate. If people are fine with 1.5 then good on them, just don’t go trying to put the brakes on the developers for those of us who would like WordPress to be further developed.
Actually, 1.5 has received all security updates except one patch, which is pending the subversion repository for WordPress being back at work. Check out branches 1.5, and look for either an official release, or Mark Jaquith and I releasing our own rolled up 1.5.3 within the next day or two.
Christiaan – I’m afraid I don’t have a clue what you’re talking about…
Robert – that’s good to hear. The “this vulnerability is already fixed in 2.x” sort of thing is the main thing I’m concerned with. I hope that you and Mark get all the security notifications that the “official” team gets.
[…] Why You Should Upgrade Your WordPress Install, Ch-ch-ch-changes in WordPress 2.0.x and Upgrading WordPress; […]
My 2.0.2 works perfectly, no problem here.
I’m not saying that 2.0.2 doesn’t work, I’m saying that it works differently in ways that broke things I’d done in 1.5.x and versions prior.
One reason I am sticking with 1.52 with one site is that my upgrade to 2.01 and today to 2.02 has been nasty. Specifically, the flipping “Write Post” function is screwed up. I can only center my documents, the italicized icon is missing, I can only insert a picture with img tag, not the icon, etc. A real pain in the butt and it still doesn’t work.
So, please don’t be so hard on those of us who are holding back. We love WP, but not the quirks with the updates.
Go into your Options – Write and turn off the rich text editor, that was the first thing I did. 🙂
Woohoo! Many thanks to Alex King for the tip!!! It works…
Now I no longer am gnashing my teeth every time I create a thread. Looks like I’ll be updating my two other WP blogs too.
Thanks again! 😉
I prefer to replace the included quicktags.js with the one from my site too – if you want to check out an extended version of the Quicktags.
Following Robert Deaton’s suggestion, instead of upgrading to 2.0.2, I just svned up to the 1.5 branch.
Currently my site shows a 1.5.3-beta1
I’m hoping that one security vulnerability is fixed soon.
I’m reluctant to upgrade to 2.0.x because I know a lot of my plugins will break, which means back to looking for alternatives!!!
I hope that you and Mark get all the security notifications that the “official” team gets.
We don’t get the emails to security@ that the WordPress team gets, we do however watch the subversion commits and therefore can surmise what holes there are (And the fact that each of us reported at least one helped speed things up a bit as well).
Currently, the only one not fixed in the 1.5.3-beta that’s in subversion is one with wp-register, so if you have public registration disabled, you do not need to worry. As soon as WP’s subversion server is working again, we’re hoping Ryan will commit the patch.
Watching the SVN commits will allow you to see a lot of security related stuff, however if a big section of code is changed and a security hole was found in the old way that it worked, I could see the following happening:
1. Someone reports the issue to security@
2. Someone gets that e-mail and tests against the latest code
3. They find that no patch is needed
4. You are not aware of the problem until someone posts the vulnerability on a public board
Robert, is someone patching the 1.5 install or does Matt do it?
You have given me good news about the problem being with wp-register. I got that disabled.
Alex,
I guess we should get Matt or the others in the WordPress team to inform those maintaining 1.5 about security patches so that the needful can be done.
What do you think?
I think it’s an uphill battle. 🙂
In my case I installed WP 2.0 as soon as it was final, not because I wanted it badly or anything but because from day zero my blog has been more an experiment than an actual place for people to visit and be interested. I actually had the tagline as “Nothing to see, move along…”.
I installed it because I wanted to tinker with it and because some friends wanted help setting it up, and I just took it from there and have been helping them along.
To half of them I’ve actually recommended staying with 1.5, the other half had already upgraded when they came for help and so I try to keep on top of things and help them get plug-ins working and themes displaying correctly.
As usual, it all depends on what you want and need. If you’re running 1.5 currently and are satisfied with it by all means stick with it. If you’re setting up a new blog from scratch then by all means go with 2.0. And if your sole reason for staying with 1.5 is the rich editor (a religious debate if I ever saw one) then you need to document yourself. I only enable the rich editor when I need to help someone troubleshoot his (and am currently looking at extending it to add support for footnotes and lightbox flags)
[…] Alex King has an argument (security) for staying on the latest version of WordPress. I’ve been upgrading regularly with no ill effects. […]
[…] I upgraded due to security concerns mentioned at AlexKing.org. Frankly, if this site stops working I’ll be a little miffed. If the Fulwood site dies, I’ll be livid. […]
[…] Alex King explains why you should upgrade WordPress, with some interesting explanations on the changes in WordPress. There is one simple reason why you should upgrade: security. […]
[…] Alex writes Why you should upgrade your WordPress install to 2.0.2 because of this. […]
well, there’s only one thing holding me back, WP-Cache2 doesn’t work with WP2.x!! 🙁
/branches/1.5/ has now gotten the last security fix needed. If it isn’t released officially, it will be released unofficially. That doesn’t mean that 1.5 will be carried along forever… this is just so that people who have issues with upgrading (like with plugins) can have a little extra time. One caveat, however… if you let untrusted users submit posts or post drafts on your WP 1.5.2 site, you NEED to upgrade to 2.0.2 now. This is insecure, and will NOT be fixed in any 1.5.x version that is released. It would simply require too much work… essentially creating a “WP 1.9”
And Amit, WP-Cache2 works just fine with WP 2.x for me… and I’ve implemented it probably half a dozen times on 2.x
[…] Alex King – Why You Should Upgrade Your WordPress Install […]
[…] Alex King probably says it best in his blog. Upgrading is necessary if only to ensure your websites to be secure. If that doesn’t convince you, you probably don’t care about losing your blog to backdoor hungry hackers. Are you willing to risk it? […]
When a big number of long time users don’t upgrade to WP2.x then there are serious reasons.
I read here and other blogs some voices that shun these ‘non-upgraders’. This is not only very stupid, but also very arrogant.
Most people in the past upgraded almost instantly when a new release came out. But WP2.x simply took several wrong turns – and now some devs / fans are pissed off because not everybody is loving these turns. Shunning these users is the worst thing you could do.
IMHO WP2.x is a wankfest for AJAXculation – it leaves behind a lot of the simplicity of WP1.5. Instead of making the software more functional it mostly got only ‘cooler’ to use.
It all reminds me of the big Movable Type disaster a few years ago – when many bloggers moved from MT to WP. Many did this because of the bad communication from SixApart – but also because WP was simply better and more FUNCTIONAL. MT always looked cooler – you could feel the Mac designers behind it.
But people didn’t care about the glitzy interface, but were impressed by WP’s usability and many addons.
I am running for example a groupblog with about 15 to 25 users (it always fluctuates a bit). It’s mostly images (about 6.000) and about 4.000 postings. I tested Wp2.x with a testgroup and it was a living nightmare, the whole picture uploading has serious interface issues as well as the ‘almost smart’ editor with its funny code corrections.
Content / Image Management isn’t WP’s strong side – but the current halfsmart solutions are worse than no management features at all.
Wp2.x is a fine release. Nothing is broken there, but some of the new stuff is ‘unwanted’ and only half usable. Instead of Web 2.0 fever I would recommend listening to the less exciting and uncool other ‘half’ of your user base. And don’t condemn or confront them for ‘holding you geeks’ back …
Thanks for reading.
what orangeguru said.
WP2.x was a bad idea, and enough progress has still not been made for it to be worth it for me. it still runs like shit on IIS setups (what i have). until a major stability release happens, i’ll keep dealing with SVN and possible security risks.
I think the jump is well worth it.
2 and a half years later and I know several hundred still on 1.5.