Improved Security When Upgrading WordPress Not Automatic

One click WordPress upgrades are convenient. They fit right in with how I describe blogging platforms to the uninitiated: They make web publishing simple for people of modest technical means.

Some web hosts include the Fantastico module which also allows for one click upgrades of WordPress. I’ve used it many times. It is (usually) faster than upgrading manually.

However there is a serious shortcoming with the one click upgrades and it involves security.

Security Problem

The good folks at WordPress are very security conscious. They are continually improving the platform to make it more secure.

The trouble is that some of the most important security enhancements are completely left out of one click upgrades. In fact, they may even be left out of manual upgrades.

The issue involves the wp-config.php file. This is the WordPress file that holds the login information for the database that houses all of your blog’s content.

This file does not get updated automatically when WordPress is upgraded. In fact, the file isn’t even included when you download WordPress to upgrade manually, and with good reason: the good folks at WordPress don’t want every upgrade to overwrite database passwords and lock folks out of their blogs.

Instead they include a different file with generic placeholder information in it, wp-config-sample.php, and that file is overwritten every time WordPress is upgraded.

The problem is that some of the biggest security upgrades involve modifications to the wp-config.php file, so they aren’t happening on a lot of WordPress blogs as those blogs are upgraded.

Getting More Secure

In WordPress 2.5 they introduced the Secret_Key encryption. If you look at the wp-config-sample.php file you will find the following inside:

// Change SECRET_KEY to a unique phrase.  You won't have to remember it later,
// so make it long and complicated.  You can visit http://api.wordpress.org/secret-key/1.0/
// to get a secret key generated for you, or just make something up.
define('SECRET_KEY', 'put your unique phrase here'); // Change this to a unique phrase.

And as you can see from the link above, the folks at WordPress did a good job of documenting what you need to do with this file to make your blog more secure.

How to Secure WordPress 2.6

However, starting with WordPress 2.6 they ditched SECRET_KEY and added three other keys, which means the wp-config.php file needs to be manually updated again. Here is the code from the latest WordPress version:

// Change each KEY to a different unique phrase.  You won't have to remember the phrases later,
// so make them long and complicated.  You can visit http://api.wordpress.org/secret-key/1.1/
// to get keys generated for you, or just make something up.  Each key should have a different phrase.
define('AUTH_KEY', 'put your unique phrase here'); // Change this to a unique phrase.
define('SECURE_AUTH_KEY', 'put your unique phrase here'); // Change this to a unique phrase.
define('LOGGED_IN_KEY', 'put your unique phrase here'); // Change this to a unique phrase.

This code should replace the code listed above from WordPress 2.5. Each place you see 'put your unique phrase here' you should replace it with a different long and random character string.

To make it easier on everyone, WordPress has set up a page which will generate random code suitable for replacing the three lines outright at this link: http://api.wordpress.org/secret-key/1.1/

For example, I went there and it generated the following:

define('AUTH_KEY', 'IU/(x3pR(Ae6*PlhA=N6#/ =F^_;\\rpnX|9:|0}so-`zxqXoaV(y|0g~&V0%Kc^a');
define('SECURE_AUTH_KEY', 'oiSMI<Ui*\'DCW *cSe5Y0Y_vGx ^G0su~q*8@73xBjWj=z6RZ;\\;mH,UmA@U |eW');
define('LOGGED_IN_KEY', 'Cvk{(Dy/.zY:<g^@E)@+QA6qKXkv<oo]\\~VpEi;}+o5(g?@W[{@JNQAW9-v7T`zp');

Now all you have to do is paste those three generated lines into your wp-config.php file. Obviously don’t use the phrases shown here. Go get your own so that they are random and unique to your blog.
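Because the upgrade never touches wp-config.php, the only way to know whether a blog has the 2.6 keys is to look. The following Python script is an added example, not code from this post or from WordPress: it audits a wp-config.php for the three keys listed above (missing, still set to the sample placeholder, too short, or reused), then writes fresh define() lines. It generates the keys locally with the OS random generator instead of fetching them from the api.wordpress.org link, so the phrases never leave your machine. The sample config embedded in it is constructed for the demonstration, and the command-line path argument is assumed.

```python
import re
import secrets
import string
import sys

# The three keys WordPress 2.6 added (the names listed on this page);
# later versions add salts too, but this audit covers only these.
REQUIRED_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY")
PLACEHOLDER = "put your unique phrase here"
LEGACY_KEY = "SECRET_KEY"  # the 2.5-era key that 2.6 replaced

# Matches define('NAME', 'value'); with a PHP single-quoted value, where the
# only escape sequences are \' and \\ .
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'((?:[^'\\]|\\.)*)'\s*\)\s*;")


def php_single_quote(value):
    """Wrap a Python string as a PHP single-quoted literal."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def php_unescape(raw):
    """Undo PHP single-quote escaping on a raw value captured by DEFINE_RE."""
    return re.sub(r"\\(['\\])", r"\1", raw)


def parse_defines(config_text):
    """Return {NAME: raw value} for every define('NAME', '...'); in the file."""
    return {m.group(1): m.group(2) for m in DEFINE_RE.finditer(config_text)}


def audit_keys(config_text):
    """Return a list of findings describing missing, placeholder or weak keys."""
    defines = parse_defines(config_text)
    findings = []
    for name in REQUIRED_KEYS:
        if name not in defines:
            findings.append(f"{name} missing: a one-click upgrade does not add it")
        elif php_unescape(defines[name]) == PLACEHOLDER:
            findings.append(f"{name} still set to the sample placeholder")
        elif len(php_unescape(defines[name])) < 32:
            findings.append(f"{name} is short ({len(php_unescape(defines[name]))} chars)")
    present = [defines[n] for n in REQUIRED_KEYS if n in defines]
    if len(present) != len(set(present)):
        findings.append("two or more keys share one phrase; each must differ")
    if LEGACY_KEY in defines:
        findings.append(f"{LEGACY_KEY} still present from 2.5; obsolete in 2.6")
    return findings


def generate_key(length=64):
    """Build one key locally from the OS CSPRNG, with the same length and
    character range as the api.wordpress.org output shown above."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rewrite_config(config_text, new_keys):
    """Replace each key's define() line (trailing comment included) with a
    fresh one, appending any key that was absent; other lines are untouched."""
    out = config_text
    for name in REQUIRED_KEYS:
        line = f"define({php_single_quote(name)}, {php_single_quote(new_keys[name])});"
        old = re.compile(r"define\(\s*'" + name + r"'\s*,\s*'(?:[^'\\]|\\.)*'\s*\)\s*;[^\n]*")
        if old.search(out):
            out = old.sub(lambda _m: line, out, count=1)  # lambda: no backslash processing
        else:
            out = out.rstrip("\n") + "\n" + line + "\n"
    return out


# Constructed sample: a 2.5-era config after a one-click upgrade, with the
# placeholders still in place and LOGGED_IN_KEY never added.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('SECRET_KEY', 'old 2.5 phrase');
define('AUTH_KEY', 'put your unique phrase here'); // Change this to a unique phrase.
define('SECURE_AUTH_KEY', 'put your unique phrase here'); // Change this to a unique phrase.
"""

if __name__ == "__main__":
    # Path to the blog's wp-config.php is assumed; without one the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for finding in audit_keys(text):
        print("FINDING:", finding)
    fresh = {name: generate_key() for name in REQUIRED_KEYS}
    print(rewrite_config(text, fresh))
```

Run it against a copy of the file first and diff the output before replacing the real wp-config.php. Note that WordPress uses these keys to sign its login cookies, so changing them invalidates every existing session: all users, including anyone holding a stolen cookie, have to log in again, which is exactly what you want after the cleanup described in the next section.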

If You’ve Been Hacked

If your WordPress blog was hacked, say, because it hadn’t been updated in a while, you are going to want to take some extra precautions.

For starters you obviously need to go through your blog and make sure all potentially malicious code has been removed. An easy way to double check you’ve got it all is to search your posts and pages for a snippet of the offending code.

Then, since you’ve been hacked, you also need to change the passwords for every user profile that has access to change your blog content. If a user account’s role is higher than “Subscriber”, change its password, especially on your own account!

That last step is crucial. In a lot of the hacking attacks on WordPress, the hackers are breaking into older WordPress blogs and stealing the login usernames and passwords. Often they don’t do anything with the access they’ve gained until the blog owner upgrades the blog, so that it appears the newer version is vulnerable.

22 Responses to Improved Security When Upgrading WordPress Not Automatic
  1. Robert Hruzek
    August 27, 2008 | 12:52 pm

    This writeup is just one more reason I count myself blessed to know you, Chris! It still gives me a case of the heebie-jeebies when I think about tinkering with WP, but I’m really glad there are folks like you that understand it.

    A tip o’ the Middle Zone hat to ya!

  2. Smoothie
    August 28, 2008 | 5:06 pm

    Nice post, would you recommend I always upgrade my WP to the latest edition or not? i’ve disabled auto update of WP because I have heard horror stories or posts getting lost etc. I know most people keep it enabled so any advice appreciated, Chris.

  3. Forex Trader
    August 29, 2008 | 12:56 am

    This makes for uncomfortable reading. I always use Fantastico as I’m not the most technically gifted guy. In saying that, one of my blogs is still on WP 2.3 haha.

  4. celebstarlife
    August 29, 2008 | 5:55 am

    Everyday I am amazed at the levels people will stoop to make a dollar. I am glad that they are addressing the security concerns. I have read countless horror stories of people losing their blogs.

  5. wilhb81
    September 1, 2008 | 8:19 am

    As one of the WP users, I would say that you always need to put the first priority on the website security problem, as if you neglect it, then you’ll surely suffer from it in the end!

  6. Airsoft Rifles
    September 2, 2008 | 5:37 am

    I’ve never had a problem with security for my WordPress blog, but I’m sure more established ones definitely need to take further precautions, as people would actually be interested in hacking them (nobody wants me, I’m small fish!)

  7. seo company
    September 2, 2008 | 1:14 pm

    I agree with Robert… very informative. I cannot even think about such topics for my blog ;)

  8. Mary-Lynn
    September 2, 2008 | 1:50 pm

    You rock! I’ve bookmarked this and will follow your instructions!

  9. StanHayes
    September 2, 2008 | 2:58 pm

    I’m with Robert and Seo Company, I don’t understand the first thing about this stuff, but glad there’s people like you that do.

  10. Simon Slade
    September 2, 2008 | 6:15 pm

    Chris, you are a legend! Thanks for explaining the upgrade so everyone is able to understand it. It is good to see that WordPress continually strive to have secure products for their customers.

  11. Totally Home
    September 10, 2008 | 6:20 am

    Thanks, Very interesting read, you should be proud of your blog.

    Your website is very nicely designed, I have already bookmarked it.

  12. Jonathan (loves Innovative Marketing)
    September 10, 2008 | 3:25 pm

    This is just way too technical for me, which is why I love the simpler, albeit much less robust, Tumblr for my blog.

  13. Dallas Web Design
    September 11, 2008 | 4:41 pm

    I love WordPress with one exception – the problems with security. You did a great job identifying the security pitfalls of WP. Unfortunately, with it being the choice platform of bloggers it will probably continue to be easily exploited.

  14. Racing Seat
    October 3, 2008 | 5:33 pm

    I believe word press is the best hands down. I have used almost every blog program out there and word press beat them all.

  15. hersey varmis
    October 20, 2008 | 5:37 pm

    I’ve never had a problem with security for my WordPress blog, but I’m sure more established ones definitely need to take further precautions, as people would actually be interested in hacking them

  16. Michelle
    November 15, 2008 | 3:23 pm

    I’m so glad you posted this! I never thought about the fact that updates do not modify the config file.

  17. Outperforming Yourself
    November 19, 2008 | 12:22 pm

    This is great! Bookmarked and stumbled!!

  18. Embroidered Baby Gifts
    December 8, 2008 | 4:05 am

    Nice! Security is also available. Avoid most of the human efforts. It is far better than manual upgrades. To make it more secure, they are continually improving the platform. Really good for all.

  19. Ajith Edassery
    December 18, 2008 | 2:24 am

    Excellent post. I came in here searching for automatic update related security issues.

    I did not know that the wp-config file is not updated on automatic update or even manual for that matter. But in a way, that is another safety measure right? (Not overwriting your settings).

    I am still sitting on 2.5.x as I did not care yet to upgrade to 2.6.2 and now not yet to 2.7. The reason is that fantastico is always slow to get the upgraded releases from WP. When I checked a couple of days back they still have 2.6.X only. Btw, any feedback on 2.7? I hear that henceforth upgrades will be smoother and fully automatic :)

    Thanks for the security tip and measures to be taken in case of a hacking. I guess, I have been vulnerable.

    Ajith

  20. Authentication and Permission
    December 20, 2008 | 7:57 am

    This will be helpful a lot to me as I don’t have to upgrade that manually every time. It will be upgraded by itself..
    It’s good that WordPress has worked on the only drawback of its site.

  21. outdoor antenna
    January 17, 2009 | 5:08 pm

    Been looking around for security like this. Thanks for all the info this will be my first priority. I’ve bookmarked this to keep up with WP news.

  22. web design tipperary
    February 8, 2009 | 8:58 am

    I recently upgraded to the latest WordPress using the auto-installer to find to my horror my templates overwritten. It was a royal pain in the hole!

Trackback URL http://successcreeations.com/577/improved-security-when-upgrading-wordpress-not-automatic/trackback/