Why not updating your Core, Themes & Plugins is Stupid

This morning I woke up to 3 email messages and 2 Skype messages from people telling me my site was hacked. I’ve had better mornings, as you can imagine. Luckily, through CodeGuard, I was able to determine what had changed recently. You know what? It was my own stupid fault: I hadn’t updated a theme.

I run a couple of WordPress instances on this server: this website, which you’re looking at, but also a MultiSite install in /bugs/, running WooThemes’ FaultPress. Now, had I been paying attention, I would have read this post on the WooThemes blog a month ago, telling me to upgrade their WooFramework to fix vulnerabilities. I didn’t; I was slacking. This morning I found out how stupid that was, as that exact vulnerability was used to hack my server.

The issue is bigger though: so many of you don’t upgrade regularly. You see, security breaches happen. I have helped quite a few plugin authors fix security issues in their plugins, and I myself have been helped by the likes of Jon Cave and Andrew Nacin to fix security issues in my own plugins. When I update a plugin though, it’s very rare to see more than 20% of the users update within a week. We, as a community, need to get better at that.

Now, I’m on both sides of this fence, I’m a user and a developer. As a developer, I started thinking about how I could get more of you to upgrade. I know Genesis has a feature in their backend that’s quite cool:

[Screenshot: theme update warning]

You just drop your email in there and you get an email when an update is available. I’m going to add something like that to my own bigger plugins, though I have to think a bit about what the best way to do this is…

The moral of this story is quite simple though: don’t let this happen to you: upgrade your core, themes & plugins very regularly!


39 Responses

  1. By Olaf Lederer on 4 September, 2011

    If you run 1 or 2 websites on WordPress, it’s not very “hard” to upgrade everything. Most of the time, websites with less traffic (and attention) don’t get frequent updates. I’m using CSF and I get a mail for a lot of stuff (changed files, long running services, etc.). Must say it feels much better if you get warnings like this.

  2. By Gautam Doddamani on 4 September, 2011

    It’s very true that we should upgrade from time to time. We never know which vulnerabilities will be discovered in the future. Although I use the Thematic framework, I constantly keep all my plugins and core updated all the time :)

  3. By TradiArt on 4 September, 2011

    I can’t believe people don’t take care of their own websites.

    Codeguard is also a CloudFlare app, highly recommended.

  4. By Chris on 4 September, 2011

    I recently learnt this the hard way. My theme uses timthumb and a vulnerability in that script allowed my site to be hacked. Had I reacted immediately to the warning from the author I would have been OK, but instead I thought ‘I’ll do that tomorrow.’ Fortunately there was no real damage but it’s a lesson learnt.

  5. By Kirk Wight on 4 September, 2011

    A lot of themes and plugins never get updated because the people who wrote them never maintain them – particularly if it was a paid project with no maintenance budget (and I’m looking myself squarely in the eyes as I write this).
    It would be great if we start fostering more of a lifecycle approach to developing themes and plugins – I think clients deserve it.

    • By wycks on 4 September, 2011

      This is right on the money: if users were more educated they would gravitate to plugins/themes that are updated quickly and often. For instance, out of about 100 exploits in .org plugins listed this year, about 65-70 were actually updated within a fast time frame; the other 25 or so remain unpatched or were simply removed.

      Also, the idea behind updating WordPress like Chrome (automatically and seamlessly) will most likely be applied to plugins and themes at some point.

  6. By Ronen Bekerman on 4 September, 2011

    Hi Yoast… So true.

    But sometimes upgrading could also be a problem, by breaking the functionality of the WordPress site.

    For example I had issues with the W3 Total Cache upgrade, a WordPress upgrade that my theme was not ready for, etc…

    So while being up to speed with the updates, and especially security updates, is important, it is also important to check for any issues that might have happened with the new versions.

    I make it a habit now to always read the changelog. I never blindly update like I did before. I’m sure many of you do it blindly and that is not good practice.

    P.S. You mention CodeGuard. It sounds very interesting… How is it compared to VaultPress (considering I now run a Multisite too). Would appreciate any insight you have on that ;)

    Cheers,

    Ronen.

  7. By Peter on 4 September, 2011

    One quick note about timthumb: huge numbers of themes, and a few plugins, use that script, and lots of those haven’t been updated to deal with it. Here’s a simple plugin to scan/fix the vulnerability on your sites:
    http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/

    • By colbert on 6 September, 2011

      Hi Peter, well I did try out this new plugin and it managed to find one theme with an outdated timthumb.php. So I clicked FIX and it was done in a jiffy. Pretty cool.

    • By Harris on 6 September, 2011

      Thanks so much for that handy little plugin. I had 3 cases of outdated files.

      Waking up in the morning and seeing your site hacked is a shocking experience, so I fully understand where Joost is coming from. What’s worse is when this happens while you’re on holiday with very limited internet access.

  8. By Eddie Gear on 5 September, 2011

    Joost, that is very true and I agree that you have to keep your systems up to date. However, not all plugins work this way and are not updated regularly with the latest trends. There is always a significant delay that crashes systems and disrupts functionality within the admin area or the front end as well.

    • By Joost de Valk on 5 September, 2011

      Then start looking for alternatives to those plugins.

  9. By Abhijeet Mukherjee on 6 September, 2011

    Joost, do you use the backup mode or the staging mode with Codeguard?

  10. By Kevin Meredith on 6 September, 2011

    It’s not very often that you have to update a plugin, theme and the WordPress core at once, but it would be nice to have the option to update them all at the same time, as you can with multiple plugins. As someone who just uses a few basic plugins and the 2010 theme, an auto update option for WordPress would be dead handy.

  11. By Luciano Passuello on 7 September, 2011

    Hi Joost,

    I use the WP Updates Notifier plugin and am quite happy with it. It emails you on core, plugin and theme updates.

  12. By Ankur on 7 September, 2011

    Thanks a bunch Joost. I got to know about it from your post only and have now updated my sites wherever I use Woo. I can see some horrifying stories on how some sites were hacked.

    That tells me I need to subscribe to Woo blog as well!

  13. By Big City News on 7 September, 2011

    Right, always update asap. But sometimes the update brings the vulnerability with it, as happened recently. So waiting would have been better in that case.
    As for the hack on your site, we have been hacked via the timthumb hack as well, and the fix only came out after the hack was done. So even a fast update would not have helped in that case.
    So updating is important, but it can’t fix all problems and sometimes makes things worse. Auto-update features could make it worse by spreading vulnerabilities introduced with an updated plugin much faster. What do you think Yoast?

  14. By ريان on 7 September, 2011

    Hi Yoast
    Thanks for the post, I’m upgrading plugins weekly.

  15. By fritz on 7 September, 2011

    I hate that the upgrade module requires http://FTP... I don’t want FTP on my server, and anyway I can’t get it to work for WP upgrades (it keeps asking me for login details)

    Why can’t WP use curl like everyone else, it’s quite pathetic really

    • By fritz on 7 September, 2011

      You got some weird formatter for your comments, the first occurrence of “FTP” gets turned into an http link…

  16. By Website Design on 7 September, 2011

    My girlfriend’s website was hacked this exact way, and it can recur even after updates if the hackers created a new backdoor or embedded another virus / malware.

    I had BackupBuddy detect the file that had the damage in it (planted there as a failsafe in case I did fix the other issues) and fixed it all up.

    For my own websites, I did fix them immediately, as I keep up to date on security news and always update – but if you’re running themes from ThemeForest or other marketplaces you need to be extra careful, as those devs won’t usually know of or fix such issues.

  17. By Alastair McDermott on 7 September, 2011

    That sucks, but it’s nice to see you’re human, Joost :)

    Thanks for the CodeGuard recommendation, going to check them out.

  18. By Felipe Lavín on 7 September, 2011

    @fritz: actually, WP can and does use curl, and it can automatically upgrade your WP install, plugins and themes with no FTP configuration… if you’re sure curl is enabled but you can’t use the automatic upgrade, it’s almost surely because of a permissions issue (the web server user should be the owner of the WP folders and files).
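As an added example (not WordPress’s own code, and not from this page), a stand-alone diagnostic for the ownership problem Felipe describes. WordPress’s get_filesystem_method() only picks the FTP-less “direct” method when a temporary file PHP creates in the content directory ends up owned by the same user that owns the PHP files themselves (unless FS_METHOD is forced in wp-config.php); otherwise the upgrader asks for FTP credentials. The script repeats that test for a directory you name; the path at the bottom is an assumption, point it at your own wp-content.

```php
<?php
// Added example, not WordPress's own code. Mirrors the ownership test
// get_filesystem_method() performs before allowing "direct" upgrades:
// a file PHP creates in the content directory must be owned by the same
// user that owns the PHP scripts. Run it as the user PHP really runs as
// (through the web server, or "sudo -u www-data php check.php"); the
// result is only meaningful for that user.

function check_direct_filesystem_access( $dir ) {
    $dir = rtrim( $dir, '/' );
    if ( ! is_dir( $dir ) ) {
        return array( 'direct' => false, 'reason' => "$dir is not a directory" );
    }
    if ( ! is_writable( $dir ) ) {
        return array( 'direct' => false, 'reason' => "PHP cannot write to $dir" );
    }

    // Same shape of test file WordPress uses; uniqid() avoids clobbering anything.
    $test_file = $dir . '/temp-write-test-' . uniqid( '', true );
    $handle    = @fopen( $test_file, 'w' );
    if ( false === $handle ) {
        return array( 'direct' => false, 'reason' => "could not create a test file in $dir" );
    }
    fclose( $handle );

    $test_owner   = fileowner( $test_file );
    $script_owner = fileowner( __FILE__ );
    unlink( $test_file );

    $detail = sprintf( 'test file owner uid %d, script owner uid %d', $test_owner, $script_owner );
    if ( $test_owner === $script_owner ) {
        return array( 'direct' => true, 'reason' => 'owners match: ' . $detail );
    }
    return array(
        'direct' => false,
        'reason' => 'owners differ, WordPress will fall back to FTP: ' . $detail,
    );
}

// Assumed path; replace with your own wp-content directory.
$result = check_direct_filesystem_access( '/var/www/html/wp-content' );
echo ( $result['direct'] ? 'OK: ' : 'PROBLEM: ' ) . $result['reason'] . "\n";
```

When the owners differ, the fix is to make the web server user own the WordPress files (chown) rather than to force FS_METHOD to ‘direct’: forcing it skips the check but leaves PHP unable to write the files, and it also means any file the web process can write, the web process can also be tricked into writing, so ownership should cover the WordPress tree and nothing else.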

  19. By Max on 7 September, 2011

    Would be cool if you shared your implementation later in your blog. The plugin side is self-explanatory, but I wonder what you would use on your end to notify all of the subscribers.

    • By GaryJ on 8 September, 2011

      Max – the Genesis implementation Joost highlighted is not a subscription, but a theme setting saved to the database, the same as any other theme (or plugin) setting might be.

      Hooked into the init action is a function that looks to see if the checkbox is checked, and if the email field is populated with an email address. If so, it does an update check (calls home), and if there’s a new version, uses wp_mail() to send an email to the address given.

      So long as the output script that receives the call home script is updated when a new version is released, everything else is automatic in terms of emailing people. In short, the bit that does the notifying is built into the theme / plugin.

      • By Max on 8 September, 2011

        @GaryJ – oh, it’s even simpler than I thought. Thanks for the clarification :)
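As an added example (not the Genesis implementation, not Yoast’s code, and not from this page), here is the mechanism GaryJ describes above, which is also the feature Joost says in the post he wants to add to his own plugins: a function hooked into init checks whether the “notify me” box is ticked and an address is saved, calls home for the latest version, and uses wp_mail() when that version is newer than the installed one. The option names, the endpoint URL and the JSON it returns ({"version": "1.2.0"}) are assumptions; a real theme or plugin would point this at its own version endpoint.

```php
<?php
/**
 * Added example, not code from Genesis, Yoast or this page. Opt-in update
 * e-mail for a theme or plugin: on init, if the "notify me" setting is ticked
 * and an address is saved, call home for the latest version and mail the
 * address when it is newer than the installed one. The option names, the
 * endpoint URL and the JSON it returns ({"version": "1.2.0"}) are assumptions.
 */

define( 'EXAMPLE_PRODUCT_NAME', 'Example Theme' );   // assumed
define( 'EXAMPLE_PRODUCT_VERSION', '1.1.0' );        // installed version, assumed
define( 'EXAMPLE_UPDATE_URL', 'https://updates.example.com/example-theme.json' ); // assumed, HTTPS on purpose

add_action( 'init', 'example_maybe_send_update_notice' );

function example_maybe_send_update_notice() {
    // Settings saved from the theme's options page (assumed option name).
    $settings = get_option( 'example_theme_settings', array() );
    if ( empty( $settings['update_notify'] ) ) {
        return; // box not ticked: never call home, never mail
    }
    $to = isset( $settings['update_email'] ) ? sanitize_email( $settings['update_email'] ) : '';
    if ( ! is_email( $to ) ) {
        return;
    }

    // init runs on every request; only call home once every 12 hours.
    if ( false !== get_transient( 'example_update_checked' ) ) {
        return;
    }
    set_transient( 'example_update_checked', time(), 12 * 3600 );

    $latest = example_fetch_latest_version();
    if ( null === $latest || version_compare( $latest, EXAMPLE_PRODUCT_VERSION, '<=' ) ) {
        return;
    }

    // Mail once per new version, not every 12 hours until the site is updated.
    if ( get_option( 'example_update_notified_version' ) === $latest ) {
        return;
    }

    $site    = wp_specialchars_decode( get_bloginfo( 'name' ), ENT_QUOTES );
    $subject = sprintf( '[%s] %s %s is available (you run %s)',
        $site, EXAMPLE_PRODUCT_NAME, $latest, EXAMPLE_PRODUCT_VERSION );
    $body    = sprintf(
        "A new version of %s is available for %s.\n\nInstalled: %s\nLatest: %s\n\nLog in to update: %s\n",
        EXAMPLE_PRODUCT_NAME, home_url( '/' ), EXAMPLE_PRODUCT_VERSION, $latest, admin_url( 'update-core.php' )
    );
    if ( wp_mail( $to, $subject, $body ) ) {
        update_option( 'example_update_notified_version', $latest );
    }
}

/**
 * Asks the (assumed) update endpoint for the latest version string.
 * Returns null on any transport or format problem, so a failed or tampered
 * response never produces a mail.
 */
function example_fetch_latest_version() {
    $response = wp_remote_get( EXAMPLE_UPDATE_URL, array( 'timeout' => 5 ) );
    if ( is_wp_error( $response ) || 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
        return null;
    }
    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    // Only accept a plain dotted version such as 1.2.0: the endpoint's text ends
    // up in an e-mail, so nothing else from the response is used.
    if ( ! is_array( $data ) || empty( $data['version'] )
        || ! preg_match( '/^\d+(\.\d+){0,3}$/', (string) $data['version'] ) ) {
        return null;
    }
    return $data['version'];
}
```

Three choices matter for a feature like this: the transient keeps the call home to a couple of requests a day instead of one per page view; the endpoint is fetched over HTTPS and only a strictly formatted version string is taken from it, so a spoofed response can at worst trigger an early mail; and the last notified version is recorded so a site that is slow to update gets one mail per release rather than a stream of reminders.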

  20. By Allie on 8 September, 2011

    I agree with keeping them up to date, but WordPress doesn’t like to make it easy. I’m not talking about notifying, which it does fine on stuff located on .org. I’m talking about actually pushing people to update and work together, along with knowing something is even wrong.

    First off, you can’t follow what you use, to learn anything about them. You can’t favorite any plugins or themes, or even subscribe to them. You end up with this constant need to not only crawl back over each one you use, but to also keep checking to see if something replaced it. I swear, I spend more time at WordPress.org looking around, than I do anywhere else.

    Then, even when something does get outdated, what is actually there to push it to get updated? They need to learn from Drupal, where they encourage people to work on projects together, they give abandoned projects to other people, and they provide quick ways for the whole community to help, get help, and to test.

    Right now, if something gets outdated, it may not be just easy to say update it. There may not even be an update or anyone hanging around to update it.

    I think the fastest way to get ahead of a lot of this is to get people to actually work together. More people working on projects, keeping them updated. Useless, buggy, exploitable, or dated projects should be handed off or deleted. There should be a faster way to keep track of everything, as well.

    I really do think Drupal sets the gold standard for this and WordPress is rather far behind. I did do a post years back on just trying to make the plugins easier to get through and get back to:

    http://wordpress.org/support/topic/wordpressorg-plugin-suggestions

    You can see how popular that was :(.

  21. By David Stillwagon on 8 September, 2011

    I didn’t realize that not updating your themes on WP would be a security threat. I definitely have some updating to do.

  22. By Vincent on 8 September, 2011

    So out of interest, why didn’t CodeGuard catch this issue and alert you?

    • By Joost de Valk on 8 September, 2011

      Because I didn’t actually set up the correct checks… Luckily I could read back and find it.

  23. By Alexandre Giesbrecht on 8 September, 2011

    I update plugins whenever they alert me, because I can do it automatically in seconds. But updating the core is much more troublesome, because I was never able to do it automatically, always manually — and more than a couple of times I had to do it again just a few days later. If the automatic update worked more often (I have read other people complaining about it at digwp.com), I’m pretty sure more people would update the core more frequently.

  24. By Marcelo on 8 September, 2011

    Another thing to consider is a good backup plugin and actually backup your entire site and database before upgrades. If anything goes wrong, you have the option to restore it.

  25. By Remco on 8 September, 2011

    True, but annoying, since I changed the code of many of the plugins I use when they don’t allow for CSS changes in the settings.

  26. By Eric Shefferman on 8 September, 2011

    I work with websites specifically because I don’t want to be tied to having to do some specific task every day.

    And yet WordPress comes up with a way that I need to be checking for updates to the software and updating all my sites 24/7. That’s worse than having a job for set hours in some office. With WordPress on your website, there’s no such thing as a vacation.

    On the WordPress.org forums, it seems that the victim of a hack gets blamed for it — because they weren’t monitoring this crap 24/7.

    As far as getting emails of updates:
    I don’t know about anyone else, but I like having days where I don’t check email 24/7 and don’t carry a cellphone and actually just enjoy my day.

    I do not understand:
    When I log into my WordPress sites, they are capable of telling me that there are upgrades available to WordPress core, plugins, and themes. Since the software is aware of the updates and is capable of installing them itself (all I have to do is click and select them)… why doesn’t the software just do the smart thing and update itself without my intervention?

    Since I’ve ranted this same thought before:
    Yes, it is like George Jetson complaining about how hard work is because he had to push a button all day, however, when you have to log into 20 or more different WordPress installs and run through the clicking for all the updates on each of them, this becomes a day-killing timewaster of rote work that is exactly the sort of work that was intended to be done by a computer.

    As far as upgrading blindly damaging the website:
    Yes, it might crash the site. It would have done that anyway even if I upgraded by hand. But whatever it does is probably just as fixable as if I had upgraded by hand and it crashed the site. It’s a temporary problem.
    Whereas not doing the upgrade leaves you vulnerable to being hacked and as someone above pointed out — the hackers get to install extra backdoors so that your entire server remains compromised until the day you finally find them all.

  27. By Puiu Darlea on 8 September, 2011

    Hi all,

    TWO problems:

    1) What do you think about VaultPress vs. CodeGuard?
    2) Since I do not seem to be able to solve a permalink issue in the latest WP release, I am very afraid to upgrade and lose all my custom permalinks that got me #1 on Google.
    So should I upgrade to WP 3.2.1?

    Puiu – RO

  28. By Harsha on 9 September, 2011

    This came at the right time for me. I’ve a bunch of sites which need updates and your additional resources are a great help. Thanks a lot.

    BTW, what is that plugin you are using to pop up the image on this post?

  29. By Greg on 9 September, 2011

    Great advice. After reading this I went back and looked at a few of my sites, and sure enough, every single one had a few overdue updates that I had let slide. Thanks for the reminder.

  30. By Carlo C. on 9 September, 2011

    Thank you for posting. It is good for beginners like me to learn things like that about using WordPress.

  31. By Claudio on 29 September, 2011

    Hi,
    thank you for the post. I learned at my own expense what it means not to update WP and its plugins on a regular basis (it happened with the cforms plugin).