Upgrading Wordpress is a pain in the neck

wordpress

#1

Maybe I’m missing something here, but I would like to see an improved one click WordPress update that will allow us to update the essential new files and not have to update the entire thing. It’s a pain in the neck and I’d like to see a better solution out there…

Unless there is already?


#2

Well, you could always abandon the “one-click” altogether, which is what I do. Srsly, a “manual” install of WordPress is like maybe a “two-clicker” - it’s just as easy, and then you can upgrade just changed files from the shell in a breeze. :wink:

–rlparker


#3

DH could probably add an option like “Don’t change the contents of the wp-content folder”, but then someone will always use that option and the included plugins will never get updated which can be a security risk. They could even add an option, “don’t change wp-content folder but update plugins” …

But like rlparker said, installing/updating wordpress using ssh/ftp is really not that hard, especially compared to other PHP applications.

Jan

Promo-Code: [color=#CC0000]SAVEMONEY97[/color] - Save [color=#CC0000]$50[/color] on your first year of hosting.
Get more promo codes here


#4

I think one thing to consider about all this is that, given the recent exploits perpetrated on “old” WordPress installations (just Google for ro8kfbsmag.txt!), and the likelihood that many “one-click” users might be trying to “upgrade” out of their hacked condition, replacing only “changed” files could get complicated.

It would be pretty hard for DH, or anyone for that matter, to know without some forensic work what “changes” are part of the new upgrade, what the hacker had done, etc.

I’m currently spending a lot of time cleaning up after a “webdesigner” who failed to upgrade a lot of WP websites she has built for clients, and had many of them hacked. While the damage done is sometimes similar, there are differences in payloads and changed files … so it is not a simple “fix” to automate. :wink:

–rlparker


#5

I totally agree with you, it would be hard to make the one click install that flexible and it would also be dangerous. DH probably could have an internal filelist for each release and then update the changed files from one release to another, but then it would also take them longer to release updates to the one-click installer.

Btw. the ro8kfbsmag vulnerability is also being reported for 2.5.1 installations, very scary.

Jan



#6

Yes, I have noticed that, but it’s important to point out that the ro8kfbsmag issue is NOT really a “WordPress” issue, IMHO. What I mean by that is that once ro8kfbsmag has found its way onto your server, it doesn’t need to rely on a vulnerability in WordPress or any other script to do its evil.

Granted, it may have found its way onto the server in the first place via an out-of-date/exploitable WordPress installation (which is what happened to my “webdesigner” client!), but its very nature as a PHP-shell means that the hacker has (or certainly could have) accessed your MySQL host, user, and password details which are readily visible once “in” to the file system of an unhardened WordPress installation.

Add to this other applications’ files that may be accessible to that program (like Joomla! configuration files, etc.), and you have a real problem.

I have not yet seen an “exploited” WP site running 2.5.1 that I am sure had not previously been exploited before “upgrading”, and I suspect that ro8kfbsmag.txt might still be at play. From looking at the general level of knowledge and understanding of such things evidenced by many on the WP forums, I suspect many of those reports of a “hacked” 2.5.1 are really the result of just installing the upgraded/new version 2.5.1 site without:

  1. successfully purging the culprit in the first place

  2. changing the MySQL and WP users/passwords (which you have to assume the hacker now has)

  3. changing the shell/ftp users’ passwords (as far too many people foolishly use the same credentials for shell, ftp, MySQL, and WP itself).

Without all of those steps being taken, it doesn’t really make any difference whether you upgrade to 2.5.1 or whatever - you will remain vulnerable, and the hacker will just hack your “new” installation with the tool he left behind or your own credentials, which he now has.

Just one example of this type of a “recursive hack” is when you did successfully purge the ro8kfbsmag shell code, but you didn’t change the passwords - the hacker can just revisit your site and use your unchanged credentials to access WP, your shell/ftp account, and/or your database, and upload his payload again … and so on. This sucketh!

Edited to supply a resource:

This link is to a “must read” article on ro8kfbsmag.txt and for those interested in securing WordPress.

–rlparker
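The per-release file list Jan mentions in #5, and the forensic "what changed in the upgrade vs. what the hacker changed" question rlparker raises in #4 and #6, as an added example that is not code from this thread, from WordPress or from DreamHost: it hashes a clean release tree into a manifest and classifies every file in a live install as added, removed or modified. The directory layout and file contents are constructed for the demo.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map each file path (relative to root) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_against_release(release_manifest, installed):
    """Classify the live install against the clean release manifest.

    'added' files were never part of the release (dropped shells, uploads),
    'modified' files differ from the release copy (backdoored core files),
    'removed' files are missing from the install (deleted or renamed core files).
    """
    added = sorted(p for p in installed if p not in release_manifest)
    removed = sorted(p for p in release_manifest if p not in installed)
    modified = sorted(p for p in installed
                      if p in release_manifest and installed[p] != release_manifest[p])
    return {"added": added, "removed": removed, "modified": modified}


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: a clean release tree next to a tampered install."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = os.path.join(tmp, "clean"), os.path.join(tmp, "site")
        for root in (clean, site):
            _write(root, "wp-config-sample.php", b"<?php // sample config\n")
            _write(root, "wp-includes/version.php", b"<?php $wp_version = '2.5.1';\n")
        # Tampering constructed for the demo: one core file altered, one file dropped in.
        _write(site, "wp-includes/version.php", b"<?php $wp_version = '2.5.1'; // tampered line (constructed)\n")
        _write(site, "wp-content/uploads/ro8kfbsmag.txt", b"<?php // attacker-placed file (constructed)\n")
        return diff_against_release(hash_tree(clean), hash_tree(site))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In practice the manifest is built once from a pristine download of the release, and anything in "added" or "modified" under core directories is what needs the forensic look before (not after) passwords are rotated and the upgrade is applied.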


#7

Good article, Robert. Thanks for posting it!

Use the [color=#CC0000]3DOM50[/color] promo code for 3 extra lifetime domains and $50 off
More Dreamhost coupons here!