
Remind HN: Update your wordpress sites - spocked
Wordpress released version 4.2.2 a week ago with some important security updates. As someone who owns multiple WP installs, it is critical for me to get these updated asap. I am sure there are quite a few members on HN that fall in this category too.
======
rob
And if you manage multiple WordPress websites, try something like InfiniteWP.
It takes care of updating core, plugins, and themes. We use it to manage about
23 WordPress websites and being able to update all of your websites with a
couple of clicks is an incredible timesaver. We still do manually review
everything though (like changelogs, making sure the site still loads and isn't
a WSOD, etc.)

We like InfiniteWP because it's free and we can host it ourselves (we've had
no need for their paid addons), but there are also other solutions like MainWP,
ManageWP, WP Remote, iControlWP, CMS Commander, etc. I think most (if not all)
of those are hosted and paid / free trial.

~~~
liotier
Or let your Linux distribution handle the multi-site Wordpress hosting for
you... Thank you Debian !

------
ozh
As someone who owns multiple WP installs, I have added
"define( 'WP_AUTO_UPDATE_CORE', true );" to all my wp-config.php files so that
all my installs automatically self update with ALL future updates, minor & major.
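
An added example (not part of the comment above and not WordPress code): a Python audit that walks a directory of installs, reads `$wp_version` from each `wp-includes/version.php`, flags anything older than 4.2.2, and reports how `WP_AUTO_UPDATE_CORE` is set in `wp-config.php`. The directory layout, the function names and the two sample installs are assumptions constructed for illustration.

```python
import re
from pathlib import Path

PATCHED = (4, 2, 2)  # the release this thread asks everyone to install

VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
# Anchored at line start so a "// define(...)" line is not counted.
AUTO_RE = re.compile(
    r"""^\s*define\(\s*['"]WP_AUTO_UPDATE_CORE['"]\s*,\s*(true|false|['"]minor['"])\s*\)""",
    re.IGNORECASE | re.MULTILINE,
)

def parse_version(php_text):
    """Return $wp_version as a 3-tuple of ints, or None if not found."""
    m = VERSION_RE.search(php_text)
    if not m:
        return None
    nums = [int(n) for n in re.findall(r"\d+", m.group(1).split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def auto_update_mode(config_text):
    """Return 'true', 'false', 'minor', or 'unset' for WP_AUTO_UPDATE_CORE."""
    m = AUTO_RE.search(config_text)
    return m.group(1).strip("'\"").lower() if m else "unset"

def audit(root):
    """Scan every install under root; return (site, version, outdated, mode) rows."""
    rows = []
    for vfile in sorted(Path(root).rglob("wp-includes/version.php")):
        site = vfile.parent.parent
        version = parse_version(vfile.read_text(errors="replace"))
        config = site / "wp-config.php"
        mode = auto_update_mode(config.read_text(errors="replace")) if config.is_file() else "unset"
        rows.append((site.name, version, version is None or version < PATCHED, mode))
    return rows

def build_sample_tree(root):
    """Constructed sample data: two fake installs, not real sites."""
    samples = {
        "site-a": ("4.1.1", "<?php\n// define( 'WP_AUTO_UPDATE_CORE', true );\n"),
        "site-b": ("4.2.2", "<?php\ndefine( 'WP_AUTO_UPDATE_CORE', true );\n"),
    }
    for name, (ver, config) in samples.items():
        inc = Path(root) / name / "wp-includes"
        inc.mkdir(parents=True)
        (inc / "version.php").write_text(f"<?php\n$wp_version = '{ver}';\n")
        (Path(root) / name / "wp-config.php").write_text(config)
```

On the constructed data, `site-a` is reported as outdated with the constant unset (its `define` is commented out), and `site-b` as current with the constant set to `true`.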

~~~
Fradow
It is great in theory. In practice, the last auto-update caused a WSOD on my
site without any helpful debug log (both on WP and server log) until I
manually disabled a (popular) plugin by editing its php file.

I wonder how a less tech-savvy person would have resolved that. Even being
tech-savvy, I had to ask someone for help.

Updates of core and plugins are always very scary to me.

~~~
Mojah
It's a system that's based on trust, but the auto-update that is active in
WordPress has saved millions of sites from getting hacked in the last few weeks:
[https://ma.ttias.be/in-defence-of-wordpress/](https://ma.ttias.be/in-defence-of-wordpress/)

As soon as something major breaks by those auto-updates, the trust is over and
a lot of users will disable it. That would be a shame indeed, because besides
a couple of WSOD's some users may experience, it's an extremely powerful
feature.

------
joeyspn
I'm not a big fan of wordpress but it is undoubtedly a great tool to have in
your toolbox, especially when your customers need user-friendly blogging tools
or a quick CMS. I've installed for some of my clients Django blogs (with
Django-CMS), rails-based blogs, and even a couple of Ghost installs. Nothing
has beaten wordpress so far, clients love its versatility...

What I do to fly _under the radar_ of many of the bots and automated scripts
targeting wordpress sites is using a modern wp framework: roots bedrock[0].
This gives you a convenient time window to update wp when you have the time
(although with bedrock it is really easy with a couple of commands).

[0] [https://roots.io/bedrock/](https://roots.io/bedrock/)

------
runarb
For the first time I got an email from my Wordpress installation yesterday,
asking me to update. Have not seen that before. A nice detail I appreciate, so
I don't have to keep up with what is the latest release of Wordpress at all
times.

~~~
aram
Interesting, AFAIK it's not something in the core. Which security plugin are
you using?

~~~
runarb
I am not running any security plugins. I just had a look on the email headers,
and it was sent from my server, so this must have come from Wordpress somehow.
It is also the first one I have gotten.

The email said:

 _Subject: [{my website} Wordpress MU] WordPress 4.2.2 is available. Please
update!

Please update your site at http://{my websites url}.com to
WordPress 4.2.2.

Updating is easy and only takes a few moments:
http://{my websites url}.com/wp-admin/network/update-core.php

If you experience any issues or need support, the volunteers in the
WordPress.org support forums may be able to help.
[https://wordpress.org/support/](https://wordpress.org/support/)

Keeping your site updated is important for security. It also makes the
internet a safer place for you and your readers.

The WordPress Team_

I have the following plugins installed: All In One SEO Pack, FeedWordPress,
Github Ribbon, Hello Dolly, Revision Control, Unfiltered MU, WordPress
Importer and WP-Polls.

Maybe it originated from one of them?

~~~
SamReidHughes
I got this email too. I'm pretty sure I didn't seek out and install any
plugins. I don't remember getting any of those you've listed. I nuked the
install completely so I can't say for sure.

------
listic
Does Wordpress release security updates for those who stick to older versions?

~~~
onion2k
Wordpress only has one track, which is the only one that gets updates. Once a
new major release is available all support for the previous release ends. If
you want the most secure version you need to be on the latest (4.2.2).

~~~
toxican
Um, no? They do security updates for the last couple of versions of Wordpress.
They even extend that to the last couple versions of their stock theme when
they require an update.

------
gesman
I usually skip N.N.0 but update everything when N.N.2+ comes out.

~~~
falcolas
4.2 and 4.2.1 contained a lot of vulnerability fixes from 4.1.n - when it
comes to an operating system, err, blogging platform, it's not a bad idea to
keep on top of your updates.

------
gauravnews12
If I do not update, will I get any problems on my website?

~~~
spocked
[https://wordpress.org/news/2015/05/wordpress-4-2-2/](https://wordpress.org/news/2015/05/wordpress-4-2-2/)

This is a critical security release. The cross-site scripting vulnerability
lets a commenter compromise your website.

~~~
ghubbard
The exploit is described and demonstrated in a video on the site of the
discoverer:
[http://klikki.fi/adv/wordpress2.html](http://klikki.fi/adv/wordpress2.html)

------
NewsReader42
or just remove wordpress and use something secure, not bloated and easier to
develop with.

~~~
adam74
A lot of people who run Wordpress have clients who need a nice, easy user
interface to be able to update their site. Do you have any suggestions for
software that fulfills that need and is "secure, not bloated and easier to
develop with"?

~~~
jon-wood
> A lot of people who run Wordpress have clients who need a nice, easy user
> interface to be able to update their site.

This is clearly opinion, and should be taken as such, but I absolutely loathe
Wordpress' admin interface. I'm sure at some point it was a nice, easy user
interface but those days have passed. Anytime I have the misfortune of being
thrown into a Wordpress backend I have no idea how to get anything done.

~~~
ereckers
The WordPress admin interface hasn't changed all that much over the years.
Unless the change to a darker admin theme tripped you up, I'm not sure where
anyone that has any experience using anything on the internet would have much
problem getting anything done with it.

