Many security vulnerabilities have been found in older software, and WordPress is no exception. Attackers have found ways to alter the header or footer files of many unsuspecting WordPress installations, so it is prudent to keep up with the latest patched releases.
If you follow the guidelines detailed here, upgrading will be relatively painless. I will also go over a few ways you can better secure your WordPress installation. Remember that you have to be lucky all the time, whereas the malicious hacker has to be lucky just once.
Recipe for Upgrading WordPress
Items Required & Method
1. Grab the latest version of WordPress from here: http://wordpress.org/download/
At this time it is available in two formats – a gunzipped tarball for Unix/Linux boxes and a zip file. Grab whichever suits you. Extract it to a local directory and set it aside.
2. Back up your present installation. If you have access to the control panel of your server, take a MySQL backup of all the data from your WordPress database.
Copy all the files from the root, wp-admin, wp-content and wp-includes into another directory, or better still copy them to your local machine. In case something goes wrong, you need a fallback plan.
Open wp-config.php and save the // ** MySQL settings ** // section somewhere close at hand. You will need to hang on to this file if you want a trouble-free upgrade.
3. Place an index.html with a message – “The Blog is undergoing some changes” – and some polite note to the effect that the service will be unavailable for a short time. The complete upgrade should take only a few minutes, but it is still nice to put up a temporary index.html.
While the upgrade is in progress, your server will likely throw up error messages to visitors, which is best avoided.
4. Now it is time for the Rock and Roll! Go ahead and delete the following 2 directories ONLY:
wp-admin
wp-includes
Some FTP clients will protest if you try to delete a directory with files inside. Use your control panel’s file manager for this task.
Upload your extracted wp-admin and wp-includes to the production server.
Now copy the remaining files from the extracted archive over the old files in the root. If you use any of the themes from the themes directory, leave those for now.
You will find the following files under each theme in the themes directory:
- comments.php
- comments-popup.php
- sidebar.php
- header.php
- footer.php
- functions.php
- index.php
- style.css
- rtl.css
- screenshot.png
Edit the new copies, re-applying whatever changes you have made to these files, then transfer them over.
5. The final step: launch your browser and point it to your blog/wp-admin/ and you will be greeted with a login screen. Log in and you will be taken to the upgrade page, where it will ask for your approval to update the database. The upgraded version looks for the config file in the root, where the database connection details are stored. So if you have done the steps as detailed here, you will have completed the upgrade without any fuss.
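Steps 2 and 4 above, written as an added example in POSIX sh (this is not the original post's code). It assumes wp-config.php uses the stock define('DB_NAME', 'value'); layout, and the demo_setup function builds a constructed scratch installation so the functions can be tried offline:

```shell
#!/bin/sh
# Added example: manual WordPress upgrade steps 2 and 4 as sh functions.
# Assumes wp-config.php in the stock define('CONST', 'value'); format.

# Read one constant (DB_NAME, DB_USER, ...) out of wp-config.php.
wp_config_value() {                 # $1 = path to wp-config.php, $2 = constant
    sed -n "s/^define( *'$2', *'\([^']*\)' *).*/\1/p" "$1"
}

# Step 2: copy the whole live tree (root, wp-admin, wp-content, wp-includes)
# and keep a spare wp-config.php with the MySQL settings next to it.
wp_backup() {                       # $1 = live WordPress root, $2 = backup dir
    mkdir -p "$2"
    cp -Rp "$1" "$2/files"
    cp -p "$1/wp-config.php" "$2/wp-config.php.bak"
}

# Step 2, database part: mysqldump with the credentials from wp-config.php.
# The password is prompted for rather than passed on the command line,
# where every user on the box could read it from ps.
wp_dump_db() {                      # $1 = live WordPress root, $2 = backup dir
    mysqldump -u "$(wp_config_value "$1/wp-config.php" DB_USER)" -p \
        "$(wp_config_value "$1/wp-config.php" DB_NAME)" > "$2/db.sql"
}

# Step 4: delete ONLY wp-admin and wp-includes, put the new ones in place,
# then copy the new root-level files over the old ones. wp-config.php and
# wp-content (your themes, plugins and uploads) are never touched.
wp_upgrade() {                      # $1 = live WordPress root, $2 = extracted new version
    rm -rf "$1/wp-admin" "$1/wp-includes"
    cp -Rp "$2/wp-admin" "$2/wp-includes" "$1/"
    for f in "$2"/*; do
        if [ -f "$f" ]; then cp -p "$f" "$1/"; fi
    done
}

# Constructed dry-run trees (not a real installation) so the functions can
# be exercised offline; prints the scratch directory it created.
demo_setup() {
    r=$(mktemp -d)
    mkdir -p "$r/live/wp-admin" "$r/live/wp-includes" "$r/live/wp-content/themes/mine" \
             "$r/new/wp-admin" "$r/new/wp-includes" "$r/new/wp-content/themes/default"
    echo "define('DB_NAME', 'wp_demo');" > "$r/live/wp-config.php"
    echo old > "$r/live/wp-admin/admin.php"; echo old > "$r/live/index.php"
    echo custom > "$r/live/wp-content/themes/mine/header.php"
    echo new > "$r/new/wp-admin/admin.php";  echo new > "$r/new/index.php"
    echo "$r"
}
```

Run wp_backup (and wp_dump_db) before wp_upgrade, and check the backup directory is complete before deleting anything on the live site.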
WordPress Security Details
Matt Cutts has this to say about securing the WordPress installation – http://www.mattcutts.com/blog/three-tips-to-protect-your-wordpress-installation/
The current version (2.5.1 at the time of writing) no longer has the earlier vulnerability in which anyone could see which plugins you have installed simply by requesting the plugins directory index; the newer version shows “Sorry, no posts matched your criteria.” instead.
It would be a good idea to lock down the wp-admin directory by either of the following means:
- Password-protect this directory using the Apache server’s password-protected directory mode. You will see the message “Sorry, no posts matched your criteria.” instead of a 403 status code.
- Use .htaccess to block unauthorized access. A sample is shown below:
# Evaluate Deny directives first, then Allow; an Allow match wins
Order Deny,Allow
# Refuse every client by default
Deny from all
# Except this one address (placeholder, not a real IP)
Allow from 67.23.67.255
The above directives block the whole world from this directory and allow access only from the IP 67.23.67.255 (not a real IP), assuming that is your IP. Note that if your connection has a dynamically assigned address, this will lock you out of wp-admin as soon as it changes.