I hate updating. I don’t care about the new / fancy features. I just want to blog and have peace of mind in terms of security.
Does anyone know of a version of WordPress that’s the most secure? I don’t have to update any more.
Thanks! I think that’ll do. Just found out about it.
That’s not how software works. That there are new versions means there are now known security vulnerabilities in previous versions which the new one fixes. Virtually every WP update contains security fixes outnumbering feature changes.
If you don’t update, you know that your version has vulnerabilities that are known and are being exploited. Even in software with multiple “stable” branches where you can choose to stay with an old version, there are minor version patches released for each branch to fix new vulnerabilities, and you have to update.
You have to update, just like your web host has to keep the services on their servers updated and patched every single day, or they’ll be vulnerable at that level.
This is part of your job as someone that sells website services. Think of it like changing the oil in your car. You might not like doing it but you have to in order to keep a car running.
The only secure version of WordPress is the one that you don’t install on the web. Once it is on the web it will have exploitable vulnerabilities just waiting to be found and once they are found a new version will be issued to fix that security hole and introduce other hidden security holes in its place.
The best thing you can do is exercise doing backups and updating frequently; you have a lot better chance at not being hacked if you stay current.
If you get to the point where you don’t hate updating, and get over the fear of it, life becomes much easier.
With WordPress though, it’s so quick, is it really that big of a deal to update? It takes me longer to log into Gmail than to update my WordPress.
WordPress updates directly from the admin, it’s not a long process at all. I think it’s 3 clicks total. Themes have to be updated as well to continue to work with the latest versions of WordPress.
Keeping up with the most current WordPress versions for the WordPress system, your themes, and plugins, will help keep your security higher.
Make sure you have a strong password as well.
Updates tend to break things.
Or, plugins might not be compatible right away with the latest and greatest version. I tend to wait a little while, then attempt an update in a sandbox environment before updating the WordPress install that’s live on the web.
Now, there are some security-related plugins which can help lock things down a little bit:
Secure WordPress plugin by WebsiteDefender
Better WP Security - Chris Wiegman
But they don’t necessarily prevent creative exploits, as most of those are the result of holes/bugs in the WordPress core.
Additionally, don’t go overboard with the security plugins and keep an eye on the overlap with feature duplication. You don’t need to be applying the same security adjustment in more than one plugin; it eats up resources and has the potential to cause issues.
If you’ve made any changes to the default themes, they will be overwritten. However, I’m not entirely sure if this behavior will be changing after upgrading to the 3.2 branch, as I saw one of the features was to only overwrite files which had changed.
True. I forget about that since I write 99% of the plugins we use myself and I carefully read the changes before we apply, just in case (and we sandbox as well). =[
WordPress is open source software; the chances of being hacked are higher if you do not update the software to the updated version. The reason for updating the software is not only to enhance the features but also the security of the software.
So, don’t be lazy, update it frequently.
Plugins like my Better WP Security will help, but nothing is a replacement for common sense and a good host.
Two of the most important things you can do easily are to use different [strong] passwords for the admin area, the database, and any file system access you have, and keep up on the updates.
On top of that, all the security you can do will fail if your host is weak in this area, so be careful when choosing a host. There is more at stake than a few bucks a month. In addition, you should be backing up at least daily should an incident occur.
Thank you all for the insights!
Basically, I’m a bit troubled by this issue which I posted at WHT here: Host for hundreds of wordpress sites? - Web Hosting Talk
Updating can be really annoying when you have a lot of WordPress blog sites. Any suggestions to make it easier?
Naaah, not really. I dunno. It’s like someone said further up. You install one version and then in the next version the problems are fixed but new problems have arrived…
If you have lots of blogs then you should be using one copy of WordPress with the multisite option turned on. That way there’s only the one copy to update.
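For the many-sites situation raised above, an added example (not part of the thread and not code posted by any participant): a shell script that reads each install's `wp-includes/version.php` and lists the sites whose core version is behind a chosen target. The script name `wp-audit.sh`, the `/var/www` path and the sample versions are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Assumption: each install keeps the stock wp-includes/version.php, which
# assigns the core version to $wp_version.

# Print the core version of the install rooted at $1; fail if none is readable.
wp_core_version() {
    local f="$1/wp-includes/version.php" v
    [ -r "$f" ] || return 1
    # Split on quotes so the second field of "$wp_version = '3.2';" is 3.2.
    v=$(awk -F"['\"]" '/^[ \t]*\$wp_version[ \t]*=/ { print $2; exit }' "$f")
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# True when version $1 sorts strictly before $2 (numeric per component, so 3.2 < 3.10).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Print "path<TAB>version" for every install under $1 older than version $2.
outdated_sites() {
    local root="$1" target="$2" vf site v
    find "$root" -type f -path '*/wp-includes/version.php' | sort |
    while IFS= read -r vf; do
        site="${vf%/wp-includes/version.php}"
        if ! v=$(wp_core_version "$site"); then
            printf '%s\tunknown\n' "$site"      # file present but unparseable
        elif version_lt "$v" "$target"; then
            printf '%s\t%s\n' "$site" "$v"
        fi
    done
}

# Build a constructed sample tree under $1 (versions are made up for the demo).
make_sample_tree() {
    local name
    for name in blog-a:3.1.4 blog-b:3.2 blog-c:3.10; do
        mkdir -p "$1/${name%%:*}/wp-includes"
        printf "<?php\n\$wp_version = '%s';\n" "${name#*:}" \
            > "$1/${name%%:*}/wp-includes/version.php"
    done
}

# Usage: ./wp-audit.sh /var/www 3.2   (hypothetical path and target version)
if [ "$#" -eq 2 ]; then outdated_sites "$1" "$2"; fi
```

Run from cron, the output gives a short list of installs to update first; it reports core versions only, so themes and plugins still need their own check.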