WordPress Security Updates

Good catch: "WordPress 3.1.2 is now available and is a security release for all previous WordPress versions. This release addresses a vulnerability that allowed Contributor-level users to improperly publish posts." Does this sound familiar if you have been following WordPress updates for a while?

Well, I found that most security patches are related to users with a certain level of access. We do not give Contributor-level or higher access to any user unless it is really necessary, or unless it is someone we can trust to a certain extent.

Of course, whenever possible, we should upgrade our WordPress as soon as a new security release is available. For this reason, we found that Lunarpages hosting is great, as their setup allows you to do a "one-click upgrade" from the WordPress Dashboard | Updates. For VPS hosting such as Linode or Slicehost, you need to change the owner of the WordPress installation folder to www-data to enable the "one-click" upgrade, but if you are not familiar with Linux, the process could be a bit tricky. What I mean is, in order to do the automatic WordPress upgrade without FTP, we need to make the files and folders writable by the Web server. It is the same requirement for installing plugins without FTP and for writing config files.

For example, if your WordPress is installed in /var/www/wordpress, the basic Linux command is
chown -R www-data /var/www/wordpress
However, some people are also concerned about another security issue caused by this setup if there are other sites (owned by different people) sharing the same Web server.
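
To see how much of an installation this change exposes, the following shell functions report what the Web server user owns and which entries any local account can write or read. This is an added example, not code from the original post; the function names are hypothetical, and www-data and /var/www/wordpress are the values assumed from the text above.

```shell
#!/bin/sh
# Added example: audit a WordPress tree after ownership has been handed
# to the Web server user. Function names are hypothetical.

# Count entries under $1 owned by user $2 (name or numeric UID).
# Everything counted here can be modified by any code running as that user.
count_owned_by() {
    find "$1" -user "$2" | wc -l | tr -d ' '
}

# List entries under $1 that are writable by "other" (any local account).
# Symlinks are skipped because their mode bits are not meaningful.
list_world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Return 0 if $1/wp-config.php is readable by "other", 1 if it is not,
# and 2 if the file does not exist.
config_world_readable() {
    cfg="$1/wp-config.php"
    [ -f "$cfg" ] || return 2
    [ -n "$(find "$cfg" -perm -0004 -print)" ]
}

# Print a short report for tree $1 and Web server user $2.
audit_wp_tree() {
    root="$1"
    user="$2"
    echo "entries owned by $user: $(count_owned_by "$root" "$user")"
    ww="$(list_world_writable "$root")"
    if [ -n "$ww" ]; then
        echo "world-writable entries:"
        echo "$ww"
    fi
    if config_world_readable "$root"; then
        echo "wp-config.php is readable by other local accounts"
    fi
}

# Usage: sh audit.sh /var/www/wordpress [www-data]
if [ "$#" -ge 1 ]; then
    audit_wp_tree "$1" "${2:-www-data}"
fi
```

On a server shared with other sites, a high owned-by count means code from any site running as the same Web server user can change those files.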

Well, if you want convenience, you sacrifice some security in exchange. If you want more security, don't share your Web server with others, which means you need to pay more. It is like sharing the same house or room with your schoolmates.
