Tag Archives: Wordpress security

An Update on the WordPress 2.3.3 Security Retro-fit Adventure

Just wanted to update you on a few developments with the back-porting of WordPress 2.5.x security improvements to version 2.3.3.

First, I want to emphasize that I did this largely to show that it was possible, and that WordPress (Automattic) should consider rolling out such security fixes for older versions as patches rather than forcing "upgrades" to entirely new iterations of WordPress with many feature changes mixed in with such fixes.

First, I did move the "Retro-fit" to this production blog of mine that is running a customized version of 2.3.3, and things have been going fine, for the most part.

Here is a screen-shot of the "no frills" login screen that is now missing the formatting that changed with 2.5.1 (as mentioned in the prior post). Since I have user registration turned off, this is a non-issue for me; I can easily deal with not having a "pretty" login screen.


WordPress 2.3.3 Security Retro-Fit

OK, the content of this post is so important that I won’t agonize too much over whether the writing is all that smooth or not.

You may have heard any number of things in recent weeks and months about the need to upgrade to WordPress 2.5.x because of security issues with the older versions. In fact, it can almost sound as if some people wanted to scare you into upgrading.

There have long been complaints that each WordPress "update" is far from a smooth, pain-free operation for many people: it breaks relied-upon plugins, creates issues with your (possibly custom) themes, and requires you to re-apply any personal hacks you may have had reason to place directly into the WordPress core distribution because some things don’t work quite right in there, and pleas to fix them are often ignored.

In this case however, there have also been a large number of changes to the WordPress admin back-end, the usefulness of some of which has been judged to be questionable, or that have caused actual problems (2.5 could delete your text widgets among other things). One look at the WordPress support forum tells the story. I am not going to get into all of the reasons right now why I am not upgrading to 2.5.x for the foreseeable future. That is for a different post.

Suffice it to say that many top bloggers with an understanding of the tech issues have said they won’t upgrade for a while.

What is important, though, is that the security fixes that came with 2.5 should in reality be made available as small, "single file copy" patches for anyone deciding to stay with the older version(s) for now. I have said as much on the support forum in several places, most recently on a very active "2.5 backend issues" thread that actually got shut down by "Mr. WordPress" Matt Mullenweg himself.

Since they currently seem rather unconcerned with making these fixes available without a wholesale upgrade, I decided to take it upon myself to do so.

Here are the results:
