OK, the content of this post is so important that I won’t agonize too much over whether the writing is all that smooth or not.

You may have heard any number of things in recent weeks and months about the need to upgrade to WordPress 2.5.x because of security issues with the older versions. In fact, it can almost sound as if some people wanted to scare you into upgrading.

Now there have long been issues with the fact that each WordPress "update" tends to be far from a smooth, pain-free operation for many people: it breaks plugins you rely on, creates issues with your (possibly custom) themes, and requires you to re-apply any personal hacks you may have had reason to place directly into the WordPress core distribution, because some things don’t work quite right in there and pleas to fix them are often ignored.

In this case however, there have also been a large number of changes to the WordPress admin back-end, the usefulness of some of which has been judged to be questionable, or that have caused actual problems (2.5 could delete your text widgets among other things). One look at the WordPress support forum tells the story. I am not going to get into all of the reasons right now why I am not upgrading to 2.5.x for the foreseeable future. That is for a different post.

Suffice it to say that many top bloggers with an understanding of the tech issues have said they won’t upgrade for a while.

What is important though is that the security fixes that came with 2.5 should in reality be made available as small, "single file copy" patches for anyone deciding to stay with the older version(s) for now. I have said as much on the support forum in several places, most recently on a very active "2.5 backend issues" thread that actually got shut down by "Mr. WordPress" Matt Mullenweg himself.

Since they currently seem rather unconcerned with making these fixes available without a wholesale upgrade, I decided to take it upon myself to do so.

Here are the results:

After studying the ticket records for WordPress 2.5 and 2.5.1 (the very rapid release of yet another "update" so close to the first one should tell you that 2.5 wasn’t quite as ready for prime-time as they might have wanted you to believe), it appears obvious that the biggest security issues come from WP user registration and the way it handles passwords.

As for registration, I recommend for both 2.3.3 and even the later versions that you turn it OFF in your Admin panel under "Options > General > Anyone can register" (uncheck the check-box). Unless you are using WordPress as a sort of membership site, there is really no reason that I can see for yet another registration. Just require name and email in your comment form; those get auto-filled after the first comment for most themes and in most browsers.

If you have multiple WP authors, Admin can add those manually in a controlled way. Else, what are those users for? Since WP isn’t designed to be e.g. an auto-responder by default, those Email addresses from registration aren’t really all that useful to you. Better to use Feedburner or other means of opt-in.

By the way, even 2.5 still had an issue with their user roles security, potentially allowing "less than admin" type users to add other users. Ooops. (Aside: The role system in WordPress is a bit labyrinthine because the application logic for it is spread all over the place in the code.)

So turning this off is a good idea (if possible for your purposes). So then the only major security issue that still needs fixing is the way that passwords (for Admin, etc.) are handled in WordPress, both in the password database and as cookies in your browser once you are logged into your WordPress back-end. If you are interested in the deeper technical issue of this, go here and here and enjoy…

From studying these, I simply extracted the files that were changed for 2.5, and then proceeded to copy those, one by one, into a 2.3.3 test install. To not keep you in suspense any longer, this security retro-fit for 2.3.3 works and here are the files to update:

(all files can just be overwritten with the 2.5 version, any totally new 2.5 files are marked)

/wp-includes/class-phpass.php (new file)
/wp-includes/compat.php
/wp-includes/functions.php
/wp-includes/media.php (new file)
/wp-includes/pluggable.php
/wp-includes/registration.php
/wp-includes/shortcodes.php (new file)
/wp-includes/user.php
/wp-includes/wp-db.php
/wp-admin/includes/misc.php
/wp-login.php 
/wp-settings.php

Then there are two files to which you have to add one line each. In

/wp-includes/deprecated.php

add the line

function gzip_compression() { return false; }

at the top, right after the opening ‘<?php’ tag. The reason we can’t just overwrite the whole file with the 2.5 version is that it would try to re-declare many more functions that were deprecated in 2.5 and moved into this file, but which 2.3.3 still defines elsewhere.

Last but not least, we need to place our own "secret key" generation phrase into your

/wp-config.php

with this line:

define('SECRET_KEY', 'put your secret key phrase here');

Note that the comment above this new code reads:

// Change SECRET_KEY to a unique phrase.  You won't have to remember it later,
// so make it long and complicated.

So that’s what you want to do.
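To make the three steps above repeatable (and to keep a copy of every 2.3.3 file before it is overwritten), here is a small POSIX shell script I am adding as an example; it is not part of WordPress. It assumes you have unpacked the 2.5 archive somewhere and pass that directory and your 2.3.3 install root as arguments; the third argument is the SECRET_KEY phrase, and if you leave it out a random 64-character one is generated for you.

```shell
#!/bin/sh
# Constructed helper for the retro-fit described in this post (not WordPress code).
# Usage: retrofit_233.sh <unpacked-2.5-tree> <2.3.3-install-root> [secret-phrase]
# Every 2.3.3 file that gets overwritten is first copied into a backup directory.

RETROFIT_FILES="wp-includes/class-phpass.php wp-includes/compat.php
wp-includes/functions.php wp-includes/media.php wp-includes/pluggable.php
wp-includes/registration.php wp-includes/shortcodes.php wp-includes/user.php
wp-includes/wp-db.php wp-admin/includes/misc.php wp-login.php wp-settings.php"

# 64 hex characters from /dev/urandom: "long and complicated", and safe inside
# a single-quoted PHP string (no quotes or backslashes).
gen_secret_key() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

retrofit_233() {
    src="$1"; dst="$2"; key="${3:-$(gen_secret_key)}"
    case "$key" in *"'"*|*\\*) echo "secret key must not contain ' or \\" >&2; return 1;; esac
    backup="$dst/retrofit-backup-$(date +%Y%m%d%H%M%S)"
    for f in $RETROFIT_FILES wp-includes/deprecated.php wp-config.php; do
        if [ -f "$dst/$f" ]; then
            mkdir -p "$backup/$(dirname "$f")" && cp -p "$dst/$f" "$backup/$f"
        fi
    done
    # 1. Overwrite (or add) the twelve files with their 2.5 versions.
    for f in $RETROFIT_FILES; do
        [ -f "$src/$f" ] || { echo "missing from 2.5 tree: $f" >&2; return 1; }
        mkdir -p "$dst/$(dirname "$f")" && cp -p "$src/$f" "$dst/$f"
    done
    # 2. deprecated.php: add only the one stub, right after the first <?php,
    #    since copying the whole 2.5 file would redeclare functions 2.3.3 still has.
    dep="$dst/wp-includes/deprecated.php"
    if ! grep -q 'function gzip_compression' "$dep"; then
        awk '{ print } !done && index($0, "<?php") {
                 print "function gzip_compression() { return false; }"; done = 1 }' \
            "$dep" > "$dep.tmp" && mv "$dep.tmp" "$dep"
    fi
    # 3. wp-config.php: define SECRET_KEY before wp-settings.php is loaded, so the
    #    cookie code in pluggable.php sees it; append it if no such line exists.
    cfg="$dst/wp-config.php"
    if ! grep -q "define('SECRET_KEY'" "$cfg"; then
        awk -v line="define('SECRET_KEY', '$key');" \
            '!done && index($0, "wp-settings.php") { print line; done = 1 } { print }
             END { if (!done) print line }' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    fi
    echo "retro-fit applied; originals saved under $backup"
}

# Run directly with the arguments; sourced without them, only the functions load.
if [ $# -ge 2 ]; then
    retrofit_233 "$@"
fi
```

Running it a second time is harmless: the stub and the SECRET_KEY line are only added when they are not already present.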

Again, so far I have found this to work after having put my 2.3.3 test-bed blog through the paces. I run about a dozen or so standard plugins in this installation, and there APPEAR to be no adverse effects from these changes. Security should have been enhanced, which was the goal in the first place.

So far the only adverse effect has been that the "blue shield" formatting of the login screen form has gone bye-bye, likely because 2.5 wants to use its changed CSS to format it. But since we said to turn off the user registration (and thereby login) for all but Admins and maybe collaborating authors, this shouldn’t be a concern. I might post a visuals fix for this at some later point, but right now that’s way down my list of priorities…

Here again is the predictable WARNING/DISCLAIMER to only attempt this in a test install of your own first (with all of your plugins in it), OR if done to a live install, to do it during off hours and with back-ups of your old 2.3.3 files at the ready in case there are any problems.

Hope this has been useful to you, and that you’ll sleep better at night. If these explanations seemed too complicated many paragraphs up, PLEASE DO NOT ATTEMPT this without someone technical helping you.

UPDATE:

Before proceeding with any of this, read about some of the additional issues that came up in this follow up post.

71 thoughts on “WordPress 2.3.3 Security Retro-Fit”

  1. In reply to @Pressed Words:
    I also responded to this ping-back on Austin’s Blog, but I felt this would warrant further explanation here as well. The post was already getting long, so I didn’t want to go on an on about all of the reasons from 5 angles. So here is more in the form of a reprint of my comment on his blog:

    Austin, first off, thanks for picking this up so quickly.

    Now I want to make it clear that you overstate my “antipathy” toward WordPress 2.5, despite its admitted flaws and real bugs that seemed egregious enough to warrant everyone being a little wary of upgrading too quickly. After all I do use WordPress over other solutions, and have come to really like it for the degree to which I can dig around in the “guts” of the code, vast availability of plugins, etc.

    This is why the main gist of my argument is really to separate out security and other critical FIXES from new feature introductions. It’s the sane thing to do, and would be a lot more palatable to/respectful of the users that have to deal with the fall-out from upgrades. Some have to maintain dozens of WordPress installs for clients, all with possibly different plugins, etc. I have stated all of this on the support forum.

    The way it is handled now is actually worse than Microsoft, even they know they can’t just completely force you into Vista [to fix XP security flaws] from one month to the next, even though they sure want to and are always trying… :)

    Check around, there are a lot of influential bloggers with a deep tech knowledge (such as Andy Beard), that won’t go near 2.5 for a while. I just thought that there should still be security improvements rolled out as patches to those who don’t want to upgrade right now.

    Agreed that it would be much preferable for WP to come out with a certified patch “package” themselves, my attempt (which so far appears successful) is by no means the ideal state of affairs, and you may have read my big fat DISCLAIMER at the end.

    I welcome the discussion and any testing/improvements that anyone is able to contribute. If it hadn’t appeared from the WP tickets on security fixes in 2.5/2.5.1 that the password/cookies issue was a very isolated element that didn’t seem to have any other implications, I likely wouldn’t have attempted it. Agreed that there could have easily been more issues popping up through the file replacements, but so far I haven’t seen any.

    As you said, stay tuned for my post on the detailed feature reviews and issues that were left unresolved that I have actually hacked/fixed myself in my own personal WP “distribution”. Then it will likely make even more sense why I am not upgrading for now…

  2. For me the top security fix is just to keep lots of backups though there are also additional admin plugins for locking WP to specific IP ranges etc.

  3. In reply to @Andy:
    Andy, that is certainly good advice regardless of any other measures, and often overlooked by too many people.

  4. I read your blog & it has really awesome information.These days there is slam in business & many famous companies are also going to down. However it is good blog have impressive information

  5. Excellent advice. I know how important it is to comment on other blogs. This article made me realize how much more important it really is! I’ve been doing forum comment but only see minimal traffic with that technique. I think blog comment is a much better approach. I start to give it a try. Crossing my fingers for better results shopping guide!

Comments are closed.