July 6, 2011 at 10:53 AM ET
WordPress bloggers have a reason to be a little happier with the release of WordPress 3.2, which is a bigger security step than previous versions: it raises the minimum versions of PHP and MySQL a host must run (PHP 5.2.4 and MySQL 5.0) before it will install.
But Chester Wisniewski, of security vendor Sophos, still cautions that, "As big a step forward as this is, however, it doesn't bring web hosts nearly close enough to versions of PHP and MySQL that could be considered safe to use. And clearly, this doesn't change anything for those users and hosts who aren't in the habit of updating their WordPress to begin with."
So consider this a wake-up call, especially if you're one of the 330,000 who downloaded 3.2 in the past 24 hours.
Wisniewski examined blogs that had been hacked and were being used to distribute malware. SophosLabs had identified about 30 such infected sites, and Wisniewski wanted to see whether any pattern explained why they were so vulnerable.
He found that 10 of the sites were running older versions of WordPress, each not only out of date but carrying many known vulnerabilities.
The only other version still receiving security patches, aside from the new 3.2, is 3.1.4.
Wisniewski's advice: "If your host doesn't meet WordPress's new requirements, it is time to ask some serious questions about their security procedures to ensure your site remains secure."
And this, too:
Not patching our computers, servers and devices leaves the barn door wide open for criminal squatters.
Run your own WordPress installation? Be sure to update your web server, PHP and WordPress installations. I recommend signing up for security notifications from each vendor so you are aware of new versions that plug security holes.
Outsource your blog hosting? Review the policies of your service provider to understand whose responsibility it is to patch the underlying software and WordPress itself.
If all of that is too much hassle, just consider using WordPress.com and let others worry about these pesky version numbers.
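For readers who run their own installation, the advice above boils down to one question: does this host meet 3.2's requirements, and is the WordPress copy on it a patched release? The script below is an added example written for this article, not code from Sophos or from the WordPress project. It compares dotted version strings component-wise (so "5.2.17-1ubuntu1" is read as 5.2.17 and ranks above 5.2.4) and checks them against the 3.2 minimums and the two patched releases named in the article. The document root, the `--live` flag and the way the live versions are read from `php`, `mysql --version` and `wp-includes/version.php` are this example's own assumptions; the sample version numbers at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article or Sophos): check a self-hosted
# WordPress stack against the WordPress 3.2 requirements.
# Assumed minimums from the 3.2 release: PHP 5.2.4 and MySQL 5.0.
# Patched WordPress releases as of the article: 3.2 and 3.1.4.
MIN_PHP="5.2.4"
MIN_MYSQL="5.0"
PATCHED_WP="3.2 3.1.4"
WP_ROOT="${WP_ROOT:-/var/www/html}"   # assumed document root; override via env

# version_ge A B: return 0 if dotted version A >= B, comparing numerically
# component by component. Any non-numeric suffix (e.g. "-MariaDB",
# "-1ubuntu1") is dropped first; missing components count as 0.
version_ge() {
    a=$(printf '%s\n' "$1" | sed 's/[^0-9.].*//')
    b=$(printf '%s\n' "$2" | sed 's/[^0-9.].*//')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}                      # leading component
        [ "$x" = "$a" ] && a='' || a=${a#*.}        # consume it
        [ "$y" = "$b" ] && b='' || b=${b#*.}
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0                                        # all components equal
}

# check_stack PHP_VER MYSQL_VER WP_VER: print one line per component and
# return 0 only when PHP and MySQL meet the minimums AND the WordPress
# version is one of the patched releases.
check_stack() {
    ok=0
    if version_ge "$1" "$MIN_PHP"; then
        echo "PHP $1: meets minimum $MIN_PHP"
    else
        echo "PHP $1: BELOW minimum $MIN_PHP"; ok=1
    fi
    if version_ge "$2" "$MIN_MYSQL"; then
        echo "MySQL $2: meets minimum $MIN_MYSQL"
    else
        echo "MySQL $2: BELOW minimum $MIN_MYSQL"; ok=1
    fi
    case " $PATCHED_WP " in
        *" $3 "*) echo "WordPress $3: current patched release" ;;
        *)        echo "WordPress $3: NOT a patched release (expected one of: $PATCHED_WP)"; ok=1 ;;
    esac
    return $ok
}

# check_this_host: read the live versions from this machine. The parsing of
# "mysql --version" assumes the classic "Distrib X.Y.Z" output format and
# falls back to the first dotted number it sees (assumption).
check_this_host() {
    php_ver=$(php -r 'echo PHP_VERSION;' 2>/dev/null || echo "0")
    mysql_ver=$(mysql --version 2>/dev/null \
        | sed -n 's/.*Distrib \([0-9.]*\).*/\1/p')
    [ -z "$mysql_ver" ] && mysql_ver=$(mysql --version 2>/dev/null \
        | sed -n 's/[^0-9]*\([0-9][0-9.]*\).*/\1/p')
    mysql_ver=${mysql_ver:-0}
    wp_ver=$(sed -n "s/^\$wp_version = '\([^']*\)'.*/\1/p" \
        "$WP_ROOT/wp-includes/version.php" 2>/dev/null)
    check_stack "$php_ver" "$mysql_ver" "${wp_ver:-unknown}"
}

# Constructed sample inputs: a host that meets the bar, and one that does not.
check_stack "5.2.17" "5.1.73" "3.1.4"    # all three lines OK, exit 0
echo "---"
check_stack "5.2.0" "4.1.22" "2.9.2"     # every line flagged, exit 1
echo "---"

# Only touch the real system when explicitly asked.
if [ "${1-}" = "--live" ]; then
    check_this_host
fi
```

Run it with `--live` on the host itself (set `WP_ROOT` if your install is elsewhere). A non-zero exit from `check_this_host` is the cue Wisniewski describes: either update the stack or ask the hosting provider which of these three components they consider their responsibility.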