Automattic have announced the release of WordPress 3.7 “Basie” so if you have a website that runs on WordPress it’s time to upgrade.
We don’t always trumpet software releases on Naked Security but I think WordPress 3.7 is very important.
It’s not important because it fixes any particularly devilish vulnerabilities but because, for the first time, it will automatically update itself with the latest maintenance and security releases – something that could change the security of the whole WordPress ecosystem.
The signature feature of this latest version of the hugely popular blogging platform is automatic background security updates.
Next time WordPress.org issues an urgent security point release – such as the recent version 3.6.1, which came with the exhortation to update your sites immediately – it will be deployed automatically to site owners running 3.7 or above.
We’ve all become quite used to the idea of the software on our desktops, tablets, laptops and smartphones silently patching itself in the background and it’s good to see popular web software catching up – it’s long overdue.
What makes background updates for WordPress such a significant step is the software’s sheer popularity. Nobody is quite sure how many of the world’s websites are running on WordPress but the consensus seems to be that it’s about 15 – 20%.
Needless to say that’s a very, very, very large number of websites – so large that criminals looking to build botnets are prepared to invest in large-scale automated attacks that scan for and target known WordPress vulnerabilities.
The best defence against such attacks and the first rule of WordPress security is always run the latest version of WordPress.
As Andrew Nacin put it on the Make WordPress Core blog:
If you don't keep your site up to date, you are making the web a less safe place for you and everyone who visits your website.
The trouble is that it seems a lot of people don’t bother. Some researchers believe that as many as 73% of the WordPress sites out there are vulnerable to attack purely because they aren’t running the latest version.
So automatic updates for WordPress could do more than simply ensure fewer websites are vulnerable to attacks, it could ultimately provide a kind of ‘herd immunity’ that will make the entire population a less attractive target.
The automatic updater also supports themes and plugins – the software skins and add-ons that allow users to customise their WordPress websites. Some plugins are so widely used that they are popular enough to be targeted in their own right.
Although auto-update support for themes and plugins is on an opt-in basis for now, I fully expect that to change in future and, to quote Nacin one more time, “That’s a huge win for a safer web”.
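For readers who want to opt in now rather than wait, this is an added example of how a site can do so (not code from the Naked Security post or from WordPress.org): a small must-use plugin that uses the `auto_update_plugin` and `auto_update_theme` filters that 3.7 introduced. The `ns_` function names and the plugin basenames in the allowlist are constructed placeholders; everything else is WordPress's own API.

```php
<?php
/**
 * Plugin Name: Opt in to background updates (added example)
 * Description: Extends WordPress 3.7 automatic updates to selected plugins and all themes.
 *
 * Save as wp-content/mu-plugins/opt-in-background-updates.php.
 * Core behaviour is controlled separately by the WP_AUTO_UPDATE_CORE constant in
 * wp-config.php: 'minor' (the default) applies security/maintenance releases only,
 * true also applies major releases, false turns core auto-updates off.
 */

// Plugins that should follow core into the background updater.
// Constructed placeholder list: replace with the basenames (folder/file.php)
// of the plugins actually installed on the site.
function ns_auto_update_plugin_allowlist() {
    return array(
        'example-plugin/example-plugin.php',
        'another-plugin/another-plugin.php',
    );
}

// WordPress calls this once per available plugin update. $item is the update
// object; $item->plugin holds the plugin basename. Returning true opts that
// plugin in; returning $update leaves WordPress's default (opt-out) decision alone,
// so unknown or unreviewed plugins are not updated silently.
function ns_auto_update_plugin( $update, $item ) {
    if ( isset( $item->plugin )
        && in_array( $item->plugin, ns_auto_update_plugin_allowlist(), true ) ) {
        return true;
    }
    return $update;
}
add_filter( 'auto_update_plugin', 'ns_auto_update_plugin', 10, 2 );

// Themes: opt in every installed theme using WordPress's built-in helper.
// Replace '__return_true' with an allowlist callback like the one above if
// only specific themes should update on their own.
add_filter( 'auto_update_theme', '__return_true' );
```

Updates still run from WP-Cron, so a site whose cron never fires (for example one with no visitors and no system cron hitting wp-cron.php) will not see them applied; check the update emails WordPress sends after each run rather than assuming it happened.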
The software is available to download from WordPress.org. If you want to know more about what’s in 3.7 take a look at the release announcement on the WordPress blog. There is also a very long and detailed post about disabling automatic updates on the Make WordPress Core blog.
If you’d like to know more about WordPress security then take a minute or two to read our article on How to avoid being one of the “73%” of WordPress sites vulnerable to attack.