For the past couple of weeks, webmasters all over the globe have been scrambling to update and protect their WordPress self-hosted blogs. It all started when a couple of rather large, well-known blogs were having issues with their permalinks displaying odd characters, rendering the links useless. Further investigation revealed “hidden” admin accounts (meaning that they existed, but were not visible in the WP dashboard).
I was originally made aware of this issue on Twitter, as people started spreading the word about a vicious worm that was working its way through older, un-updated installs of WordPress. So, as usual, I went surfing for some trustworthy information. The best description of what happened can be found in Lorelle’s blog.
In my opinion, the most important thing to know about this worm, is described this way by Lorelle:
Once the worm has infected your site, surface fixes do not remove the “back door” the worm injects into your database and system, as happened with Robert Scoble. Once infected, upgrading does not fix the issue, so those reporting they were now infected after upgrading, were infected before upgrading. Versions after WordPress 2.8.3 are safe, but upgrade to 2.8.4 anyway as it included other fixes.
Because the worm plants its backdoor in the database, not just in the WordPress files, a normal upgrade (which replaces the files but keeps the database) leaves the backdoor intact, and so does a restore that imports the whole database. The clean-up therefore has to be done in a specific order, so that nothing from the infected database is carried over into the fresh install.
“How To Completely Clean Your Hacked WordPress Installation” by Smackdown is a good article on how to reinstall WordPress after being hacked, but take care to keep your export limited to the post content and comments (and Pages), not the entire database as the hack goes into the database.
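Before exporting anything, it is worth looking at what is actually in the database rather than trusting the dashboard, since the accounts described above were not visible there. The queries below are an added example for this post, not from Lorelle’s write-up or from the Smackdown article, and they assume a MySQL database using the default “wp_” table prefix (the capabilities meta_key carries the same prefix, so change both if yours differs):

```sql
-- Added example, not part of the original post. Assumes the default "wp_"
-- table prefix; substitute your own prefix in the table names AND in the
-- 'wp_capabilities' meta_key below.

-- 1. Every account that holds the administrator role, whether or not the
--    dashboard shows it. WordPress stores roles as a PHP-serialized array in
--    wp_usermeta, e.g. a:1:{s:13:"administrator";b:1;}, so a LIKE match is
--    enough to find the role.
SELECT u.ID, u.user_login, u.user_email, u.user_registered,
       m.meta_value AS capabilities
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.user_registered;

-- 2. Total number of accounts in the table. Compare this with the count shown
--    under Users in the dashboard; a difference means rows the dashboard is
--    not showing you.
SELECT COUNT(*) AS accounts_in_db FROM wp_users;

-- 3. The settings the permalink symptom points at. HEX() exposes non-printing
--    or non-ASCII bytes that the plain value would hide. permalink_structure
--    should be a plain pattern such as /%year%/%monthnum%/%postname%/ ;
--    siteurl and home should be your own address; active_plugins should list
--    only plugins you installed yourself.
SELECT option_name, option_value, HEX(option_value) AS option_value_hex
FROM wp_options
WHERE option_name IN ('permalink_structure', 'siteurl', 'home', 'active_plugins');
```

Run these against a copy of the database as well as the live one: an admin row or an option value that appears in the dump is exactly what a full-database restore would bring back, which is why the export has to be limited to posts, pages and comments.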
Once I was armed with the information I needed in order to understand what was going on, (Thank you to my Twitter friends, and especially you Lorelle!) and what to do about it… it was time to go through each and every site I run and/or manage for my clients. A daunting task, to say the least.
Most of the sites I manage were only a version behind, since 2.8.3 wasn’t that old. There was one that I had to update from 2.7.1, and even one that I had to update from 2.5! That last one was in the most danger of falling victim to the worm, so I took special care with it, as updates from the 2.5 series had given me trouble in the past. (The introduction of “Tags” sometimes made upgrades from 2.5 rather difficult and laborious.)
Below are the steps I take when updating WordPress self-hosted blogs. There are a couple of tricks I’ve learned along the way that I hope help some of you on the rare occasion that you too come across a difficult upgrade. First and foremost, find the WP Codex upgrade instructions here, bookmark them, and visit them every single time you upgrade.
Upgrading your self-hosted WP blog
1. Back up the database. One of the first plugins I install with a new WP is the WP Database Backup plugin. Not only does it make backing up your database “one click easy”, but I can schedule it to send me daily backups of my databases! (You can choose whatever interval works best for you.)
2. Save a copy of the WP files currently in use. Why? If I’ve made manual edits to the core files, I can just pull them from the old files. Treat this copy as a reference to compare against, not as something to copy back wholesale: if the site was already infected, the old files can carry the worm’s injected code with them.
3. If you are doing a manual update, you must remember to deactivate all your plugins. This is especially important if you’re updating a version prior to 2.7! I forgot to deactivate mine on the oldest blog, so before I ran the database update, I simply removed my plugin folder and replaced it with the bare bones plugin folder from the new version. After I had run the update, I uploaded my plugins again, and activated them one at a time. Worked out fine.
4. With WP versions 2.7 and up, you can then simply press the “Update Now” button, and allow the blog to update itself (it will automatically deactivate your plugins, so no need to worry about step 3 above). This works, most of the time. If your server or browser times out, then you have to do it manually. See these instructions for a manual upgrade.
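For step 3, the plugin-folder swap described above is one way to deactivate everything when the dashboard is not an option; the database equivalent is below. This is an added example, not part of the original post or of the WordPress project’s own upgrade instructions, and it assumes the default “wp_” table prefix. WordPress keeps the list of active plugins as a PHP-serialized array in wp_options, and an empty array is the literal string a:0:{}, which is what makes this safe to set by hand:

```sql
-- Added example, not part of the original post. Assumes the default "wp_"
-- table prefix; substitute your own.

-- 1. Before the upgrade, record the current list so you know exactly which
--    plugins to re-activate afterwards. Keep this value outside the database.
SELECT option_value AS active_plugins_before_upgrade
FROM wp_options
WHERE option_name = 'active_plugins';

-- 2. Deactivate every plugin in one step. WordPress reads this option on the
--    next request, so no plugin code runs during the database update.
--    a:0:{} is the PHP-serialized form of an empty array; do not replace it
--    with '' or NULL, which WordPress would have to repair on load.
UPDATE wp_options
SET option_value = 'a:0:{}'
WHERE option_name = 'active_plugins';

-- 3. Confirm the change took effect before running the upgrade.
SELECT option_name, option_value
FROM wp_options
WHERE option_name = 'active_plugins';
```

After the upgrade, re-activate plugins from the dashboard one at a time (as the post does) rather than pasting the saved value back in one go, so that a plugin that breaks on the new version is identified immediately instead of taking the whole site down.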
Troubleshooting issues after an update
1. I use WP-Affiliate on the older site, and after the update, the links produced by the plugin were returning a 404 error. If this happens, simply go to “Settings > Permalinks” and save your options again. This cleared up the issue of the WP-Affiliate links not working. (Any time an update results in a problem with your links, this is a good step to take, as it oftentimes fixes the problem… WordPress just needs a little reminder to rebuild its rewrite rules.)
That was really the only issue I ran across, with over 20 WP updates, two of which were old enough to be in danger of being affected by the worm. All in all, WP really does make it pretty easy to maintain a healthy blog by keeping it updated. If you’ve run into issues updating a WP blog, comment here and perhaps we can figure it out together. I will add to the troubleshooting section of this article with any issues brought to my attention.