Ouch, Another Wordpress Update

Uh, version 2.1.1 of the popular Wordpress blog software was compromised by a hacker who introduced malicious code into the version that was downloaded and installed by quite a few people across the globe.

While I wasn’t directly affected (I hadn’t upgraded to 2.1.1 yet), I upgraded another instance of WP on my server immediately because it did have the malicious code, as a quick grep for “ix” in the wp-includes directory showed.

When I decided to upgrade my own blogs to 2.1.2 as well today (skipping the bad release ;) ) I realized again how painful upgrading Wordpress is. While the upgrade itself is one click once the new code is in place, getting the new code where it belongs is the painful part: code backup, database backup, disabling plugins, deleting the old code files (without deleting the user files that are thoroughly mixed in with the actual application files), running the upgrade script, and re-enabling the plugins.

Upgrading Wordpress should be easier than that. After all, it’s an open source project. Releasing early and often (RERO) is what makes it strong, so even weekly updates should be desirable, provided they are easy to do. So far, the Wordpress people haven’t done much to solve this, which is all the more surprising considering how many releases they’ve pushed out since their 2.0 milestone.

I could imagine an options page in the admin interface that automatically downloads a diff against the most recent version, tries to apply the patch (including merging) and fails gracefully if a conflict occurs (for extra credit, give advanced users an interface to resolve the conflicts). It should also do the DB backup and code backup itself: after all, it has at least read access to both its database and its code directory.

This is similar to what the Mozilla project calls AUS, the Application Update Service: it applies binary diffs to Firefox and friends in order to make staying up to date easier for people and save their precious time.

For now, I switched my wordpress instances to an SVN checkout of the latest tagged version, making the download process easier, but not solving the whole backup-disable-update-enable issue.
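The grep check mentioned earlier and the clean SVN checkout described here combine into a proper integrity check: compare the install's core directories against the clean release tree and report every file that differs, instead of trusting a two-letter grep. This is an added example, not code from the original post; the directory names and file contents in make_fixture are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post: compare a WordPress install's
# core directories with a clean reference tree (such as the SVN checkout of the
# release tag the post mentions), report any difference, then run the post's
# quick "ix" grep. Paths and file names in make_fixture are constructed.

# Core directories that must match the release byte for byte; wp-content holds
# user files (plugins, themes, uploads) and is deliberately skipped.
CORE_DIRS="wp-includes wp-admin"

# verify_core REF INST: one line per core file that is MODIFIED, MISSING from
# the install, or EXTRA (present in the install but not in the release).
verify_core() {
    ref=$1; inst=$2
    for d in $CORE_DIRS; do
        ( cd "$ref" 2>/dev/null && find "$d" -type f 2>/dev/null ) | while read -r f; do
            if [ ! -f "$inst/$f" ]; then echo "MISSING  $f"
            elif ! cmp -s "$ref/$f" "$inst/$f"; then echo "MODIFIED $f"
            fi
        done
        ( cd "$inst" 2>/dev/null && find "$d" -type f 2>/dev/null ) | while read -r f; do
            [ -f "$ref/$f" ] || echo "EXTRA    $f"
        done
    done
}

# core_is_clean REF INST: exit 0 only when verify_core reports nothing.
core_is_clean() { [ -z "$(verify_core "$1" "$2")" ]; }

# scan_marker INST: the post's quick check, a grep for "ix" under wp-includes.
# Two letters also match harmless words (prefix, suffix), so a hit is a reason
# to run verify_core, not proof of compromise on its own.
scan_marker() {
    find "$1/wp-includes" -type f -name '*.php' -exec grep -l -- 'ix' {} + 2>/dev/null
}

# make_fixture: builds a constructed clean reference and a tampered copy in a
# temp directory and prints that directory (used for a self-check).
make_fixture() {
    t=$(mktemp -d)
    mkdir -p "$t/ref/wp-includes" "$t/ref/wp-admin" "$t/ref/wp-content/plugins"
    printf '<?php function core_a() {}\n' > "$t/ref/wp-includes/example.php"
    printf '<?php function core_b() {}\n' > "$t/ref/wp-admin/example.php"
    printf '<?php // user plugin\n' > "$t/ref/wp-content/plugins/mine.php"
    cp -R "$t/ref" "$t/inst"
    printf 'function ix() { /* constructed marker */ }\n' >> "$t/inst/wp-includes/example.php"
    printf '<?php // dropped file\n' > "$t/inst/wp-includes/extra.php"
    printf '// user edit, must not be reported\n' >> "$t/inst/wp-content/plugins/mine.php"
    echo "$t"
}
```

On a real server, run `verify_core /path/to/clean-checkout /path/to/blog` after every download and before the upgrade script; an empty report means the core files are exactly the release.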

I like Wordpress — and I don’t seem to be alone: Wordpress is probably one of the most popular blog engines in the world. Now if they made updating as easy as installing it, they could show that their popularity has a good reason.



11 Responses to “Ouch, Another Wordpress Update”

  1. You’re absolutely right about WP being a pain to upgrade. I don’t mind the backups and I usually get a changefile for the updates, but something has got to be done about the plugins. They should really have a mass deactivate/activate tool, or at the very least a way to dump a list of the active plugins so you can know which ones are in use if you have plugins that you don’t have activated like I do. If they did I probably would have upgraded my software last night rather than waiting until this morning when I was more rested.

  2. How about a 5 minute backup (directory and MySQL) and upgrade for multiple Wordpress installs? Yeah, it’s real. :-) It can be found at the codecave.com, and I’ve used it for at least 8 Wordpress upgrades for several sites. Upgraded in less than 5 minutes. But it requires BASH. I built a web interface for it and I’m thinking of making a plugin version of that. Hope that helps… :-)

  3. Does that require deactivating and reactivating plugins? That could end up being a lifesaver, even for a single install of WP.

  4. No, you don’t have to disable plugins to upgrade wordpress. It turns out you don’t. But I also built a plugin (still working on it) that’s called Plugin Tools, and it allows you to disable and enable (previously enabled) plugins with one click. :-)

  5. I almost left everything activated since it seemed like such a relatively minor upgrade, but I tried that before and paid for my audacity. Plugin Tools sounds like it could be a godsend. I look forward to using it.

  6. Ok, I’ll keep working on it. Any ideas you have?

    I actually only had the plugin problem once upgrading from 1.5 to 2.0. :-) But that script does work. I just used it today. :-)

  7. I think my plugin issue came during a major update so I may try the next minor update without disabling anything and just putting my blog offline with the Site Unavailable plugin.

    I’ve been looking for a plugin that did three things, a mass deactivation before an update, a mass reactivation after the update, and a way to dump a list of the plugins like I can get with the Nightly Tester Tools plugin for Firefox. I’d be willing to help test it next time we have an update. I think I saw a script from Aaron Brazelle or someone else who did updates through the svn code.

  8. If you want I can send you the Plugin Tools plugin, it’s not finished or pretty but it works. :)

    So you want SVN code only? :-)

  9. […] glad I’m not the only one who thinks that wordpress upgrades mar an otherwise excellent experience. Comments indicate fixes may be in the pipeline, […]

  10. […] comments that I’ve seen elsewhere, Frédéric Wenzel makes the case for an improved WordPress upgrade experience. The objection is fair, I suppose, because the upgrade […]

  11. Good. I’ll upgrade to this version, too.