Uh, version 2.1.1 of the popular Wordpress blog software was compromised by a hacker who introduced malicious code into the version that was downloaded and installed by quite a few people across the globe.
While I wasn't directly affected (I hadn't upgraded to 2.1.1 yet), I upgraded another instance of WP on my server immediately because it did have the malicious code, as a quick grep for "ix" in the wp-includes directory showed.
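A grep for one marker only finds the tampering you already know about. A more general check, added here as an example and not code from the post or from the Wordpress project, is to hash every PHP file in the install and compare it against a pristine unpack of the official release tarball; anything modified, added or missing is then visible at a glance. The directory layout and file contents below are constructed samples.

```python
"""Integrity check of a Wordpress install against a pristine release copy.

Added example, not part of the original post. Assumes the official
release is unpacked in one directory (the reference) and the live
install sits in another; the trees built in demo() are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root: Path, suffixes=(".php",)) -> dict[str, str]:
    """Map each relative file path under root to its SHA-256 hex digest."""
    digests = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_trees(reference: Path, installed: Path) -> dict[str, list[str]]:
    """Report files that differ from, are missing from, or were added to the install."""
    ref, inst = hash_tree(reference), hash_tree(installed)
    return {
        "modified": sorted(p for p in ref if p in inst and ref[p] != inst[p]),
        "missing": sorted(p for p in ref if p not in inst),
        "added": sorted(p for p in inst if p not in ref),
    }


def demo() -> dict[str, list[str]]:
    """Build a clean reference tree and an install with one tampered file."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, inst = Path(tmp) / "reference", Path(tmp) / "installed"
        for root in (ref, inst):
            (root / "wp-includes").mkdir(parents=True)
            (root / "wp-includes" / "feed.php").write_text("<?php\n// constructed\n")
            (root / "wp-includes" / "theme.php").write_text("<?php\n// constructed\n")
        # constructed tampering: an extra line appended to one release file
        with open(inst / "wp-includes" / "feed.php", "a") as f:
            f.write("// constructed: line not present in the release\n")
        # constructed foreign file dropped next to release code
        (inst / "wp-includes" / "extra.php").write_text("<?php\n")
        return compare_trees(ref, inst)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Run against a real install, the reference hashes should come from a tarball you fetched and verified yourself, not from the install being checked.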
When I decided to upgrade my own blogs to 2.1.2 as well today (skipping the bad release ;) ) I realized again how painful upgrading Wordpress is. Once the code is in place it's a one-click upgrade, but getting the new code where it belongs is a pain in the arm. The ritual is: code backup, database backup, disabling plugins, deleting code files (yet not deleting the user files that are heavily mixed up with actual application files), running the upgrade script, re-enabling the plugins.
Upgrading Wordpress should be easier than that. After all, it's an open source project. RERO (release early, release often) is what makes it strong, and therefore even weekly updates should be desirable, but easy to do. So far, the Wordpress people haven't done much to solve this, which is even more surprising considering how many releases they've pushed out since their 2.0 milestone.
I could imagine an options page in the admin interface automatically downloading a diff for the most recent version, trying to apply the patch (incl. merging) and failing gracefully if a conflict occurs (for extra credit, give advanced users an interface to resolve the conflicts). It should also do the DB backup and code backup itself: after all, it has at least read access to both its database and its code directory.
This is a similar idea to what the Mozilla project calls AUS, the Application Update Service. It applies binary diffs to Firefox and friends in order to make staying up to date easier for people and save their precious time.
For now, I switched my Wordpress instances to an SVN checkout of the latest tagged version, which makes the download step easier but doesn't solve the whole backup-disable-update-enable issue.
I like Wordpress -- and I don't seem to be alone: Wordpress is probably one of the most popular blog engines in the world. Now if they made updating as easy as installing it, they could show that their popularity has good reason.