Just a quick note – if you’re about to install the WordPress 2.6 upgrade, make sure you don’t just check your homepage and then call it a night. On a site I help manage for some friends I ran into a huge bug – the upgrade went smoothly, the homepage looked fine, but all the posts returned 404 errors.
It’s apparently very common if you are using “index.php” in your URL structure, which many sites use because IIS doesn’t have an equivalent of Apache’s mod_rewrite or because their host doesn’t allow mod_rewrite for some reason.
The solution can be found in this thread on the WordPress support forums. Basically the solution is to get the latest copy of rewrite.php and copy over the version for 2.6. Here’s another post with a technique for category and tag pages.
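A post-upgrade check that goes past the homepage, as an added example that is not part of the original post: it fetches the homepage, follows its same-site links, and lists every page that does not return 200. The `blog.example` site and its pages are a constructed sample so the script runs offline; pass a real URL as the first argument to check a live site.

```python
import re
import sys
from urllib.error import HTTPError, URLError
from urllib.parse import urldefrag, urljoin, urlparse
from urllib.request import urlopen

HREF = re.compile(r'href=["\']([^"\']+)["\']', re.I)
# Constructed sample (hypothetical site): homepage loads, index.php permalinks 404.
SAMPLE_SITE = {
    "http://blog.example/": (200, '<a href="/index.php/2008/07/hello/">post</a>'
                                  '<a href="/index.php/category/news/#top">cat</a>'
                                  '<a href="/about/">about</a><a href="http://other.example/">ext</a>'),
    "http://blog.example/about/": (200, "about"),
}

def http_fetch(url):
    """Return (status, body); status 0 means the request never completed."""
    try:
        with urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, ""
    except (URLError, OSError):
        return 0, ""

def internal_links(home_url, html):
    """Same-host http(s) links in the homepage HTML, de-duplicated, in page order."""
    host, seen, links = urlparse(home_url).netloc, {home_url}, []
    for href in HREF.findall(html):
        url = urldefrag(urljoin(home_url, href)).url  # resolve relative links, drop #fragment
        parts = urlparse(url)
        if parts.scheme in ("http", "https") and parts.netloc == host and url not in seen:
            seen.add(url)
            links.append(url)
    return links

def broken_after_upgrade(home_url, fetch=http_fetch, limit=30):
    """Return [(url, status)] for the homepage or linked pages that are not 200."""
    status, html = fetch(home_url)
    if status != 200:
        return [(home_url, status)]
    checked = ((url, fetch(url)[0]) for url in internal_links(home_url, html)[:limit])
    return [(url, code) for url, code in checked if code != 200]

if __name__ == "__main__":
    live = len(sys.argv) > 1  # with a URL argument, check the real site
    fetch = http_fetch if live else (lambda u: SAMPLE_SITE.get(u, (404, "")))
    for url, code in broken_after_upgrade(sys.argv[1] if live else "http://blog.example/", fetch):
        print(code, url)
```

An empty result means every page linked from the homepage loaded; run it right after the upgrade, before you call it a night.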
There’s a lot to like about WordPress… the open-source codebase, the templating system, the extensible plugin architecture. But I’m starting to feel like I’m squeezed between a rock and a hard place – delay an upgrade and you run the risk of getting hacked; go forward with an upgrade and you run the risk of throwing 404s for your entire site.
I’ve already written about what to do once your site has been hacked, but let’s talk a bit about hack prevention.
I think it’s fair to say that most people manage their own WordPress installation because they have some programming background and want a little more control than you get with a hosted solution like Blogger or WordPress.org. Webmasters like you and me usually know a bit about security and how important it is to keep things up to date. The problem is that every minute spent upgrading your CMS to the latest version is a minute not spent writing or running your business.
So you know you should download the latest patch, make backups, disable plugins, install… but it’s already 1 a.m. and you need to meet clients in the morning, so you put it on the back burner and your site ends up hacked. What’s the solution? If you’re Technorati, the solution is to motivate bloggers a bit more by threatening to delist them. I can understand their point of view. But how about something a bit more positive – automation.
There are two ways I’ve automated WordPress upgrades. One is through Fantastico, which is a really cool script management system that your web host should probably provide. I’m giving up on Fantastico, though, because it takes a long time for it to notice updates.
The second way I just tried out recently is the WordPress Automatic Upgrade plugin. I’ve tried it out on three blogs now and so far so good – it hasn’t skipped a beat. This functionality really needs to be folded into WordPress itself – with 2.5, they added the ability to automatically upgrade plugins but it seems like most security holes lately are found in the WordPress code itself.
That plugin is WordPress-only, but I recommend doing some research to see if there’s something similar out there for your blog software or CMS. Even if WordPress never has another security bug, there’s always Joomla, and Drupal, etc…