WordPress.org has announced WordPress 3.7 – a new version of its blogging and content management software.
The software, dubbed “Basie” in honor of American jazz pianist Count Basie (previous versions have included “Oscar”, “Getz”, “Ella”, “Coltrane”… WordPress.org clearly loves its jazz), comes with some significant enhancements in terms of security.
Best guesstimates reckon that WordPress-powered websites account for some 20% of the sites on the internet – which makes any advancements with its security incredibly significant for the protection of the web.
After all, with so many websites running the same software any exploitable vulnerabilities become very attractive to malicious hackers – who might be interested in compromising sites en masse to spread malware or create a botnet.
From the security point of view, here’s how the new features in WordPress 3.7 are described:
Updates while you sleep: With WordPress 3.7, you don’t have to lift a finger to apply maintenance and security updates. Most sites are now able to automatically apply these updates in the background. The update process also has been made even more reliable and secure, with dozens of new checks and safeguards.
Stronger password recommendations: Your password is your site’s first line of defense. It’s best to create passwords that are complex, long, and unique. To that end, our password meter has been updated in WordPress 3.7 to recognize common mistakes that can weaken your password: dates, names, keyboard patterns (123456789), and even pop culture references.
Obviously anything which encourages stronger, harder-to-crack passwords is a positive step – but the more interesting feature for me is automatic updating of maintenance and security updates.
Statistics from W3Techs reveal that an alarming percentage of sites are still using out-of-date versions of the software on their websites, which contain known vulnerabilities.
Despite all the publicity about WordPress security flaws, many sites are still running vulnerable versions of the software on their sites, potentially putting themselves – and the internet users who visit them – at risk.
If administrators upgrade their websites to use WordPress 3.7, then they can avoid some of the donkey-work involved in keeping their website software current. Future maintenance updates and security fixes should be automatically rolled out.
There’s also an option to enable automatic updates for plugins and theme skins – good from the security point of view, but typically website administrators like to be cautious, checking that updated plugins written by third parties don’t cause conflicts or have unexpected consequences on their sites.
Automatic updates aren’t for everyone, of course, and some more hands-on website administrators will feel happier disabling the functionality.
I have no doubt, however, that WordPress.org is going to do more work in this area – making the system more reliable, and pushing hard to make updates an even more seamless and safer process for website owners in future.
If you run a WordPress-powered website, check today which version you are running – and upgrade to version 3.7 if you can.
Note: Sites running self-hosted versions of WordPress from WordPress.org are different from the many millions of blogs which run on WordPress.com. WordPress.com, run by Automattic, manages the installation of WordPress for you, and looks after security on your behalf.
Although there are some limitations on what website owners can do on WordPress.com, they can always be sure that they are running the latest version of WordPress.
Don’t worry if you’re confused. It’s kinda crazy, in my opinion, that the names are so similar.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.