Whenever WordPress sends out notice that an update includes a security fix, I install it on my own blog right away, for two reasons.
- That phrase security fix
- I want to know how it acts on my blog, before I need to use it on someone else’s
The folks at WordPress are telling us that WP 2.5.1 includes a very important security fix and over 70 other fixes. They’re plowing through the most annoying WP 2.5.* bugs and improving performance. The security part is what gets my attention:
Version 2.5.1 of WordPress is now available. It includes a number of bug fixes, performance enhancements, and one very important security fix. We recommend everyone update immediately, particularly if your blog has open registration. The vulnerability is not public but it will be shortly.
Give wp-config.php a SECRET_KEY
Reading the official wordpress.org blog is a good idea. Sometimes you learn things. Today I found out about the secret keys that are available for WordPress config files.
Since 2.5 your wp-config.php file allows a new constant called SECRET_KEY which basically is meant to introduce a little permanent randomness into the cryptographic functions used for cookies in WordPress. You can visit this link we set up to get a unique secret key for your config file. (It’s unique and random on every page load.) Having this line in your config file helps secure your blog.
Deactivate plugins before upgrading WordPress. Usually, even if you forget to deactivate plugins everything will be OK. However, once in a while a plugin will conflict with an upgrade, and reactivating them one by one will help indicate the culprit.
My opinion is that it is better to drop a plugin than put off a security upgrade. Plugin authors who are actively maintaining their plugin are usually pretty good about speedy updates.
Protect customization. If you use a customized version of WordPress Default or Classic, consider naming your version and moving it into a folder of its own. No matter how careful we all are, there will come a day when something important gets copied over. If your theme folder is not part of a standard WP install, there is no way that upgrading can accidentally copy over your work.
In case you’re interested, I wrote a brief guide about how to use WP Default to start a new theme.