WordPress 3.7 Debuts, Improving Security for Millions

The world's most popular open-source content management system got a big update, and it's one that is big on security features.

A new version of the open-source WordPress content management and blogging platform, Version 3.7, has been officially released, providing users with improved stability and security. The impact of the new WordPress platform on the Web as a whole is nontrivial, as WordPress currently is the technology behind some 72 million Websites.

WordPress founder Matt Mullenweg has named the new release Count Basie in honor of the legendary Jazz musician. The naming of a WordPress release after a Jazz great is common practice for Mullenweg. He named the WordPress 3.6 release Oscar after Jazz musician Oscar Peterson and the WordPress 3.5 release Elvin in honor of Jazz musician Elvin Jones.

Jazz can often be an easygoing form of music, and ease of use overall is a theme that WordPress is bringing forward in the 3.7 update with easier updates. One of the biggest changes in the WordPress 3.7 release is the much anticipated introduction of background updates.

Until the 3.7 release, WordPress users needed to manually click the update button inside WordPress or download a new release to update an installation for security fixes. It's a situation that could well have left countless millions of sites with older versions of WordPress, which could potentially be exploited by attackers. However, the new background updater in Version 3.7 can now automatically update WordPress installations for maintenance and security.

The concept of automatic security updates is one that multiple software vendors have embraced in recent years for client-side applications. Google, Adobe and Mozilla all now have some form of background updater technology, which provides users with the latest security updates without the need for a manual update.

Introducing automatic updates for a server-side technology like WordPress, however, could be riskier as it could potentially also impact the myriad plug-ins or underlying technology that the site is running on. Matt Bergin, security consultant at CORE Security, told eWEEK that there are two common issues he sees with automatic updates.

"A great old trick we used to do back in the day was to watch network traffic where we've created man-in-the-middle conditions and in real-time patch Windows updates with our malicious payloads," Bergin said. "The second issue is stability related. Allowing automatic updates which may in turn bork a production environment has never been and will never be a good idea."

WordPress developers, however, are confident the system is stable and safe for production usage.

"Sites already running WordPress 3.7 have attempted more than 110,000 updates without a single critical failure, thanks to a number of verification steps that have made updates that much more reliable," WordPress developer Andrew Nacin wrote in a blog post. "A background update for a minor or security release (which is all they are enabled for, by default) means downloading and copying over just a few files."

Going a step further for the risk-averse, there is also a Background Update Tester plug-in available that site owners can use to validate and test to make sure their sites can properly update in the background. As an open-source project with open code, WordPress site administrators can also choose to disable the background updates if they so choose.

The update mechanism itself has also been secured by WordPress developers through the use of Secure Sockets Layer (SSL) encryption. WordPress developer John Blackbourn blogged that WordPress 3.7 will only communicate to the core api.wordpress.org site over SSL.

"This is an especially important security enhancement, given that automatic background updates are now a part of WordPress," Blackbourn wrote. "Indeed, automatic background updates are disabled if the server cannot communicate securely with the api.wordpress.org."


Automatic background updates aren't the only security enhancement in WordPress 3.7. One of the easiest ways any Website can be attacked is via weak passwords, which is another area of improvement in WordPress 3.7. The system will now alert users when they try to create a weak password that might include common terms that can be easily guessed by an attacker. The password "1234," for example, will now trigger an alert warning the user that the password is insecure.

The WordPress 3.7 update is available to existing self-hosted WordPress users from inside the WordPress dashboard and is freely available to anyone as a direct download as well.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.