Uneasy Rhetoric

WordPress is, as usual, on the ball with their security, issuing a new release of the software in light of a security flaw.

Generally, I don’t find upgrading these minor versions to be extremely difficult, but it is onerous. I have to backup my database, backup my files, turn off my plugins which breaks my site temporarily, delete all of the appropriate files (while making sure to save the essential ones) and then upload the new files. I had a hard enough time upgrading from 1.2 to 1.5 that I always sweat a little when I test the new version. Since upgrading to 1.5 however, I’ve done another 4 upgrades without a hitch.

But a part of me agrees with this guy:

Yet again, another tiny update to Wordpress has been released, but yet again it is available only as a ‘full install’ ie over-writing ALL of the files that need to be modified for plugins etc. I’m getting a bit (sic) annoyed about this, but luckily I was able to download WinMerge, which told me the files that had actually changed. Given that it took about 10 seconds, why the Wordpress team couldn’t have done the same, and included the changed files in an ‘upgrade’ package, is beyond me.

Another part of me thinks that the reason for the full re-installs is either that code was changed across a number of files or they didn’t want to give away the source of the security flaw or both.

The second theory seems less likely though in light of these instructions from WordPress:

If you are unable to do upgrade in the short-term you may protect yourself by deleting the xmlrpc.php file from your WordPress directory.