Viewing 1 replies (of 1 total)
  • There are several specific areas in which 2.5 improved security over 2.3.3. First is the way passwords are handled. Previously, if someone got a copy of your database, they could spoof the login credentials of your admin user, and log in to your site (assuming the password is the same).

    The second is the way WordPress handles nonce check failures. Someone could make a CSRF attack: if you’re logged into your blog yet visiting someone else’s site, you could be tricked into performing administrative actions on your site while thinking you’re doing something else on the other site (such as submitting a comment).

    Third, 2.5 has better escaping of values submitted to MySQL queries, which is a common type of exploit.

    Only you can decide whether you think the risks of staying with an older version outweigh the perceived disadvantages, but as time goes by it’s likely that particular security holes will be discovered in 2.3.3 and it will become even riskier not to upgrade.
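The reply above names three mechanisms without showing them. The following is an added illustration, not code from WordPress or from the forum poster: a keyed, time-limited nonce of the kind used to reject forged cross-site requests, a salted password hash so that a copied database does not hand over a reusable credential, and a parameterized query as the alternative to hand-escaping values for the database. The secret key, the nonce lifetime, the hash parameters and the sqlite3 stand-in for MySQL are all assumptions made for the example; they are not the values or APIs WordPress 2.5 uses.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time

# Constructed secret for the example. In a real site this lives in a config
# file, not in the database, so a dump of the database alone cannot forge nonces.
NONCE_KEY = b"constructed-example-secret-do-not-reuse"
NONCE_LIFE = 24 * 60 * 60          # assumed: a nonce stays valid for at most 24 hours
PBKDF2_ROUNDS = 100_000            # assumed work factor for the password hash


# --- 1. Nonce: ties a state-changing request to an action, a user and a time window ---

def nonce_tick(now=None):
    """Time bucket that advances every NONCE_LIFE / 2 seconds."""
    now = time.time() if now is None else now
    return int(now / (NONCE_LIFE / 2))


def _nonce_for_tick(tick, action, user_id):
    msg = f"{tick}|{action}|{user_id}".encode()
    # HMAC over the tuple; truncated to keep the token short, still unforgeable
    # without NONCE_KEY.
    return hmac.new(NONCE_KEY, msg, hashlib.sha256).hexdigest()[:10]


def create_nonce(action, user_id, now=None):
    """Token to embed in the admin form or link for this action and user."""
    return _nonce_for_tick(nonce_tick(now), action, user_id)


def verify_nonce(nonce, action, user_id, now=None):
    """Accept the current tick and the previous one, then reject."""
    tick = nonce_tick(now)
    for t in (tick, tick - 1):
        if hmac.compare_digest(nonce, _nonce_for_tick(t, action, user_id)):
            return True
    return False


def handle_delete_post(params, user_id, now=None):
    """Server-side handler: a missing or stale nonce turns the request away
    instead of performing the action (the 'nonce check failure' path)."""
    if not verify_nonce(params.get("_nonce", ""), "delete-post", user_id, now):
        return "403 nonce check failed"
    return f"deleted post {params['post']}"


# --- 2. Password storage: per-user random salt, slow hash, constant-time compare ---

def hash_password(password, salt=None):
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def check_password(password, stored):
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


# --- 3. Database access: bind values instead of escaping them into the SQL text ---

def make_db():
    """Constructed in-memory table standing in for the users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, login TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin')")
    return conn


def lookup_user(conn, login):
    # The driver sends `login` separately from the statement, so quotes or
    # keywords inside it cannot change the query's structure.
    row = conn.execute("SELECT id FROM users WHERE login = ?", (login,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    t0 = 1_000_000
    n = create_nonce("delete-post", 1, now=t0)
    print(handle_delete_post({"_nonce": n, "post": 42}, 1, now=t0))
    print(handle_delete_post({"_nonce": n, "post": 42}, 1, now=t0 + NONCE_LIFE))
    h = hash_password("correct horse")
    print(check_password("correct horse", h), check_password("wrong", h))
    db = make_db()
    print(lookup_user(db, "admin"), lookup_user(db, "admin' OR '1'='1"))
```

The nonce is bound to the action and the user as well as the time window, so a token lifted from one form cannot authorize a different action; `handle_delete_post` shows the refusal path rather than silently carrying on. Two hashes of the same password differ because each gets its own salt, and `check_password` compares in constant time.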

  • The topic ‘Do I Have To?’ is closed to new replies.