A Picture Guide to securing your WordPress 1.5.x Blog

Recent reports indicate that WordPress 1.5.x installs are not secure. The patches have been applied in WP 2.0.2; however, if you are running 1.5.2, you are still vulnerable.

Alex writes “Why you should upgrade your WordPress install to 2.0.2” because of this.

However, if you are like me and don’t want to upgrade to 2.x but still want to secure your WordPress blog then this guide is for you.


This guide is for those running Windows with no shell access to their server.
Before you begin, please back up your WordPress database.

Step 1: Get hold of an SVN Client

First, get hold of TortoiseSVN. This is an SVN client which will help you download the latest 1.5 release of WordPress via SVN. Once downloaded, install it and reboot your computer.
You can use another SVN client, but since I use this one, the tutorial will stick to it.

Step 2: Downloading WordPress files

Create a folder where you wish to download the files. I’ve made mine and called it wordpress.

Right-click on the folder and select SVN Checkout
Select SVN Checkout

Enter the URL of the repository as http://svn.automattic.com/wordpress/branches/1.5/
The checkout directory should be correctly filled in.
Update: To upgrade to 2.0, the URL should be http://svn.automattic.com/wordpress/branches/2.0/

Fill in the Repository URL

On clicking OK, TortoiseSVN will download all the files and store them in the wordpress folder.

List of downloaded files

TortoiseSVN creates .svn folders, with files in them, in each and every subfolder. You will not need these if you don’t plan on updating your WP install regularly, so the next step is to delete all these folders.

In Explorer, search for .svn, then select and delete all the folders found. The files inside them are deleted along with the folders.

Step 3: Uploading WordPress to your site

Before you go ahead uploading all the files, remember that if you have modified any files in your wordpress install, they will get overwritten. So back them up before you do anything.
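One way to see in advance which of your files the upload would overwrite with different content, and to confirm that no .svn folders are left in the checkout. This is an added example, not part of the original guide; it assumes you have downloaded a copy of your live blog's files into a local folder, and the sample trees and their contents below are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path

def index_tree(root):
    """Map each relative file path to its SHA-256, skipping .svn folders."""
    root = Path(root)
    index = {}
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        if path.is_file() and ".svn" not in rel.parts:
            index[rel.as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return index

def compare_trees(installed_root, checkout_root):
    """Return (changed, added) relative paths, seen from the checkout."""
    installed = index_tree(installed_root)
    checkout = index_tree(checkout_root)
    changed = sorted(p for p in checkout
                     if p in installed and installed[p] != checkout[p])
    added = sorted(p for p in checkout if p not in installed)
    return changed, added

def find_svn_dirs(root):
    """List .svn metadata folders still present under root."""
    root = Path(root)
    return sorted(p.relative_to(root).as_posix()
                  for p in root.rglob(".svn") if p.is_dir())

def build_sample_trees():
    """Create two small constructed trees (placeholder contents) to compare."""
    base = Path(tempfile.mkdtemp())
    sample = {
        "installed": {"index.php": b"same", "wp-settings.php": b"tweaked",
                      "wp-includes/version.php": b"old"},
        "checkout": {"index.php": b"same", "wp-settings.php": b"patched",
                     "wp-includes/version.php": b"new", "extra.txt": b"x",
                     ".svn/entries": b"svn metadata"},
    }
    for tree, files in sample.items():
        for rel, data in files.items():
            path = base / tree / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
    return base / "installed", base / "checkout"

if __name__ == "__main__":
    installed, checkout = build_sample_trees()
    print("changed, added:", compare_trees(installed, checkout))
    print(".svn folders left in checkout:", find_svn_dirs(checkout))
```

Point the two arguments of `compare_trees` at your own folders instead of the sample trees; any file in the changed list that you had customised needs its tweaks reapplied after the upload.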

While you can use FTP or cPanel or any of your usual methods of uploading files, I prefer using Net2FTP as it allows me to zip and upload and extract the files.

Create a zip file from within the wordpress folder using WinZip or any other archiving software.
Enter the wordpress folder, select all the files, right-click and, under WinZip, select Add to wordpress.zip.
Create wordpress.zip

Now go to Net2FTP.com and log in to your site using your FTP information.
Net2FTP.com

After logging in, click on the Upload button in the top toolbar.
Click Upload

On the new page, browse and select the wordpress.zip file that we created. Ensure that Use folder names is checked.
Archive Upload

In the Upload to directory: field, enter the path to your blog. My blog resides in /public_html. Click the green tick mark to submit.
Upload to directory

The zip file will be uploaded, its contents will be extracted, and already existing files will be overwritten. This process may take a while and Net2FTP may give you a “Task has been stopped” error. Ignore it if the last file in the transferred list is license.txt.

Log out from Net2FTP.

Step 4: Finishing off

Now we need to run the upgrade script in wp-admin.
Go to http://[yourblogurl]/wp-admin/upgrade.php and click Upgrade WordPress.

Running upgrade.php

With this last step, your blog will be upgraded to the latest revision of 1.5.x (currently 1.5.3-beta1 at the time of this guide).

It contains all the security patches that are present in 2.0.2.

BTW if you like this tutorial, please do Digg it.

16 Responses to “A Picture Guide to securing your WordPress 1.5.x Blog”

  1. [...] If you are running WordPress 1.5.x, your blog may be vulnerable. If you do not wish to upgrade to 2.0.2 but still want to ensure that you have the security fixes in place then this guide is for you. Includes a step by step tutorial along with pictures. Technorati Tags: svn wordpress   [...]

  2. Hello,

    I suppose that not all the files have been modified: can you give the list of the changed files? I made loads of tweaks and wouldn’t want to lose them…

    Cheers

  3. The only way that you will be able to find out which files have been modified, you may need to check out the 1.5 branch in the trac or through the changesets.

  4. Thanks Ajay - the trac browser link was spot on :)

  5. You’re welcome :)

  6. [...] I have written a guide for the same, so that you can get your blog secured. [...]

  7. [...] Meanwhile, if you want to update your blog with the latest patches, I recommend following this short guide. [...]

  8. I did a checkout and diff’d against my current wordpress installation (1.5.2) and the following files were changed:

    wp-comments-post.php
    wp-mail.php
    wp-register.php
    wp-settings.php
    wp-admin/admin.php
    wp-admin/profile.php
    wp-admin/user-edit.php
    wp-includes/class-snoppy.php
    wp-includes/functions-formatting.php
    wp-includes/pluggable-functions.php
    wp-includes/template-functions-links.php
    wp-includes/version.php

    Hope this may help someone…

    Pat

  9. Thanks Pat

  10. Am I reading correctly that this is a patch for 1.5.x, and that it’ll be superseded by the full 1.5.3 release?

    And for that matter, what’s the story with the development of 1.5.3? Is this a forking-off of WP, with the main developers going forth with 2.x?

  11. [...] Ajay D’Souza has put together a great tutorial explaining how to keep your 1.5.x copy of WP up to date with the latest security fixes and whatnot. [...]

  12. Yes that is right CT.

    The main WordPress developers are actively developing 2.x

    However, a few individuals in the community keep track of changes in 2.x and if any security fixes are found, apply them to 1.5.x fork as well.

    1.5.3 may be released soon to fix the security problems in 1.5.2

    However, I can’t give you a date nor can I tell you its surety since I am not in the development team.

    This guide ensures that your blog is secured until the release.

  13. [...] Also wrote the highly hit upon A Picture Guide to securing your WordPress 1.5.x Blog. [...]

  14. Interesting. I would have thought 1.5 would have been abandoned once 2.0 rolled out; it’s not like anyone was/is keeping 1.2.x versions alive. Is this a serious effort to keep the 1.5 version going?

    I’m still on 1.5, and have no intention to upgrade until/unless I have to. So any continuation of the old version is great with me.

  15. CT,

    You just answered your own question. Many users are still on 1.5.

    And it is but expected that the build remain secure.

    The jump from 1.2 to 1.5 was major and very welcome and hence everyone was asked to upgrade to 1.5.

    Regarding 2.0, many of us users still prefer 1.5 to it.

  16. IS WORDPRESS FORKING?

    A few days ago, I came upon Ajay D’Souza’s guide for upgrading the security features on WordPress 1.5.x installations.
    I was a little surprised to find something like this. With the release of WP 2.0 (since upgraded a couple of times, to …
