Have you ever seen this before?
If you use self-hosted WordPress, you have. You know what baffles me? People who ignore this message. Sometimes for years.
Yes, I’ve seen some people using WP versions that are YEARS out of date.
Isn’t that just completely baffling? Let’s put aside all the “big” reasons to update WordPress (like security). There’s one thing that I just don’t get… That little, red-ish orange-ish updates bubble on the left bugs the shit out of me. I can’t stand to be inside a WordPress installation that has that little bubble. It just irks me.
Same goes for the “WordPress x is available! Please update now.” message. If it were me, I would be annoyed if I saw that every single time I logged in. So what would I do? Click the button and perform the update.
I just don’t understand how some people can ignore that message! For years!
I recently (after WP version 4.x) came across a person who was still using the old WordPress interface. You know, the one that looked like this:
That means they looked at that annoying little bubble for about 2.5 years. TWO AND A HALF YEARS.
But it’s not just an annoying bubble—outdated WordPress is insecure.
There are two reasons why WordPress gets updated:
1. To introduce new features.
2. To fix things.
#1 isn’t necessary. It’s nice, and it’s what helps WordPress compete with other platforms, but ultimately it’s not required. You can live without extra features.
But #2 is super important. Some things that get fixed are things you may never notice, like little glitches that only happen under certain circumstances. But other things are huge security vulnerabilities. Just look at this big list of WordPress security vulnerabilities. That’s a list of all the things that have been wrong with WordPress. Here are just a few:
- wp-includes/class-wp-customize-widgets.php in the widget implementation in WordPress 3.9.x before 3.9.2 might allow remote attackers to execute arbitrary code via crafted serialized data.
- WordPress before 3.6.1 does not properly validate URLs before use in an HTTP redirect, which allows remote attackers to bypass intended redirection restrictions via a crafted string.
- wp-includes/functions.php in WordPress before 3.6.1 does not properly determine whether data has been serialized, which allows remote attackers to execute arbitrary code by triggering erroneous PHP unserialize operations.
- Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFupload 2.2.0.1 and earlier, as used in WordPress before 3.5.2, TinyMCE Image Manager 1.1 and earlier, and other products allows remote attackers to inject arbitrary web script or HTML via the buttonText parameter, a different vulnerability than CVE-2012-3414.
Those are all ways that hackers can get into your site, destroy your site, change your site, or take down your site. By not updating WordPress, you’re leaving yourself vulnerable to those attacks.
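To see which of the advisories quoted above apply to a given install, here is an added example (not part of the original post) that reads the version string from the contents of `wp-includes/version.php` and compares it with the "before x" versions in those advisories. The function names, the one-line summaries and the sample file are constructed for illustration.

```python
import re

# Fix versions taken from the advisories quoted in the post above.
# (branch, fixed_in, summary): branch=None means "any version before fixed_in".
ADVISORIES = [
    ((3, 9), (3, 9, 2), "code execution via crafted serialized widget data"),
    (None, (3, 6, 1), "redirect URL validation bypass"),
    (None, (3, 6, 1), "code execution via erroneous unserialize"),
    (None, (3, 5, 2), "XSS in bundled swfupload.swf (buttonText)"),
]
VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""", re.M)

def read_wp_version(version_php_text):
    """Extract $wp_version from the contents of wp-includes/version.php."""
    m = VERSION_RE.search(version_php_text)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)

def parse_version(v):
    """'3.9' -> (3, 9, 0); '4.0-beta1' -> (4, 0, 0). Suffixes are dropped."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(p or 0) for p in m.groups())

def applicable(version):
    """Return summaries of the quoted advisories that affect this version."""
    v = parse_version(version)
    hits = []
    for branch, fixed_in, summary in ADVISORIES:
        # "3.9.x before 3.9.2" only concerns the 3.9 branch, not older ones.
        in_branch = branch is None or v[:2] == branch
        if in_branch and v < fixed_in:
            hits.append(summary)
    return hits

# Constructed sample of a version.php file, not taken from a real site.
SAMPLE_VERSION_PHP = """<?php
/** The WordPress version string */
$wp_version = '3.5.1';
"""

if __name__ == "__main__":
    found = read_wp_version(SAMPLE_VERSION_PHP)
    for issue in applicable(found):
        print(f"WordPress {found}: {issue}")
```

An empty result only means none of these four advisories apply; it says nothing about issues fixed in later releases.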