A worm has been spreading that breaks sites running out-of-date versions of WordPress by attacking a vulnerability fixed nearly a month ago. If you have a web site, you have a responsibility to keep the software that runs it up to date. Period.

I will admit that I have not always followed this rule, but one of the reasons I use WordPress is that it’s so easy to keep up to date. In looking at the built-in method for updating versions of WordPress or plugins, I’ve never really trusted it. That’s nothing against the guys at Automattic, I’m just old school. But my sites are usually updated within 24 hours of a new release. How do I do this?

Each upgrade begins with downloading the latest version of WordPress. I then prune the stuff I don’t want copied to my sites’ folders, such as the wp-config-sample.php sample file, and from the wp-content folder, such as the Hello Dolly plugin. Sometimes I also add common plugins that may have been updated in conjunction with the update to the version of WordPress I’m upgrading to.

Then I update one of my development site folders. If there aren’t any problems there, I compress and upload the pruned WordPress folder to my server, and then uncompress it so I can copy it to my various WordPress installations’ folders.

Here’s a simple shell script that I run after uploading this new version of WordPress to my server and backing up the databases of the sites I want to upgrade.

#!/bin/sh
# stop on the first error or unset variable
set -eu

# path where you'll want new WordPress files copied
wp_files="/path/to/public_html"
# name of the folder containing the new WordPress files
wp_version="wordpress_2.8.4"

# Perform the upgrade for mydomain.com
# this is the folder name for mydomain.com's WordPress files
path2wp="www.mydomain.com"
# remove the old core folders before copying in the new ones
rm -R "$wp_files/$path2wp/wp-admin"
rm -R "$wp_files/$path2wp/wp-includes"
# copy the new files over the existing installation
cp -R "$wp_files/$wp_version"/* "$wp_files/$path2wp/"

echo "Completed mydomain.com wordpress upgrade"

I run this command-line script ( ./upgrade_wp.sh ) on my server.

On all the servers I’m responsible for, running this script doesn’t take much more than a second, including one server that has more than 20 WordPress sites installed on it. I always test out the new version on my development server, but by using the built-in APIs and trying to limit the third-party plugins I use, I’ve never had this method break one of my sites. This has worked well for the nearly 200 installations I’ve done in more than three years of using WordPress.
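On a server with many installations, the same remove-and-copy steps can be wrapped in a function that refuses to delete anything unless its checks pass. This is an added example, not the script from this post; the function names upgrade_site and upgrade_all, the wp-config.php check, and the folder names in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not the post's script). All folder names are hypothetical.

# upgrade_site RELEASE_DIR SITE_DIR
# Returns 0 on success; returns 1 before deleting anything if a check fails.
upgrade_site() {
    src=$1
    dst=$2

    # Empty arguments would turn the rm below into "rm -R /wp-admin".
    [ -n "$src" ] && [ -n "$dst" ] || return 1

    # The release folder must contain both core folders we are about to replace.
    for d in wp-admin wp-includes; do
        [ -d "$src/$d" ] || { echo "skip $dst: $src/$d missing" >&2; return 1; }
    done

    # Only touch folders that already hold a configured install.
    [ -f "$dst/wp-config.php" ] || { echo "skip $dst: no wp-config.php" >&2; return 1; }

    # Same steps as the post: remove the old core folders, then copy the
    # new tree over the site. The pruned release carries no wp-config.php.
    rm -Rf "$dst/wp-admin" "$dst/wp-includes" || return 1
    cp -R "$src"/. "$dst"/
}

# upgrade_all RELEASE_DIR SITE_DIR...
# Returns the number of sites that were skipped or failed.
upgrade_all() {
    release=$1
    shift
    failed=0
    for site in "$@"; do
        if upgrade_site "$release" "$site"; then
            echo "Completed $site wordpress upgrade"
        else
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Usage: upgrade_all /path/to/public_html/wordpress_2.8.4 \
#            /path/to/public_html/www.mydomain.com /path/to/public_html/other-site
```

A non-zero exit status tells you how many folders were skipped, so a half-uploaded release or a mistyped site path leaves the live sites as they were.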

This isn’t all that original and there are many instructions for upgrading from a Subversion server. I just prefer this method. As always, your mileage may vary and this shell script and technique come with no warranty whatsoever.

Be serious about your web site and its security by staying up to date.