WordPress 3.0: Security Upgrades Overview & How To Install It

June 19, 2010


WordPress 3.0 “Thelonious” came out this week and like usual, everyone is encouraged to upgrade. Down below I’ll show you a video on how to manually install WordPress 3.0, but before we get to that, I just want to address a question I’ve been asked a few times already in regards to WordPress 3.0 security.

An online buddy of mine, Keith Davis, asked me a great question in regards to WordPress 3.0 security. He asked:

Hi John

I notice that WordPress 3.0 has now been released and we are all urged to upgrade.
I would have to make changes to my theme to make it compatible with WP 3.0 and since I’m not looking for additional functionality, the only reason I would upgrade is for added security.

The only reference I can find to increased security in version 3 is the ability to change the default username from admin – but most of us will have done that anyway as per your advice.

Would you say that an upgrade to version 3 is essential on security grounds?

Great question… and here’s my response.

It seems the security enhancements in WordPress 3.0 really only apply to those end-users who are installing WordPress for the first time (manual install).

For better WordPress security and help keep malicious hackers locked out, it’s a good idea to do the following three things:

  • Choose a different username than the default “admin”
  • Change the default database table prefix to something other than wp_
  • Add WordPress security keys

As Keith mentioned, I’ve shown him (and others) how to do those things in my ebook, WordPress Defender. WordPress 3.0 just makes it easier for you to do those things all during the setup process; in fact, the security keys are created automatically for you (see the video below).

So Keith, to answer your question about upgrading, no it’s not necessary in my opinion to upgrade right away; however, realize that although WordPress says they aren’t planning on a 3.1 right away, you never know. Tomorrow we might all discover one major security hole and every one must upgrade immediately.

If I were you or someone else in your position, I’d start planning how I’m going to upgrade real soon. You might contact your theme’s author and see what their plans are.

How To Install WordPress 3.0 Manually

Don’t forget, before you do a WordPress upgrade, it’s important to first fully back up your blog.

, , ,

BTC Newsletter Signup
Improving blogging experiences one lobe at a time.

About John Hoff

John is the lead instructor inside the Blog Training Classroom Video Course. He's been blogging since 2007, authored a WordPress Security ebook, and was recently featured at Niche Profit Classroom as an affiliate rising star.

View all posts by John Hoff

11 Responses to “WordPress 3.0: Security Upgrades Overview & How To Install It”

  1. Keith Davis Says:

    Hi John
    Looks as though you are well ahead of the game.. as usual.
    Thanks for a super reply and a great video.

    My theme has already been updated by the theme author so at some stage I will have to bite the bullet.

    Notice that on the subject of security keys, WordPress say….

    “Security Keys
    Beginning with Version 2.6, three (3) security keys, AUTH_KEY, SECURE_AUTH_KEY, and LOGGED_IN_KEY, were added to insure better encryption of information stored in the user’s cookies. Beginning with Version 2.7 a fourth key, NONCE_KEY, was added to this group.”

    Does that mean that if you installed WordPress using 2.7 or later, you already have the 4 security keys.
    Or should you change them occassionally?

    BTW – I would recommend your eBook to anyone who has a WordPress blog. The book is a fantastic example of how to make a highly technical subject understandable to those of us who have no coding skills, but can cut and paste.
    I also enjoy reading it for the bits of humour. Can’t say that about many technical books.


  2. John Hoff Says:

    Hi Keith. First, thanks for the wonderful comments on my ebook. Can I use that as a testimonial?

    About the security keys.

    Check in your wp-config.php file and make sure you have all 4 keys. If you only have 3, then head over to the WordPress security keys api and get the 4th one.

    These keys will help to encrypt your cookie sessions when you log into WordPress.

    There is, however, a slight performance drain because these keys must access the database to work. Glad you’re on the WordPress Defender Newsletter, because my next email is going to show you how to get around this performance drain.


  3. Keith Davis Says:

    Hi John
    Please feel free to use my comment as a testimonial.

    Just got your newsletter link to video on “how to speed up your WordPress blog by adding defined constants.”

    Like you say… “as easy as cut and paste”.


  4. Aaron Says:

    Hi John.. as mentioned in my previous comment on gzipping. Using a compression/caching plugin such as W3 Total Cache or WP Super Cache can really increase the loading time of your site and make any security-patch impact unnoticeable. That all being said, I find that WP 3.0 stock is faster than WP 2.9 stock, at least navigating around the admin interface. Not sure what they did, but it sure seems zippier for me.


  5. John Hoff Says:

    @Aaron – I’m sure it’s with the efficiency of PHP coding. When I was in college I learned how to program using C++. You could write the same program multiple ways and some would take a lot longer to resolve than others. Just a simple thing as how a list of numbers are sorted can greatly increase or decrease how fast a program works.

    That’s why it’s always nice to find Themes which are coded well. A poorly coded theme (or plugin) can severely slow things up.


  6. Anthony Says:

    I upgraded one of my accounts to 3.0 and had to do a lot of changing to the theme. Not worth changing all the other ones as long as the other security measures are put in.


  7. John Hoff Says:

    Hi Anthony. Sounds like you’re kind of in the same situation as Keith above.

    Some themes seem to be having a little trouble with the upgrade. Just as long as you’ll eventually be able to upgrade… that will be important.


  8. Keith Davis Says:

    Hi John
    I have tried a couple of times to send you an email regarding .htaccess via your contact page but can’t read the captcha.
    Captcha looks really messed up.

    Question was about a standard .htaccess file that covers all security items. Lots of sites are showing “the perfect .htaccess file” but is there one that you recommend?


  9. John Hoff Says:

    Without a doubt… The Perishable Press 4G Blacklist by Jeff Starr.

    Just make sure to test everything after installed. I found that one line was making it so I couldn’t edit my widgets in my Dashboard area. To figure out which line it was, I commented out blocks of code/lines until I narrowed it down to the one line which I commented out but still let me edit my widgets.

    Unfortunately, I don’t remember what line that was as I ended up deleting it.


  10. Constanta Says:

    Realy great work and video.
    All the best!
    Thank you!


Leave a Reply

Notify me of followup comments via e-mail. You can also subscribe without commenting.