The recent attacks on older versions of WordPress have made security a hot topic in the community. There has been finger-pointing and mud-slinging from many different directions, but there has also been some good discussion about how to move the project forward. I agree with Jeff, David, and others that responsibility ultimately lies with web site owners. While the official WordPress development blog states that the WordPress team is doing everything they can, others have been wondering if more could be done. I would like to get a discussion going here at the tavern about something that I think would help: a supported legacy branch.
What’s A Legacy Branch?
Newer versions of WordPress currently come with security fixes, but also with added functionality, database changes, and redesigned interfaces. Many users are quite happy with the functionality of their existing version of WordPress, but there is currently no way for them to get only the security fixes without also getting all the other changes. According to the existing WordPress release strategy, only the current branch is supported. When a security issue was found in WordPress 2.8.2 this summer, the new version 2.8.3 was released to fix it. Older versions like WordPress 2.6.5 were also vulnerable to this issue, but no fix was released for them because they were no longer supported. Many software companies and projects do choose to support older versions, and I would like to suggest that the WordPress team supported one legacy branch for around 18 months.
How Might It Work?
Looking back through WordPress’s release history, WordPress 2.2.x and 2.6.x could have been supported legacy branches. Imagine a site built on WordPress 2.2 in June 2007. Under my suggested system, the site owner would have applied only security fixes (2.2.x) for the next eighteen months — not needing to upgrade to 2.3 in September 2007, to 2.5 in March 2008, or to 2.6 in July 2008. When WordPress 2.7 was released in December 2008, the 2.2.x legacy branch could have been deprecated and 2.6.x could have then become the supported legacy branch: the site owner would only then need to upgrade to 2.6.5.
Under my suggested system, someone building a new WordPress site would have the choice between installing the most recent branch (e.g., 2.8.4) or the legacy branch (e.g., 2.6.x). The most recent branch would have all the latest features, but it would also need to be upgraded every three or four months. The legacy branch would not have all these new features, but it would need only security fixes applied until it was deprecated: it would not need to be upgraded to the next supported legacy branch (e.g., 3.0.x) until the version after it (e.g., 3.1) was released.
Many patrons here at the tavern no doubt remember that WordPress used to support the legacy branch 2.0.x. The branch was supported for almost four years, but the WordPress team abandoned it in back in July. I have talked with WordPress team members about this in the past, at WordCamps and over email, and I have received the following objections to such a system:
1. It’s too much work to maintain.
There is no way for me to deny it: it’s definitely more work to support a legacy branch than not to support one. But it is a known quantity of work. How much work does it take to recover from the negative press generated from large attacks? If a supported legacy branch increases the number of users who keep their WordPress installations secure, the project team could spend less time responding to the latest round of “WordPress is Insecure!” blog posts and more time working on the software.
2. There’s no demand for one.
I certainly believe that there was no demand for the 2.0.x legacy branch. WordPress then had a fairly limited set of features compared to WordPress today. Since the web is constantly evolving, I wouldn’t expect there to be a demand for software three or four years old. But WordPress today is a very mature product, and the current version will be more than adequate for many web site owners for another eighteen months. In fact, WordPress 2.6 was a very good product: many users would have preferred to stay on a secure WordPress 2.6.x instead of upgrading so quickly to a completely new interface.
As the WordPress community grows, many users are not as technically savvy or as anxious to get upgraded features every few months as in the earlier days of the project. They simply want their sites to work, and they rightly fear that an upgrade may break custom themes or plugins. A supported legacy branch would not let them completely off the hook — they would still eventually need to upgrade — but it would greatly ease the burden of maintaining a WordPress web site.
I build business web sites for clients in WordPress. If the WordPress team adopted a system like the one I am suggesting, I would build new web sites on the most recent branch. I would then upgrade my clients every few months until they reached what would become a supported legacy branch. After that, I would be able to upgrade them every eighteen months. I think many WordPress users would be thrilled to have something like this upgrade plan available to them: it would be great if it could be available starting with WordPress 3.0.x.
3. It’s too confusing for users.
This is a legitimate concern, but I have no doubt that a system like this could be adequately explained — and I’m more than willing to help the project team in designing this user experience. Here are my initials thoughts about what could be done:
- Two buttons would be needed on the “Download” page, with descriptive text beneath them something like the following:
[Download WordPress 3.2]
Contains the newest features but requires more frequent upgrades:
security patches only available until 3.3 release
[Download WordPress 3.0.x]
Legacy branch: security patches available until 3.5 release
- The upgrade notifications in the administrative interface could be modified for users on a supported legacy branch. They might see something like this:
[Red] WordPress 3.0.3 fixes a security issue found in this version of WordPress. Update Now
… or this:
[Yellow] WordPress 3.1 adds new features to this version of WordPress. Learn More | Update Now
… or this:
[Red] This version of WordPress is no longer supported. You must update to WordPress 3.4.2 to remain secure. Update Now
This is a tavern, and I have already monopolized the conversation for far too long. I want to hear from the other patrons: What do you think? Would you be interested in a legacy branch for your own sites? For your clients’ sites? How many users do you think would use such legacy branches? Would existing users feel less upgrade fatigue? Would more people be comfortable staying on or switching to WordPress? Could this help WordPress overcome the recent negative press about security?