Say No to Technorati’s Forced Upgrades - Bad Information Spreads Like Wildfire

by Scott Allen

Today I read an article on Sphinn that I have to strongly disagree with. (Original article source here.) According to Technorati’s official blog, they will be de-listing WordPress blogs that have not upgraded to either version 2.3.3 or version 2.5. They are issuing strong warnings to bloggers that they either upgrade or risk getting canned. I want to go on record as saying that I dislike strong-arming tactics like this, and think it’s dangerous, for several reasons.

The author of the article is lauding Technorati’s decision, and also encouraging users to blindly upgrade. The comments on Sphinn and the sheer number of votes for the article are what sparked this post. I first noticed the article went hot this morning, and I thought, “My God, people are naively Sphinning this without realizing the dangers of promoting this type of thinking!” There were a couple interesting comments, including one by John Andrews:

For Technorati to get specific about the WP exploits suggests Technorati’s business plan is in trouble (it can’t handle the spam links). Awareness campaigns are fine, but strong-arming like this has to be resisted.

If Technorati actually drops 85-90% of the blogs published on WP, will Technorati be relevant?

My response was that I agree 100%! I don’t like strong-arming tactics like this at all. That’s exactly right - If Technorati starts dropping a lot of key blogs, THEIR relevance will be in question, not the relevance of the blogs. Blog owners need to realize that the potential risks of blindly upgrading could be worse than losing a little traffic from Technorati.

Every time a major version of a CMS, blog platform, or operating system is released, there ARE bugs, and it takes time to fix them, so it’s rarely wise to upgrade right away.

There are a lot of problems with WordPress 2.5 that need to be fixed. For example, it’s broken many themes and plugins (for a LOT of bloggers) due to some standard WordPress hooks being broken. (Being a plugin developer, I have to stay on top of it.) Keep in mind, upgrading before these issues are fixed could damage business websites that depend on WordPress if custom themes are broken, etc. It may cause costly downtime for businesses, along with many other problems…that’s not a joke. (Not to mention security vulnerabilities that could be introduced from a broken theme or plugin.)

Now, Technorati is saying that anyone with WordPress 2.3.3 is fine, so it might not seem like a big deal. The problem is, that for most bloggers, it’s not easy for them to upgrade to that specific version. For most it’s only practical to upgrade straight to WordPress 2.5, through use of automatic upgrade plugins, etc.

Just because WP 2.5 is new doesn’t mean it’s more secure - it’s just that the security flaws haven’t been discovered yet. There could be a whole slew of new security flaws waiting to be exposed.*

There are lot of other security measures to help prevent exploits, and it is important to understand that although upgrading can be an important element in security, upgrading alone does not mean your blog is secure! And, upgrading prematurely is downright dangerous.

Anyone who reads this blog knows that I am extremely security-minded. Upgrading when appropriate is a good thing. That means upgrading after there has been time to test the security/performance of a new operating system, CMS, or blog platform. However, I do not advocate blindly upgrading or forcing people to upgrade.

I realize my opinion here may be unpopular, but I feel strongly about this, and it needs to be said. Forcing people to upgrade isn’t the answer. Don’t be lemmings, people - say NO to this.

Am I saying not to upgrade? No. Am I advising you to neglect security? Heck no. By all means…upgrade when WordPress 2.5 has some of the bugs fixed, and definitely take appropriate measures to secure your blog. Just don’t let Technorati drive your decisions.

*UPDATE 04/12/08
After this post was written, I kid you not, less than a day later, it was discovered and made public that there are multiple SQL injection vulnerabilities in WordPress 2.5. Case in point.

MORE INFORMATION:

When to Upgrade your Software | BlogSecurity

QUICK TIP:
If you are concerned about getting kicked out of Technorati, you could always remove the version number from your blog or alter it, using Matt Cutt’s bonus tip on WordPress security:

First, open the header.php file for your blog’s theme (or go into Presentation and Theme Editor in your WordPress Admin.)
Look for a line that looks like:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /> <!-– leave this for stats please -->
Change the "WordPress <?php bloginfo('version'); ?>" to "WordPress" or "WordPress 2.5" (if you want to be devious).
The ease of doing this shows how ridiculous and ill-conceived Technorati’s policy is.

Tags:
Technorati | blogging | WebGeek