Yesterday marked the second bug fix and security update for WordPress 3.0, and it brought to mind one of the arguments I’ve repeatedly heard against using WP: that it has frequent security updates. Some might argue these are frequent enough to be annoying and to eat up considerable amounts of time for enterprise users who run separate installations across a variety of their web properties.
WordPress 2.0 stands as the most updated, with 11 releases over the course of 17 months. More recently, WP 2.8 went through six bug fixes in just four months.
No piece of software is perfect, and I take comfort in the fact that WordPress developers recognize weaknesses in the software, inform their community of users and quickly release updates that can be installed with one click.
With the 3.0.2 release, “quickly” took on a whole new meaning. As WordPress core developer Andrew Nacin pointed out, the update took less than four hours from disclosure to final release. I can think of a few companies I pay for services that don’t even respond to help tickets in less than four hours, let alone solve the problem before it becomes one for millions of users.
[…] we have to really look at how responsive the WordPress community is to addressing security risks and coming out with timely security patches that are EASY to implement. If a security update is going to be time consuming, difficult, or costly to implement, then it’s less likely that you will do it. If you’re running a more obscure CMS or one that doesn’t have a robust support community, will you have access to timely updates and will it be easy for you to perform these updates?
Just as with the adage that WordPress and other open source software are not secure enough for enterprise use, I’m simply not buying that frequent security updates are a good enough reason to steer clear of WordPress.