WordPress Security PSA

WordPress PSA: 3.1 Ruined My SEO – 3.1.1 Fixed It

by Ben Cook on April 5, 2011

WordPress 3.1.1 has been released and addresses three security issues, and one major SEO issue.

According to the official announcement, “the first [of the three security fixes] hardens CSRF prevention in the media uploader. The second avoids a PHP crash in certain environments when handling devilishly devised links in comments, and the third addresses an XSS flaw.”

Another aspect of the update that seems to be getting very little press thus far is a fix for the handling of category & tag URLS.

I actually encountered this problem one of my own sites after noticing a dramatic drop in search engine traffic. I finally tracked the issue down to my category and tag pages and only last night discovered the URLS had all been changed! After eliminating all plugin interactions as a possible cause, some quick searching turned up a few other people experiencing the same issue.

Apparently when using permalinks (as everyone should) the structure of the URL was being stripped out of category and tag pages for “a handful of people, MOSTLY on IIS” (I’m not on IIS so I guess I was one of the lucky ones). As far as the search engines were concerned, when updating to 3.1 I had effectively removed dozens of pages that ranked well that now served up 404 errors. Needless to say, this had a HUGELY negative impact on my search engine rankings.

Unfortunately, all of the advice I found for fixing the issue focused on changing the URL structure, not making the URLs which had previously been ranking work. I finally gave up trying to find a real “fix” and simply redirected the URLs that had magically disappeared, so the search engines could at least find the new ones. Naturally, I was greeted this morning by the news of the 3.1.1 update which thankfully fixed the issue.

There’s no doubt that I should have paid more attention to my site, it’s rankings, and the search engine traffic I was receiving (I mean it’s my job for crying out loud). However, issues like this one, are exactly why many people are loath to update their WordPress installations. While WordPress has made tremendous strides in making updates easier to implement, there’s still the risk of things breaking your site, even in a way that’s not readily apparent right away.

{ 7 comments… read them below or add one }

Michael VanDeMar April 5, 2011 at 2:11 pm

and the third addresses an XSS flaw.

This isn’t directed to you, but wtf kind of security bulletin is that? Is this in the wild, and if so, under what circumstances are people vulnerable? I have been inundated with site owners who have been hacked in the past 24 hours… it would be really nice if I could tell them why.

Dawn Wentzell April 5, 2011 at 2:42 pm

Well, am I glad I only updated like 1 of my sites then.

Ben Cook April 5, 2011 at 2:56 pm

Michael, I’m guessing they don’t want to publicize the hack so that people who haven’t upgraded yet aren’t hit by it? I dunno. I looked through the trac changes and didn’t see any mention of an XSS flaw.

john andrews April 5, 2011 at 4:36 pm

Remains one of the big cautions about using Wordpress for anything more serious than a personal blog. It comes up constantly in discussions on projects. Don’t adopt WP unless you’ve got enough development team/talent on board to tear it apart and rebuild it for your own project (like the NYT likely did).

Until WP finds religion and decides to help save their stability (and their customers) instead of their public image, they will continue to fail on adoption by the big projects.

Nasif April 6, 2011 at 12:13 am

Great to know that your SEO was fixed by the update 🙂

Andrew Nacin April 6, 2011 at 2:04 pm

Michael: No, we haven’t seen these in the wild, and they’re all not only minor but also tremendously difficult to exploit. We actually don’t have a record of a core vulnerability being exploited in quite some time. The ones we fix are far more often theoretical, or require a user account, or inside knowledge of the site, or an alignment of the stars, and then some. A site being hacked is far more likely going to be a server issue, and less likely a plugin issue.

John: It wasn’t torn up, but besides the point, any large, active open source project will have its share of security releases. Rather, these discussions happen due to damage to its public image from years ago, and recovery from that has taken time.

Michael VanDeMar April 6, 2011 at 2:14 pm

Andrew, thanks, I eventually found the release notes and looked at the individual changesets.

Btw, the actual changelog is empty:


The one for 3.1 seems a little sparse as well, for that matter.

Previous post:

Next post: