Last week there was a fair amount of buzz about WordPress security issues. Here’s an Information Week article and also a short blurb from IT World in case you’re not a WordPress user. And, here’s a rant about lazy admins from a long-time user of WordPress.

Two things jump out at me here: 1) WordPress is being described as a “self-hosted” application, and 2) upgrading WordPress is surprisingly clumsy, given the assumption in 1).

That’s not entirely fair – there is an “automatic” upgrade path, but it presupposes that you have the necessary access permissions to whatever server is running WordPress, which may not be true if you are running from an ISP. The manual upgrade gets tricky: install a new version of WordPress, move your custom files over to the new version, run the upgrade script, oh and do backups before you start in case you forget something.

I tweeted a few days ago about how the WordPress subversion upgrade didn’t work – it turns out I may not have done things correctly. If you install WordPress via svn, the initial install looks like:

svn co http://core.svn.wordpress.org/tags/2.8.4 .

and then the upgrade should just be the svn “switch” command:

svn sw http://core.svn.wordpress.org/tags/2.8.4/ .

Of course this implies you have svn installed on your WordPress server, and that you’re comfortable working with svn. Is this a realistic profile of the average WordPress user? I dunno.
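As an added example (not code from the original post or from the WordPress project), here is a small POSIX shell wrapper that strings together the steps above: validate the target version, back up the files that are not part of the core checkout (assumed here to be wp-config.php and wp-content/), refuse to run if the directory is not an svn working copy, and only then run the svn switch. The tag URL layout is the one quoted in the post; the function names, the backup location and the treatment of wp-config.php and wp-content/ as the “custom files” are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): wraps the svn-based WordPress
# upgrade described above with a version check and a backup step first.
# Assumes the tag layout http://core.svn.wordpress.org/tags/<version>/ quoted
# in the post, and that wp-config.php and wp-content/ are the files to keep.

WP_SVN_BASE="http://core.svn.wordpress.org/tags"

# Print the tag URL for a version, rejecting anything that is not digits and
# dots (a typo or a stray shell metacharacter would otherwise reach svn).
wp_tag_url() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    printf '%s/%s\n' "$WP_SVN_BASE" "$1"
}

# Archive the non-core files before anything is touched; prints the archive path.
wp_backup() {
    root="$1"
    dest=$(mkdir -p "$2" && cd "$2" && pwd) || return 1
    archive="$dest/wp-backup-$(date +%Y%m%d%H%M%S).tar.gz"
    ( cd "$root" && tar czf "$archive" wp-config.php wp-content ) || return 1
    printf '%s\n' "$archive"
}

# URL the working copy is currently checked out from (fails if not a checkout).
wp_current_url() {
    [ -d "$1/.svn" ] || return 1
    ( cd "$1" && svn info ) | sed -n 's/^URL: //p'
}

# wp_upgrade <wordpress-root> <version> [backup-dir]
wp_upgrade() {
    root="$1"; version="$2"; backups="${3:-$root/../wp-backups}"
    url=$(wp_tag_url "$version") || { echo "bad version: $version" >&2; return 1; }
    command -v svn >/dev/null 2>&1 || { echo "svn is not installed" >&2; return 1; }
    current=$(wp_current_url "$root") || { echo "$root is not an svn checkout" >&2; return 1; }
    current=${current%/}
    if [ "$current" = "$url" ]; then
        echo "$root is already at $version"
        return 0
    fi
    wp_backup "$root" "$backups" >/dev/null || { echo "backup failed, not upgrading" >&2; return 1; }
    ( cd "$root" && svn switch "$url/" . ) || return 1
    echo "switched $root from $current to $url; now run wp-admin/upgrade.php"
}
```

Usage is `wp_upgrade /var/www/blog 2.8.4`; the backup goes to a sibling wp-backups directory unless a third argument says otherwise. The point of validating the version string before building the URL is that the value is usually typed by hand, and the svn switch is the one step here that cannot be undone by a simple file copy.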

Finally, here’s a page about hardening off your WordPress installation. It implies a fair amount of sys admin experience. Again, is this a realistic assessment of the typical WordPress user?

Having said all this, I continue to be a WordPress user myself, because it’s got a lot of great features, and I really don’t want to burn my personal time creating yet another CMS app. But it does seem like there is an expectation disconnect between the WordPress development community and the end users who actually blog with the product. The WP developers are saying loud and clear “Keep your WordPress app up to the current release”. OK, but the WordPress upgrade path needs to be quick, transparent and bullet-proof. Right now, that’s not the case.