Saturday evening I spent several hours upgrading erinmduncan.com, saraduncan.com, richandrobynn.com, and drotedogg.com to the latest and greatest versions of WordPress and Gallery. The upgrades themselves were relatively painless (especially the Gallery one, which I won't even mention here), but I did jot down some notes that might be useful to anyone else who has to do this kind of upgrade.
Tip #1: Try and stay current with your version of WordPress. All of the aforementioned pages were running WordPress 1.2 which, besides being chock-full of vulnerabilities (that were exploited at least once), doesn't have an immediate upgrade path to WordPress 2.0. The WordPress 2.0 upgrade instructions recommend upgrading from WordPress 1.2 to WordPress 1.5 before upgrading to WordPress 2.0. Unfortunately, the WordPress download page only links to the latest release, and it wasn't immediately apparent from the instructions how to obtain a copy of WordPress 1.5. Fortunately, a bit of digging turned up this page, which has every release of WordPress since the dawn of time. There are at least two other pages indexed by Google with WordPress 18.104.22.168 tarballs, but both have incorrect MD5 checksums, and at least one had a code change (which, upon inspection, appeared to be a bug fix). To be safe, I stuck with the version from the legitimate WordPress archive.
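The comparison described above (a mirror tarball whose checksum does not match the copy from the official archive) can be scripted. This added example is not from the original post; it uses SHA-256 rather than MD5, and the function names and sample file names are constructed for illustration.

```python
import hashlib
import io
import tarfile


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def member_digests(tar_bytes):
    """Hash every regular file in a .tar.gz without unpacking it to disk."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                digests[member.name] = sha256(tar.extractfile(member).read())
    return digests


def compare_to_trusted(trusted_bytes, candidate_bytes):
    """Return (status, report) for a mirror copy versus the trusted tarball.

    status: "identical" (same archive bytes), "repacked" (bytes differ, file
    contents match) or "modified" (report names the files to inspect).
    """
    if sha256(trusted_bytes) == sha256(candidate_bytes):
        return "identical", {}
    trusted = member_digests(trusted_bytes)
    candidate = member_digests(candidate_bytes)
    report = {
        "added": sorted(candidate.keys() - trusted.keys()),
        "removed": sorted(trusted.keys() - candidate.keys()),
        "changed": sorted(name for name in trusted.keys() & candidate.keys()
                          if trusted[name] != candidate[name]),
    }
    status = "modified" if any(report.values()) else "repacked"
    return status, report


def make_tarball(files, mtime=0):
    """Build a constructed sample .tar.gz in memory from {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

Only file contents are compared, so a "repacked" result still leaves permissions and other archive metadata unchecked.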
I also switched all of the pages to a much simpler form of comment spam filtering. Previously, the spam filtering was a convoluted combination of a phrase blacklist ("penis", "poker", "viagra", etc), hacked-in AuthImage support, and a tweaked xmlrpc.php. In fact, one of the reasons I was hesitant about upgrading to WordPress 1.5 was that I wasn't too optimistic about duplicating all that nonsense.
As of WordPress 2.0, all that hackery has been replaced by the built-in WordPress 2.0 plugin for Akismet. I haven't tested it, I have a feeling it's something blog spammers can circumvent, and I don't see how the company can stay afloat providing this as a free service. But hey, I'm lazy. Akismet requires zero administration, zero tweaking, and, most importantly, zero patching, so I'm willing to give it a try and see what happens. Plus, the API is relatively straightforward, so if there are any hijinks on their part, then it's easy enough to switch to a comparable open system. There are even Akismet bindings for Ruby, although my initial perusal of the source code tells me they won't work in Linux without a bit of tweaking (hint: case-sensitive filesystems mean case-sensitive file names). The only real Akismet annoyance is that in order to get an API key, you have to sign up for a WordPress.com account. It's free, but it means I have yet another throw-away account, not to mention a blog that I'll never update (everyone say hello to http://pablotron.wordpress.com/!).
Overall though, I have to hand it to the WordPress developers. It looks like there are a fair number of changes under the hood, and I'm impressed by how seamless they made both of the upgrades. Or maybe I'm just excited about not spending Sunday afternoons sitting at the MySQL console deleting comment spam any more. Either way, I'm happy.