WordPress 3.02 Security Update Released

The WordPress developers have just released a security update to the popular blogging platform. WordPress admins should see the update notification in the admin interface. To install the WordPress update they can either download it manually from the WordPress website, upload it to their ftp and perform the necessary steps to update the platform or perform a direct update from within WordPress.

It is recommended to backup the blog before performing the update to be able to restore to a previous version in case something goes wrong during the update.

The official release notes mention that a moderate security issues have been fixed where “a malicious Author-level user could gain further access to the site”. In addition to that bugs have been fixed and security hardening added to the blog.

Remove pingback/trackback blogroll whitelisting feature as it can easily be abused. (#13887)
Fix canonical redirection for permalinks containing %category% with nested categories and paging. (#13471)
Fix occasional irrelevant error messages on plugin activation. (#15062)
Minor XSS fixes in request_filesystem_credentials() and when deleting a plugin. (r16367, r16373)
Clarify the license in the readme (r15534)
Multisite: Fix the delete_user meta capability (r15562)
Multisite: Force current_user_can_for_blog() to run map_meta_cap() even for super admins (#15122)
Multisite: Fix ms-files.php content type headers when requesting a URL with a query string (#14450)
Multisite: Fix the usage of the SUBDOMAIN_INSTALL constant for upgraded WordPress MU installs (#14536)

The WordPress devs recommend to update the blog immediately even if no additional authors are registered on a blog.

I have updated around 20 WordPress blogs by now and there were no plugin incompatibilities or other issues related to the update.

Related Articles:

Author: Martin Brinkmann, Wednesday December 1, 2010 -
Tags:blog, wordpress, wordpress security, wordpress update