Please note that this is not a security release, which means you have got more time than usual to update your WordPress site to the new version of the blogging script.

WordPress Trac lists all the changes in the new release. If you look at the list you will notice that most are design related. Many fix or improve the Twenty Eleven default theme that ships with WordPress, while others do the same for the new admin interface introduced in WordPress 3.2.

Still no option to change the default font for the admin interface easily, unfortunately.

Updates are makinguse of the new “fast” update mechanism which only updates files that have been changed, instead of all files of a WordPress installation. Users who update via their WordPress Dashboard should notice that the procedure is speedier than before.

Updates are available via Dashboard > Updates. WordPress administrators can download the new version of WordPress from there or update directly if their blog has been configured properly for that.

The new version is alternatively available at the official WordPress website.

I have updated six blogs so far and did not notice any problems with the new updating mechanism or the new version of WordPress itself.

WordPress 3.1.4. has just been released and the developers refer to it as a security and maintenance upgrade. The new version fixes one known vulnerability that “could allow a malicious Editor-level user to gain further access to the site”. If you are running a single author blog you are safe from this.

I’d still recommend to update the blog as soon as possible because of security hardening additions to the blogging platform.

The update is as usually available as a direct download, install and update from within the WordPress admin interface, and as a separate download from the official WordPress website. I have updated a total of five blogs so far – including Ghacks Technology News – and encountered no problems or issues after the update. While it may be to early to tell, it is relatively safe to say that the update won’t break the blog.

WordPress admins who are interested in all changes in the WordPress 3.1.4 release find them listed on WordPress trac.

The developers have furthermore released the third and final release candidate of WordPress 3.2 which will be released in the near future. While I would not suggest to update a public blog to that version yet, it is clear that it won’t be long until the final version is released. Likely again before my bedtime.

You find additional information about the features and changes in WordPress 3.2 on the official beta announcement post over at the WordPress website.

Have you updated your blogs yet? If so, have you encountered any issues with this update?

The WordPress blog lists the following security enhancements and fixes in WordPress 3.1.3.

• Various security hardening
• Taxonomy query hardening
• Prevent sniffing out user names of non-authors by using canonical redirects.
• Media security fixes
• Improves file upload security on hosts with dangerous security settings.
• Cleans up old WordPress import files if the import does not finish.
• Introduce “clickjacking” protection in modern browsers on admin and login pages.

Interested users can consult WordPress trac for detailed information on all fixes that have been applied to this release.

The developers have added quite some security hardening to the new release as you can see from the list of changes above. It is still recommended to update WordPress installations as soon as possible to improve security and close the security and privacy vulnerabilities fixed in the release.

Self-hosted WordPress blogs are already picking up on the update and notifying administrators in the dashboard about the update.

It is as usual possible to apply and install the WordPress update right from the admin dashboard, or by downloading the new release from WordPress to install it manually by uploading file to the server.

The WordPress Codex lists the file changes in this new release.

According to the developers, WordPress 3.0.5 is a ” security hardening update for all previous WordPress versions” that fixes two moderate security issues and one information disclosure issue, and adds two security enhancements to the blogging application.

The security issues could have allowed “a Contributor- or Author-level user to gain further access to the site”, the information disclosure issue “could have allowed an Author-level user to view contents of posts they should not be able to see”.

The two security enhancements “improved the security of any plugins which were not properly leveraging our security API” and “offer additional defense in depth against a vulnerability that was fixed in previous release”. (via)

The summary lists the following changes:

• Fix XSS bug: Properly encode title used in Quick/Bulk Edit, and offer additional sanitization to various fields. Affects users of the Author or Contributor role.
• Fix XSS bug: Preserve tag escaping in the tags meta box. Affects users of the Author or Contributor role.
• Fix potential information disclosure of posts through the media uploader. Affects users of the Author role.
• Enhancement: Force HTML filtering on comment text in the admin
• Enhancement: Harden check_admin_referer() when called without arguments, which plugins should avoid.
• Update the license to GPLv2 (or later) and update copyright information for the KSES library

WordPress 3.0.5 is available for download at the official WordPress site as well for users who want to install the update manually on their server.

The update is currently not announced on the frontpage of the admin interface which means that WordPress admins need to click on Updates to see the update options.

It is as usually possible to install the update right away by downloading it directly to the server running the blog. The script handles the download, unpacking and installation of the new version automatically.

Users who want to test the release first can also download it instead to do just that.

The vulnerability reads:

Fix XSS vulnerabilities in the KSES library: Don’t be case sensitive to attribute names. Handle padded entities when checking for bad protocols. Normalize entities before checking for bad protocols in esc_url()

WordPress rates the vulnerability as critical which means that webmasters should update their blogs as soon as possible to protect it from possible exploits of the issue.

WordPress is also available directly at the official website.

So what’s the security vulnerability about? The WordPress blog states that it is about issues “in the remote publishing interface, which under certain circumstances allowed Author- and Contributor-level users to improperly edit, publish, or delete posts”.

That in turn means that single-author blogs are not affected by the vulnerability directly. Webmasters should still consider updating right away to prevent future damage or indirect damage if someone manages to get access to user accounts on the blog or the ability to create them.

The issue affects sites that have remote publishing enabled. Sites that do not have it enabled are not affected. Then again, it is always a good idea to update to the latest release to close potential security issues right away.

WordPress admins can check if remote publishing is enabled by going to Settings > Writing in their WordPress admin interface.

The update is as usually available directly in WordPress. Users can update their blogs from within WordPress which is the fastest and most convenient solution, or by downloading WordPress from the official website and installing the update manually.

It is recommended to backup the blog before performing the update to be able to restore to a previous version in case something goes wrong during the update.

The official release notes mention that a moderate security issues have been fixed where “a malicious Author-level user could gain further access to the site”. In addition to that bugs have been fixed and security hardening added to the blog.

Remove pingback/trackback blogroll whitelisting feature as it can easily be abused. (#13887)
Fix canonical redirection for permalinks containing %category% with nested categories and paging. (#13471)
Fix occasional irrelevant error messages on plugin activation. (#15062)
Minor XSS fixes in request_filesystem_credentials() and when deleting a plugin. (r16367, r16373)
Clarify the license in the readme (r15534)
Multisite: Fix the delete_user meta capability (r15562)
Multisite: Force current_user_can_for_blog() to run map_meta_cap() even for super admins (#15122)
Multisite: Fix ms-files.php content type headers when requesting a URL with a query string (#14450)
Multisite: Fix the usage of the SUBDOMAIN_INSTALL constant for upgraded WordPress MU installs (#14536)

The WordPress devs recommend to update the blog immediately even if no additional authors are registered on a blog.

I have updated around 20 WordPress blogs by now and there were no plugin incompatibilities or other issues related to the update.

WordPress administrators can improve the security of their blog with several standard practices like selecting a secure password, changing the admin username or disabling features in the blog (like preventing registration or remote publishing).

But there are also WordPress plugins that can increase the blog’s security tremendously. The following list contains five WordPress plugins that improve a blog’s security.

1. Login Lockdown

Login Lockdown increases the protection against so called brute force attacks. The plugin will log every login attempt and blog attempts from IP addresses that. The login retries, the retry time interval and the length of the lock out can be configured in the plugins’ options.

The list of blocked IP addresses can also provide the webmaster with information about undergoing attacks.

2. WP Security Scan

WP Security Scan scans several key elements of the blog. The plugin checks the WordPress version, table prefix, if the WordPress version is hidden, if DB errors are turned off, if the ID Meta tag has been removed, if a user admin exists and if a .htaccess file has been placed in wp-admin for extra security.

It can furthermore scan the file permissions of the core WordPress folders (showing what it suggests and the actual permissions), change the WordPress table suffix to protect the blog from zero day attacks and provides access to a password strength checker. Does not need to be active all the time.

3. Antivirus for WordPress

Antivirus for WordPress scans the active theme folder for malicious injections. It protects the blog against certain forms of exploits and spam injections. Runs in the background and can be configured to notify the admin if a scan finds an anomaly in the theme files.

4. WordPress File Monitor

The plugin monitors the files of a WordPress blog and notifies the webmaster if any of them have been changed. It can check the file modification date or compare hashes to find modified files.

Folders can be excluded from the scan, important for cache folders for instance with files that change regularly.

5. Secure WordPress

The plugin performs a series of one-time operations on the WordPress blog, specifically:

1. removes error-information on login-page
2. adds index.php plugin-directory (virtual)
3. removes the wp-version, except in admin-area
4. removes Really Simple Discovery
5. removes Windows Live Writer
6. remove core update information for non-admins
7. remove plugin-update information for non-admins
8. remove theme-update informationfor non-admins (only WP 2.8 and higher)
9. hide wp-version in backend-dashboard for non-admins
10. Add string for use WP Scanner
11. Block bad queries

Secure WordPress can be downloaded from the official WordPress Plugin repository.

The first problem is an XSS vulnerability in Press This discovered by Benjamin Flesch. The second problem, discovered by Dawid Golunski, is an issue with sanitizing uploaded file names that can be exploited in certain Apache configurations. Thanks to Benjamin and Dawid for finding and reporting these.

The upgrade is as usual available through various means with the two most popular ones being through an automatic update in the WordPress admin interface and the second trough a download from the official WordPress website. The first is faster and more comfortable while the second offers more control to the user especially if something goes wrong.

This WordPress update does not require an update of the WordPress database. It is however recommended to perform a backup of both the WordPress files on the web server and the MySQL database to be prepared if the update should fail for any reason.

The most important changes in WordPress 2.8.5 are therefor:

• A fix for the Trackback Denial-of-Service attack that is currently being seen.
• Removal of areas within the code where php code in variables was evaluated.
• Switched the file upload functionality to be whitelisted for all users including Admins.
• Retiring of the two importers of Tag data from old plugins.

WordPress blogs are currently not announcing the new release. It is expected that this will change in the next hours so that the automatic update option becomes available for WordPress webmasters who use it to update their website. Webmasters who manually update their blog can visit the WordPress page to download the latest version of WordPress. Additional information about the security release are available in the blog post that announced the upgrade.

The XSS vulnerability could be used to create comment author urls that would redirect the system administrator away from the blog’s website to another site to exploit the situation. WordPress webmasters are encouraged to update their blogs as soon as possible to patch the security vulnerability.

Updates are available directly from within the WordPress interface if the correct server login information are supplied or by updating the traditional way which would mean to download the WordPress release from the WordPress website, upload it to the web server and run the upgrade command manually. The release information should also be displayed prominently in the WordPress admin interface with a link to the automatic update script of WordPress.

Alternatively only the files wp-includes/feed.php and wp-includes/version.php can be copied from the new release over the old files to update the blog. The security vulnerability is unlikely to affect a large number of WordPress blogs though as it only only affects IP-based virtual servers running on Apache 2.x.

There might also be some confusion about the versioning of WordPress. The last official WordPress version was WordPress 2.6.3. WordPress 2.6.4 was skipped because of a fake malicious release that made its round. The official new release is therefor WordPress 2.6.5.

Over 60 fixes have been introduced in the new WordPress version, several of them critical and some security related. You can check out the complete list of fixes in WordPress 2.6.1 by following the link to WordPress Trac.

I’m usually not that interested in what has been fixed than to apply the updates to all of my blogs immediately. It does not look like as if new features have been introduced in WordPress 2.6.1, more of a bug fix release it seems.

The next big release will be WordPress 2.7 which will introduce several new features and options to WordPress. Looking forward to that. It is however recommended to update the blog as soon as possible.

The online security script WordPress Scanner is a great tool which can be used to scan your WordPress blog for several vulnerabilities such as outdated versions of WordPress or single files and XSS vulnerabilities in themes. All you need to do is add the line in the header of your blog so that the WordPress Scanner cgi script can access the information and knows that you are indeed the owner of the blog.

This tool is not perfect but it analyzes the versions of your WordPress files which is probably the dominant attack vector when it comes to WordPress hacking and basic XSS vulnerabilities in the themes. The tool gives advice if vulnerabilities have been found on how to fix them.

Just make sure you run the script, follow the guidelines and remove the wpscanner entry from your header again. You would not want someone else to be able to check your blog for vulnerabilities, would not you ? This is a great little script which should become even better when the author adds checks for plugins.