The first problem is an XSS vulnerability in Press This discovered by Benjamin Flesch. The second problem, discovered by Dawid Golunski, is an issue with sanitizing uploaded file names that can be exploited in certain Apache configurations. Thanks to Benjamin and Dawid for finding and reporting these.

The upgrade is as usual available through various means with the two most popular ones being through an automatic update in the Wordpress admin interface and the second trough a download from the official Wordpress website. The first is faster and more comfortable while the second offers more control to the user especially if something goes wrong.

This Wordpress update does not require an update of the Wordpress database. It is however recommended to perform a backup of both the Wordpress files on the web server and the MySQL database to be prepared if the update should fail for any reason.

Related posts

• Wordpress 2.8.5 Security Update (4)
• Wordpress 2.8.2 Security Patch (1)
• Wordpress 2.6.5 Security Update (0)
• Wordpress 2.6.1 released (1)
• Wordpress 2.8.3 (1)

The most important changes in Wordpress 2.8.5 are therefor:

• A fix for the Trackback Denial-of-Service attack that is currently being seen.
• Removal of areas within the code where php code in variables was evaluated.
• Switched the file upload functionality to be whitelisted for all users including Admins.
• Retiring of the two importers of Tag data from old plugins.

Wordpress blogs are currently not announcing the new release. It is expected that this will change in the next hours so that the automatic update option becomes available for Wordpress webmasters who use it to update their website. Webmasters who manually update their blog can visit the Wordpress page to download the latest version of Wordpress. Additional information about the security release are available in the blog post that announced the upgrade.

Related posts

• Wordpress 2.8.6 Security Update (5)
• Wordpress 2.8.2 Security Patch (1)
• Wordpress 2.6.5 Security Update (0)
• Wordpress 2.6.1 released (1)
• Don’t upgrade to Wordpress 2.3 yet (3)

According to Mashable there are two clues that your blog has been successfully attacked by the computer worm:

There are two clues that your WordPress site has been attacked.

There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.”

The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account.

Webmasters are asked to update their blogs to the latest version of Wordpress immediately. Those that have been hit by the computer worm should backup all files, export their settings, and do a clean install of Wordpress. More help is offered at the Wordpress website.

Rant:

It’s Sunday and it is time for a little rant. Webmasters who do not update their blogs as soon as a new version of their blogging software is released are acting stupid. A Wordpress update usually takes less than ten minutes and ensures that the blog and server is protected from attacks like these. Webmasters who do not have the time to perform these updates should consider switching to a hosted blogging platform like that at Blogger or Wordpress.com. The automatic update option that has been introduced in recent Wordpress versions makes it even easier to update the blog as soon as a new version is released. Webmasters who cannot do this should not operate a self hosted blog, period.

Related posts

• Wordpress Remote Admin Password Reset Vulnerability (13)
• Wordpress 2.8.4 Security Update (7)
• Wordpress 2.8 (5)
• Wordpress 2.8.3 (1)
• Wordpress 2.8.2 Security Patch (1)

The upgrade fixes a few security issues that have been overlooked in the Wordpress 2.8.1 release but discovered by security researchers in the Wordpress community.

Unfortunately, I missed some places when fixing the privilege escalation issues for 2.8.1. Luckily, the entire WordPress community has our backs. Several folks in the community dug deeper and discovered areas that were overlooked. With their help, the remaining issues are fixed in 2.8.3. Since this is a security release, upgrading is highly recommended.

Point your web browser to the official Wordpress download page to download the release if you want to perform a manual upgrade.

Related posts

• Wordpress 2.8.2 Security Patch (1)
• Wordpress 2.8 (5)
• Wordpress 2.7 (7)
• Wordpress 2.6.5 Security Update (0)
• Wordpress 2.6.1 released (1)

The XSS vulnerability could be used to create comment author urls that would redirect the system administrator away from the blog’s website to another site to exploit the situation. Wordpress webmasters are encouraged to update their blogs as soon as possible to patch the security vulnerability.

Updates are available directly from within the Wordpress interface if the correct server login information are supplied or by updating the traditional way which would mean to download the Wordpress release from the Wordpress website, upload it to the web server and run the upgrade command manually. The release information should also be displayed prominently in the Wordpress admin interface with a link to the automatic update script of Wordpress.

Related posts

• Wordpress 2.8 (5)
• Wordpress 2.6.5 Security Update (0)
• Wordpress 2.6.1 released (1)
• Wordpress 2.8.6 Security Update (5)
• Wordpress 2.8.5 Security Update (4)

Some changes that Wordpress admins will notice right away are speed improvements in the admin interface and the ability to change more aspects of the layout than before. Wordpress will for instance automatically adjust the layout according to the screen size of the web browser window with options to change the amount of columns and what is being displayed on the screen.

It is now possible to remove or add information when viewing posts, pages or comments in the admin interface with the additional option to change the number of items that are displayed on the screen. It is now therefor possible to change the default number of comments that are displayed on screen which could have been achieved before only by hacking system files.

Other improvements include a new theme installer which allows the webmaster to search for and install themes right from the Wordpress admin interface without leaving the website. This is a similar feature to the automatic plugin installation that was added in earlier versions.

The Wordpress Codex contains a list of all changes and additions that have been added to Wordpress 2.8. The new version can be downloaded from the main Wordpress site.

Related posts

• Wordpress 2.8.2 Security Patch (1)
• Computer Worm Attacks Not Updated Wordpress Blogs (20)
• Wordpress 2.8.3 (1)
• Wordpress 2.7 (7)
• Wordpress 2.6.5 Security Update (0)

You can download the latest version of Wordpress from the official website or apply the upgrade manually in the Wordpress interface. You can take a look at in depth file changes by following this link or at the 68 tickets that have been closed here.

The update includes six tickets with a high rating and more than 50 rated as normal. While the update does not list many security fixes it is still recommended to update as soon as possible. The update will not alter the database and should not break anything including plugins or themes.

Related posts

• Wordpress 2.6.5 Security Update (0)
• Wordpress 2.5.1 released (1)
• Wordpress: Your attempt to edit this post has failed (8)
• Wordpress Issues (16)
• Wordpress Incorrect Password (2)

The development focus was usability as Wordpress 2.7 brings in a few exciting new features to the table. The long awaited option to moderate comments from the admin interface, mass editing of posts or automatic upgrades of plugins and the blog software itself are just a few of the new features.

Another new and exciting option is the ability to remove and position elements on the screen. This streamlines the Wordpress admin interface quite a bit by bringing the needed elements closer together while removing everything that is not needed. Well, almost everything. Some elements cannot be removed obviously like the post form.

It will take some time getting used to the new Wordpress admin interface as it moves the menu entries from the header to the left menu.

The update should not pose to many difficulties. The only problem that you can encounter are plugin incompatibilities. The Simple Tags plugin was one out of a dozen plugins that was not working with Wordpress and you might have noticed display problems here at Ghacks earlier thanks to that. There is however an easy temporary fix for that to make the plugin compatible.

All that needs to be done is to edit the simple-tags.php file. Look for the line

if (version_compare($wp_version, '2.5', '>='))

and replace it with the following

if ( strpos($wp_version, '2.5') !== false || strpos($wp_version, '2.6') !== false )

This should ensure compatibility.

Related posts

• Wordpress 2.8.3 (1)
• Wordpress 2.8.2 Security Patch (1)
• Wordpress 2.8 (5)
• Wordpress 2.6.5 Security Update (0)
• Wordpress 2.6.1 released (1)

Alternatively only the files wp-includes/feed.php and wp-includes/version.php can be copied from the new release over the old files to update the blog. The security vulnerability is unlikely to affect a large number of Wordpress blogs though as it only only affects IP-based virtual servers running on Apache 2.x.

There might also be some confusion about the versioning of Wordpress. The last official Wordpress version was Wordpress 2.6.3. Wordpress 2.6.4 was skipped because of a fake malicious release that made its round. The official new release is therefor Wordpress 2.6.5.

Related posts

• Wordpress 2.8.2 Security Patch (1)
• Wordpress 2.7.1 Update (3)
• Wordpress 2.6.1 released (1)
• Wordpress 2.5.1 released (1)
• Wordpress: Your attempt to edit this post has failed (8)

Over 60 fixes have been introduced in the new Wordpress version, several of them critical and some security related. You can check out the complete list of fixes in Wordpress 2.6.1 by following the link to Wordpress Trac.

I’m usually not that interested in what has been fixed than to apply the updates to all of my blogs immediately. It does not look like as if new features have been introduced in Wordpress 2.6.1, more of a bug fix release it seems.

The next big release will be Wordpress 2.7 which will introduce several new features and options to Wordpress. Looking forward to that. It is however recommended to update the blog as soon as possible.

Related posts

• Wordpress 2.8.2 Security Patch (1)
• Wordpress 2.6.5 Security Update (0)
• Zoundry Raven portable Blog Editor (6)
• Wordpress 2.8.6 Security Update (5)
• Wordpress 2.8.5 Security Update (4)

Wordpress 2.6 introduces quite a few new features and some of them do sound interesting. They introduce revisions in this new Wordpress version which gives the user the option to restore and compare previous revisions of a text. Gears is another interesting feature that might especially appeal to users with slower connections. For now Gears is being used to store data in a local cache on the users’ computer to speed up the Wordpress blog.

The most appealing change for me is without doubt the new plugin interface which finally divides active and inactive plugins, something that I wanted for years.

There have been many minor changes as well. A bookmarklet called Post It that can be used to embed objects, like text, videos or images, from a website directly into a Wordpress post that opens in a new window, a word count, the ability to force SSL, shift-click selection of checkboxes, editor updates and customizable default avatars.

I’ll be busy the next few hours updating my blogs and websites with this new version. The developers claim that there should not be any troubles updating to that version. We will see how it goes.

Related posts

• Wordpress 2.8.3 (1)
• Wordpress 2.8.2 Security Patch (1)
• Wordpress 2.8 (5)
• Wordpress 2.7 (7)
• Wordpress 2.6.5 Security Update (0)

Included in the seventy fixes are several performance improvements for blogs with many categories and in the admin interface of Wordpress especially on the Dashboard, Write Post, and Edit Comments pages. I’m currently in the process of updating all my blogs and have not run into any problems yet. I usually do overwrite all files without disabling all plugins prior to this and I seldom encounter problems when updating Wordpress this way.

Most of the time it’s plugin related though. One note for all webmasters who are running Wordpress for some time now. Wordpress have added a new variable in the wp-config file called Secret Key. That variable introduces a little permanent randomness into the cryptographic functions used for cookies in WordPress. I suggest to update the Wordpress blogs as soon as possible, at least by uploading the files that are security related.

Related posts

• Wordpress 2.6.5 Security Update (0)
• Wordpress 2.8.3 (1)
• Wordpress 2.8.2 Security Patch (1)
• Wordpress 2.8 (5)
• Wordpress 2.7.1 Update (3)

Webmasters have two choices on how to secure and update their blog. The first is to use the official update process described on the Wordpress homepage which involves downloading the full distribution and replace the old files with it. A faster way which webmasters with a lot of blogs will probably prefer is to replace the xmlrpc.php with the updated one which will fix the security vulnerability but leave the minor bugs in place.

That’s probably the better solution if you never encountered them. The bugs will automatically be fixed with the next big release of Wordpress. Just make sure you update at least the security vulnerability in xmlrpc.php.

Related posts

• Wordpress 2.8.6 Security Update (5)
• Wordpress 2.8.5 Security Update (4)
• Wordpress 2.8.3 (1)
• Wordpress 2.8.2 Security Patch (1)
• Wordpress 2.8 (5)

The new version fixes more than 20 bugs and security vulnerabilities. Some of the most important fixes include tagging support for Windows Live Writer, a login fix for blogs that have different Wordpress and Blog addresses, faster taxonomy database queries, that emailed posts can now be assigned to the author if the email uses a hyphen and link importer fixes.

I had no troubles overwriting the files of my Wordpress installation to speed up the process. A suggestion would be to backup your blog before you start the process.

Read More:

Wordpress 2.31
Wordpress Release Notes

Related posts

• Wordpress 2.8.3 (1)
• Wordpress 2.8.2 Security Patch (1)
• Wordpress 2.8 (5)
• Wordpress 2.7 (7)
• Wordpress 2.6.5 Security Update (0)

The new version of Wordpress introduces some elementary changes to certain functions which can very well break a few plugins that are installed on the blog in question. Mostly plugins that deal with categories are affected. One that I’m using for instance is the plugin Simple Tagging but a handful of other plugins like Ultimate Tag Warrior, Popularity Contest and Ajax Comments are affected as well.

Those plugins display error messages when opening the website which does not look great and could limit the display of the blog as well. I tried to update one of my minor blogs first which has all the plugins installed that I use at Ghacks as well and found out that the only possibility for me was to deactivate the plugin in question.

I suggest you build a local version of your blog and see if the upgrade to Wordpress 2.3 breaks the design or displays errors messages. If that is the case I would wait for plugin updates to be released before making the switch.

Read More:

wordpress 2.3 Plugin Compatibility
wordpress 2.3 download

Related posts

• Wordpress 2.8.5 Security Update (4)
• Wordpress 2.8.6 Security Update (5)
• Wordpress 2.8.3 (1)
• Wordpress 2.8.2 Security Patch (1)
• Wordpress 2.8 (5)

Wordpress 2.2.2 is one of those updates that should be applied as soon as possible to make sure that your blog does not get compromised. Several of the vulnerabilities are those that have been mentioned earlier by the guy who created the first Wordpress worm who fixed those vulnerabilities. Those are now the official updates from the Wordpress team.

4452 wpx can include invalid named entities in comment author name
4477 Unfiltered post titles in Recent Comments widget
4510 “WordPress requires at least 4.1″ expression in wp-settings.php
4522 Template: default broken
4587 Restore comment editing fix that disabled rich text editing
4629 deleted_link action is never called
4683 category dropdown javascript wrong location after moved blog
4692 Wordpress /edit-comments.php Database Error (Bug)
4429 add_option followed by update_option not always working
4689 Wordpress uploads.php Cross-Site Scripting Vulnerability

Related posts

• Wordpress 2.8.6 Security Update (5)
• Wordpress 2.8.5 Security Update (4)
• Wordpress 2.8.3 (1)
• Wordpress 2.8.2 Security Patch (1)
• Wordpress 2.8 (5)

The online security script Wordpress Scanner is a great tool which can be used to scan your Wordpress blog for several vulnerabilities such as outdated versions of Wordpress or single files and XSS vulnerabilities in themes. All you need to do is add the line in the header of your blog so that the Wordpress Scanner cgi script can access the information and knows that you are indeed the owner of the blog.

This tool is not perfect but it analyzes the versions of your Wordpress files which is probably the dominant attack vector when it comes to Wordpress hacking and basic XSS vulnerabilities in the themes. The tool gives advice if vulnerabilities have been found on how to fix them.

Just make sure you run the script, follow the guidelines and remove the wpscanner entry from your header again. You would not want someone else to be able to check your blog for vulnerabilities, would not you ? This is a great little script which should become even better when the author adds checks for plugins.

Related posts

• Wordpress 2.8.6 Security Update (5)
• Wordpress 2.8.5 Security Update (4)
• Wordpress 2.8.2 Security Patch (1)
• Wordpress 2.6.5 Security Update (0)
• Wordpress 2.6.1 released (1)

The more important part of this update is that it also fixes several security holes making it a required update for every webmaster. The vulnerabilities that have been fixed, they are:

• Remote shell injection in PHPMailer
• Remote SQL injection in XML-RPC Discovered by Alexander Concha.
• Unescaped attribute in default theme

I’m currently updating all my blogs with the new version which always takes a while. Make sure you download the official new version of Wordpress and update your blog at once.

As a sidenote. I’m going on a short trip to Stockholm, Sweden tomorrow where I will stay until Monday. I’m really excited about this trip and if you got any last minute tips for me then let me know. I will update my blog in the coming days as well but it could be that i write less than usual.

Related posts

• Wordpress 2.8.6 Security Update (5)
• Wordpress 2.8.5 Security Update (4)
• Wordpress 2.8.3 (1)
• Wordpress 2.8.2 Security Patch (1)
• Wordpress 2.8 (5)