It is as usually possible to update the blog right away from within the admin dashboard if it has been configured for that, or via file transfer clients if the former option is not available.

The blog post that announces the new version of WordPress mentions 15 maintenance related fixes and one security related fix that have been applied to the new version. It fails to go into detail but links to the bug tracker listing which details every fix except for the security issue.

At least one of the issues that have been fixed in WordPress 3.3.1 seem to have affected this site. I was recently noticing issues with the author biographies not being displayed anymore on article pages, and it took a whole day to find a working workaround. It appears now that this was a bug that got fixed with this new WordPress release.

The security vulnerability is only briefly mentioned in the blog post where it is described as a cross-site scripting vulnerability that is affecting WordPress version 3.3.

The WordPress Codex lists all files that have been revised in the new version. It is theoretically possible to only upload those files to the site to save time and bandwidth.

I have already updated several WordPress sites to version 3.3.1 and did not notice any odd behavior or issues with the updating or site operation.

WordPress admins are encouraged to update their blogs as soon as possible to protect it from the security vulnerability and to resolve the stability issues that have been fixed with the update.

The What’s New page at the WordPress Codex highlights the – many – changes of the new version. WordPress admins will instantly notice several changes to the applications admin interface. A new toolbar is displayed on top of the dashboard that combines the features of the admin bar and the admin header.

The new bar links directly to plugin and theme updates, comments awaiting moderation and the New menu with options to create new content on the blog. (There is a function to remove some of the elements that are shown in the admin bar. Credits to Sergej Müller)

Another change are “fly-out” menus in the admin interface. All submenus of a menu are displayed when you hoover the mouse over the menu. This saves a click and improves the admin’s workflow.

WordPress editors will notice a new file uploader. The developers have done away with the four upload buttons for specific type of media, and replaced it with a single button. The new uploader supports drag and drop operations and file browsing to select files to upload. Support for rar and 7z files have been added to the file uploader.

WordPress admins who switch between themes regularly will notice that widgets are not lost anymore when they do that.

A video has been created that highlights several of the new features.

The WordPress backend has been updated as well with hundreds of bug fixes and performance improvements. It is to early to tell if the improvements will have a significant impact on the blog’s server resource usage or loading times.

Have you updated your blog to WordPress 3.3 yet? If so, what do you think of the new version?

Please note that this is not a security release, which means you have got more time than usual to update your WordPress site to the new version of the blogging script.

WordPress Trac lists all the changes in the new release. If you look at the list you will notice that most are design related. Many fix or improve the Twenty Eleven default theme that ships with WordPress, while others do the same for the new admin interface introduced in WordPress 3.2.

Still no option to change the default font for the admin interface easily, unfortunately.

Updates are makinguse of the new “fast” update mechanism which only updates files that have been changed, instead of all files of a WordPress installation. Users who update via their WordPress Dashboard should notice that the procedure is speedier than before.

Updates are available via Dashboard > Updates. WordPress administrators can download the new version of WordPress from there or update directly if their blog has been configured properly for that.

The new version is alternatively available at the official WordPress website.

I have updated six blogs so far and did not notice any problems with the new updating mechanism or the new version of WordPress itself.

That’s good because the new version introduces new system requirements that webmasters should make sure their server supports, before they upgrade. WordPress 3.2 requires as a minimum MySql 5.0.15 and PHP 5.2.4. That’s a big step from MySQL 4.1.2 and PHP 4.3. Contact your hoster if you are not sure if you server supports the minimum requirements.

Experienced webmasters can also create a php file with <? PHPINFO(); ?> as the content and upload it to their server. The file displays the information, among many others, in the browser when opened there.

The highlights of WordPress 3.2 in 40 words or less: WordPress comes with a refreshed admin design, a full screen editor for distraction free blogging, a new default HTML5 theme and an extended admin bar.

There are other things, largely under the hood that will make webmasters happy. This includes faster page loading times, dropped support for Internet Explorer 6, additional performance and speed improvements and caching of admin dashboard widgets to reduce the site’s memory footprint.

The new admin interface seems to use new typography as well, at least in some parts. Especially the font in HTML editing mode feels strange with its white space between words and a new line height. Editors who switch to the visual mode on the other hand seem to get a default font (does anyone know if it is possible to change the font in WordPress admin?)

The update notifications are as usual available right on the admin backend of the blog. Webmasters can update their blogs from within their, if configured this way. This is the fastest update option. An alternative is the download of the new version from the official website and updating via ftp or sftp.

I have updated five blogs yesterday evening and the update went well without difficulties. I will now continue to upgrade my other twenty or so blogs, such fun..

WordPress 3.1.4. has just been released and the developers refer to it as a security and maintenance upgrade. The new version fixes one known vulnerability that “could allow a malicious Editor-level user to gain further access to the site”. If you are running a single author blog you are safe from this.

I’d still recommend to update the blog as soon as possible because of security hardening additions to the blogging platform.

The update is as usually available as a direct download, install and update from within the WordPress admin interface, and as a separate download from the official WordPress website. I have updated a total of five blogs so far – including Ghacks Technology News – and encountered no problems or issues after the update. While it may be to early to tell, it is relatively safe to say that the update won’t break the blog.

WordPress admins who are interested in all changes in the WordPress 3.1.4 release find them listed on WordPress trac.

The developers have furthermore released the third and final release candidate of WordPress 3.2 which will be released in the near future. While I would not suggest to update a public blog to that version yet, it is clear that it won’t be long until the final version is released. Likely again before my bedtime.

You find additional information about the features and changes in WordPress 3.2 on the official beta announcement post over at the WordPress website.

Have you updated your blogs yet? If so, have you encountered any issues with this update?

The WordPress blog lists the following security enhancements and fixes in WordPress 3.1.3.

• Various security hardening
• Taxonomy query hardening
• Prevent sniffing out user names of non-authors by using canonical redirects.
• Media security fixes
• Improves file upload security on hosts with dangerous security settings.
• Cleans up old WordPress import files if the import does not finish.
• Introduce “clickjacking” protection in modern browsers on admin and login pages.

Interested users can consult WordPress trac for detailed information on all fixes that have been applied to this release.

The developers have added quite some security hardening to the new release as you can see from the list of changes above. It is still recommended to update WordPress installations as soon as possible to improve security and close the security and privacy vulnerabilities fixed in the release.

Self-hosted WordPress blogs are already picking up on the update and notifying administrators in the dashboard about the update.

It is as usual possible to apply and install the WordPress update right from the admin dashboard, or by downloading the new release from WordPress to install it manually by uploading file to the server.

The WordPress Codex lists the file changes in this new release.

The WordPress developers suggest to update immediately, especially if users can register as contributors on the blog. WordPress 3.1.2 fixes several non-security related issues which you can see a list of at the issue tracker over at the WordPress website.

Nothing to spectacular fixed though, take a look below for the list.

• It’s tricky to drag metaboxes
• Apostrophe in first/last/nickname causes JS error on user profile page
• Missing closing </fieldset> in user-edit.php for “show admin bar”
• Multiple tag queries broken
• WP_User_Query ordered by post_count doesn’t work if prefix is not wp_
• WordPress 3.1.1 breaks date archive filtering by tag or category
• Walker_PageDropdown doesn’t filter titles correctly
• Too much escaping for pages when using Quick Edit

WordPress administrators can update their blogs either directly from the WordPress Dashboard with a click on the Update Automatically button, or by downloading the new release from the official WordPress website, uploading the files manually to the server and running the upgrade script afterwards.

I have just updated more than a dozen WordPress blog to version 3.1.2 and the automatic update worked without difficulties in every instance. WordPress admins should not encounter any page display problems on the frontend or backend after applying the update.

That alone should be reason enough to update WordPress to the latest version. The post mentions performance improvements without going into further details. It is therefor not clear if the improvements are measurable, and which areas of the platform have been improvement. The remaining changes list fixes for IIS6 support, taxonomy and pathinfo permalinks and various “query and taxonomy edge cases that caused some plugin compatibility issues”.

Update notifications are not displayed on all WordPress blogs yet. Webmasters should click on Dashboard > Updates to force WordPress to check for new updates. The WordPress 3.1.1. release should be listed on that page then. It is then possible to update the WordPress blog automatically from within the admin interface, or to download the new release and update the blog manually by uploading all files to the server and running the wp-admin/update.php script afterwards.

I have just finished updating 20 different WordPress blogs and the automatic updating worked on all but one without errors or problems. The one blog is a special case and it is likely that a plugin or special script interfered with the update.

The latest version of WordPress can be downloaded from this page.

The update is not a security update which means that there is no rush to install it directly.

Among the new features is the option to link to existing content easier. This is done via the standard link button in the WordPress writing panel and the selection of “Or link to existing content”.

It is possible to search for related content or select one of the most recent items. The writing interface has been overhauled. The developers have many interface elements that were shown by default of the screen which should be beneficial to new users. All writing elements can be added again via the Screen Options at the top of the page.

Another addition is the new admin bar that is displayed to WordPress administrators when they navigate the WordPress frontend. The bar is actually not displayed on all of my blogs right now. I’m not sure why that is the case (likely because of CSS minifying or merging) but there is thankfully a way to disable the admin bar.

Open Users > Your Profile and locate Show Admin Bar near the top.  Remove the checkmark from “when viewing site” to disable it.

Other noteworthy features are:

• post formats, meta information used by themes
• network admin, moves the Super Admin menu out of the regular admin interface
• list-type admin screens, now sortable by column, better pagination
• exporter / importer, was overhauled.
• advanced queries, again something for developers
• custom content type improvements, again developer related
• refreshed blue admin color scheme

Interested users can visit the WordPress Codec for an in depth overview of all the features that have been added, improved or changed in the recent release.

WordPress administrators can upgrade their blog to WordPress 3.1 either directly from within the admin interface or by downloading WordPress 3.1 from the official website and installing the new version manually.

According to the developers, WordPress 3.0.5 is a ” security hardening update for all previous WordPress versions” that fixes two moderate security issues and one information disclosure issue, and adds two security enhancements to the blogging application.

The security issues could have allowed “a Contributor- or Author-level user to gain further access to the site”, the information disclosure issue “could have allowed an Author-level user to view contents of posts they should not be able to see”.

The two security enhancements “improved the security of any plugins which were not properly leveraging our security API” and “offer additional defense in depth against a vulnerability that was fixed in previous release”. (via)

The summary lists the following changes:

• Fix XSS bug: Properly encode title used in Quick/Bulk Edit, and offer additional sanitization to various fields. Affects users of the Author or Contributor role.
• Fix XSS bug: Preserve tag escaping in the tags meta box. Affects users of the Author or Contributor role.
• Fix potential information disclosure of posts through the media uploader. Affects users of the Author role.
• Enhancement: Force HTML filtering on comment text in the admin
• Enhancement: Harden check_admin_referer() when called without arguments, which plugins should avoid.
• Update the license to GPLv2 (or later) and update copyright information for the KSES library

WordPress 3.0.5 is available for download at the official WordPress site as well for users who want to install the update manually on their server.

The update is currently not announced on the frontpage of the admin interface which means that WordPress admins need to click on Updates to see the update options.

It is as usually possible to install the update right away by downloading it directly to the server running the blog. The script handles the download, unpacking and installation of the new version automatically.

Users who want to test the release first can also download it instead to do just that.

The vulnerability reads:

Fix XSS vulnerabilities in the KSES library: Don’t be case sensitive to attribute names. Handle padded entities when checking for bad protocols. Normalize entities before checking for bad protocols in esc_url()

WordPress rates the vulnerability as critical which means that webmasters should update their blogs as soon as possible to protect it from possible exploits of the issue.

WordPress is also available directly at the official website.

So what’s the security vulnerability about? The WordPress blog states that it is about issues “in the remote publishing interface, which under certain circumstances allowed Author- and Contributor-level users to improperly edit, publish, or delete posts”.

That in turn means that single-author blogs are not affected by the vulnerability directly. Webmasters should still consider updating right away to prevent future damage or indirect damage if someone manages to get access to user accounts on the blog or the ability to create them.

The issue affects sites that have remote publishing enabled. Sites that do not have it enabled are not affected. Then again, it is always a good idea to update to the latest release to close potential security issues right away.

WordPress admins can check if remote publishing is enabled by going to Settings > Writing in their WordPress admin interface.

The update is as usually available directly in WordPress. Users can update their blogs from within WordPress which is the fastest and most convenient solution, or by downloading WordPress from the official website and installing the update manually.

It is recommended to backup the blog before performing the update to be able to restore to a previous version in case something goes wrong during the update.

The official release notes mention that a moderate security issues have been fixed where “a malicious Author-level user could gain further access to the site”. In addition to that bugs have been fixed and security hardening added to the blog.

Remove pingback/trackback blogroll whitelisting feature as it can easily be abused. (#13887)
Fix canonical redirection for permalinks containing %category% with nested categories and paging. (#13471)
Fix occasional irrelevant error messages on plugin activation. (#15062)
Minor XSS fixes in request_filesystem_credentials() and when deleting a plugin. (r16367, r16373)
Clarify the license in the readme (r15534)
Multisite: Fix the delete_user meta capability (r15562)
Multisite: Force current_user_can_for_blog() to run map_meta_cap() even for super admins (#15122)
Multisite: Fix ms-files.php content type headers when requesting a URL with a query string (#14450)
Multisite: Fix the usage of the SUBDOMAIN_INSTALL constant for upgraded WordPress MU installs (#14536)

The WordPress devs recommend to update the blog immediately even if no additional authors are registered on a blog.

I have updated around 20 WordPress blogs by now and there were no plugin incompatibilities or other issues related to the update.

WordPress 3.01 has been released a few minutes ago. The update is maintenance related, according to the blog post over at the official WordPress website. The new version fixes 50 minor issues in the blogging platform. The only – somewhat – security / privacy related issue that was fixed was a bug that allowed logged in users to view trashed articles of other users.

WordPress admins who are interested in the bugs that have been fixed in the release can take a look at Buqtraq which lists them all.

Everyone else can download the new version from the official website, or update the WordPress blog automatically from the admin dashboard. Updating the blog should be fast and smooth, considering the nature of the update. It is still advised to create a backup of the blog’s files and database before pressing the update button or starting the manual updating process.

Ghacks has been just updated, all my other blogs have to wait until the morning. Good night everyone.

The vulnerability exploits a new feature that has been introduced in WordPress 2.9: the trash. The trash is a basic trashcan where deleted posts are placed so that they can be restored if they have been deleted by accident. This trash can be disabled but is activated by default on all WordPress 2.9 and later blogs.

Every logged in user, even those with the subscriber role, can access all deleted articles and posts that have been moved to the trash. This might not affect the majority of blogs as there need to be at least two registered users and at least one user that is not trusted by the administrator of the site.

In theory though anyone with a user account at the website can access the trashed articles regardless of which user wrote them.

The WordPress 2.9.2 patch fixes this exploit so that this is no longer possible. WordPress 2.9.2. can be downloaded from the official WordPress website. Users who have configured their blog for automatic updates can also update the blog from within the blog right away.

Scheduled posts would not be published at the time configured by the user but appear as missed in the list of posts forcing the webmaster to reschedule and hope for the best or to publish it manually.

WordPress 2.9.1 fixes this annoying bug and 23 others that are listed in WordPress Trac. Five of the bugs listed have been rated high while the majority received a normal rating. Several updates fix installation and upgrade issues that webmasters might have experienced. Webmasters with those issues might want to install or upgrade straight to WordPress 2.9.1 which might fix the issues experienced by those webmasters.

Our blogs have not picked up the new version of WordPress yet but it is likely that this will happen in the next few hours.

WordPress 2.9.1 can be downloaded at the official WordPress website. The list of bug fixes is available here.

The new version comes with over 500 bug fixes, changes and enhancements which makes it a recommended download and install. Some of the new features include:

• Trashbin: Posts that are deleted are now moved to the trash instead of being deleted irrecoverably. It is possible to recover posts from the trash at a later time.
• Image Editor: A basic image editor that can be used to edit, rotate, scale and crop images.
• Batch plugin support: Update up to ten plugins at once.
• Video Embeds: video embeds for popular sites have become just a tad easier as it is now possible to simply paste the url into the post which will be turned into an appropriate viewer by WordPress automatically.
• Automatic database optimization which can be enabled by adding define(‘WP_ALLOW_REPAIR’, true); to the WordPress config file.
• Post Thumbnails options which can be used to display thumbnails in every post if the theme supports it.
• Better SEO thanks to rel=canonical
• Custom galleries with the ability to add pictures from several posts.

The complete list of changes can be viewed at WordPress Trac. Happy upgrading!

The first problem is an XSS vulnerability in Press This discovered by Benjamin Flesch. The second problem, discovered by Dawid Golunski, is an issue with sanitizing uploaded file names that can be exploited in certain Apache configurations. Thanks to Benjamin and Dawid for finding and reporting these.

The upgrade is as usual available through various means with the two most popular ones being through an automatic update in the WordPress admin interface and the second trough a download from the official WordPress website. The first is faster and more comfortable while the second offers more control to the user especially if something goes wrong.

This WordPress update does not require an update of the WordPress database. It is however recommended to perform a backup of both the WordPress files on the web server and the MySQL database to be prepared if the update should fail for any reason.

The most important changes in WordPress 2.8.5 are therefor:

• A fix for the Trackback Denial-of-Service attack that is currently being seen.
• Removal of areas within the code where php code in variables was evaluated.
• Switched the file upload functionality to be whitelisted for all users including Admins.
• Retiring of the two importers of Tag data from old plugins.

WordPress blogs are currently not announcing the new release. It is expected that this will change in the next hours so that the automatic update option becomes available for WordPress webmasters who use it to update their website. Webmasters who manually update their blog can visit the WordPress page to download the latest version of WordPress. Additional information about the security release are available in the blog post that announced the upgrade.

According to Mashable there are two clues that your blog has been successfully attacked by the computer worm:

There are two clues that your WordPress site has been attacked.

There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.”

The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account.

Webmasters are asked to update their blogs to the latest version of WordPress immediately. Those that have been hit by the computer worm should backup all files, export their settings, and do a clean install of WordPress. More help is offered at the WordPress website.

Rant:

It’s Sunday and it is time for a little rant. Webmasters who do not update their blogs as soon as a new version of their blogging software is released are acting stupid. A WordPress update usually takes less than ten minutes and ensures that the blog and server is protected from attacks like these. Webmasters who do not have the time to perform these updates should consider switching to a hosted blogging platform like that at Blogger or WordPress.com. The automatic update option that has been introduced in recent WordPress versions makes it even easier to update the blog as soon as a new version is released. Webmasters who cannot do this should not operate a self hosted blog, period.