It’s time to upgrade WordPress

| December 30, 2007 | 7 Comments

I logged in to my blog today only to find a disturbing little message at the top of the screen: “A new version of WordPress is available! Please update now.”

Yes folks, despite the goal of not releasing any new versions until 2.3, we now are faced with WordPress version 2.3.2, which fixes the draft vulnerability we wrote about recently, as well as “suppress[ing] some error messages that can give away information about your database table structure and limits and stops some information leaks in the XML-RPC and APP implementations” (from the WordPress blog).

An added bonus in this upgrade is the ability to create a custom template page that will display when users encounter database errors. Instead of some WordPress page filled with database mumbo jumbo, you can have a user-friendly page appear at times of database troubles with a message explaining the problem. This page is called db-error.php, and should be placed in your wp-content folder.
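A sketch of such a db-error.php, as an added example that is not from the original post or from WordPress itself; the message wording, the 600-second retry hint and the log line are assumptions. It shows visitors nothing about the database and keeps the detail in the server log:

```php
<?php
// wp-content/db-error.php -- added example, not WordPress's own code.
// Assumptions: the 600-second retry hint, the log wording, the page text.

// Use the request's protocol only if it is a known value.
$protocol = isset($_SERVER['SERVER_PROTOCOL']) ? $_SERVER['SERVER_PROTOCOL'] : '';
if (!in_array($protocol, array('HTTP/1.0', 'HTTP/1.1', 'HTTP/2', 'HTTP/2.0'), true)) {
    $protocol = 'HTTP/1.1';
}

if (!headers_sent()) {
    // 503 tells browsers, caches and crawlers the outage is temporary,
    // so the error page is not stored or indexed as real content.
    header($protocol . ' 503 Service Unavailable', true, 503);
    header('Retry-After: 600');
    header('Cache-Control: no-store');
    header('Content-Type: text/html; charset=utf-8');
}

// Record the failure server-side. Control characters are stripped and the
// URI is truncated so a crafted request cannot forge or flood log lines.
$uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '-';
$uri = substr(preg_replace('/[\x00-\x1F\x7F]/', '', $uri), 0, 200);
error_log('db-error.php served for ' . $uri);

// The markup below is static: no request data and no database error text
// (host, table names, query) is echoed back to the visitor.
?>
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <meta name="robots" content="noindex">
  <title>Temporarily unavailable</title>
</head>
<body>
  <h1>We'll be right back</h1>
  <p>The site is having trouble reaching its database.
     Please try again in a few minutes.</p>
</body>
</html>
```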

So let’s go upgrade everybody. Fantastico users will have to wait, since Fantastico hasn’t upgraded their WordPress installation yet.


Category: News & Views


Comments (7)


  1. Ryan says:

    Miriam – I think you meant 2.4 above, not 2.3.

    The customised error template sounds like a great idea. I’ve been meaning to figure out how to hack that thing for a while now, but this should make it much easier.

    Perhaps WordPress needs to set up a tier of upgrade levels? Perhaps green, yellow, orange and red where red means upgrade fast or your site will get hacked, orange means upgrade due to minor security problems, yellow means upgrade if you use the specific functions of WordPress which have security problems and green means there’s no security updates, but upgrade if you want the extra functions they’ve added.

    Under that system I’m assuming this latest update would be a yellow, in which case we could just go check what’s wrong with our current installs and if the security problems aren’t major then wait till the upgrade reaches orange, or red if we’re really keen. Just an idea …

  2. Miriam Schwab says:

    Ryan, that is such a good idea! But I’m guessing that would cause a lot of problems for WordPress since you’d have people running different versions and there would have to maybe be all sorts of branches of WordPress. But I am getting sick of upgrading for every little thing, especially when we’re managing so many WordPress sites.

  3. Lynne says:

    I’m not looking forward to this, every time I try anything with this blog something goes terribly wrong!  Oh well, what choice do I have?! :-D

  4. Forrest says:

    Sadly, this one is a compressed archive full of PHP files.  If you’ve made changes to some of the core files, outside your template – like I have – this is a much more complicated upgrade than others have been…

  5. Ryan says:

    Forrest – what do you mean by "compressed archive"? And what makes it different from previous WordPress upgrades?

  6. Ryan says:

    Looks like 2.3.3 is upon us!

    According to WordPress it is an urgent security release due to other registered users of your blog having the ability to edit any page on your blog.

    http://wordpress.org/development/2008/02/wordpress-233/

    Of course, if you don’t allow people to register then it shouldn’t matter and you won’t need to upgrade – although they haven’t mentioned that in the official release.

  7. Ryan says:

    In case my interpretation is wrong …

    “A flaw was found in our XML-RPC implementation such that a specially crafted request would allow any valid user to edit posts of any other user on that blog.”

    My impression from the above quote was that the user would need to be registered with your blog to do any damage.
