WordPress Security: Critical 0-Day Upgrade Released Today for 2.2 and 2.0.

Upgrade Wordpress Right Away

WordPress released upgrades today to both the 2.2 development path (WordPress 2.2.2) and the 2.0 legacy path (WordPress 2.0.11).

Both of these releases contain some important security fixes, so you really need to get your WordPress installation upgraded.

Read the Upgrade Release Notice, and Download the New Version appropriate to your chosen actively maintained path.

I want to take a minute to point out something I think is very important that you understand.

There are a number of people out there telling others that they are okay as long as they are using the latest version in their path. This is being put out most frequently by people using and recommending version 2.1.3. I'm not naming any names or calling out any one individual. I've heard this argument from a handful of people, and most of them I actually respect. They aren't being malicious, they are simply mistaken.

Consider this direct quote from the WordPress Release Archive.

None of these are safe to use, except the latest in the 2.0 or 2.2 series, which are both actively maintained.

Does anything in that quote make you feel all warm and fuzzy about running a 2.1.3 install? I can tell you that when I got hacked that's the version I was running, and the vulnerabilities are still there. Knowing is only half the battle though. I strongly encourage you to get onto an upgrade path that is in current development.
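The check that quote implies, as an added shell example that is not part of the original post: read the version out of `wp-includes/version.php` and say whether it is one of the two maintained releases named above, behind on a maintained series, or on an abandoned series such as 2.1.x. The releases considered current are hard-coded to the ones this post announces and need refreshing when new ones ship.

```shell
#!/bin/sh
# Added example, not code from the post. Assumes wp-includes/version.php
# contains a line of the form:  $wp_version = '2.2.2';

# Latest release on each actively maintained path, as announced in the post.
MAINTAINED_20="2.0.11"
MAINTAINED_22="2.2.2"

# Print the version string declared in a WordPress version.php file.
wp_version_from_file() {
    grep '^\$wp_version' "$1" | head -n 1 | cut -d"'" -f2
}

# Classify a version string as "current", "outdated" (on a maintained series
# but not its latest release) or "abandoned" (a series receiving no fixes).
wp_path_status() {
    case "$1" in
        "$MAINTAINED_20"|"$MAINTAINED_22") echo "current" ;;
        2.0|2.0.*|2.2|2.2.*)               echo "outdated" ;;
        *)                                  echo "abandoned" ;;
    esac
}

# Demonstration on a constructed version.php (not a real install).
demo() {
    tmp=$(mktemp)
    printf "<?php\n\$wp_version = '2.1.3';\n" > "$tmp"
    v=$(wp_version_from_file "$tmp")
    echo "installed $v: $(wp_path_status "$v")"   # installed 2.1.3: abandoned
    rm -f "$tmp"
}

demo
```

Point `wp_version_from_file` at a real install's `wp-includes/version.php` to check your own site; anything other than "current" means the fixes described in this post are missing.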

Notes About The Update

IT Damager points out that "every single update to WordPress over the last 2 years has been security related", and calls for the WordPress community to demand better security coding practices from the developers. He also points out that if you are running a WPMU blog network, you are giving all of your users access to admin accounts, and that WPMU has not been updated.

mybeNi has posted 7 zero-day cross site scripting vulnerabilities that today's upgrade fixes. These are nasty, and they could cost you your whole blog if you ignore them.

Beginners Guide to Upgrading WordPress?

I have previously written a WordPress installation guide for beginners. I did this because some of the instructions seemed a little vague for beginners.

I fully intended to take this opportunity to write another guide for beginners on the upgrade process. As I was preparing to write it, however, I took a look at the extended instructions on upgrading at WordPress.org and I really had second thoughts about just how needed such a guide would be. I know a few people have asked me to write one, but I think the resource that is already there does the job pretty well. The only things missing are the screen shots, and perhaps a discussion of putting your site into a maintenance mode while you delete and upload the files.

Let me know what you think. Check out the guide there, and if anyone still thinks they need even more basic steps, let me know and I'll go ahead and write it.

Great. That's usually the cause, and the first place to look. I was starting to think we had a different case on our hands here. I hadn't found any problems in your plugin list, but there were two I hadn't found yet, and the rest I probably had the latest versions since I neglected to ask you which versions you were using when I asked for your list.

Glad you're back up and running, or managing as it were. ;)

Dane Morgan (not verified) | Wed, 08/08/2007 - 05:58

Yay

It WAS a plugin! Updated to the latest plug-in version, and it's now fixed! Thanks so much for all your help Dane. :)

Meg (not verified) | Wed, 08/08/2007 - 00:18

I'm pretty sure the plugins were deactivated. Did you have to remind me it was "all the way from 2.1.3" ;)

It was working before, but I do vaguely remember seeing something pop up recently about a javascript update. I'll investigate that.

Meg (not verified) | Mon, 08/06/2007 - 07:43

Hi Meg,

Did you deactivate your plugins? That's going to be the most likely culprit. Especially coming all the way from 2.1.3, and also if it's been that long since you've updated some of the plugins as well.

Also keep in mind that there is a lot of AJAXy stuff, so while I'm sure you do, I have to mention that you need to make sure you have javascript enabled.

Dane Morgan (not verified) | Mon, 08/06/2007 - 06:24

[...] got the latest Wordpress Upgrade(s) installed today (2.2.2) - it was way overdue, as Dane at BlogStrokes keeps reminding [...]

Wordpress Upgrade | Dipping into the Blogpond (not verified) | Mon, 08/06/2007 - 05:27

Hi Dane

I finally got the latest updates installed (you convinced me that 2.1.3 was not secure). I chickened out at the last minute, and didn't end up doing it myself :( Just too scary!

But now I'm having problems with my "manage" page. I can't get into "manage posts".

I can hunt around and see if I can find anything in the forums, but I thought you (as a "guru") might have some ideas?

Meg (not verified) | Mon, 08/06/2007 - 04:59
