I have said this many times before: UPGRADE WORDPRESS WHEN PROMPTED. This one is in the style of “beating you about the head and body and then caning you across the eyeballs”. Why? Because a hack has been discovered that makes your older, more stable, more comfortable WordPress.org install very insecure, and really you may as well make the password Pa55w0rd, because your older version can and will be pwned.
Now that I have your attention… Go to Lorelle’s site, Robert Scoble’s site and the WordPress Dev Blog to see details of this new exploit. If you have version 2.8.4 (as I do), you are more secure. As well as upgrading, remove the default admin account and create a new one (do those in reverse order: create the new administrator first, then remove the default one), check for phantom admin accounts and make sure you are using a strong password. There are other things to do, but that will keep you going for now.
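One way to do the “check for phantom admin accounts” step is to ask the database directly, since a rogue admin may have been hidden from the dashboard. This is an added example, not from the original post or from WordPress itself; it assumes the default `wp_` table prefix and the standard serialized `wp_capabilities` meta format.

```sql
-- List every user whose capabilities include the administrator role.
-- Assumes the default 'wp_' table prefix; adjust if your install uses another.
-- Compare the result against the admins you know you created; anything else is a phantom.
SELECT u.ID,
       u.user_login,
       u.user_email,
       u.user_registered,
       m.meta_value AS capabilities
FROM wp_users AS u
JOIN wp_usermeta AS m
  ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.user_registered;

-- Also flag the default 'admin' login, which should no longer exist once
-- you have created a replacement administrator and removed it.
SELECT ID, user_login, user_registered
FROM wp_users
WHERE user_login = 'admin';
```

Run it from phpMyAdmin or the mysql client against the blog’s database; a recent `user_registered` date on an administrator you did not create is the thing to look for.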
I regularly get comments such as “if I upgrade it breaks all my plugins”, “my theme doesn’t work if I upgrade now” and so on. You now get to make a value judgment: if you don’t upgrade you could end up no longer owning your blog, versus giving up or changing a few plugins or a theme. Which of these is the worst-case scenario for you?
Upgrade now. You know it makes sense.
So, if you are running WordPress 2.6.2 or earlier (especially if you are running an earlier version) then you should upgrade as soon as possible.
Another quick heads up peeps. WordPress 2.6.2 is out and you should update ASAP – especially if you allow registrations on your blog.
See the WordPress Dev Blog for details, but in short the new update fixes the SQL Column Truncation vulnerability and the weakness of mt_rand(). Apparently other PHP apps are vulnerable too – read the WP Dev Blog entry.
This version also fixes a bunch of new bugs. I’ll be updating in the next 24 hours and would advise you to do the same. Don’t forget to deactivate and then reactivate your plugins – and if you haven’t upgraded for a few versions, check their compatibility.