Blog Archives

Older WordPress Versions Are Insecure


I have said this many times before: UPGRADE WORDPRESS WHEN PROMPTED. This one is in the style of “beating you about the head and body and then caning you across the eyeballs”. Why? Because a hack has been discovered that makes your older, more stable, more comfortable WordPress.org install very insecure – really, you may as well make the password Pa55w0rd, because your older version can and will be pwned.

Now that I have your attention… go to Lorelle’s site, Robert Scoble’s site and the WordPress Dev Blog to see details of this new exploit. If you have version 2.8.4 (as I do), you are more secure. As well as upgrading, remove the default admin account and create a new one (do those in reverse order: create the new admin account first, then remove the default one), check for phantom admin accounts and make sure you are using a strong password. There are other things to do, but that will keep you going for now.
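As an added example (not code from the original post or from WordPress itself), here are the database checks behind the “check for phantom admin accounts” and “remove the default admin account” steps above. It assumes a MySQL database with the default wp_ table prefix; the audit date is a constructed placeholder.

```sql
-- Added example, not from the post or from WordPress: audit who holds the
-- administrator role. Assumes MySQL and the default wp_ table prefix.
-- WordPress stores a user's roles as a serialized PHP array in wp_usermeta
-- under meta_key '<prefix>capabilities', e.g. a:1:{s:13:"administrator";b:1;}
SELECT u.ID,
       u.user_login,
       u.user_email,
       u.user_registered,
       m.meta_value AS capabilities
FROM   wp_users u
JOIN   wp_usermeta m
  ON   m.user_id = u.ID
WHERE  m.meta_key   = 'wp_capabilities'
  AND  m.meta_value LIKE '%"administrator"%'
ORDER  BY u.user_registered;
-- Every row should be an account you recognise; anything else is a phantom
-- admin to investigate.

-- The default install creates an account named 'admin'. After you have
-- created your replacement admin and removed the default one, this must
-- return no rows.
SELECT ID, user_login, user_registered
FROM   wp_users
WHERE  user_login = 'admin';

-- Any account created since your last audit deserves a second look,
-- whatever its role. The date below is a constructed placeholder.
SELECT ID, user_login, user_email, user_registered
FROM   wp_users
WHERE  user_registered > '2009-01-01 00:00:00'
ORDER  BY user_registered DESC;
```

Run these read-only queries from the MySQL client (or phpMyAdmin) against the blog's database; if your install uses a different table prefix, substitute it in the table names and in the 'wp_capabilities' key.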

I regularly get comments such as “if I upgrade it breaks all my plugins”, “my theme doesn’t work if I upgrade now” and so on. You now get to make a value judgment: if you don’t upgrade you could end up no longer owning your blog, versus giving up or changing a few plugins or a theme. Which of these is the worst-case scenario for you?

Upgrade now. You know it makes sense.


WordPress 2.6.3

When I dipped in to upgrade some plugins this evening, my dashboard kindly told me that I needed to upgrade from WordPress 2.6.2 to WordPress 2.6.3. Get the latest version here.

In short, it seems that Snoopy, the library WordPress uses to fetch the dashboard feeds, has a vulnerability, and this upgrade fixes it.

So, if you are running WordPress 2.6.2 or earlier (especially if you are running an earlier version), you should upgrade as soon as possible.

WordPress 2.6.2

Another quick heads up, peeps. WordPress 2.6.2 is out and you should update ASAP – especially if you allow registrations on your blog.

See the WordPress Dev Blog for details, but in short, the new update fixes the SQL Column Truncation vulnerability and the weakness of mt_rand(). Apparently other PHP apps are vulnerable too – read the WP Dev Blog entry.

This version also fixes a bunch of other bugs. I’ll be updating in the next 24 hours and would advise you to do the same. Don’t forget to deactivate and then reactivate your plugins – and if you haven’t upgraded for a few versions, check their compatibility.
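As an added example, not from the post or from the WordPress project, the following SQL shows the database-side hardening that relates to the SQL Column Truncation issue named above: with MySQL strict mode on, a value longer than the column is rejected instead of being silently cut down to a string that may collide with an existing login. The table, the collation and the sample values are constructed for the demonstration.

```sql
-- Added example, not from the post or from WordPress: database-level
-- defence against silent column truncation. Assumes MySQL and a throwaway
-- schema; the table and values below are constructed.
-- The collation is given explicitly because PAD SPACE collations (such as
-- utf8mb4_unicode_ci) ignore trailing spaces when comparing strings.
CREATE TABLE demo_users (
  ID         BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  user_login VARCHAR(60) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NOT NULL,
  UNIQUE KEY user_login_uq (user_login)
);

-- 1. Permissive mode: a 61-character value is cut to 60 characters and
--    stored with only a warning. The application checked one string and the
--    database kept a different one.
SET SESSION sql_mode = '';
INSERT INTO demo_users (user_login) VALUES (REPEAT('a', 61));
SELECT ID, CHAR_LENGTH(user_login) AS stored_len FROM demo_users;
-- stored_len is 60, not 61

-- 2. Strict mode: the same kind of INSERT fails with error 1406
--    ("Data too long for column"), so nothing is written that differs from
--    what the application validated.
SET SESSION sql_mode = 'STRICT_ALL_TABLES';
INSERT INTO demo_users (user_login) VALUES (REPEAT('b', 61));

-- 3. The UNIQUE KEY is a second line of defence. Under a PAD SPACE collation
--    'bob' and 'bob   ' compare equal, so the second INSERT fails with
--    error 1062 (duplicate key) instead of creating a look-alike account.
INSERT INTO demo_users (user_login) VALUES ('bob');
INSERT INTO demo_users (user_login) VALUES ('bob   ');

DROP TABLE demo_users;
```

Strict mode is a safety net, not the whole fix: the application still has to validate a username's length and characters before the query runs, and the mt_rand() weakness the post also mentions is an application concern (generated passwords and reset keys need a cryptographically secure random source), which no database setting addresses.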