Category Archives: WordPress and other CMS

WordPress updates

WordPress 3.8.3 was released on April 14, and WordPress sites with Auto Updates enabled should have been silently updated. In some cases, the 3.8.3 update may not have had time to auto-update before WordPress became available yesterday.

WordPress 3.8.3 fixes a minor bug that was introduced in the previous release, 3.8.2.

WordPress 3.9 makes several significant changes to the handling of media files, and makes it a bit easier for developers to experiment with widgets.

Neither release apparently includes any security fixes.

WordPress 3.8 released

The latest version of WordPress includes a style and responsiveness overhaul of the dashboard, sharp new vector-based icons, better support for mobile platforms, improved responsiveness features, better theme and widget management, better RTL (Right To Left) suport, some bug fixes, and a new theme, TwentyFourteen. An entry in the WordPress Codex lists all the changes in the new version.

WordPress 3.7.1 released

Version 3.7.1 fixes several minor issues that arose in the recent version 3.7 release, including some issues with the new auto-update feature. The official announcement of version 3.7.1 lists the changes.

The release of WordPress 3.7.1 provides a useful test of the new auto-update feature. I administer five WordPress sites, which I updated to version 3.7 the day it became available. Of those five sites, only two have updated themselves to 3.7.1 in the two days since its release. I will continue to update this post as the other three update themselves. Then I’ll decide whether to leave auto-updates enabled or continue to handle updates manually. Update 2013Nov01: two more sites updated themselves in the last day or so. One remains at version 3.7. Update 2013Nov04: one of the sites never updated itself, despite passing the auto-update tests. I updated it manually. I’ve concluded that the auto-update feature is useful, but not to be relied upon – at least not yet.

There have been a lot of reports of problems with the new auto-update feature. Most of these problems relate to hosting providers and limitations they impose on WordPress sites. Some of those problems were resolved in 3.7.1. In any case, you can diagnose auto-update problems using the new plugin Background Update Tester.

Another new plugin named Update Control allows you to control the way auto-updates work, including disabling them completely.

WordPress Tavern has a useful post about the new auto-update feature, titled “WordPress Automatic Updates – No Options For You!” There’s also a post on “The definitive guide to disabling auto updates in WordPress 3.7.”

WordPress 3.5.2 released

WordPress 3.5.2 fixes several security vulnerabilities. Given the recent worldwide attacks against WordPress-based web sites, all WordPress sites should be upgraded to the new version as soon as possible.

One of the vulnerabilities fixed in version 3.5.2 is CVE-2013-2173, a Denial-of-Service (DoS) vulnerability recently disclosed on the VND blog. The vulnerability and a Proof of Concept were disclosed on that site one week after the author reported the issue to the WordPress security team. Concerned that a single email might have been caught in a spam filter, I posted a link to the report in two of the WordPress IRC channels (#wordpress and #wordpress-dev), and soon after that I was told that the security team had been notified. It was later disclosed that the original report had indeed been caught by a spam filter, even though the reporter had received a ‘we received your report’ auto-response. The lessons here are: 1) security email inboxes should not have spam filters; 2) don’t use an auto-responder on security email inboxes; and 3) don’t stop reporting a security issue until you’ve heard back from a human being, confirming receipt of your report.

Massive attack against WordPress web sites underway

Ars Technica reports on evidence of a worldwide attack on WordPress web sites.

The attack seems to focus mainly on brute-force login attempts using the WordPress ‘admin’ account. Successful password guesses allow the attacker to gain full control over the site and install back-door software.

Anyone who operates a WordPress web site should quickly check their admin password and change it to something complex: no dictionary words; use of mixed case letters, numbers and punctuation; at least 10 characters long.