By now, most WordPress sites that have auto-updates enabled should be running version 3.8.2. This is a security release, meaning that changes in the new version are either bug fixes or related to security.
Please check your WordPress sites and update them to the new version if they have not already been updated.
An update for WordPress was announced yesterday. Version 3.8.1 fixes 31 bugs in 3.8, most of them being minor issues. None of the fixes appear to be related to security vulnerabilities.
If your WordPress site is enabled for automatic updates, it should update itself over the next day or so. If you don’t want to wait, you can install the update manually from the WordPress dashboard.
The latest version of WordPress includes a style and responsiveness overhaul of the dashboard, sharp new vector-based icons, better support for mobile platforms, improved responsiveness features, better theme and widget management, better RTL (Right To Left) support, some bug fixes, and a new theme, TwentyFourteen. An entry in the WordPress Codex lists all the changes in the new version.
Version 3.7.1 fixes several minor issues that arose in the recent version 3.7 release, including some issues with the new auto-update feature. The official announcement of version 3.7.1 lists the changes.
The release of WordPress 3.7.1 provides a useful test of the new auto-update feature. I administer five WordPress sites, which I updated to version 3.7 the day it became available. Of those five sites, only two have updated themselves to 3.7.1 in the two days since its release. I will continue to update this post as the other three update themselves. Then I’ll decide whether to leave auto-updates enabled or continue to handle updates manually.
Update 2013Nov01: two more sites updated themselves in the last day or so. One remains at version 3.7.
Update 2013Nov04: one of the sites never updated itself, despite passing the auto-update tests. I updated it manually. I’ve concluded that the auto-update feature is useful, but not to be relied upon – at least not yet.
There have been a lot of reports of problems with the new auto-update feature. Most of these problems relate to hosting providers and limitations they impose on WordPress sites. Some of those problems were resolved in 3.7.1. In any case, you can diagnose auto-update problems using the new plugin Background Update Tester.
Another new plugin named Update Control allows you to control the way auto-updates work, including disabling them completely.
WordPress Tavern has a useful post about the new auto-update feature, titled “WordPress Automatic Updates – No Options For You!” There’s also a post on WordPress.org: “The definitive guide to disabling auto updates in WordPress 3.7.”
The latest version of WordPress adds a few new features, including automated security and plugin updates. Although there are no security fixes in this release, overall security is improved through security auto-updates and improved password complexity requirements. Highly recommended for anyone running a WordPress site.
A new version of WordPress was announced yesterday. Version 3.6.1 fixes several security vulnerabilities.
Anyone managing a WordPress site is strongly encouraged to install this update as soon as possible. WordPress sites are already popular targets for nefarious hackers; there’s no point in making things easy for them.
Here’s the full list of changes in this update.
Improved revision control and autosave, post locking, and an improved menu editor highlight the changes in WordPress 3.6. There’s also a new theme (Twenty Thirteen), better media support, and better integration for various online services.
WordPress 3.5.2 fixes several security vulnerabilities. Given the recent worldwide attacks against WordPress-based web sites, all WordPress sites should be upgraded to the new version as soon as possible.
One of the vulnerabilities fixed in version 3.5.2 is CVE-2013-2173, a Denial-of-Service (DoS) vulnerability recently disclosed on the VND blog. The vulnerability and a Proof of Concept were disclosed on that site one week after the author reported the issue to the WordPress security team. Concerned that a single email might have been caught in a spam filter, I posted a link to the report in two of the WordPress IRC channels (#wordpress and #wordpress-dev), and soon after that I was told that the security team had been notified. It was later disclosed that the original report had indeed been caught by a spam filter, even though the reporter had received a ‘we received your report’ auto-response. The lessons here are: 1) security email inboxes should not have spam filters; 2) don’t use an auto-responder on security email inboxes; and 3) don’t stop reporting a security issue until you’ve heard back from a human being, confirming receipt of your report.
Ars Technica reports on evidence of a worldwide attack on WordPress web sites.
The attack seems to focus mainly on brute-force login attempts using the WordPress ‘admin’ account. Successful password guesses allow the attacker to gain full control over the site and install back-door software.
Anyone who operates a WordPress web site should quickly check their admin password and change it to something complex: no dictionary words; use of mixed case letters, numbers and punctuation; at least 10 characters long.
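To see whether a site is on the receiving end of this kind of password guessing, the web server access log can be tallied per source address. The following is an added example, not code from the original post: it assumes a "combined" format access log and that stock WordPress answers a failed login POST to wp-login.php with 200 and a successful one with a 302 redirect; the log lines, addresses and threshold are constructed. Access logs do not record the username tried, so this counts attempts per address rather than attempts against 'admin'.

```python
import re
from collections import defaultdict

def _line(ip, method, status):
    # Builds one constructed "combined"-format log line (not real traffic).
    return (f'{ip} - - [12/Apr/2013:10:00:00 +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 3412 "-" "-"')

# Constructed sample: two guessing sources and one user who mistyped once.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", "POST", 200)] * 5 + [_line("203.0.113.7", "POST", 302)]
    + [_line("198.51.100.20", "POST", 200)] * 4
    + [_line("192.0.2.10", "GET", 200), _line("192.0.2.10", "POST", 200),
       _line("192.0.2.10", "POST", 302)]
)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def login_attempts(log_text):
    """Return {ip: {"failed": n, "succeeded": n}} for POSTs to wp-login.php."""
    stats = defaultdict(lambda: {"failed": 0, "succeeded": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # GETs only load the login form
        if not m["path"].split("?", 1)[0].endswith("/wp-login.php"):
            continue
        # Assumption: 200 = form re-rendered after a bad password,
        # 302 = redirect after a successful login.
        if m["status"] == "200":
            stats[m["ip"]]["failed"] += 1
        elif m["status"] == "302":
            stats[m["ip"]]["succeeded"] += 1
    return dict(stats)

def suspicious_sources(log_text, max_failures=3):
    """Addresses with more than max_failures failed logins.

    login_succeeded=True means a guess may have worked: change the
    password and check the site for unexpected users or files.
    """
    return {
        ip: {"failed": s["failed"], "login_succeeded": s["succeeded"] > 0}
        for ip, s in login_attempts(log_text).items()
        if s["failed"] > max_failures
    }
```
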
A new version of WordPress was made available today. Version 3.4.2 contains several bug fixes, including some related to security.
Anyone running a WordPress site/blog should install the new version as soon as possible. WordPress is a popular target among site hackers and malware purveyors.