Category Archives: WordPress

Version 2.9 of WordPress was released on Saturday. The new version includes a trash feature, a built-in image editor, plugin compatibility checking, and support for the embedding content using the oEmbed standard. With trash feature posts and comments that are deleted will be placed in a trash folder instead being completely deleted. The image editor allows images to be  cropped, edited, rotated, flipped, and scaled and the post announcing the new version indicated that this is the first of “many planned media-handling improvements”. To help the users planning to upgrade to newer versions, WordPress will now present data compiled from other users as to whether installed plugins are compatible with the new version. Support for oEmbed standard allows for embedding of images, video, and other content by pasting an URL into a post. The standard is supported by YouTube, Flickr, Hulu, Scribd, PollDaddy and other websites.

The new version requires that your server run MySQL 4.1.2 or higher, previously versions only required 4.0 or higher. WordPress will check if the server has a supported version of MySQL during the auto upgrade process.

A full lists of changes in 2.8 is available at the WordPress Codex.

WordPress 2.8.5 was released yesterday, which includes a fix for a denial-of-service (DoS) attack and a number of changes that removed code that could potentially be used to hack into WordPress. The denial-of-service attack utilizes specially crafted trackbacks that cause WordPress to use a significant amount of processing power when they are processed which could lead WordPress becoming unresponsive.  The code removal changes were originally developed for the upcoming version 2.9 and were backported to improve security as soon as possible.

Following less than two weeks after the release WordPress 2.8.1, which fixed a potentially serious security vulnerability, a new version has been released to patch another potentially serious security vulnerability. In versions before 2.8.2, comment author URLs were not fully sanitized which could lead to a cross-site scripting (XSS) attack. When viewing a page in the administrative interface that contains a specifically crafted comment author URL the user would be automatically redirected to another web page. That other web page could try to infect the user’s machine with malware or try to perform some other harmful activity.

WordPress 2.8.1, which fixes a number of problems with 2.8 and addresses a potentially serious security vulnerability, was released yesterday. The problems that were fixed were causing serious problems for some users.  A work around was created so that some templates that were not working due how they called get_categories(). Dashboard memory usage was reduced to alleviate an issue where some people were receiving an incomplete page when they attempted to view the dash board. And an issue that caused the rich text editor not load was worked around. The security vulnerability allows any user of the blog, including subscribers, to view and in some cases modify plugin files if they did not explicitly check permissions.  In Corelabs advisory about the vulnerability, they mention one plugin whose features could be disabled and another that could be modified to run arbitrary code when the blog administrator visits the plugins page. Extra security has been put in place to better protect plugins from this.

The finalized version of WordPress 2.8 was released today. The changes made include better widgets, a theme browser/installer, performance upgrades, and over 790 bug fixes. The widget admin interface has been changed to allow for making immediate edits to widgets, having multiple copies of widgets, and the ability to save settings for inactive widgets. A new widget API should allow for developers to create improved widgets.

On the security front, changes were made that should improve plugin security from cross-site scripting (XSS) attacks. An empty index file has been added to the plugin directory so that servers that are configured to show the contents of directory when no index file exist will no longer show potential hackers what plugins are located in the directory that they could attempt to exploit.

A full lists of changes in 2.8 is available at the WordPress Codex.

According to a post by Matt Mullenweg on the WordPress Blog possible improvements in versions 2.9 and 3.0 include “improved media handling, better dependency checking, versioning of templates and themes, and of course the fabled merging of WordPress and MU.” Version 2.9 will also requireMySQL 4.1.2 or higher, up from the current requirement of 4.0.

The first beta of WordPress 2.8 was released on Saturday according to a post on the WordPress Blog. The new version features a new widget API that should lead to better widgets, a theme browser/installer and performance upgrades. Only minor changes have been made to the interface, following the major changes that occurred in the previous version. You can see a full lists of changes in 2.8 at the WordPress Codex.

The finalized version of WordPress 2.7 was released yesterday, coming one day after the second release candidate. The most visible change in 2.7 is the admin interface, which has received a new look and is highly customizable. The new Quick Edit option in the Edit Posts page allows for changing quickly changing posts titles, categories, publishing status, and other post options without having to open each individual post. The new version also adds the ability to automatically update WordPress and to install plugins from inside WordPress. Some of the other new features include comment threading, sticky posts, and replying to comments in the dashboard. According to a post by Matt Mullenweg on the WordPress Blog, the high volume of feedback during the testing of 2.7 led to the delaying the release for a month to incorporate revision based on the feedback. Matt also said that he expects the interface remain largely the same during 2009 and that changes to WordPress next year to revolve around other areas including media handling, widgets, theme changes, and improved help.