WordPress 2.8.5 was released yesterday. It includes a fix for a denial-of-service (DoS) attack and a number of changes that remove code which could potentially be used to hack into WordPress. The denial-of-service attack uses specially crafted trackbacks that cause WordPress to consume a significant amount of processing power while handling them, which could lead to WordPress becoming unresponsive. The code removal changes were originally developed for the upcoming version 2.9 and were backported so that the security improvements would be available as soon as possible.
Less than two weeks after the release of WordPress 2.8.1, which fixed a potentially serious security vulnerability, a new version has been released to patch another potentially serious security vulnerability. In versions before 2.8.2, comment author URLs were not fully sanitized, which could lead to a cross-site scripting (XSS) attack. When viewing a page in the administrative interface that contains a specially crafted comment author URL, the user would be automatically redirected to another web page. That other web page could try to infect the user’s machine with malware or attempt some other harmful activity.
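The defensive pattern behind a fix like the one described above is to allow only http(s) URLs and escape the value before it is placed in an attribute. The following is an added illustration in Python, not WordPress's own code; the function names and the constructed sample values are my own.

```python
from html import escape
from urllib.parse import urlsplit

# Only these schemes are ever allowed into the admin comment listing.
ALLOWED_SCHEMES = {"http", "https"}


def sanitize_author_url(raw):
    """Return the URL if it is a plain http(s) link, otherwise ''.

    Control characters are removed first, because browsers ignore tabs
    and newlines when parsing a scheme ("java\\tscript:" still runs).
    After that, anything that is not http(s) with a host is dropped.
    """
    if raw is None:
        return ""
    cleaned = "".join(ch for ch in raw if ch.isprintable()).strip()
    if not cleaned:
        return ""
    parts = urlsplit(cleaned)
    # urlsplit lower-cases the scheme; a missing netloc also means
    # protocol-relative ("//host") or scheme-less input, both rejected.
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return ""
    return cleaned


def author_link_html(name, raw_url):
    """Render the comment author for an admin page.

    The name is always escaped; the link is emitted only when the URL
    survived sanitize_author_url, and is attribute-escaped as well so a
    quote inside the URL cannot break out of href.
    """
    safe_name = escape(name, quote=True)
    url = sanitize_author_url(raw_url)
    if not url:
        return safe_name
    return '<a href="%s" rel="nofollow">%s</a>' % (escape(url, quote=True), safe_name)


if __name__ == "__main__":
    # Constructed sample comment author URLs, as a moderator would see them.
    for sample in ["http://example.com/", "javascript:alert(1)",
                   " java\tscript:alert(1)", "//evil.example/"]:
        print(repr(sample), "->", repr(sanitize_author_url(sample)))
```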
WordPress 2.8.1, which fixes a number of problems with 2.8 and addresses a potentially serious security vulnerability, was released yesterday. Several of the fixed bugs were causing serious trouble for some users. A workaround was added for some templates that were not working because of how they called get_categories(). Dashboard memory usage was reduced to alleviate an issue where some people were receiving an incomplete page when they attempted to view the dashboard. An issue that caused the rich text editor not to load was also worked around. The security vulnerability allows any user of the blog, including subscribers, to view and in some cases modify plugin files if the plugins did not explicitly check permissions. In CoreLabs' advisory about the vulnerability, they mention one plugin whose features could be disabled and another that could be modified to run arbitrary code when the blog administrator visits the plugins page. Extra security has been put in place to better protect plugins from this.
The finalized version of WordPress 2.8 was released today. The changes made include better widgets, a theme browser/installer, performance upgrades, and over 790 bug fixes. The widget admin interface has been changed to allow for making immediate edits to widgets, having multiple copies of widgets, and the ability to save settings for inactive widgets. A new widget API should allow for developers to create improved widgets.
On the security front, changes were made that should improve plugin protection against cross-site scripting (XSS) attacks. An empty index file has been added to the plugin directory, so that servers configured to display a directory's contents when no index file exists will no longer reveal to attackers which plugins are installed and might be targeted.
A full list of changes in 2.8 is available at the WordPress Codex.
According to a post by Matt Mullenweg on the WordPress Blog, possible improvements in versions 2.9 and 3.0 include “improved media handling, better dependency checking, versioning of templates and themes, and of course the fabled merging of WordPress and MU.” Version 2.9 will also require MySQL 4.1.2 or higher, up from the current requirement of 4.0.
The first beta of WordPress 2.8 was released on Saturday according to a post on the WordPress Blog. The new version features a new widget API that should lead to better widgets, a theme browser/installer, and performance upgrades. Only minor changes have been made to the interface, following the major changes that occurred in the previous version. You can see a full list of changes in 2.8 at the WordPress Codex.
The finalized version of WordPress 2.7 was released yesterday, coming one day after the second release candidate. The most visible change in 2.7 is the admin interface, which has received a new look and is highly customizable. The new Quick Edit option in the Edit Posts page allows quickly changing post titles, categories, publishing status, and other post options without having to open each individual post. The new version also adds the ability to automatically update WordPress and to install plugins from inside WordPress. Some of the other new features include comment threading, sticky posts, and replying to comments in the dashboard. According to a post by Matt Mullenweg on the WordPress Blog, the high volume of feedback during the testing of 2.7 led to delaying the release for a month to incorporate revisions based on the feedback. Matt also said that he expects the interface to remain largely the same during 2009 and that changes to WordPress next year will revolve around other areas, including media handling, widgets, theme changes, and improved help.
The first release candidate of WordPress 2.7 was released today according to a post on the WordPress Development Blog. According to the post, 2.7’s new administrative interface has been polished and 2.7’s new icons have been added since the third beta version of 2.7 was released. The post also says that this version is ready for everyone to use. The release candidate was previously targeted for release on November 10.
The first beta of WordPress 2.7 was released on Saturday according to a post on the WordPress Development Blog. The most significant change in 2.7 is a redesigned administrative interface, which according to the posting is almost in its final form in the first beta. The new version will also include automatic updating, comment threading, and other new features. More information about 2.7 is available at the WordPress.org Codex. The final 2.7 was previously scheduled to be released on November 10, but according to the posting it is two weeks behind schedule. Instead, on the 10th a release candidate will be made available that is “intended to be a high-quality, almost-finished release that we are comfortable recommending for broad use.” A new release date will be set as the development moves further along.
The developer of WordPress, Automattic, has acquired the enhanced comment tool IntenseDebate according to an article by CNET News. IntenseDebate replaces a blog's standard comment system with one that allows for email replies, reputation, ranking, and centralized control across several sites. The tool will likely be integrated into self-hosted and WordPress.com hosted WordPress blogs in the near future. The co-founder of IntenseDebate, Jon Fox, told CNET News that the tool would continue to support other blogging platforms including Blogger and MovableType.
WordPress announced today that their free app for the iPhone is now available for download in the App Store. The app allows editing of self-hosted or WordPress.com hosted WordPress blogs from the iPhone. New posts can be created and old posts can be edited. Tags, categories, and publishing status are accessible from the main editing screen. Images taken with the iPhone can be embedded into posts, and posts can be previewed in an embedded Safari browser.