
WordPress 2.3.3 Available for Download

written by John Chow on February 5th, 2008

Our favorite blogging software, WordPress, has released an urgent security update that everyone should upgrade to.

If you have registration enabled, a flaw was found in the XML-RPC implementation such that a specially crafted request would allow a user to edit posts of other users on that blog. In addition to fixing this security flaw, 2.3.3 fixes a few minor bugs. If you are interested only in the security fix, download the fixed version of xmlrpc.php and copy it over your existing xmlrpc.php. Otherwise, you can get the entire release here.

Also, there is a vulnerability in the WP-Forum plugin that is being actively exploited right now. If you are using this plugin, please remove it until an update is available from its author.

Since we are talking security, remember to use strong passwords and change them regularly. While you’re updating WP and your plugins, consider refreshing your passwords.

The part about changing your passwords often is a good idea. I’m going to update both blog and passwords now.

xanete said on February 5th, 2008 at 10:50 am

It sounds interesting. I will try it. ;)

Make Money Schemes said on February 5th, 2008 at 11:26 am

This is the first update I’ve applied in a year, that was one serious security risk. I also took the chance to go for a new design whilst I was upgrading.

RacerX said on February 5th, 2008 at 11:19 am

Blogger is so FUBAR right now it is tempting to jump…

Picture loader doesn’t work after you spell check…which isn’t working!

Neil Duckett said on February 5th, 2008 at 3:29 pm

You’ll never look back, Wordpress rocks.

Nicholas James said on February 5th, 2008 at 4:26 pm

Wordpress rocks…the best blogging platform on the market at the moment

Syed Balkhi said on February 5th, 2008 at 11:40 am

Yes, this is a major issue … I am in the process of updating Balkhis.

Nicholas James said on February 5th, 2008 at 4:38 pm

Yea, you should, it’s worth the upgrade whenever one is released.

Million Dollar Tag Cloud said on February 5th, 2008 at 11:49 am

Wordpress is the best blogging software available - for sure. I also love using it as CMS for midsized websites.

InfectedByBugs said on February 5th, 2008 at 11:50 am

This was sorta stupid of WP to release another update so late. Why didn’t they just fix it in the last release which came out about a week ago!

Make Money Schemes said on February 5th, 2008 at 12:13 pm

Maybe it wasn’t identified then?

Duckeldanny said on February 5th, 2008 at 11:58 am

sure, wordpress is the best blog software ever

AndrewPavelski said on February 5th, 2008 at 12:38 pm

Well, I guess I’ll check it out… :wink:

Heidi said on February 5th, 2008 at 1:13 pm

I will have to make sure to have my hosting company look into this. Thanks for the heads up.

Start Blogging said on February 5th, 2008 at 1:51 pm

Will do. Thanks for the update.

Robert Afnani said on February 5th, 2008 at 2:35 pm

Saw it on my WP dashboard. Updating now!

Miley Cyrus said on February 5th, 2008 at 2:57 pm

Major security update.. yeah I don’t know how people who have 5+ blogs manage these updates because it’s such a hassle. I only have 3 blogs at the moment and I’ve so far postponed this update to next time I’ll have some free time and feel like backing up/ updating.

By the way, how often do you back up your sites?

Johan Cyprich said on February 5th, 2008 at 3:26 pm

It’s amazing how many critical updates are the result of security concerns in WordPress. WordPress is written in PHP4 and this is not the best choice for secure applications. A rewrite in PHP5 is necessary.

Nicholas James said on February 5th, 2008 at 4:41 pm

No because PHP5 isn’t universally used yet.

Louis said on February 5th, 2008 at 3:59 pm

Well on the other side, PHP5 isn’t as widely used as PHP4 right now, but I’m sure things will evolve over time. I glanced at the Wordpress post about upgrading, and jumped at downloading/updating. When I re-read it, it did say it would allow an existing user to edit other users’ posts. So if you had only 1 user, it wasn’t as crucial as initially thought. Always good to upgrade though.

Nicholas James said on February 5th, 2008 at 4:40 pm

Saw it on my dashboard before and upgraded :mrgreen:

Tyler Cruz said on February 5th, 2008 at 5:10 pm

I believe I was just a victim of this exploit. I was washing dishes when I got a message on my Blackberry stating my blog was down.

_All_ my posts were deleted… Fortunately, I have an insane amount of backup measures in place, and was able to restore my blog, and then upgrade to 2.3.3.

So… UPGRADE TO 2.3.3 ASAP. I’m not positive if this was what caused my blog to have all of the posts erased, but I’m thinking it’s a likely reason.

Penny Raine said on February 5th, 2008 at 9:22 pm

And if we don’t have registration enabled is this upgrade still needed? I have customized my theme, is there any danger of losing those customizations when I upgrade?

Miley Cyrus said on February 6th, 2008 at 5:48 am

Was wondering the same thing and I came to the conclusion it’s not needed but guess I’ll still upgrade it eventually.

Photoshop Tutorials said on February 6th, 2008 at 3:12 am

Thanks for the update, and Penny Raine, no worries, no danger of losing customizations, …… I think. :lol:

Haroon said on February 6th, 2008 at 4:23 am

ahh already upgraded :wink:

Katie said on February 6th, 2008 at 7:44 am

Nice post :) I want to get WordPress someday when I get hosting with a good host other than Blogger. I can’t wait. It will be exciting. :wink:

~Katie :razz:

Mark Heinemann said on February 6th, 2008 at 9:35 am

Yeah, I’m updating today on both my sites. Always, backup!
Take care,
Mark :grin:

Haroon said on February 6th, 2008 at 10:20 am

Tyler - I just want to tell you that you’re lucky, man, you had a backup. I was not as lucky as you, my other blog was cleaned out and I couldn’t do anything about that. :cry:

General Marketing Blog said on February 6th, 2008 at 2:47 pm

Another update, I only just updated to 2.3.2.

I believe with this one you only need to update the xmlrpc.php file.

Fahmishah said on February 6th, 2008 at 8:43 pm

I have already updated it.

Photoshop Tutorials said on February 7th, 2008 at 4:22 am

Some strong tips there about passwords, guys. I forgot to mention before but updating your passwords regularly is the best form of defense anyone can have against hackers!

David Chew said on February 7th, 2008 at 10:08 am

Thanks for the post, John. :grin:

spidro said on February 7th, 2008 at 4:15 pm

Thanks for the update, I started to use WordPress a few weeks ago and this is the first update for me.

Feed Flare said on February 8th, 2008 at 11:08 am

Thanks John for the heads up!

mack goodman said on February 8th, 2008 at 5:19 pm

I just copied the file xmlrpc.php over and that was easy instead of the full update, but I couldn’t get rid of the update notice. BUT I FOUND THE WAY!! :razz: Just get the new version 2.3.3 and locate the “version.php” file and copy that to the wordpress/wp-includes directory and that does it… Thanks John!

Terra Andersen said on February 8th, 2008 at 10:38 pm

Looks like it’s time to update! Thanks for the heads up! - I must be living under a rock, because I didn’t even hear about this until now.
