WordPress 2.3.3 Available for Download

Our favorite blogging software, WordPress, has released an urgent security update that everyone should upgrade to.

If you have registration enabled a flaw was found in the XML-RPC implementation such that a specially crafted request would allow a user to edit posts of other users on that blog. In addition to fixing this security flaw, 2.3.3 fixes a few minor bugs. If you are interested only in the security fix, download the fixed version of xmlrpc.php and copy it over your existing xmlrpc.php. Otherwise, you can get the entire release here.

Also, there is a vulnerability in the WP-Forum plugin that is being actively exploited right now. If you are using this plugin, please remove it until an update is available from its author.

Since we are talking security, remember to use strong passwords and change them regularly. While you’re updating WP and your plugins, consider refreshing your passwords.

The part about changing your passwords often is a good idea. I’m going to update both blog and passwords now.

39 thoughts on “WordPress 2.3.3 Available for Download”

  1. xanete says:

    It sounds interesting. I will try it. 😉

    1. This is the first update I’ve applied in a year, that was one serious security risk. I also took the chance to go for a new design whilst I was upgrading.

  2. RacerX says:

    Blogger is so FUBAR right now it is tempting to jump…

    Picture loader doesn’t work after you spell check…which isn’t working!

    1. Neil Duckett says:

      You’ll never look back, WordPress rocks.

    2. WordPress rocks…the best blogging platform on the market at the moment

  3. Syed Balkhi says:

    yes this is a major issue … i am in process of updating Balkhis.

    1. yea you should, its worth the upgrade whenever one is released.

  4. WordPress is the best blogging software available – for sure. I also
    love using it as CMS for midsized websites.

  5. This was sorta stupid of WP to release another update so late. Why didnt they just fix it in the last release which came out about a week ago!

    1. Maybe it wasn’t identified then?

  6. Duckeldanny says:

    sure, wordpress is the best blog software ever

  7. Well, I guess I’ll check it out… 😉

  8. Heidi says:

    I will have to make sure to have my hosting company look into this. Thanks for the heads up.

  9. Will do. Thanks for the update.

  10. Saw it on my WP dashboard. Updating now!

  11. Miley Cyrus says:

    Major security update.. yeah I don’t know how people who have 5+ blogs manage these updates because it’s such a hassle. I only have 3 blogs at the moment and I’ve so far postponed this update to next time I’ll have some free time and feel like backing up/ updating.

    By the way, how often do you backup your sites?

  12. It’s amazing how many critical updates are the result of security concerns in WordPress. WordPress is written in PHP4 and this is not the best choice for secure applications. A rewrite in PHP5 is necessary.

    1. No because PHP5 isn’t universally used yet.

  13. Louis says:

    Well on the other side, PHP5 isn’t as widely used as PHP4 right now, but I’m sure things will evolve over time. I glanced at the WordPress post about upgrading, and jumped at downloading/updating. When I re-read it, it did say it would allow an existing user to edit other users’s post. So if you had only 1 user, it wasn’t as crucial as initially thought. Always good to upgrade though.

  14. Saw it on my dashboard before and upgraded :mrgreen:

  15. Tyler Cruz says:

    I believe I was just a victim of this exploit. I was washing dishes when I got a message on my Blackberry stating my blog was down.

    _All_ my posts were deleted… Fortunately, I have an insane amount of backup measures in place, and was able to restore my blog, and then upgrade to 2.3.3.

    So… UPGRADE TO 2.3.3 ASAP. I’m not positive if this was what caused my blog to have all of the posts erased, but I’m thinking it’s a likely reason.

  16. Penny Raine says:

    And if we don’t have registration enabled is this upgrade still needed? I have customized my theme, is there any danger of losing those customizations when I upgrade?

    1. Miley Cyrus says:

      Was wondering the same thing and I came to the conclusion it’s not needed but guess I’ll still upgrade it eventually.

  17. thanks for the update, and Penny Raine, no worries, no danger of losing customizations, …… i think. 😆

  18. Haroon says:

    ahh already upgraded 😉

  19. Katie says:

    Nice post :) I want to get WordPress Someday when I get hosting with a good host other than Blogger. I can’t wait. It will be exciting. 😉

    ~Katie 😛

  20. Yeah, I’m updating today on both my sites. Always, backup!
    Take care,
    Mark 😀

  21. Haroon says:

    Tyler – I just want to tell you that your lucky man you had backup. I was not that lucky as you, my other blog was cleaned out and i couldn’t do anything about that. 😥

  22. another update i only just updated to 2.3.2

    i belive with this one you only need to update the xmlrpc.php file

  23. Fahmishah says:

    i have already update it

  24. Some strong tips there about passowrds guys. I forgot to mention before but updating your passwords regularly is the best form of defense, any one can have against hackers!

  25. David Chew says:

    Thanks for the post john. 😀

  26. spidro says:

    thanks for the update , i stared to use wordpress few weeks ago and this is the first update for me

  27. Feed Flare says:

    Thanks John for the heads up!

  28. mack goodman says:

    I just copied the file xmlrpc.php over and that was easy instead of the full update, but I couldn’t get rid of the update notice. BUT I FOUND THE WAY!! 😛 Just get the new version 2.3.3 and locate the “version.php” file and copy that to the wordpress/wp-includes directory and that does it… Thanks John!

  29. Looks like it’s time to update! thanks for the heads up! – I must be living under a rock, because I didnt even hear about this until now.

Comments are closed.