Our favorite blogging software, WordPress, has released an urgent security update that everyone should upgrade to.
If you have registration enabled a flaw was found in the XML-RPC implementation such that a specially crafted request would allow a user to edit posts of other users on that blog. In addition to fixing this security flaw, 2.3.3 fixes a few minor bugs. If you are interested only in the security fix, download the fixed version of xmlrpc.php and copy it over your existing xmlrpc.php. Otherwise, you can get the entire release here.
Also, there is a vulnerability in the WP-Forum plugin that is being actively exploited right now. If you are using this plugin, please remove it until an update is available from its author.
Since we are talking security, remember to use strong passwords and change them regularly. While you’re updating WP and your plugins, consider refreshing your passwords.
The part about changing your passwords often is a good idea. I’m going to update both blog and passwords now.
Did you enjoy this post? Get John Chow Dot Com updates via email...
Stay up to date with all of John Chow’s tips for making money online and blog posts by subscribing via email. Your email will be kept private and never shared with anyone.
One of the most common complaint (or excuse) I hear from potential new bloggers is they don’t know how to install WordPress. Terms like FTP and CPanel are like a foreign language and setting up a database might as well be setting up the space shuttle for a launch. Because of the technology barrier, many would-be bloggers never start their blogs...
{ 36 comments }
It sounds interesting. I will try it.
This is the first update I’ve applied in a year, that was one serious security risk. I also took the chance to go for a new design whilst I was upgrading.
Blogger is so FUBAR right now it is tempting to jump…
Picture loader doesn’t work after you spell check…which isn’t working!
You’ll never look back, Wordpress rocks.
Wordpress rocks…the best blogging platform on the market at the moment
yes this is a major issue … i am in process of updating Balkhis.
yea you should, its worth the upgrade whenever one is released.
Wordpress is the best blogging software available – for sure. I also
love using it as CMS for midsized websites.
This was sorta stupid of WP to release another update so late. Why didnt they just fix it in the last release which came out about a week ago!
Maybe it wasn’t identified then?
sure, wordpress is the best blog software ever
Well, I guess I’ll check it out…
I will have to make sure to have my hosting company look into this. Thanks for the heads up.
Will do. Thanks for the update.
Saw it on my WP dashboard. Updating now!
Major security update.. yeah I don’t know how people who have 5+ blogs manage these updates because it’s such a hassle. I only have 3 blogs at the moment and I’ve so far postponed this update to next time I’ll have some free time and feel like backing up/ updating.
By the way, how often do you backup your sites?
It’s amazing how many critical updates are the result of security concerns in WordPress. WordPress is written in PHP4 and this is not the best choice for secure applications. A rewrite in PHP5 is necessary.
No because PHP5 isn’t universally used yet.
Well on the other side, PHP5 isn’t as widely used as PHP4 right now, but I’m sure things will evolve over time. I glanced at the Wordpress post about upgrading, and jumped at downloading/updating. When I re-read it, it did say it would allow an existing user to edit other users’s post. So if you had only 1 user, it wasn’t as crucial as initially thought. Always good to upgrade though.
Saw it on my dashboard before and upgraded
I believe I was just a victim of this exploit. I was washing dishes when I got a message on my Blackberry stating my blog was down.
_All_ my posts were deleted… Fortunately, I have an insane amount of backup measures in place, and was able to restore my blog, and then upgrade to 2.3.3.
So… UPGRADE TO 2.3.3 ASAP. I’m not positive if this was what caused my blog to have all of the posts erased, but I’m thinking it’s a likely reason.
And if we don’t have registration enabled is this upgrade still needed? I have customized my theme, is there any danger of losing those customizations when I upgrade?
Was wondering the same thing and I came to the conclusion it’s not needed but guess I’ll still upgrade it eventually.
thanks for the update, and Penny Raine, no worries, no danger of losing customizations, …… i think.
ahh already upgraded
Nice post
I want to get WordPress Someday when I get hosting with a good host other than Blogger. I can’t wait. It will be exciting. 
~Katie
Yeah, I’m updating today on both my sites. Always, backup!
Take care,
Mark
Tyler – I just want to tell you that your lucky man you had backup. I was not that lucky as you, my other blog was cleaned out and i couldn’t do anything about that.
another update i only just updated to 2.3.2
i belive with this one you only need to update the xmlrpc.php file
i have already update it
Some strong tips there about passowrds guys. I forgot to mention before but updating your passwords regularly is the best form of defense, any one can have against hackers!
Thanks for the post john.
thanks for the update , i stared to use wordpress few weeks ago and this is the first update for me
Thanks John for the heads up!
I just copied the file xmlrpc.php over and that was easy instead of the full update, but I couldn’t get rid of the update notice. BUT I FOUND THE WAY!!
Just get the new version 2.3.3 and locate the “version.php” file and copy that to the wordpress/wp-includes directory and that does it… Thanks John!
Looks like it’s time to update! thanks for the heads up! – I must be living under a rock, because I didnt even hear about this until now.