WordPress has released a new version, 2.6.2 to solve some security problems affecting users that allowed open registration. You can read the full details in the release post or go directly to the download page.
The main culprit was that when open registration was enabled, attackers could craft a username that allowed resetting another user’s password to a randomly generated password, which isn’t a security problem in itself. Combined with a weakness in the random number seeding of mt_rand(), however, an attacker could predict the randomly generated password, granting access to your blog (potentially under your members’ user names).
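As an added illustration of the second half of that attack (example code, not WordPress’s own password generator): a password built from mt_rand() is fully determined by its seed, so anyone who knows or guesses the seed gets the same password, whereas random_int() draws from the OS CSPRNG and has no seed to predict. The alphabet, length and the seed value are constructed for the example.

```php
<?php
// Added example (not WordPress code): a "random" password is only as
// unpredictable as the generator feeding it.

const ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

// Weak: mt_rand() is a Mersenne Twister. Once the seed is fixed, the whole
// output stream, and therefore the generated password, is reproducible.
function weak_password(int $seed, int $length = 12): string {
    mt_srand($seed);
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= ALPHABET[mt_rand(0, strlen(ALPHABET) - 1)];
    }
    return $out;
}

// Strong: random_int() reads from the operating system's CSPRNG
// (PHP 7+), so there is no seed for anyone to recover or guess.
function strong_password(int $length = 12): string {
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= ALPHABET[random_int(0, strlen(ALPHABET) - 1)];
    }
    return $out;
}

// Demonstration: the seed alone determines the weak password.
$seed = 1234567; // constructed value standing in for a poorly chosen seed
assert(weak_password($seed) === weak_password($seed)); // always identical
echo "weak (seed {$seed}): " . weak_password($seed) . PHP_EOL;
echo "strong:              " . strong_password() . PHP_EOL;
```

Run it twice: the weak line repeats exactly, the strong line does not.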
There are several other security updates, changes and additions to the code, so back up your current installation, database, and any other files associated with your blog before performing the update.
Again, this update is mandatory as long as you are running a blog with user accounts enabled and are not using the Suhosin plugin or the workaround for the vulnerability.
Further developments can be followed on the main WordPress blog.
Additional Useful Links
Update: After completing several updates/installs of WordPress 2.6.2, everything went well. No new problems as far as I can see. I strongly recommend the WordPress Automatic Upgrade Plugin; it alleviates any hassle of replacing files or doing a manual update.
The WordPress auto upgrade plugin is nice, but it seems like every other time it corrupts my database on the upgrade…
I am happy with the current 2.6.1 version, but WordPress 2.6.2 contains a handful of bug fixes. I’ve just upgraded my blog to this new version.