Backporting WordPress Security Fixes

Austin Matzko — Wed, 07 May 2008 03:14:29 +0000

Alex Schleber so dislikes WordPress 2.5 that he’s worked out how to patch version 2.3.3 with 2.5’s security patches instead of upgrading. It’s an approach I would recommend against. For one thing, there’s a good chance that one won’t recognize all of the patches via changelogs, if for no other reason than that sometimes new features—not just fixes—have obviated bugs. Also, 2.5 introduced a number of features on the back-end that I would miss.

I am curious about his antipathy towards version 2.5, something he promises to blog about later. My guess is that it has to do with the design of the administrative back-end. That just confirms my opinion that the WordPress admin should be template-able. After all, no one ever decided not to upgrade WordPress because they didn’t like Kubrick.

Serious Security Flaw: Upgrade Immediately

Austin Matzko — Sun, 03 Feb 2008 05:04:44 +0000

Today a serious security flaw in the current version of WordPress surfaced in the support forums. Basically, a user with login rights but not editing capabilities can edit any post using XML-RPC. A quick fix is to delete the xmlrpc.php file, although you should be aware that this will also keep your site from receiving pingbacks. WordPress 2.3.3 should be released shortly, so be sure to upgrade once it does.

You can see a proof of concept here.

UPDATE: WordPress 2.3.3 has been released, so I recommend that you upgrade as soon as possible.

Pressed Words » 2.3.3

Backporting WordPress Security Fixes

Serious Security Flaw: Upgrade Immediately