WordPress Urgent Upgrade

Two days ago WordPress announced an urgent security update.

WordPress 2.3.3 is an urgent security release. If you have registration enabled a flaw was found in the XML-RPC implementation such that a specially crafted request would allow a user to edit posts of other users on that blog. In addition to fixing this security flaw, 2.3.3 fixes a few minor bugs. If you are interested only in the security fix, download the fixed version of xmlrpc.php and copy it over your existing xmlrpc.php. Otherwise, you can get the entire release here.

Also, there is a vulnerability in the WP-Forum plugin that is being actively exploited right now. If you are using this plugin, please remove it until an update is available from its author.

Since we are talking security, remember to use strong passwords and change them regularly. While you’re updating WP and your plugins, consider refreshing your passwords.

From WordPress

Don’t you just love YouTube? I found this after searching for “wordpress upgrade.”

Upgrade Advice

Deactivate plugins before upgrading WordPress. Usually, even if you forget to deactivate plugins everything will be OK. However, once in a while a plugin will conflict with an upgrade, and reactivating them one by one will help indicate the culprit.

My opinion is that it is better to drop a plugin than put off a security upgrade. Plugin authors who are actively maintaining their plugin are usually pretty good about speedy updates.

Protect customization. If you use a customized version of WordPress Default or Classic, consider naming your version and moving it into a folder of its own. No matter how careful we all are, there will come a day when something important gets copied over. If your theme folder is not part of a standard WP install, there is no way that upgrading can accidentally copy over your work.

In case you’re interested, I wrote a brief guide about how to use WP Default to start a new theme.