WordPress News at Theme Lab
Breaking news. It’s only been a month and WordPress 2.5.1 has already been released. It’s recommended to upgrade soon for “one very important security fix.” In addition, it also addresses over 70 other bug fixes including various fixes to the administration panel and media uploader.
This is literally breaking news. I was browsing through the WordPress.org website and was surprised to see the new design out of nowhere. I’m happy to announce WordPress 2.5 has been released. So far there have been 34,051 downloads and counting. You can download it here. Hopefully our installing WordPress tutorial is still up-to-date. If you saw my previous post you’ll know this is an especially exciting release.
Just in case you didn’t see this screencast of WordPress 2.5 RC2, I suggest you take a look. Matt from WordPress created a video that demonstrates the new photo gallery feature in the new version of WordPress. RC2 is available for download now as well if you want to test it out for yourself. Like the last release candidate, it is not recommended for a live blog as there still may be a few issues that need to be worked out before the final release.
I just stumbled upon this post about an exploit which allows a hacker/spammer to inject links and HTML into your WordPress installation. If you see a /wp-content/1/ directory in your FTP, you have likely been affected. Over 9000 other WordPress blogs are in the same boat.
As you can see, ringtones, gambling, the usual spammy stuff. I’m not going to directly link to these results as some of these links have been reported to be malware-infested. Definitely not a good idea to visit them. Google will likely penalize you if these spam links on your exploited site are crawled, so you should delete this directory ASAP along with all files under it if you see it.
As of yet, no official word from WordPress developers on this vulnerability has been released. Until then, it’s best to use good security practices (which should apply to all websites, not just WordPress-powered ones). Password-protect your directories, don’t publish the version of the script you’re using, and disable directory indexes on WordPress core directories, to name a few. I’ll be posting some general WordPress security tips up on Theme Lab soon.
Note: More information available on this WordPress.org support topic, where the exploit was initially reported.
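If you host more than one blog, checking each one over FTP gets tedious. The script below is an added example, not code from the original post or from WordPress: it looks for the /wp-content/1/ directory described above under every site below a hosting root and reports how much is in it, without deleting anything. The function name and the `/var/www` path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): find the /wp-content/1/
# directory the post describes under every site below a hosting root.
# Constructed usage: sh scan_wp_injected.sh /var/www   (path is a placeholder)

# scan_injected_dirs ROOT
# Prints one tab-separated line per hit: <directory> <file count> <size in KB>.
# Nothing is deleted; the output is for review before cleanup.
scan_injected_dirs() {
    root=${1:-.}
    # -prune stops find from descending into a hit, so each directory is
    # reported once even if the injected tree is deep.
    find "$root" -type d -path '*/wp-content/1' -prune -print |
    while IFS= read -r dir; do
        files=$(find "$dir" -type f | wc -l)
        size_kb=$(du -sk "$dir" | cut -f1)
        printf '%s\t%s\t%s\n' "$dir" "$((files))" "$size_kb"
    done
}

# Run the scan only when a root directory is given on the command line.
if [ "$#" -gt 0 ]; then
    scan_injected_dirs "$1"
fi
```

An empty result only means this one directory is absent; it does not show that a site was never affected.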
Yes, I know I’m a couple days late on this story, like my last news story. Anyway, the release of WordPress 2.5 has been hyped up for a while now, being scheduled, postponed, rescheduled, and postponed some more. Matt from WordPress recently announced the release of WordPress 2.5 RC1 on the WordPress development blog. There have been a lot of layout changes to the admin panel, placing more emphasis on common tasks (like writing) and less emphasis on menial tasks such as activating plugins. WordPress 2.3.3 is still the latest stable release. If you want to try it out for yourself I’d recommend it be installed locally or on an otherwise “non production” blog.
In case you were wondering, RC stands for release candidate. This basically means it isn’t an officially “stable” release yet, although it will probably work okay. The purpose of releasing this version first is to work out any last few bugs that may be present before the final 2.5 release. This is why it’s probably a good idea to stick with 2.3.3 until then.





