It was just announced yesterday that WordPress 2.8.5 has been released, which is considered a “security hardening” release. Here are some of the updates and fixes:
- A fix for the Trackback Denial-of-Service attack that is currently being seen.
- Removal of areas within the code where PHP code in variables was evaluated.
- Switched the file upload functionality to be whitelisted for all users including admins.
- Retiring of the two importers of tag data from old plugins.
If you’re wondering what the difference between a “hardening release” and a “security release” is, I don’t think there is any. The only difference to me seems that people don’t seem to complain as much about hardening releases as they do security releases.
Anyway, I’m sure you know the drill by now. Make sure you take a backup beforehand (which you should be doing regularly anyway), and use the automatic upgrader or upgrade manually if necessary.
I just upgraded to 2.8.5 yesterday with the automatic upgrader and everything seems to be running smoothly.
There is a security exploit going around, and it could affect anyone not using the most up-to-date version of WordPress at the moment, which is WordPress 2.8.4. Lorelle has a good writeup on how old WordPress versions are under attack. To summarize, here’s what to look out for if you think your WordPress site may have been compromised.
- Unusual additions to your WordPress permalink structure. If you see anything like “eval” and/or “base64_decode” in your URLs, you’ve already been hit.
- This is a real kicker: a hidden admin account. That’s right, the exploit can let the attacker set up a hidden admin account that may not even be displayed in your user list.
This post offers some solutions if you have already been hacked. Remove the extra permalink code in Settings → Permalinks, remove the extra admin account, and (obviously) upgrade to the latest version of WordPress.
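If you would rather check the two indicators above directly in the database than trust what the dashboard shows, here are the queries I would run. This is an added example, not code from the original post or from WordPress itself; it assumes the default `wp_` table prefix (if yours differs, change both the table names and the `wp_capabilities` meta key, since that key carries the prefix too).

```sql
-- Added example (not from the original post). Assumes the default wp_ prefix.

-- 1. Permalink structure. Anything beyond the usual %year%/%postname% style
--    tokens, in particular "eval" or "base64_decode", is injected code.
SELECT option_value
FROM wp_options
WHERE option_name = 'permalink_structure';

-- Same indicator across every option, in case the injection is not only
-- in the permalink setting.
SELECT option_name, option_value
FROM wp_options
WHERE option_value LIKE '%eval%'
   OR option_value LIKE '%base64_decode%';

-- 2. Every account holding the administrator role, read straight from the
--    tables, so an account the user list does not display still shows up.
--    Capabilities are stored serialized, e.g. a:1:{s:13:"administrator";b:1;}
SELECT u.ID, u.user_login, u.user_email, u.user_registered,
       m.meta_value AS capabilities
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.user_registered;

-- 3. Cleanup, only after you have confirmed which rows are malicious.
--    Replace 999 with the rogue account's ID and use your own structure.
-- UPDATE wp_options
--    SET option_value = '/%year%/%monthnum%/%postname%/'
--  WHERE option_name = 'permalink_structure';
-- DELETE FROM wp_usermeta WHERE user_id = 999;
-- DELETE FROM wp_users    WHERE ID = 999;
```

Compare the number of rows the third query returns with the number of administrators the Users screen shows you; any difference is the hidden account. Take a database backup before running the cleanup statements, and upgrade afterwards, otherwise the same hole is still open.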
Has anyone been affected by this exploit? I’m happy to say out of all of my WordPress sites, I haven’t been hit, although I have still upgraded all of my WordPress installations to the latest version, including Theme Lab, and I highly recommend you do the same (as long as you backup first). Just another reason to keep your WordPress version up-to-date.
As predicted, WordPress 2.8.4 has been released. No surprise here, after news about the admin password reset “exploit” issue surfaced yesterday. Yeah, there are some arguments over whether it’s a security issue or not, but it can be pretty annoying if you get hit by it.
It’s highly recommended you upgrade immediately. This is a pretty minor upgrade as it’s supposed to only fix the one bug. Anyone know the record of most point releases on a single branch?
By the way, if you ever come across an undiscovered WordPress security issue, make sure you know the correct way to report it. Blabbing about how you used it on sites you don’t own/administer under the guise of “proof-of-concept” is not the correct way.