WordPress 2.3.3 Security Upgrade: A simple upgrade technique
Today’s announcement of a security flaw in WordPress 2.3.2 may have spooked a few people:
> WordPress 2.3.3 is an urgent security release. A flaw was found in our XML-RPC implementation such that a specially crafted request would allow any valid user to edit posts of any other user on that blog. … If you are interested only in the security fix, download the fixed version of xmlrpc.php and copy it over your existing xmlrpc.php.
I have already applied the patch to this blog, to ease my mind. To apply the patch, I’d recommend the following five steps:
- Step 1: Download the patch directly from Wordpress.org.
- Step 2: FTP to your account and log in.
- Step 3: Find the xmlrpc.php file in the /yourblog.com folder and rename it to xmlrpc.old.
- Step 4: Upload the new file to the same folder.
- Step 5: Once everything’s working, move the old file to the root of your FTP user account, out of harm’s way.
- (If things go wrong: rename the new file you just uploaded to xmlrpc.new, then rename xmlrpc.old back to xmlrpc.php until you can fix the problem. This is a good fallback technique, but remember the patch is a SECURITY patch, so you really OUGHT to upgrade xmlrpc.php to the latest version.)
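The same rename-then-replace routine, with the "if things go wrong" rollback, written as a shell script for anyone who has shell access on the host rather than only FTP. This is an added example, not code from the original post or from WordPress; the file paths are assumptions, and it moves the saved xmlrpc.old out of the document root straight away rather than after a test run. That move matters for more than tidiness: a web server does not treat a .old file as PHP, so a copy left inside the web root can be served as plain text.

```sh
#!/bin/sh
# Added example (not from the original post): the five-step xmlrpc.php
# upgrade above, with a rollback path. Paths passed on the command line are
# placeholders; DOCROOT is the folder the post calls /yourblog.com.
set -eu

FILE=xmlrpc.php

# Sanity-check the downloaded replacement before it touches the live site:
# it must exist, be non-empty and begin with a PHP open tag. If php is on the
# host, also run its syntax check so a corrupt download cannot take the blog down.
check_new_file() {
    new="$1"
    [ -s "$new" ] || { echo "new file missing or empty: $new" >&2; return 1; }
    head -c 5 "$new" | grep -q '^<?php' || { echo "not a PHP file: $new" >&2; return 1; }
    if command -v php >/dev/null 2>&1; then
        php -l "$new" >/dev/null || return 1
    fi
    return 0
}

# Steps 3-5: keep the current file as xmlrpc.old, put the new one in place,
# then move the .old copy out of the document root into a backup folder.
install_patch() {
    docroot="$1"; new="$2"; backupdir="$3"
    check_new_file "$new"
    mkdir -p "$backupdir"
    mv "$docroot/$FILE" "$docroot/${FILE%.php}.old"
    cp "$new" "$docroot/$FILE"
    mv "$docroot/${FILE%.php}.old" "$backupdir/${FILE%.php}.old"
    echo "installed $FILE; previous copy saved in $backupdir"
}

# The "if things go wrong" path: park the new file as xmlrpc.new and put the
# saved copy back, so the blog keeps running while the problem is investigated.
# The backup copy is left in place so rollback can be repeated.
rollback() {
    docroot="$1"; backupdir="$2"
    [ -f "$backupdir/${FILE%.php}.old" ] || { echo "no backup to restore" >&2; return 1; }
    mv "$docroot/$FILE" "$docroot/${FILE%.php}.new"
    cp "$backupdir/${FILE%.php}.old" "$docroot/$FILE"
    echo "rolled back to previous $FILE (new copy kept as ${FILE%.php}.new)"
}

# Usage: sh upgrade-xmlrpc.sh install  /path/to/docroot ./xmlrpc.php ~/backup
#        sh upgrade-xmlrpc.sh rollback /path/to/docroot ~/backup
case "${1:-}" in
    install)  install_patch "$2" "$3" "$4" ;;
    rollback) rollback "$2" "$3" ;;
esac
```

Run it with `install` to apply the patch and `rollback` to revert; with no arguments it only defines the functions, which is what lets it be sourced from another script.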
If you’re ever upgrading plugins or even themes, renaming a current file or directory as *.old is a good way to give you a Plan B, just in case things go wrong when you install the new theme or plugin or file. You can simply revert to the old versions, provided you haven’t updated the database. CAUTION in upgrading is ALWAYS advised.
And, just in case you think hacking can’t happen to you, read the several posts on Matt Cutts’s blog about his own (true, though less severe) hacking incident. There’s also a post on John Cow’s blog that got me thinking about this issue.
If you know any other great posts about blog security, do add them in the comments!
5 Responses to “WordPress 2.3.3 Security Upgrade: A simple upgrade technique”
[...] WordPress 2.3.3 Security Upgrade: A simple upgrade technique [...]
[...] Of course, I’m really eager to try the new software out but it’s unlikely I will be trying it on this blog any time soon. Why? Caution. There are likely to be bugs in the software that cause problems, and I don’t want to be the first to find them on InvestorBlogger. I WILL be trying it out on my new blog though, because the blog is basically a standard install without many frills. You can read more about upgrading WordPress. [...]
[...] Dot Com had a very simple suggestion on how to go about updating Wordpress, that even a second guesser such as myself could not convolute, no matter how strong the instinct [...]
Frig… that is a scary thought. We actually had a problem with that, I bet this was the problem. I’m gonna mention it to our webguy now.
Thanks, I think that WP is just developing a little TOO fast these days… so basic problems aren’t being covered as well. There are other quite serious bugs that haven’t been fixed in WP2.5.1 (that IS the latest version).
Kenneth