WordPress 2.9.1

January 4, 2010 by Ryan Boren  
Filed under Releases

After over a million downloads of WordPress 2.9 and lots of feedback from all of you, we’re releasing WordPress 2.9.1.  This release addresses a handful of minor issues as well as a rather annoying problem where scheduled posts and pingbacks are not processed correctly due to incompatibilities with some hosts.  If any of these issues affect you, give 2.9.1 a try.  Download 2.9.1 or upgrade automatically from the Tools->Upgrade menu in your blog’s admin area.

WordPress 2.9.1 Release Candidate 1

December 29, 2009 by Ryan Boren  
Filed under Development, Releases

Thanks to everyone who tested 2.9.1 Beta 1.  We’re following that up with Release Candidate 1.  RC1 contains a few more fixes, bringing the number of fixed tickets up to 23.  If you are already running Beta 1, visit Tools->Upgrade in your blog’s admin to get RC1.  You can also download the RC1 package and install manually.  If all goes well, 2.9.1 will be here soon.

WordPress 2.9.1 Beta 1

December 23, 2009 by Ryan Boren  
Filed under Releases

Unfortunately, the recent 2.9 release triggered a bug in certain versions of PHP’s curl extension.  With these versions of curl, scheduled posts and pingbacks are not processed correctly.  To fix this problem as well as a handful of other, lesser issues, we are quickly releasing 2.9.1, the first maintenance release of the 2.9 line.  Help us get 2.9.1 ready to go by testing 2.9.1 Beta 1.  The easiest way to test Beta 1 is to install the WordPress Beta Tester plugin, elect to get on the point release development track, and then perform an automatic upgrade via the Tools->Upgrade menu.  You can also download the Beta 1 package and install manually.  Fourteen tickets have been fixed in 2.9.1 Beta 1.  Since the curl problem and a couple of other problems are dependent on specific hosting configurations, any and all testing help is greatly appreciated.

WordPress 2.9, oh so fine

December 19, 2009 by Matt  
Filed under Releases

I want to make you mine, all the time… oh wait. Hello. I’m here on behalf of the entire WordPress development team and community to announce the immediate availability of WordPress version 2.9 “Carmen” named in honor of magical jazz vocalist Carmen McRae (whom we’ve added to our Last.fm WP release station). You can upgrade easily from your Dashboard by going to Tools > Upgrade, or you can download from WordPress.org. And of course, it wouldn’t be a major release without a short video summarizing some of the cool things about the new version:

The coolest new stuff from a user point of view is:

  1. Global undo/“trash” feature, which means that if you accidentally delete a post or comment you can bring it back from the grave (i.e., the Trash). This also eliminates those annoying “are you sure” messages we used to have on every delete.
  2. Built-in image editor allows you to crop, edit, rotate, flip, and scale your images to show them who’s boss. This is the first wave of our many planned media-handling improvements.
  3. Batch plugin update and compatibility checking, which means you can update 10 plugins at once, versus having to do multiple clicks for each one, and we’re using the new compatibility data from the plugins directory to give you a better idea of whether your plugins are compatible with new releases of WordPress. This should take the fear and hassle out of upgrading.
  4. Easier video embeds that allow you to just paste a URL on its own line and have it magically turn it into the proper embed code, with Oembed support for YouTube, Daily Motion, Blip.tv, Flickr, Hulu, Viddler, Qik, Revision3, Scribd, Google Video, Photobucket, PollDaddy, and WordPress.tv (and more in the next release).

2.9 provides the smoothest ride yet because of a number of improvements under the hood and more subtle improvements you’ll begin to appreciate once you’ve been around the block a few times. Here’s just a sampling:

  • We now have rel=canonical support for better SEO.
  • There is automatic database optimization support, which you can enable in your wp-config.php file by adding define('WP_ALLOW_REPAIR', true);.
  • Themes can register “post thumbnails” which allow them to attach an image to the post, especially useful for magazine-style themes.
  • A new commentmeta table that allows arbitrary key/value pairs to be attached to comments, just like posts, so you can now expand greatly what you can do in the comment framework.
  • Custom post types have been upgraded with better API support so you can juggle more types than just post, page, and attachment. (More of this planned for 3.0.)
  • You can set custom theme directories, so a plugin can register a theme to be bundled with it or you can have multiple shared theme directories on your server.
  • We’ve upgraded TinyMCE WYSIWYG editing and Simplepie.
  • Sidebars can now have descriptions so it’s more obvious what and where they do what they do.
  • Specify category templates not just by ID, like before, but by slug, which will make it easier for theme developers to do custom things with categories — like post types!
  • Registration and profiles are now extensible to allow you to collect things more easily, like a user’s Twitter account or any other fields you can imagine.
  • The XML-RPC API has been extended to allow changing the user registration option. We fixed some Atom API attachment issues.
  • Create custom galleries with the new include and exclude attributes that allow you to pull attachments from any post, not just the current one.
  • When you’re editing files in the theme and plugin editors it remembers your location and takes you back to that line after you save. (Thank goodness!!!)
  • The Press This bookmarklet has been improved and is faster than ever; give it a try for on-the-fly blogging from wherever you are on the internet.
  • Custom taxonomies are now included in the WXR export file and imported correctly.
  • Better hooks and filters for excerpts, smilies, HTTP requests, user profiles, author links, taxonomies, SSL support, tag clouds, query_posts and WP_Query

All of this and more is reflected in the over 500 tickets, bugs, and enhancements that WP developers in this release cycle.

This release included code from over 140 contributors, here’s everyone we were able to identify: aaroncampbell (Aaron Campbell), abackstrom (Adam Backstrom), aldenta (John Ford), alexkingorg (Alex King), [amilanov], antonylesuisse (Antony Lesuisse), apeatling (Andy Peatling), apokalyptik (Demitrious Kelly), arena (André Renaut), batmoo (Mohammad Jangda), Ben Dunkle, BenBE1987, Benjamin Flesch, bookchiq (Sarah Lewis), brianwhite, c0nstruct, caesarsgrunt (Caesar Schinas), CalebKniffen (Caleb Kniffen), chrisbliss18, chrisscott (Chris Scott), christoph179, coffee2code (Scott Reilly), [cross country flight], Curioso, davecpage (Dave Page), dcole07 (Dan Cole), dd32 (Dion Hulse), demetris (Δημήτρης Κίκιζας), Denis-de-Bernardy, dj-wp, dwright, eddieringle (Eddie Ringle), error (Michael Hampton), ewestp, fabifott, filosofo (Austin Matzko), greenshady (Justin Tadlock), gsnedders/link92 (Geoffrey Sneddon), hailin (Hailin Wu), hakre, hanilovesme, Harald Nesland, harrym, holizz (Tom Adams), ikonst, jacobsantos (Jacob Santos), janeforshort (Jane Wells), jamescollins (James Collins), jdub (Jeff Waugh), jeff_ (Jean-François “Jeff” VIAL), jeremyclarke (Jeremy Clarke), JeremyVisser (Jeremy Visser), jikamens, jmulley, Joern_W, johanee (Johan Eenfeldt), johnbillion (John Blackbourn), johnjamesjacoby (John James Jacoby), johnjosephbachir (John Joseph Bachir), JonathanRogers, joostdevalk (Joost de Valk), Jose Carlos Norte, josephscott (Joseph Scott), junsuijin, kevinB (Kevin Behrens), kometbomb, lilyfan (IKEDA Yuriko), [lostinlafayette], madhyde, MattyRob, mdawaffe (Michael Adams), Mittineague, miqrogroove, morfiusx, mrmist (David McFarlane), mtdewvirus (Nick Momrik), mysz, nacin (Andrew Nacin), nanochrome, nao (Naoko McCracken), nathanrice (Nathan Rice), nbachiyski (Николай Бачийски), niallkennedy (Niall Kennedy), nickohrn (Nick Ohrn), ninjaWR (Ryan Murphy), noel (Noël Jackson), Otto42 (Samuel Wood), pairg, peaceablewhale (Franklin Tse), prettyboymp (Michael Pretty), ProDevStudio, 
ramiy, redsweater (Daniel Jalkut), ruslany, sambauers (Sam Bauers), scribu, Sewar, Simek, simonwheatley (Simon Wheatley), sirzooro (Daniel Frużyński), sivel (Matt Martz), skeltoac (Andy Skelton), snakefoot, stephanreiter (Stephan Reiter), strider72 (Stephen Rider), taco1991, takayukister (Takayuki Miyoshi), tellyworth, tenpura, usermrpapa, utkarsh, Viper007Bond, vladimir_kolesnikov (Vladimir Kolesnikov), VoxPelli (Pelle Wessman), [voyou1], wahgnube, waltervos, westonruter (Weston Ruter), wnorris (Will Norris), xenlab (Eric Marden), yoavf (Yoav Farhi). Wowza!

2.9 has been an exciting development cycle, and I must say it has whetted our appetite for 3.0, which is coming next (probably this spring) and will include at the very least the merge of MU with the WordPress core, and a new default theme. We can’t wait to start working on it. But first, some Carmen McRae tunes and a beer. Join us! :)

(After you upgrade, of course!)

I hope everyone is having a wonderful holiday season.

WordPress 2.8.6 Security Release

November 12, 2009 by Ryan Boren  
Filed under Releases, Security

2.8.6 fixes two security problems that can be exploited by registered, logged in users who have posting privileges.  If you have untrusted authors on your blog, upgrading to 2.8.6 is recommended.

The first problem is an XSS vulnerability in Press This discovered by Benjamin Flesch.  The second problem, discovered by Dawid Golunski, is an issue with sanitizing uploaded file names that can be exploited in certain Apache configurations. Thanks to Benjamin and Dawid for finding and reporting these.

Get WordPress 2.8.6.

WordPress 2.8.5: Hardening Release

October 20, 2009 by Peter Westwood  
Filed under Releases, Security

As you know over the past couple of months we have been working on the new features for WordPress 2.9. We have also been working on trying to make WordPress as secure as possible and during this process we have identified a number of security hardening changes that we thought were worth back-porting to the 2.8 branch so as to get these improvements out there and make all your sites as secure as possible.

The headline changes in this release are:

  • A fix for the Trackback Denial-of-Service attack that is currently being seen.
  • Removal of areas within the code where PHP code in variables was evaluated.
  • Switched the file upload functionality to be whitelisted for all users including Admins.
  • Retiring of the two importers of Tag data from old plugins.

We would recommend that all sites are upgraded to this new version of WordPress to ensure that you have the best available protection.

If you think your site may have been hit by one of the recent exploits and you would like to make sure that you have cleared out all traces of the exploit, then we would recommend that you take a look at the WordPress Exploit Scanner.  This is a plugin which searches the files on your website, and the posts and comments tables of your database, for anything suspicious. It also examines your list of active plugins for unusual filenames.  You can read more about this plugin here – “WordPress Exploit Scanner”.

WordPress 2.8.4: Security Release

August 12, 2009 by Matt  
Filed under Releases, Security

Yesterday a vulnerability was discovered: a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying.

We fixed this problem last night and have been testing the fixes and looking for other problems since then. Version 2.8.4, which fixes all known problems, is now available for download and is highly recommended for all users of WordPress.