WordPress released a mandatory security update to the public on November 30, 2010. Please be advised that you need to upgrade your WordPress version to 3.0.2 immediately.
WordPress Security Issues / Enhancements
According to WordPress.org, a moderate security risk was found that could allow a malicious Author-level user further access into your website. This issue has been fixed in WordPress 3.0.2.
WordPress 3.0.2 also addresses a handful of bugs and provides some additional security enhancements such as:
- Remove pingback/trackback blogroll whitelisting feature as it can easily be abused.
- Fix canonical redirection for permalinks containing %category% with nested categories and paging.
- Fix occasional irrelevant error messages on plugin activation.
- Minor XSS fixes in request_filesystem_credentials() and when deleting a plugin.
- Clarify the license in the readme.
- Multisite: Fix the delete_user meta capability.
- Multisite: Force current_user_can_for_blog() to run map_meta_cap() even for super admins.
- Multisite: Fix ms-files.php content type headers when requesting a URL with a query string.
- Multisite: Fix the usage of the SUBDOMAIN_INSTALL constant for upgraded WordPress MU installs.
Were there any files deleted in this release?
WordPress 3.0.2 uses all the same files and nothing became obsolete, but 12 files were changed.
Here is a list of WordPress Files that were Revised in 3.0.2:
- readme.html
- wp-admin/includes/file.php
- wp-admin/includes/plugin.php
- wp-admin/includes/update-core.php
- wp-admin/plugins.php
- wp-includes/canonical.php
- wp-includes/capabilities.php
- wp-includes/comment.php
- wp-includes/functions.php
- wp-includes/load.php
- wp-includes/ms-files.php
- wp-includes/version.php
Upgrading to WordPress 3.0.2
We tested the automatic upgrade from the Dashboard > Updates and also did a manual upgrade. Both were successful.
For WordPress security, please upgrade to WordPress 3.0.2 immediately.
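For anyone responsible for more than one site, here is an added example (not code from the original post) that inventories several WordPress roots by reading `$wp_version` from `wp-includes/version.php` (one of the 12 files revised in 3.0.2) and flags any install still below 3.0.2. The site directories and version strings built in `demo()` are constructed samples.

```python
import re
import tempfile
from pathlib import Path

REQUIRED_VERSION = "3.0.2"  # the release this advisory asks every site to run

# Matches the assignment in wp-includes/version.php, e.g.  $wp_version = '3.0.2';
_VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""")

def parse_version(text):
    """Return the $wp_version value from version.php contents, or None if absent."""
    m = _VERSION_RE.search(text)
    return m.group(1) if m else None

def version_key(version):
    """Numeric sort key: '3.0.2' -> (3, 0, 2); a '-alpha' style suffix is ignored."""
    core = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(p) for p in core.group(0).split(".")) if core else ()

def audit_sites(site_roots, required=REQUIRED_VERSION):
    """Map each root's directory name to (status, version): 'ok', 'outdated',
    'development' (a nightly build) or 'unknown' (no parseable version.php)."""
    results = {}
    for root in map(Path, site_roots):
        vfile = root / "wp-includes" / "version.php"
        version = parse_version(vfile.read_text()) if vfile.is_file() else None
        if version is None:
            status = "unknown"
        elif "-" in version:
            status = "development"
        elif version_key(version) < version_key(required):
            status = "outdated"
        else:
            status = "ok"
        results[root.name] = (status, version)
    return results

def demo():
    """Constructed sample: four fake site roots in a temp dir, then audit them."""
    base = Path(tempfile.mkdtemp())
    for name, ver in {"site-a": "3.0.2", "site-b": "3.0.1", "site-c": "3.1-alpha"}.items():
        inc = base / name / "wp-includes"
        inc.mkdir(parents=True)
        (inc / "version.php").write_text("<?php\n$wp_version = '%s';\n" % ver)
    (base / "site-d").mkdir()  # a root with no version.php at all
    return audit_sites(sorted(base.iterdir()))
```

Pass `audit_sites()` the real document roots of your sites to get the same report for live installs.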
Plugin Conflicts:
After upgrading to WordPress 3.0.2, we noticed an intermittent error message when creating a new post, caused by the MaxBlogPress Ping Optimizer plugin. This error comes and goes:
Warning: Missing argument 1 for PingOptimizer::__mpoFetchPostDetails(), called in /PATH/WORDPRESS/wp-content/plugins/maxblogpress-ping-optimizer/maxblogpress-ping-optimizer.php on line 503 and defined in /PATH/WORDPRESS/wp-content/plugins/maxblogpress-ping-optimizer/mpo-lib/include/mbp-ping-optimizer.cls.php on line 135
Leave Your Feedback
How was your upgrade experience with WordPress 3.0.2? Did you have any issues with this release? Let us know by leaving your comment below.
Securely yours,
Regina Smola
WordPress Security Specialist
andy says
updates went smoothly for ghettohacker.org and pcmagicrepairs.org. Thanks for the heads up, and I love what you’re doing here, keep it up!
Regina Smola says
Glad it worked Andy. Thanks for your kind words.
BTW, pcmagicrepairs.org doesn’t work, but .com does. A typo maybe?
Daniel Fenn says
Hello,
Thank you for giving the heads up about updating wordpress. I decided to let wordpress do everything for me, so automatic upgrade it went. The only thing that went wrong was that I needed to re-upload my index.php file that a wordpress plugin is using. (http://www.wp-united.com/) Other than that, it’s all fine 🙂
Daniel Fenn, MTA
Regina Smola says
Hi Daniel,
Thanks for your feedback. Glad to see that the automatic upgrade worked okay. Glad you caught the index.php file upload.
If you don’t mind me asking, which plugin causes you to use a different index.php file for WP?
Keep us informed if you notice any plugins acting up.
Daniel Fenn says
Hello,
I’m using a plugin called WP-united (http://www.wp-united.com/), It more of a plugin for phpbb, but it does have a wordpress part as well. Just a small quote from their home page:
“WP-United glues together phpBB forums and WordPress blogs.
From simple single sign-on, to fully automatic template integrations, WP-United can help you create a fully-featured, compelling community site.”
Hope this helps 🙂
Daniel Fenn, MTA
Regina Smola says
Great, thanks for sharing. That’s the first plugin I have heard of that requires you to manually change the WP index.php file.
Jorge I. Meza says
I upgraded today and now I can’t “edit” posts, it shows me a 404 error 🙁
Regina Smola says
Hi Jorge,
Wow that’s not good. Did you do an automatic or manual upgrade? And do you have a backup?
Let me know if you need my help.
Jorge I. Meza says
False alarm. I think it was a coincidence between the upgrade and a couple of words in the post blacklisted by mod_security.
All seems to be running fine now 🙂
Regina Smola says
Jorge, I’m so glad you got it fixed.
Sakamoto says
I had some issues with the upgrade. Seems as if it put my site into Maintenance Mode for about 20 to 30 minutes before finally failing the upgrade, but when I tried the automatic upgrade again, it went through fine. I’m guessing the servers were quite busy this morning!!
Regina Smola says
Yes, sounds like the server was having a timeout issue. Glad that it worked for you!
Thanks for sharing.
John Soares says
Regina, I just updated about ten sites using the automatic option. They all use either Thesis 1.7 or 1.8, and about half of them have custom-designed themes.
No problems!
Regina Smola says
Awesome. Thanks for your input John.
David Perdew says
Hey Regina –
Thanks for the heads up! No issues on the upgrade. Automatically upgraded in less than 5 seconds. Love it when it works.
Regina Smola says
Hi David,
Thanks for your comment. I love when it works and quickly too!
Joan Stewart says
Hi Regina,
Thank you for a wonderful site, has anyone moved WP 2.8 straight up to WP 3.0.2? Or must this be stepped up one level at a time? I have been nervous to make the move due to the horror stories you hear.
Regina Smola says
Hi Joan,
When upgrading from an older version, such as 2.8, you should make sure you have a working backup of your server files and also your database.
My suggestion would be to make a new database and copy your current database into it, then change your wp-config.php file to the new database before upgrading. That way if something goes wrong you can quickly switch back to your old database.
Since your version of WordPress is so outdated, there are many files that are now obsolete and vulnerable if they are left on the server. So you should follow the Upgrading WordPress Extended instructions.
If you need any help, just ask 🙂
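The database-swap step described in the reply above (copy the database, then point wp-config.php at the copy so you can switch back quickly), as an added example that is not part of the comment: the copy itself is made with mysqldump/mysql outside this script, which only rewrites the `DB_NAME` define and keeps a `.bak` of the previous wp-config.php. The file contents and database names in `demo()` are constructed.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Matches the DB_NAME define in wp-config.php in both spacings WordPress has shipped:
#   define('DB_NAME', 'x');   and   define( 'DB_NAME', 'x' );
_DB_NAME_RE = re.compile(
    r"""(define\(\s*['"]DB_NAME['"]\s*,\s*['"])([^'"]*)(['"]\s*\))""")

def current_db_name(config_text):
    """Return the database name wp-config.php currently points at, or None."""
    m = _DB_NAME_RE.search(config_text)
    return m.group(2) if m else None

def set_db_name(config_text, new_name):
    """Return config_text with DB_NAME replaced by new_name (a plain MySQL identifier)."""
    if not re.fullmatch(r"[A-Za-z0-9_$]+", new_name):
        raise ValueError("refusing unusual database name: %r" % new_name)
    text, n = _DB_NAME_RE.subn(lambda m: m.group(1) + new_name + m.group(3),
                               config_text, count=1)
    if n != 1:
        raise ValueError("no define('DB_NAME', ...) found in wp-config.php")
    return text

def point_config_at(config_path, new_name):
    """Rewrite DB_NAME in the file after saving a .bak copy, so switching back to
    the old database is just restoring that copy. Returns the old name."""
    path = Path(config_path)
    original = path.read_text()
    old_name = current_db_name(original)
    if old_name is None:
        raise ValueError("no DB_NAME in %s" % path)
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    path.write_text(set_db_name(original, new_name))
    return old_name

def demo():
    """Constructed sample: a minimal wp-config.php switched to a copied database."""
    cfg = Path(tempfile.mkdtemp()) / "wp-config.php"
    cfg.write_text("<?php\ndefine('DB_NAME', 'wp_live');\ndefine('DB_USER', 'wp');\n")
    old = point_config_at(cfg, "wp_live_copy")
    now = current_db_name(cfg.read_text())
    saved = current_db_name(cfg.with_name("wp-config.php.bak").read_text())
    return old, now, saved  # ('wp_live', 'wp_live_copy', 'wp_live')
```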
Mal Milligan says
Did the recent WP 3.0.2 security update drop fresh copies of Akismet and Hello Dolly plugins on every site I updated? I had previously deleted them for security reasons. Now a few days after the WP core file update there is a black update button on all my dashboards saying there is a new version of Akismet. I am dreading the thought of it but do I have to go into all my sites now and delete them again manually? Regards –
Regina Smola says
Hi Mal,
Good question. Unfortunately, the answer is yes. If you use the automatic update it will always install any files included in that update, which happens to be those two plugins.
When I upgrade, I do it manually so that I can pick what I want to upload. For instance, I remove the readme.html file, so when I do a manual update I skip that file.
However, if you enjoy the automatic update feature, you have to always remember to delete what you want removed from your WP site.
I hope that helps.
Mal Milligan says
After getting 30 sites pwned by a sql injection during the summer, I did everything I could to minimize exposure, including evolving into a minimalist when it comes to plugins. I have all my sites spread out in smaller CPanel container groups now too so hopefully I won’t lose everything with a cross site script attack (again). But I have to think now about the best way to do these updates. Updating dozens of sites is a lot of work… there has to be a way to script part of the operation and run it like a cron job after the updates… thanks for your reply Regina !! Have a great week ! Mal
Regina Smola says
Hey Mal,
I understand your frustration, believe me I can relate. LOL I update WordPress sites all day every day for others and my own.
Not to rain on your parade, but there is no script that I know of to do what you’re asking. However, if you find one, please please let me know. It would cut my workload way down. 🙂
Joe Cheray says
Regina I have WP Genius theme from Solostream. I updated yesterday via my dashboard with no hassles. Everything is working normally. Thank you for putting together this post.
Regina Smola says
Hey Joe,
Awesome! It’s so nice when updates run smoothly.
Kathy Pop says
Well. I updated a few and have had no issues so far.
I do have a question. In the updates section on some of my blogs, it gives the version number and says whether there is an update available or not, and others have: “You are using a development version of WordPress. You can update to the latest nightly build automatically or download the nightly build and install it manually:” This message shows all the time. Do you know why I get this on some blogs and others I get the “normal” update message?
Regina Smola says
Thanks for your question Kathy. You are receiving this message because you’re using the developer’s version of WordPress on those sites.
For more information see: http://codex.wordpress.org/Using_Subversion.