On Wednesday, December 29, 2010 at 3:50pm, WordPress 3.0.4 was released to the public. Version 3.0.4 is a critical WordPress security update for all previous WordPress versions.
WordPress version 3.0.4 fixes persistent Cross-site scripting (XSS) flaws in the HTML sanitation library, known as KSES.
What is Cross-site scripting?
A type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users. (Source: Wikipedia)
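To make the role of an HTML sanitation library such as KSES concrete, here is an added example (not code from the post or from WordPress) of the allow-list approach such a library takes: every tag and attribute that is not explicitly permitted is stripped, and `href` values are kept only when their scheme is on a short list. The tag, attribute and scheme lists below are constructed for illustration and are far smaller than the real KSES tables; the sample comment body at the bottom is constructed too.

```python
import re
from html import escape
from html.parser import HTMLParser

# Allow-list of tags and, per tag, the attributes that may survive.
# Anything not listed here is dropped (constructed; KSES's real list is larger).
ALLOWED_TAGS = {
    "a": {"href", "title"},
    "b": set(), "i": set(), "em": set(), "strong": set(),
    "p": set(), "br": set(),
}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}
DROP_CONTENT = {"script", "style"}  # the tag and its inner text both go


def _safe_url(value):
    """Accept relative URLs and URLs whose scheme is allow-listed.

    Whitespace and control characters are removed first, because browsers
    ignore them inside a scheme (a tab between "java" and "script:" still runs).
    """
    if value is None:
        return False
    v = re.sub(r"[\x00-\x20]", "", value).lower()
    head = v.split("/", 1)[0]
    if ":" not in head:
        return True  # no scheme at all, treat as relative
    return head.split(":", 1)[0] in ALLOWED_SCHEMES


class AllowListSanitizer(HTMLParser):
    """Re-serialises input HTML keeping only allow-listed tags and attributes."""

    def __init__(self):
        # convert_charrefs decodes entities such as &#106;avascript: before we look
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self._skip += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag removed; its inner text is kept as text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag]:
                continue  # covers onerror=, onclick=, style=, ...
            if name == "href" and not _safe_url(value):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self._skip = max(0, self._skip - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))


def sanitize(html):
    """Return a sanitised copy of HTML supplied by an untrusted user."""
    p = AllowListSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    # Constructed sample comment body, not taken from the page.
    sample = ('<p>Nice post <b>Regina</b><img src=x onerror=alert(1)>'
              '<a href="javascript:alert(1)" title="x">link</a></p>')
    print(sanitize(sample))
    # prints: <p>Nice post <b>Regina</b><a title="x">link</a></p>
```

The point of the design is that the library never tries to recognise bad input; it only re-emits what it positively knows is safe. A flaw in a sanitiser like this is "persistent" in the XSS sense because the filtered text is stored (in a comment, a post) and served to every later visitor, which is why the post says everyone should update.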
In an email received from Matt Mullenweg, he stated:
My last message to you this year is an important but unfortunate one: we've fixed a pretty critical vulnerability in WordPress' core HTML sanitation library, and because this library is used lots of places it's important that everyone update as soon as possible.
I realize an update during the holidays is no fun, but this one is worth putting down the eggnog for. In the spirit of the holidays, consider helping your friends as well.
You can update in your dashboard, on the “updates” tab, or download the latest WordPress here:
http://wordpress.org/download/
The official release announcement is here:
Merry WordPressing in 2011,
Matt Mullenweg
On the WordPress Blog, Matt Mullenweg stated that they have given this update a lot of thought and review, but since the code is so core they want as many brains on it as possible. He has requested that security researchers take a look at the changeset and review the update.
List of WordPress Files Revised:
- readme.html
- wp-admin/includes/update-core.php
- wp-includes/formatting.php
- wp-includes/kses.php
- wp-includes/version.php
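When only the revised files are replaced by hand, it is worth confirming afterwards that each of the five now matches the release byte for byte. The following POSIX shell snippet is an added example, not a script from the post or from WordPress; it compares the listed files in a site root against an unpacked 3.0.4 download. The two directory paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Files the 3.0.4 release revised, as listed in the post.
REVISED_FILES='readme.html
wp-admin/includes/update-core.php
wp-includes/formatting.php
wp-includes/kses.php
wp-includes/version.php'

# compare_release SITE_ROOT RELEASE_ROOT
# Prints one line per revised file: "same", "differs", "missing-on-site" or
# "missing-in-release", followed by the path. Comparison is byte-exact (cmp).
compare_release() {
    site=$1
    rel=$2
    printf '%s\n' "$REVISED_FILES" | while IFS= read -r f; do
        if [ ! -f "$rel/$f" ]; then
            printf 'missing-in-release %s\n' "$f"
        elif [ ! -f "$site/$f" ]; then
            printf 'missing-on-site %s\n' "$f"
        elif cmp -s "$site/$f" "$rel/$f"; then
            printf 'same %s\n' "$f"
        else
            printf 'differs %s\n' "$f"
        fi
    done
}

# count_pending SITE_ROOT RELEASE_ROOT
# Number of revised files that still do not match the release; 0 means done.
count_pending() {
    compare_release "$1" "$2" | grep -cv '^same ' || true
}

# Usage (placeholder paths): compare_release /var/www/example /tmp/wordpress-3.0.4/wordpress
```

Run it once before the partial upgrade to see the five files flagged as "differs", and again afterwards, when `count_pending` should print 0. A "differs" that persists after copying usually means a stale copy was uploaded or the file was edited locally.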
Resources
- WordPress News: 3.0.4 Important Security Update
- Download WordPress 3.0.4
- Changeset 17172 for branches 3.0
- WordPress Codex Version 3.0.4
Important!
If you're self-hosting WordPress on your own domain, it is important that you upgrade your WordPress as soon as possible.
I haven't tried the automatic update via my “Dashboard,” but I did do a manual upgrade and it worked fine.
Leave your feedback
Have you upgraded to WordPress 3.0.4? Did you use the automatic upgrade or do it manually? If you noticed any glitches in the upgrade or conflicts with any plugins, be sure to let us know. Leave your comment below.
Securely yours,
Regina Smola
Wayne Harriman says
Just did the upgrade using WP Automatic Upgrade plug-in, took 4 minutes, no conflicts or glitches in the upgrade!
Robert Nelson says
Get the developer version of WordPress Automatic Upgrade available at http://www.wordpress.org and use it for any and all upgrades. It is much better than the upgrade possibility provided by WordPress. After using it and seeing how great it is, donate as much as you can to the developer.
Regina I’m very surprised that you aren’t making reference to this great plugin.
Regina Smola says
Hi Robert,
I will be doing a post about the WordPress Automatic Upgrade plugin soon. Thanks for pointing that out. What I love about it is the fact that it makes a backup of your files and your database for you, as well as disabling/enabling the plugins after the upgrade. Very convenient.
Personally, for security upgrades, such as this, I only replace the files revised for the new version (from the Codex).
For major core updates (like when WordPress 3.1 comes out), I do the extended manual upgrade so I know exactly which files are going on my server via SFTP and do not upload the ones I don’t want on there for security purposes.
UPDATE: I will no longer be doing a post on the WordPress Automatic Upgrade plugin. It has since been removed from WordPress.org.
Robert Nelson says
Error in my previous comment: it should read "seeing how great it is."
Yes, both sites are upgraded using the plugin version of Automatic Upgrade with no problem. This time I even got an email from Matt Mullenweg telling me about the upgrade, as did Willie Crawford.
Regina Smola says
No problem Robert. I edited your comment to read as such.
I received an email from Matt and several others as well. Glad everyone is spreading the word about this important WordPress security update.
Ayush Kumar says
Thanks a lot for this update Smola, I will be updating all my websites soon. BTW, recently I and all my clients are facing an issue. There is one person (john1, john2, [email protected] bla bla) who keeps sending tons of spam mail. Somehow I found his IP address (http://www.stopforumspam.com/ipcheck/188.92.75.82) and there are a number of people facing the same issue. All websites are built in WordPress. Please advise.
Ayush Kumar says
I also tried to block his IP address so that he/she can't access the website itself and used the WP BAN plugin, but it seems like it didn't work out.
Regina Smola says
Hi Ayush,
Try using the “Defensio” plugin and install the ProjectHoneyPot script and see if that works. Once you install the honeypot, you can get your http:BL Access Key to add to your Bad Behavior plugin.
Note: If you have any other anti-spam plugins like Akismet, you will have to disable them to use Defensio.
All work great to help slow down and/or combat spammers.