WordPress MU 2.6

Version 2.6 of WordPress MU is now out! WordPress MU is the multi blog version of the popular blogging software WordPress. It’s the engine behind and many other blogging sites.

This version of WordPress MU is based on WordPress 2.6. There’s a long and interesting post on the new features in 2.6 so get over there to read up on post revisions, “Press This!”, Gears, Theme Previews, and the long list of developers who helped make this release a reality.

Some of the new features in this release of MU:

  1. Version number is 2.6 rather than 1.6 because it just makes sense to synchronise the major version numbers.
  2. Signup page now has a nonce which should help in the fight against spammers, for a short while anyway.
  3. Redirecting to the signup page for 404s and for unknown blogs is not enabled by default. Check out wp-config-sample.php for instructions.
  4. “allowed_themes” filter, much like the plugins filter added previously.
  5. New functions: get_id_from_blogname(), is_main_blog().
  6. get_blog_details() can now take a blogname as well as a blog_id.
  7. Custom first posts didn’t always work. Now they do.
  8. Blognames in the “Add blog” form in wpmu-blogs.php are now sanitized.
  9. Added “pre_site_option_*” and “site_option_*” filters like the similar option filters.
  10. Meta fields will be passed on signup again.
  11. Added an “admin_header_navigation” filter so the top right navigation in the backend can be customised.
  12. The signup page uses “blogname” instead of “blog_id” to avoid confusion with the global variable of the same name. Plugins will break if not updated!

That last change is quite a major one. If you have any plugins that interact with the signup form they will need to be updated!

This release also addresses some security issues spotted by Alexander Concha and Juan Galiana. Thank you both for alerting us and for your patience while this release was prepared!


Sitewide tags pages for WordPress MU

For WordPress MU only. My latest plugin is the sitewide tags pages plugin.

This is the initial release of a plugin that creates a set of pages like the Hot Topics pages. It’s a lot more simplistic, but by feeding posts into one blog it also creates a sitewide feed of all posts plus feeds of any tags and categories too.

Sitewide Tags Options

WordPress MU is a multi blog version of WordPress that runs on If you use the regular version of WordPress this plugin is not for you and you can ignore this post.

PS. In other MU news. Raanan has a new post on the Publisher Blog about Nationen! blog, a new Danish blog site based on WordPress MU that looks rather nice!
The site was developed by Incsub who are also the guys behind where you’ll probably find all sorts of useful nuggets of MU goodness on a regular basis!


Anti spam-blog plugin for WordPress MU

The very popular WP Hashcash plugin for WordPress has been modified to work on the WordPress MU signup page.

WP Hashcash is an anti spam plugin that protects blogs from comment spam. It does this with Javascript and is quite successful. I worked on it over the last few days and the plugin now offers the same protection on the WordPress MU signup form!

This is the first release of the code so handle with care. Grab the latest version (version 4.2 as of this moment) from the download page. Unzip it and copy wp-hashcash.php into wp-content/mu-plugins/ and visit “Site Admin” -> “WordPress Hashcash” to confirm it’s working.

Now log out and create a new blog, just to make sure everything is working OK. Occasionally some users will have problems registering, and those that have JavaScript turned off won’t be able to create a new blog at all. That’s the downside of using this plugin unfortunately.

Keep an eye on the stats counter on the admin page. I want to hear how well this works on your site!


WordPress MU 2.6 beta 1

Edit: The release candidate is now online. Here’s the forum thread on it. Grab the zip file to test!

WordPress MU 2.6 beta 1 is now available. WordPress 2.6 is due for release shortly and it’s already on its third beta so it’s time for WordPress MU to be updated.

This release has many new features as well as a few security fixes. In his beta 1, beta 2 and beta 3 posts Ryan listed some of the main features, including post revisioning, gears support for faster loading, theme previews, better SSL support and much much more.

WordPress MU specific changes include:

  • The version number is being bumped to 2.6 rather than 1.6 because of version confusion. Minor MU versions will probably append a letter to the version.
  • Signup page now has a nonce to help defeat spammers.
  • Plugins in wp-content/plugins/ are version checked like in WordPress. mu-plugins isn’t covered just yet.
  • Major object cache changes.
  • And many more bug fixes. Check the timeline for a list of changes.



Fifty years with WordPress

Ah yes, them were the days when we had to type blog posts on quaint old keyboards. Can you imagine it? You actually had to write everything letter by letter. Today’s thought entry systems are so much more convenient don’t you think?

That there Matt fella is still the youngster he always was. He may not be quite as fast on his feet but that embedded camera in his skull sure takes some snazzy photos. My camera gives me a headache, especially when the lens doesn’t focus fast enough. Great to see that mind blog integration stuff working out for him though. I can’t believe blogging has come so far in such a short time.

Oh wait! Fifty? It’s only been five. Where have the years gone? Matt noticed that I officially joined the WordPress team 5 years ago today! At the time I was working on the predecessor to WordPress MU, b2++ that was running on Blogs. It was a sometimes hard slog. MU was always on the sidelines of the WordPress community and somehow it escaped the attention of the vast majority of people online. I noticed many surprised voices when people found out what was running on!

Two years later and Matt starts Automattic and I come on board to work on and I’ve never looked back. The GPL licensed WordPress and WordPress MU go from strength to strength.

As a final note on this rambling post, if you enjoy using WordPress, head over to and read their philosophy page to find out what influences Matt and Alex and everyone else who contributes to GPLed software projects.


WordPress MU 1.5.1

The long delayed version 1.5.1 of WordPress MU has just been released. If you don’t want to read the rest of this post head to the download page and grab the zip file or tarball but make sure you come back here to read the upgrade docs.

This release of the popular multi-blog version of WordPress is synced with WordPress 2.5.1 and so has all the great features as well as bug and security fixes that went into that release.

Upgrading from a previous release
As long as you haven’t modified any core files, you can copy the files in 1.5.1 over your current install. Database upgrades will happen transparently in the background. The new salted hashing on passwords requires two constants, SECRET_KEY and SECRET_SALT to be defined in wp-config.php. If you upgrade and you don’t change wp-config.php your users will appear logged out when they go to a different blog. That’s why MU will display an ugly warning message to site admins with the two lines when they log in to the backend.

secret key

If you run into trouble, remember to check the forum and Trac. Someone else may have already answered your question.


WordPress MU 1.5 RC1

The first release candidate of the new WordPress MU 1.5 has just been released. The obvious major changes are the new admin interface and password salting introduced in WordPress 2.5, but apart from those, many bugs have been fixed.

There is also experimental support for CSS styles, something that has been missing from MU for quite some time due to XSS concerns. This function does the work of filtering out bad stuff and I would appreciate feedback, both positive and negative, especially with security concerns.

This release is quite stable, but there will probably be bugs still. Please only test it on a development server, and if you’re brave enough to put it live, make sure you have backed up everything first.

Check out the WordPress MU timeline for further information, and download the zip file here if you’d like to test it.


WordPress MU 1.3.2

WordPress MU 1.3.2 was tagged earlier today. This is a major security update that brings together the fixes in WordPress 2.3.2 and a number of critical WordPress MU specific security problems.

Details of the fixes will be posted to the WordPress MU forum next week to give administrators time to upgrade. This release should be seen as an urgent upgrade.
Thanks to Alex Concha for his help with this release.

Please note: If you have plugins that use options.php to save their options you must whitelist those options using the new add_option_update_handler() API. More information on this can be found on this forum post.

Download WordPress MU here



What is the significance of “20f1aeb7819d7858684c898d1e98c1bb”? It’s the MD5 hash of the name “Anthony” and was the password used by someone who broke into Searching for the md5 hash was clever, but it won’t work for long because Ryan is working on securing the WordPress cookies and passwords.
In case you’re wondering, the hacker got in because the blog was running an outdated version of WordPress.

Tips to help keep your blog safe:

  • Keep all your software updated, not just WordPress. Make sure your plugins are updated.
  • Use a strong password. Don’t use words or sequences of characters like “12345” as your password. Make it a mix of characters and numbers.
  • Don’t ever store your database dump online in a place Google will index it. It is very easy to use a Google search to find it.
  • If you use public WiFi or a net cafe regularly, use SSL to secure the communication with your blog. Use the secure admin plugin for just this purpose.
  • If you use Firefox, install PwdHash. It’s simple to use and works really well.

WordPress MU admins – Fire up phpMyAdmin and look at wp_users. Try these SQL queries to find weak passwords in your database:

SELECT count(*) FROM `wp_users` WHERE user_pass = md5('wordpress');
SELECT count(*) FROM `wp_users` WHERE user_pass = md5('12345');
SELECT count(*) FROM `wp_users` WHERE user_pass = md5('qwerty');
SELECT count(*) FROM `wp_users` WHERE user_pass = md5('anthony');
SELECT count(*) FROM `wp_users` WHERE user_pass = md5('Anthony');
and because of the season:
SELECT count(*) FROM `wp_users` WHERE user_pass = md5('christmas');

Scary isn’t it how many people still use simple passwords? I must release that “Strong password” plugin we use on soon. That will certainly help avoid account hijacking.
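
The per-password checks above can be folded into a single audit query. This is an added example, not part of the original post: it assumes MySQL and the unsalted MD5 `user_pass` values those queries rely on, and the candidate list and the column aliases (`n`, `candidate`, `weak_password`, `accounts`, `unsalted_md5_accounts`) are made up for illustration.

```sql
-- Added example: one pass over wp_users instead of one query per password.
-- The candidate list is built from the passwords named in the post; extend it
-- with whatever your own password policy bans.
SELECT c.candidate AS weak_password,
       COUNT(u.ID) AS accounts
FROM (
            SELECT 1 AS n, 'wordpress' AS candidate
  UNION ALL SELECT 2, '12345'
  UNION ALL SELECT 3, 'qwerty'
  UNION ALL SELECT 4, 'anthony'
  UNION ALL SELECT 5, 'Anthony'
  UNION ALL SELECT 6, 'christmas'
) AS c
-- LEFT JOIN keeps candidates with zero hits, so a clean result is visible too.
LEFT JOIN `wp_users` AS u
       ON u.user_pass = MD5(c.candidate)
-- Group on the row number as well: under a case-insensitive collation
-- 'anthony' and 'Anthony' would otherwise collapse into one row.
GROUP BY c.n, c.candidate
ORDER BY accounts DESC, c.n;

-- Coverage check: the audit only sees rows that still hold a bare
-- 32-character hex MD5 digest. Rows already converted to salted hashes
-- never match, whatever the password is.
SELECT COUNT(*) AS unsalted_md5_accounts
FROM `wp_users`
WHERE user_pass REGEXP '^[0-9a-f]{32}$';
```

A non-zero `accounts` value means those users need a forced password reset; a low `unsalted_md5_accounts` value means the audit covers only a small part of the user table.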


Put WordPress on the map

This WordPress Map on is nicely populated, but I’m feeling rather lonely on the WordPress MU one!


Looks like I’m the only WordPress banner waving fanatic in Ireland. Come on everybody, add yourselves! 🙂
(via Barry)