There's never been a better time to upgrade WordPress

When is the best time to upgrade your blog software?

  1. After the latest release has been out for a few weeks?
  2. When a release is so new it’s burning a hole in the ftp servers?
  3. When there have been a couple of releases because idonthavethetimetoupdateeverysingletime?
  4. Now?

The best time is right now. Spammers are taking advantage of exploits in old versions of WordPress, inserting hidden spam links in posts and using WordPress-powered blogs to distribute viruses and malicious software. They’re also using these exploits to run their own code on your server.

This morning I spotted an Irish blog in my feedreader that had hidden links added to it. I contacted the blog owner and she’s going to upgrade her blog soon.

The best way of stopping them is by downloading the latest version of WordPress, which at the moment is 2.5 (this post originally said 2.3.3), and if you use WordPress MU you should download version 1.3.3 of that. Once you’ve upgraded, change the passwords of all your users. On WordPress MU sites it’s probably enough to ask any user with site_admin access to change their password. To make your life easier, try the WordPress Automatic Upgrade plugin. I haven’t used it yet but it works for a lot of people.

If you suspect that your blog has been compromised and you have already upgraded, then please change your passwords and overwrite your current install with the files from a freshly downloaded copy of WordPress. It’s worth checking that no extra PHP files have been added too.

Running your own blog is about more than just writing and contributing to the blogosphere conversation. You also have an important responsibility to be a good ‘net citizen by keeping your software up to date.

If you absolutely cannot upgrade straight away then adding a .htaccess file in your wp-admin/ directory, with another username and password level of authentication, might help. This page describes how to do that, but it is no substitute for upgrading to WordPress 2.5 (originally 2.3.3). You should delete your xmlrpc.php too, thus depriving yourself of pingbacks and desktop blog posting abilities.
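For reference, this is what that extra layer looks like. It is an added example, not the page the post links to: a wp-admin/.htaccess that asks Apache for HTTP Basic authentication before it will serve anything under wp-admin/. The path to the password file is an assumption; use one outside your web root so the file itself can never be downloaded.

```apache
# wp-admin/.htaccess (added example; the AuthUserFile path is hypothetical)
# Requires AllowOverride AuthConfig (or All) for this directory in the vhost.
AuthType Basic
AuthName "WordPress admin"
# Keep the password file outside DocumentRoot.
AuthUserFile /home/example/.htpasswd-wpadmin
Require valid-user
```

Create the password file with `htpasswd -c /home/example/.htpasswd-wpadmin alice` (drop `-c` when adding further users). Two caveats: this only protects wp-admin/, so anything reachable through xmlrpc.php or the front end is still exposed, which is why the post says to remove xmlrpc.php as well; and Basic auth sends the password with every request, so it is only worth much over HTTPS.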

Go on, upgrade. After you do it once it doesn’t seem so scary.

Update! To find any posts with hidden links search your posts for any of the following:

  1. display:none;
  2. height:0

You can use the Search box on the posts edit page, or phpMyAdmin.
Open up phpMyAdmin, go to wp_posts, click Search and in the box next to post_content type %string% where string is one of the two options above.
That may return posts that don’t have any hidden links but it’s better to be safe than sorry.
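The search above is deliberately broad, which is why it can flag innocent posts. The following script is an added example, not code from the post or from WordPress: it runs the same two indicators over a few constructed post bodies, then applies a stricter check that only reports links sitting inside an element whose inline style hides it. Feed it rows from wp_posts (post ID and post_content) and you get a list you can review by hand instead of a pile of false positives.

```python
import re

# The two indicators the post suggests searching for. A bare substring hit is
# the broad, noisy check and is roughly what %display:none% / %height:0% does.
HIDDEN_INDICATORS = ("display:none", "height:0")

# Stricter check: a div/span/p whose inline style hides it and which contains
# at least one link. height:0 must not be followed by a digit or a dot so that
# "height:0.5em" is not treated as hidden.
_HIDDEN_STYLE = (
    r'style\s*=\s*["\'][^"\']*'
    r'(?:display\s*:\s*none|height\s*:\s*0(?:px)?(?![.\d]))'
    r'[^"\']*["\']'
)
_HIDDEN_BLOCK = re.compile(
    r'<(?P<tag>div|span|p)\b[^>]*' + _HIDDEN_STYLE + r'[^>]*>(?P<body>.*?)</(?P=tag)>',
    re.IGNORECASE | re.DOTALL,
)
_ANCHOR_HREF = re.compile(r'<a\b[^>]*href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def has_indicator(post_content):
    """Broad check: does the post contain either indicator at all?
    Whitespace is stripped first so 'display: none' still matches."""
    normalised = re.sub(r"\s+", "", post_content).lower()
    return any(ind in normalised for ind in HIDDEN_INDICATORS)


def hidden_links(post_content):
    """Strict check: hrefs of links that sit inside a hidden container."""
    found = []
    for match in _HIDDEN_BLOCK.finditer(post_content):
        found.extend(_ANCHOR_HREF.findall(match.group("body")))
    return found


def scan_posts(posts):
    """posts: iterable of (post_id, post_content). Returns (post_id, hrefs)
    for every post that trips the broad search; an empty hrefs list means the
    strict check found nothing and the hit is probably a false positive."""
    report = []
    for post_id, content in posts:
        if has_indicator(content):
            report.append((post_id, hidden_links(content)))
    return report


# Constructed sample rows, not real blog content.
SAMPLE_POSTS = [
    (1, '<p>Read my <a href="http://example.com/post">post</a></p>'),
    (2, '<p>Nice day.</p><div style="display:none">'
        '<a href="http://spam.example/pills">cheap pills</a> '
        "<a href='http://spam.example/casino'>casino</a></div>"),
    (3, '<p>CSS tip: use <code>display: none;</code> to hide an element.</p>'),
    (4, '<span style="height:0;overflow:hidden;position:absolute">'
        '<a href="http://spam.example/loan">loan</a></span>'),
]

if __name__ == "__main__":
    for post_id, hrefs in scan_posts(SAMPLE_POSTS):
        verdict = "hidden links" if hrefs else "indicator only, review by hand"
        print(post_id, verdict, hrefs)
```

Post 3 is the case the post warns about: it mentions display:none in passing and is reported by the broad search but has no hidden link. The strict regex does not follow nested containers or CSS classes defined elsewhere, so anything it misses still deserves a look when the broad search fires.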


WordPress MU 1.2.5

A new release of WordPress MU, the multi-user, multi-blog version of WordPress is now available.

This is a security release to address issues brought to our attention by Alexander Concha who I must thank for his unfailing patience while we sorted out this release.

Edit: this release is based on WordPress 2.2.3. Unfortunately a last minute bug crept in where post titles looked like post slugs when viewed on your blog. I quickly rolled together a new minor release, 1.2.5a which has an updated wpmu-functions.php. The download page has been updated too. If you have already updated your install, all you have to do is go to this page and download a new wpmu-functions.php and place it in your wp-includes directory. Apologies for the mix up!

Edit 2: I forgot to mention yesterday that a lot of the functions that were in the files in mu-plugins/ have been moved into wp-includes/wpmu-functions.php so move those files out of the way if you get errors about functions already existing. As stated previously on the forum, kses.php is synced with the one in WordPress which means class and id will be stripped from posts. If you’re happy for your users to use the class and id tag attributes then the following function will come in handy. Put it in mu-plugins/kses.php where it will be activated automatically.

<?php
// mu-plugins/kses.php: allow the class and id attributes on every tag that
// is already permitted in post content.
function addabitofclass( $tags ) {
    global $allowedposttags;
    foreach ( $allowedposttags as $tag => $attr ) {
        $attr['class'] = array();
        $attr['id']    = array();
        $allowedposttags[ $tag ] = $attr;
    }
    return $allowedposttags;
}
add_filter( 'edit_allowedposttags', 'addabitofclass' );

The observant among you will notice I forgot to assign the result of the filter in wp-includes/kses.php. This has since been fixed but it was too late for this release. Making it a global in the function above was a suitable work around.


You didn't hear? Upgrade now!

On the off chance that you haven’t heard the news yet. You should upgrade your WordPress install straight away. Don’t hesitate, do it now. Don’t pause to grab a cup of coffee. If you’re just waking up then rub the sleep from your eyes and jump to the download page and grab WordPress 2.1.2.

Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately.

Users running from svn code aren’t affected, but then you probably knew that already, didn’t you? You should be subscribed to the Hackers and Testers lists.

Don’t worry if you’re running a WordPress MU site. That isn’t affected, although you should upgrade to the latest 1.1.1 release as that fixes a number of problems with 1.0 as well as merging in some security fixes from WordPress core. users have nothing to worry about.

When-in-Ireland WordPress

Ask the developer

On January 20th I’ll be speaking at BarCamp South East on the subject of and WordPress MU. The talk is titled, “ – running the biggest wpmu site in the world” which is vague enough that I could talk about anything but I’d like to know what you want to hear.

Public speaking isn’t my strong point, I prefer to be behind the keyboard, or looking through a camera lens but sometimes you have to push yourself to do unfamiliar things. Here’s my go at public speaking.

Talks will be in 45 minute slots and I would like to make mine more of a discussion forum like the WPMU talk we had at WordCamp way back in August last year. It went really well and everyone got something out of it.

Subjects I’m considering include:

  • Merging code from WP core which is horribly exciting, have you ever seen vimdiff in action?
  • Site stats – did you know we publish them?
  • Hardware – server porn. How do we handle the load generated by Slashdots, Diggs, and almost 600,000 blogs?
  • Hooks and plugins – new hooks in the signup process and wpmu admin backend.
  • Anyone interested in working from home and virtual company issues? Automattic has employees in at least four countries.

So, if you’ll be there I want to hear from you. If you won’t, I still want to hear from you because I’m sure Bernie or someone will record the talk and put it up online.


WordPress MU Feedback

Matt took time out to update the feedback form in WordPress MU and today! Here’s a taster of what it looks like:

See the “Feedback” link above there? Hit that to send feedback to the admins of your WPMU site.

This is the feedback form that appears. It’s already being used on to great effect, reporting bugs and suggestions from users to the admins.

Thank you for your feedback. The great thing about this is that you can send feedback about the current page without disturbing what you’ve been doing. It’s sent to the server via an AJAX request and happens without refreshing the page!


What's this thing anyway?

Lots of people are asking about, fortunately for them there has been lots said about it already, both on the wp-hackers list, and on the WPMU blog. Usually without much feedback which I have found strange, but there you go!
The question comes up on IRC frequently, and here’s what I said a short while ago:

<donncha> it’s just WordPress.. if you already run a WordPress blog then you know a lot about what will be 🙂

It’s that, but also more. is going to be a great site and a shining example of what can be built on GPL software!


WPMU Update – Improved Caching

Hopefully you should see this site run a little faster, I’ve moved most database accesses to inside the cache loop.
For most users caching and processing of requests should be faster as the whole WordPress posts-loop is now cached, however there is a trade off. I can’t check if there are multiple or single posts on a page so every page, including the front page, is cached with your comment credentials and user login (if any). In other words, if I visit the front page and then you do, the front page won’t be cached for you, but if two anonymous users visit the second visitor will get a completely cached copy.
If you see any problems please leave a comment on this post, or email me at donncha @!

A bit later… I’m watching the logs and I’m glad I made that change. We’re being hit by 280 (corrected from 240) attempts at referer spamming from sex After the first hit, all they get served is static html! 🙂


Spam Spam Spam, Come on up and get your spam!

Here’s an updated list of recent spam to this list. It’s updated every few minutes so you can see a snippet of the spam that’s being deleted automatically here by Kitten’s Spaminator and diligent updating of keywords. Go wild!

I need to think about this a bit more. WPMU supports multiple blogs, run by multiple different people, all of whom can update their spam word lists. Wouldn’t it be useful to have a “I trust the following blogs” list so that spam words can be shared between blogs?

Slightly related, I started using PEAR Cache to cache frequently used database calls. Stuff like the “last posts” and other plugins now use that. It’s working very well and load on the server has gone down!

Oh, and when you’re updating to the latest CVS version of WordPress, a database table has changed. I ran the following to update my tables:
cd wp-inst/wp-content/blogs
for i in *; do
    echo "ALTER TABLE wp_${i}_users CHANGE dateYMDhour user_registered DATETIME DEFAULT '0000-00-00 00:00:00' NOT NULL" | mysql wordpress_db
done