WordPress 2.8.4 security release available

There's a new release of WordPress available this morning: 2.8.4 is labelled a security release, so you should upgrade as soon as possible. If there's not a link on your dashboard, you can upgrade automatically through Tools > Upgrade.

A word also about what this upgrade is for. Late yesterday (if you're in my time zone), a vulnerability was discovered: it was possible to force a new password to be generated for a WordPress account, even without any back-end access to the blog itself. A specially-crafted URL would allow anyone to reset the password on any WP blog; the new password generated by the WordPress installation would then be emailed to the address associated with the admin account (so the person doing the mischievous resetting would never actually see it). This morning's release stops this from happening.

Though some people on Twitter were calling this "a huge security hole in WordPress", that's rather overstating the case. As the official WP blog puts it, it "doesn’t allow remote access, but it is very annoying." (Unless of course your email were compromised; then you might have more of a problem.)

Nevertheless, this is probably a good day to read WPTavern's excellent 5 WordPress security tips you most likely don't follow.

Posted by Sue on August 12, 2009 in Security, WordPress.