I was on a vacation when I received an email from Matt Mullenweg. At first, I thought it’s just a simple holiday greeting message from the founder of WordPress, but soon I’ve learned that it’s about the critical update for WordPress.

You may ask, is this an important update? Will it affect my blog running in WordPress? My short answer is YES.

Back up all site content & files

What if you don’t want feel like updating? By not updating, you are compromising the security of your blog or site running in WordPress platform. If left not updated, hackers can attack your blogs using XSS Techniques (cross site scripting). To put it simply, a cross site scripting can injects malicious code to gather valuable information from the user. It can be a account hijacking, changing of user settings, cookie theft, session hijacking and more.

Matt Mullenweg of WordPress advises you to upgrade immediately.

Upgrading will just take few minutes via dashboard. My recommendation, is to backup your database and files before updating. WordPress dashboard will also remind you on this if you’re using the automatic update.

Why is it important to backup your database and files prior to updating?

This is to ensure your blogs or sites are safe and secure just in case anything goes wrong during the update process.  You don’t want to end up having a blank page after upgrading, do you?

Backup and Restore your entire WordPress...fast

This update is rated as “critical”, so it’s important to help spread the word.

As promised, WordPress 2.9 was released as scheduled. The new version, code named “Carmen” named in honor of magical jazz vocalist Carmen McRae is now available for download.

WordPress 2.9

This is not just an upgrade but a major release. This new version comes with over 500 bug fixes and enhancements which makes it a recommended download and install.

Over 140 developers contributed on this released version.

New Features include:

1. Undo – you can now undo or unerase a post or comment if you accidentally deleted them. No more annoying  “are you sure” messages on every delete.

2. Built-in image editor – no more Adobe Photoshop for me.  This is a basic image editor that  allows you to crop, edit, rotate, flip, and scale your images

3. Batch plugin update – It’s now possible to upgrade up to 10 plugins at the same time, and it will check the compatibility too. No more surprises if a plugin will work or not

Best WordPress Theme

4. Oembed(Easier video embeds) – allows you to just paste a URL on your post and WordPress will magically turn it into the proper embed code. It supports popular sites such as YouTube, Daily Motion, Blip.tv, Flickr, Hulu, Viddler, Qik, Revision3, Scribd, Google Video, Photobucket, PollDaddy, and WordPress.tv (and more in the next release).

5. Improved theme and plugin Editor - When you’re editing files in the theme and plugin editors it remembers your location and takes you back to the exact line after you save.

6. Automatic repair database – This is one of my favorite enhancements. Just enable it in your wp-config.php file by adding define(‘WP_ALLOW_REPAIR’, true).

7. Sidebar description – put a nice description  on your sidebar on what they do.

You can upgrade easily from your WordPress Dashboard by going to Tools > Upgrade, or you can download from WordPress.org

Here’s short video summarizing some of the cool things about the new released version:

Just a quick update here.

This new version of WordPress is not showing on my dashboard yet and probably not even on your site as well. I think this is a record breaker version also for the fastest security update since the previous version (23 days after the 2.8.5 upgrade).

It is always recommended to update to a new version of WordPress as soon as possible and especially so for a security release .

This update  fixes two security problems.

1. XSS vulnerability in Press This.

2. Sanitizing uploaded file names that can be exploited in certain Apache configurations.

Is this version really for you?

Here’s the straight fact: If you have untrusted authors on your blog, upgrading to 2.8.6 is recommended.

Really it’s up to you. This update was really unexpected.

There’s no harm in upgrading, though.

Image from www.blogohblog.com

This new WordPress update is called “hardening version”.

I’m waiting for the 2.9 version but according to WordPress developers, they need to back-port some security fixes they are working for 2.9 into 2.8. This is to make all previous versions as secured as possible.

I guess the most important headline among the changes is the fix for DOS or Denial of Service. This trackback remote denial of service vulnerability is a nasty bugs that could exploits the core files of WordPress.

DOS attacks can render your blog inaccessible. This kind of attack will consume your blog bandwidth resources and there is big possibility that your web host provider will cut your connection even if your site is providing you “unlimited bandwidth”. DOS attacks violate the “acceptable user policy” of virtually all internet service providers including web host companies.

WordPress developers are recommending that all sites shall upgrade to this version to ensure the best protection available.

Additional recommendation in this release that you should read:

If you think your site may have been hit by one of the recent exploits and you would like to make sure that you have cleared out all traces of the exploit then we would recommend that you take a look at the WordPress Exploit Scanner. This is a plugin which searches the files on your website, and the posts and comments tables of your database for anything suspicious. It also examines your list of active plugins for unusual filenames. You can read more about this plugin here – “WordPress Exploit Scanner“

The WordPress Exploit Scanner works by scanning all your files and directory in your site. It will try to find the code that it’s inserted into a hacked site. It uses a lot of memory during scanning so better check the readme.txt before running it.