WordPress 2.8.6 Released and a 2.9 Preview

I got the notice last night that WordPress 2.8.6 was released to fix a pair of security holes.  So I hopped right into the admin console from my iPhone and in 2 minutes, it was updated.  If you have a WordPress installation, I urge you to update right away as well.

This will almost certainly be the last release prior to the much anticipated release of 2.9 which is our next major (feature related) release.  Aaron Brazell had a great preview on his site yesterday, and since I’m not currently running the beta, I’ll leave the full on feature review to him.  Here are the major bits to expect:

  • Enhanced image handling – scaling, cropping, and thumbnail sizing on a per picture basis.
  • Trash Can – this really goes back to the old notion we saw in newspaper editorial systems, delete doesn’t really delete, it just hides.  This will come in handy.
  • The_post_image – if you’ve ever tried to add an image to an excerpt of a post you will know why this is important.
  • oEmbed – video support, which I’ve had for years using Vipers Video Tag Plugin.
  • Custom Post Type – this is one of those CMS type functions.  It’ll make my life easier, although honestly in the past I’ve been able to make categories do my bidding with little trouble in WordPress CMS settings.
  • Comment Meta – I have no idea what to think about this one.
  • Metadata API – Another feature I’m sure I’ll use, but currently I can’t think of anything I’d use it for.  I guess this is like custom fields for everything, not just limited to posts.
  • Theme System Modification – this will allow developers to work on one theme, while real users look at another.  This has been needed for some time.
  • Rel=Canonical Optimization – seems like a little thing, but it will help a lot with SEO.

Check out the preview at Technosailor.com for the full scoop.

WordPress 2.8.5 Released

A new WordPress release came out last night. Unlike the previous, this is what they are calling “a hardening release”, i.e. it is generally designed to make the code base more secure, but doesn’t fix any known vulnerabilities.  As with all minor level releases, I suggest you update as soon as possible, if for no other reason than to stay current.

From their blog:

  • A fix for the Trackback Denial-of-Service attack that is currently being seen.
  • Removal of areas within the code where php code in variables was evaluated.
  • Switched the file upload functionality to be whitelisted for all users including Admins.
  • Retiring of the two importers of Tag data from old plugins.

We can expect to see 2.9, the next major level release, around the end of the month, certainly before mid-November.  That release will supposedly center on enhancements to image handling features.

(For those casual readers, I should probably explain that I develop sites daily with WordPress, and have for many years…hence I think my opinion on matters WordPress should have some level of importance to you…)

WordPress 2.8.4 – Update Now

The folks at Automattic released a security update for WordPress today due to a very specific bug:

…a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner.

While this isn’t an incredibly nasty bug, it does affect the admin user, which many folks use as their only point of access to the system, which is poor practice.  On my customer sites, the admin user is never actually used by anyone (except for me, and only in an emergency).  Everyone gets a user-specific account and that account has the right privileges for that user.

Click the upgrade button now, or have your web guy/gal/poodle take care of it for you.

WordPress Revision History to the Rescue

(Uh, Jeff, Kelly, move on, nothing to read here.  Nothing of interest to you at all…really…)

I had one of those moments today.  Mistakes were made.  Bad mistakes.  The “oh crap, I’m editing on the production site, not the qa or dev server” type of mistakes that immediately have you picturing your career dissipation light suddenly burning bright.

So I noticed after working on this highly important site that I’d accidentally overwritten something on the live site.  Yech.

Luckily, as of version 2.6, WordPress now has Revision History.  I’ve only used the feature a few times before, and then, only when I’d gotten to an unrecoverable point on a qa server.  So in I went, and there it was…the content I’d overwritten, waiting for me, like a girlfriend I’d done wrong…

Saved.  Career dissipation light dims to nothing.

Thank you WordPress…without that my next stop was going to be the Internet Archive…

WordPress 2.6.3 Released, and Issues with Auto Upgrade

The folks at Automattic today released WordPress 2.6.3 which is a minor security patch to the Snoopy script they use for displaying RSS feeds in the admin area.  Not an utterly crucial upgrade, but one you might want to take just to be sure you’re secure.  The upgrade took me 5 minutes using the auto upgrade plugin.

One issue that I noticed while using the auto upgrade plugin, which was also upgraded, was that the script failed repeatedly on the database backup step.  I was forced to skip that step (I used the database backup plugin to grab one).  If you find you have the same issue, you may want to skip that step as well.  Just be sure to get a db backup (and you should be getting those weekly!).

Now’s probably a good time to mention that we’ve got another major WordPress Upgrade on the way, 2.7, which should be here in November.  Again, there will be major changes in the Admin area as they clean it up even more and make it more useful for us.  For an overview of the new Admin UI, have a look here.

So what’s the 2.7 upgrade mean to you?  Basically it’s going to provide a more logically oriented admin area, and one which we’ll be better able to build upon into the future.  As I’ve said before, WordPress is no longer just blog software, it has become a full-fledged open source content management package, and this is yet another move in that direction.

On another front, Automattic will also be releasing the 1.0 level version of BBPress, their forum package which provides tight integration with WordPress. I’m particularly interested in this package, as I work with BBPress on almost a daily basis, but honestly, the feature list doesn’t even approach that of vBulletin or even Simple Machines.  Still, I’m hopeful for a vast improvement over the 0.9 code stream.

WordPress 2.6 – It’s a CMS, Baby!

I remember when I first set up WordPress back in 2003, the old 1.x days, my comment was that “It’s just like a CMS (content management system) with most of the functionality removed.” Well, with the release of WordPress 2.6, I can finally eat my words. It’s now simply a content management system, and a darned good one at that.

That’s right, content management system. To call it a blogging platform is to sell it short. It’s now all the features I expect to see in a simple content management system, and two that we do not expect to see: it is both easy to use and easy to maintain.

Is it Enterprise level software? No, probably not, although it is certainly scalable and customizable. But that doesn’t mean it’s not in use at corporations around the globe. I know of many that now, rather than calling their Interwoven contractor, will fire up a new WP install for certain needs.

So here is a run down of the new features that make the difference for me:

  • Revision History: this was never a big deal to bloggers, as we generally are lone gunmen. However when you enter a multiple user environment, you need a fast and easy way to see who did what and when, plus the ability to revert to a previous version. This is a staple of the *big bad print cms editorial system* and has been a glaring hole in the WP system by my estimation.
  • Image Editing: The previous version hinted at the auto resize capability of the system by offering thumb, medium or large image sizes for anything you uploaded. Now I can select the exact width I want for the image, assign any of the data I want, link it as I wish, all within a neat little flash app.
  • Image Resize: Now I can resize to any size I want (just upload the image, click “insert to post” then you can reopen the image by hovering over it in the editor, clicking the edit image that will appear on the image, and you’ll see you have complete resize options).
  • Add Style Code to Image: Also, now I can edit style code directly into the image editor. This is the main reason that you always see my images aligned on this blog to the right, I never took the time to add a padding-right: 3px; to the style sheet, so I didn’t like the way it looked. These styles can now be added directly in the editor.

  • Image Caption: Then there’s the image caption feature – again, I can just write in a caption and I’ve got an image caption. One of the little things, but it’s been missing from this (and many other cms systems) for a long time.
  • More Edit Info In Editor: I can now at a glance see the last save time, last edited by and word count info. Also, I have direct link access to see comments, manage comments, manage all posts, manage categories, manage tags, and view drafts. Basically the stuff I need if I’m a production editor working on numerous posts, is right there, so I don’t have to go looking.
  • Better Plugin Management: I love that they have separated my active plugins from my inactive plugins. Of course, it just highlights to me that if I am not using a plugin it should be removed.
  • Gears Integration: Typically when we start to add so much functionality via a browser, performance starts to drop. I haven’t seen any issues, but WordPress has added Gears support to handle this. Just click the “turbo” button in the far upper right hand corner.

The single biggest feature though, is one that will come in handy for the lone gunman blogger: they will now be able to do an automatic (single click) update for WordPress when a new version comes out. That’s a huge feature, and will help the less technical stay up to date and secure.

So far, the only issue I’ve seen is that my Tag Suggest Plugin appears to have stopped working. A very small price to pay. I was able to update the site in about 10 minutes, most of which was spent downloading and uploading files. For the first time I did an autoupdate on the recently updated plugins, which was sweet.

Congratulations to the Automattic team and happy Blogging Content Managing to all!

(An afterthought a day later: I should probably mention that I’ve got 10 high volume multiuser sites running on WP, where we use it as a CMS, some getting over 10 million visits a month. This update brought in the final bits the system needed in my estimation...)

Techcrunch Says WordPress a Massive Security Risk

(The link to the article is lower in this post, to ensure the proper text appears in the Techcrunch trackback…)

Techcrunch yesterday featured an article by Nik Cubrilovic with the salacious title “WordPress Security Issues Lead To Mass Hacking. Is Your Blog Next?”  – from that article:

Due to its popularity as a blogging platform, WordPress has become a prime target for hackers looking to take over blogs for search-engine optimization (SEO) of other sites they control, traffic-redirection and other purposes. Recently there have been a spate of automated attacks which take advantage of recently discovered security vulnerabilities in WordPress.

To date, WordPress has been keeping up with the security holes by releasing updates within a few days of new exploits being found, but in the past few days new exploits have appeared that nobody seems to have answers for.

Okay, that kind of talk gets my interest.  Funny thing, when I was talking with the Automattic guys (who develop WordPress) yesterday, no mention was made of any new security vulnerabilities.  So I had a look at the stuff he cites as “the past couple days” and the issues are all over a year old, and affect out-of-date versions of the software, and are remedied in current releases.

So we have a situation in which one of two things is happening:

  • This is a “hit job” on Automattic by Techcrunch for reason or reasons unknown – if so, shame on you…
  • Or…there are vulnerabilities which Techcrunch did not identify so as to allow WordPress to come up with a fix.  If this is the case, I applaud their handling of the issue.

Either way, Techcrunch in general, and Nik Cubrilovic in particular, need to clarify the existence of new security holes, and they need to do it fast.