Ryan Boren has announced that the mandatory WordPress 2.6.2 upgrade has been released, and WordPress users are required to download WordPress 2.6.2 and upgrade immediately.
This mandatory security upgrade adds protection against SQL column truncation, along with other security and bug fixes. There is a full changeset and a list of changed files to help you find the differences, and a specific changeset for downloading will be available soon.
The vulnerability class affects PHP applications in general, not just WordPress; in WordPress it specifically concerns blogs with open user registration. Boren says the attack is difficult to accomplish, but WordPress would rather be safe than sorry should it be exploited in the future. If you allow open registration on your WordPress blog, upgrade immediately and follow the instructions in the announcement.
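To make the "SQL column truncation" label concrete, here is an added example that is not code from the post or from WordPress. It emulates in pure Python the database behaviour that makes this class of bug possible (the names `store_as_varchar`, `same_key`, `UserTable` and the column width `USER_LOGIN_MAX = 60` are assumptions for the illustration): a non-strict MySQL server silently cuts a value that is longer than its VARCHAR column, and string comparison under a PAD SPACE collation ignores trailing spaces. A registration routine that checks uniqueness on the raw input and then stores the truncated value is checking one string and storing another; the hardened version refuses anything that cannot be stored unchanged, so the checked value and the stored value are always identical.

```python
"""Added example (not from the post or from WordPress): why a SQL column
truncation bug lets a uniqueness check and the stored row disagree, and how
to close the gap. MySQL behaviour is emulated in Python so this runs offline.
`store_as_varchar`, `same_key`, `UserTable` and USER_LOGIN_MAX are
hypothetical names chosen for this illustration.
"""
from dataclasses import dataclass, field

USER_LOGIN_MAX = 60  # assumed column width, e.g. VARCHAR(60)


def store_as_varchar(value: str, width: int) -> str:
    """Emulate a non-strict MySQL insert into VARCHAR(width): silent truncation."""
    return value[:width]


def same_key(a: str, b: str) -> bool:
    """Emulate equality under a PAD SPACE collation: trailing spaces are ignored."""
    return a.rstrip(" ") == b.rstrip(" ")


@dataclass
class UserTable:
    """Minimal stand-in for a users table: rows of (user_login, user_email)."""
    rows: list = field(default_factory=list)

    def exists(self, login: str) -> bool:
        return any(same_key(login, stored) for stored, _ in self.rows)

    def insert(self, login: str, email: str) -> None:
        self.rows.append((store_as_varchar(login, USER_LOGIN_MAX), email))

    def lookup(self, login: str) -> list:
        """Emails of every row whose stored login compares equal to `login`."""
        return [email for stored, email in self.rows if same_key(login, stored)]


def register_vulnerable(table: UserTable, login: str, email: str) -> bool:
    # Uniqueness is checked on the raw input, but the row stores the
    # truncated value: if the input exceeds the column width, the value
    # that was checked is not the value that ends up in the table.
    if table.exists(login):
        return False
    table.insert(login, email)
    return True


def register_hardened(table: UserTable, login: str, email: str) -> bool:
    # Reject anything the column cannot hold unchanged (too long, or padded
    # with whitespace), so the checked value is exactly the stored value.
    if len(login) > USER_LOGIN_MAX or login != login.strip():
        return False
    if table.exists(login):
        return False
    table.insert(login, email)
    return True


def demo(register) -> list:
    """Run one registration flow and report which emails now map to 'admin'."""
    table = UserTable()
    register(table, "admin", "owner@example.com")
    # Constructed input: an existing login padded past the column width.
    padded = "admin" + " " * (USER_LOGIN_MAX - len("admin")) + "x"
    register(table, padded, "second@example.com")
    return table.lookup("admin")


if __name__ == "__main__":
    print("vulnerable:", demo(register_vulnerable))  # two emails for one login
    print("hardened:  ", demo(register_hardened))    # only the original owner
```

The defensive lesson is independent of WordPress: validate length (and strip or reject padding) in the application before the uniqueness query, and run the database in strict SQL mode so an over-long value raises an error instead of being silently cut.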
WordPress 2.7 is due later this fall. If you are interested in following the development of WordPress and WordPress related applications, here is a list:
- WordPress Development Updates Blog
- WPDevel Twitter
- WordPress Development Trac Timeline
- WordPress iPhone App Trac Timeline
- WordPress Roadmap
- Blog Herald WordPress Wednesday News
Copyright Lorelle VanFossen, the author of Blogging Tips, What Bloggers Won't Tell You About Blogging.
27 Comments
Can you use the expression “strongly recommended” or “strongly encouraged” in place of “mandatory”? I seem to find that use of m-word implies some sense of attempting to rule the world…
Thanks – that list of changed files is most helpful. A while ago someone used to publish one every time which made updating a lot easier. I wish that they still did.
I agree with John. When I read your first paragraph my reaction was, WHAT?? Ryan Boren only said “you should definitely upgrade” in the linked post; he didn’t use the terms “mandatory” and “required.” Using an expression from my neck of the woods: Get off your high horse.
Everybody should upgrade so that we can all use the login_redirect filter! I’m excited. OK, so it only applies to people who want to redirect users after login, but still…
Yes, and once again what I’ve been saying for a long time proves true: Every “upgrade” to wordpress comes complete with its own new set of security holes. I’d never recommend WordPress to a new user for this reason alone.
Phew! I just did the upgrade before I was hauled off to prison! 😉
I’ve never done it this way before, but the only files I uploaded were the ones on the list of changed files you linked to, Lorelle. Then I directed my browser to the wp-admin/upgrade.php file and everything seemed to be fine. Will it be fine? As I said, I’ve never done it this way before.
Pagani: I take it you didn’t read the link? Or do you just like making stuff up? This security flaw affects phpBB and hundreds of other software packages. It was a fundamental flaw found in the way PHP seeds its random number generator.
I also think you’ll find that WordPress has no more security issues than any other often-updated piece of software. With WordPress though, the issue is actually fixed (the random number flaw was discovered very recently) rather than ignoring it or patching it 6 months later like other packages (I won’t name names).
But anyway, you are more than welcome to go use something else or even code your own. I think you’ll find though you were much better off with WordPress. 😉
upgraded already 🙂
with Dreamhost, wordpress upgrades are soooooooooo easy 🙂 and fast too
Haven’t missed an upgrade yet. Simple and effective.
Upgraded and my blog didn’t break! Phew!! *takes a sigh of relief*
daily blog ranking report
Mandatory… that’s just going to encourage people not to!
I am finding it impossible to upgrade from 2.5 to 2.6. My hosting is on Go Daddy – all the sites on Network Solutions upgraded without a problem. But when I upgrade to 2.6 on the Go Daddy hosting account everything seems to go well until I have to log back in after the installation. The old password does not work and I request a new password. That doesn’t work either – so I have had to go back to 2.5 just to get the site to display. Any ideas? Thanks, Chief
Are there any issues with the automatic upgrade plugin?
I get to wait on Fantastico. I could do it manually, but when I do it blows up the next upgrade via Fantastico, so I wait. I turned off new user registration until then.
@ chris:
There are some issues, but the issues are usually found on sites that have been tweaked and experimented with – not “normal” or sites with old versions of server software and such. But for the most part, many are using it successfully. You’ll have to check the Plugin author’s site for more specific information.
Uh… I just upgraded to 2.6.2 and now I can’t find things in my WYSIWYG editor like adding a URL etc… did someone screw around with that?? ARGH. Back to hard-coding links…
@ jboettcher:
Have you checked in the WordPress Support Forum for help? Did you DELETE the old files before uploading the new ones? Did you check to see if somehow your Profile settings were changed to the non-visual editor setting, and change it back?
I haven’t heard anything like that.
I have the same problem as Chief. I upgraded from 2.5, couldn’t log in, didn’t receive a new username/password info and the “forgot password?” page kept saying my email address wasn’t on record.
Any suggestions on what went wrong and how to fix it much appreciated!
Mandatory? Ha..
Mandatory? With what consequences? For such an excellent writer you seem to have seriously missed the language boat today, Lorelle!
@ Jay Parkhill:
The suggestions I offered Chief are the ones I recommend. I also recommend checking the WordPress Support Forum as that is where trained and experienced volunteers and staff are answering these kinds of questions. 😀
And WordPress MU? I guess that’s vulnerable, too.
Has anyone here ever had their blog hacked or something because of security vulnerabilities?
@ sean:
Um, yes. In fact, there was a “pirate” who publicly displayed a huge list of blogs that hadn’t upgraded and announced that he was going to go down the list and hack each of them. He actually succeeded for some on the list. He considered them “warned” and then he attacked.
It isn’t common, but it does happen, which is why it is so important to upgrade when there are security issues at stake. This particular issue might only involve open registration blogs, but that is a lot of WordPress blogs (open registration for comments, multiple bloggers and contributors), and since this is a PHP issue, who knows what PHP you may have added to your WordPress blog by tweaking it that might make it vulnerable. Better safe than sorry.
Here is more info:
WordPress Security Prevention, Reactions, and Scares
WordPress Blogs and More Hacked by Google Redirects
Are You Risking Your Blog With an Unofficial or Vulnerable WordPress Theme
Protecting Your WordPress Blog
Good Reasons to Upgrade WordPress
Hi Lorelle,
I have just upgraded my WordPress blog from 2.6.1 to 2.6.2 (manually). Everything went without a hitch, however all of my posts have the title of the post showing, but no actual post.
I backed up my blog before the upgrade. Is this a database problem?
Can you steer me in the right direction to fix this?
Thanks,
MG
@ MG Page:
Check the WordPress Support Forum. So far, I’ve had none of the problems a few sites are reporting. It could be a problem with your WordPress Theme or how you upgraded. The Forum is the best place for help.
4 Trackbacks/Pingbacks
[…] WordPress 2.6.2 Mandatory Upgrade […]
[…] WordPress 2.6.2 Mandatory Upgrade Ryan Boren has announced the mandatory WordPress 2.6.2 upgrade has been released and WordPress users are required to […] […]
[…] For those who did not update their blog yet please go to WordPress download section as Lorelle wrote that this download or upgrade of WordPress 2.6.2 was a mandatory update. […]
[…] Do I thank the crew at WordPress or do I tell them to piss off? Lorelle VanFossen: WordPress 2.6.2 Mandatory Upgrade […]