
Update WordPress Now: WordPress 3.0.4

The last month has seen two mandatory WordPress security releases, and today WordPress 3.0.4 brings a third.

To update, log in as the Administrator and click the update notification for one-click updates to your WordPress blog. blogs are automatically updated.

WordPress update notification

In writing up “Mandatory Security Update: WordPress 3.0.4 Released for ,” I stumbled upon a notification to all DreamHost customers alerting them to a WordPress hack:

A noticeable amount of customers who have not yet upgraded their copies of WordPress to the most recent version (3.0.4) have been reporting issues with logging into their dashboard. Upon further review, most of these customers have had code inserted into a large number of WordPress files.

They recommend that all customers upgrade to WordPress 3.0.4, then give instructions for removing the eval(base64_decode()) injection from infected files. That cleanup has little to do with the current WordPress update and a lot to do with an older infection that has been making the rounds of WordPress, Drupal, Joomla, and other publishing platforms for over a year: the injected code is typically the same long, obfuscated line prepended to many PHP files at once, which is why the hosts are seeing “a large number of WordPress files” touched.
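The following is an added example, not DreamHost's or WordPress.org's cleanup procedure: a small scanner that walks a WordPress tree, finds the eval(base64_decode("...")) statement described above (including the gzinflate() variant), and decodes each payload so you can see what was planted before you replace the files. The sample files it scans are constructed here for illustration and are not real malware; the directory layout and file names are assumptions.

```python
"""Added example: locate and decode eval(base64_decode(...)) injections in PHP files."""
import base64
import os
import re
import tempfile
import zlib
from dataclasses import dataclass

# The injection family this post refers to: an eval() around a base64 blob,
# sometimes with an extra gzinflate() layer. Plain base64_decode() calls
# without eval() are deliberately NOT matched (they are common and benign).
INJECTION_RE = re.compile(
    r"""eval\s*\(\s*
        (?:(?P<gz>gzinflate)\s*\(\s*)?
        base64_decode\s*\(\s*
        ['"](?P<blob>[A-Za-z0-9+/=\s]+)['"]
        \s*\)""",
    re.VERBOSE | re.IGNORECASE,
)


@dataclass
class Finding:
    path: str
    line: int
    decoded: str  # first 120 chars of the decoded payload, for triage


def decode_payload(blob: str, gzipped: bool) -> str:
    raw = base64.b64decode(re.sub(r"\s", "", blob))
    if gzipped:
        raw = zlib.decompress(raw, -15)  # PHP gzinflate() = raw DEFLATE, no zlib header
    return raw.decode("utf-8", errors="replace")


def scan_php_source(path: str, text: str) -> list[Finding]:
    findings = []
    for m in INJECTION_RE.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        try:
            decoded = decode_payload(m.group("blob"), m.group("gz") is not None)
        except (ValueError, zlib.error) as exc:
            decoded = f"<undecodable: {exc}>"
        findings.append(Finding(path, line, decoded[:120]))
    return findings


def scan_tree(root: str) -> list[Finding]:
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_php_source(full, fh.read()))
    return sorted(findings, key=lambda f: (f.path, f.line))


# --- constructed sample files (assumed layout, not real malware) -----------
def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


def _gzdeflate_b64(s: str) -> str:
    c = zlib.compressobj(9, zlib.DEFLATED, -15)  # mirrors PHP gzdeflate()
    return base64.b64encode(c.compress(s.encode()) + c.flush()).decode()


SAMPLE_PAYLOAD = 'echo "injected content";'
SAMPLE_INFECTED = f'<?php eval(base64_decode("{_b64(SAMPLE_PAYLOAD)}")); ?>\n<?php\n// wp-settings.php\n'
SAMPLE_INFECTED_GZ = f'<?php\n// footer.php\neval(gzinflate(base64_decode("{_gzdeflate_b64(SAMPLE_PAYLOAD)}")));\n'
SAMPLE_CLEAN = '<?php\n$token = base64_decode("aGVsbG8=");  // decode without eval: benign\n'


def run_demo() -> list[Finding]:
    """Write the constructed samples into a temporary tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content", "themes", "x"))
        for rel, body in [
            ("wp-settings.php", SAMPLE_INFECTED),
            (os.path.join("wp-content", "themes", "x", "footer.php"), SAMPLE_INFECTED_GZ),
            (os.path.join("wp-content", "clean.php"), SAMPLE_CLEAN),
        ]:
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        findings = scan_tree(root)
    # Report paths relative to the scanned root so results are stable.
    return [Finding(os.path.relpath(f.path, root), f.line, f.decoded) for f in findings]


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.path}:{f.line}: {f.decoded}")
```

Point `scan_tree()` at a real install's document root to triage it. Treat every hit as a reason to replace the whole tree from a fresh WordPress download (keeping only wp-config.php and wp-content uploads after checking them), not as a line to delete: the same campaign that prepends this statement usually also leaves a dropper or an extra admin user behind, so the decoded payload tells you what to look for next rather than ending the job.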

I’d like to clear a little of the confusion up.

  1. To protect your WordPress blog, update immediately for every mandatory security update. These releases usually do not affect WordPress Plugins or Themes, and they change little in the core beyond closing the security issue at hand.
  2. WordPress 3.0.4 fixes a cross-site scripting (XSS) vulnerability in kses.php, the HTML filter that sanitizes post and comment content submitted by users who are not trusted with raw HTML. A hole in that filter lets someone who can only submit content slip script into a page that later runs in another visitor's or an administrator's browser. Upgrading immediately closes the hole, so attackers have to find a new way in. If you apply every mandatory update as soon as it appears, your site is rarely exposed long enough to be hacked, because these fixes typically ship before the hole is widely exploited.
  3. The worm behind the base64 infections exploited a hole that was closed in WordPress 2.8.4, so a blog still running an older version remains exposed to it. If you haven't updated, do so now. I reported on this worm in fall 2009 with extensive details on prevention and protection, as well as what to do if you've been infected.
  4. Please check your site carefully to see if you have been infected by the base64 worm or other hacks. Resources to test your site's security include:
  5. Security risks also come from WordPress Plugins and Themes, so check these thoroughly and only download them from official and well-known sites.
  6. WordPress is not broken, nor is it a security risk: when these alerts and mandatory security releases are announced, a lot of naysayers claim WordPress is broken, out of date, or insecure. Don't be one of them. These releases and announcements are for your own good. They often come out within hours of a vulnerability being discovered, which gets your WordPress site patched faster than most publishing platforms manage. WordPress is only as strong as you make it, so make it so.
  7. The article on the WordPress 3.0.4 Security Release on WordCast offers more tips and information.

    Please, update your WordPress blog immediately.
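As an added example of what the kses.php filter mentioned in point 2 is there to do, here is a minimal allowlist HTML sanitizer of the same kind, written for this page rather than taken from WordPress. It is not KSES code and is far simpler (it does not balance tags or handle CSS, for instance); it shows the rule that matters: tags, attributes and URL schemes not explicitly permitted are dropped, never repaired, and URL attributes are checked after the control-character and entity tricks a browser would tolerate have been normalized away. The tag and attribute allowlist and the test fragments are constructed for the example.

```python
"""Added example: an allowlist HTML filter in the spirit of KSES (not the WordPress code)."""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist: tag -> permitted attributes. Anything else is dropped.
ALLOWED_TAGS = {
    "a": {"href", "title"}, "blockquote": {"cite"}, "p": set(), "br": set(),
    "b": set(), "i": set(), "em": set(), "strong": set(), "code": set(),
}
VOID_TAGS = {"br"}
URL_ATTRS = {"href", "cite"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" = relative URL
RAW_TEXT_TAGS = {"script", "style"}  # drop these together with their content


def safe_url(value: str):
    """Return the URL if its scheme is allowed, else None.
    Browsers strip ASCII control characters and whitespace before resolving
    the scheme, so "java\\tscript:" is still javascript:; normalize the same way."""
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", value)
    try:
        scheme = urlsplit(cleaned).scheme.lower()
    except ValueError:
        return None
    return cleaned if scheme in SAFE_SCHEMES else None


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        # convert_charrefs=True means attribute values and text arrive
        # decoded, so &#106;avascript: is seen as javascript: here.
        super().__init__(convert_charrefs=True)
        self.parts = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop it, keep its text content
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # on*= handlers, style=, etc. are never allowlisted
            if name in URL_ATTRS:
                value = safe_url(value)
                if value is None:
                    continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        closer = " /" if tag in VOID_TAGS else ""
        self.parts.append(f"<{tag}{''.join(kept)}{closer}>")

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.parts.append(escape(data, quote=False))  # re-encode text as text

    def handle_comment(self, data):
        pass  # comments carry nothing a reader needs and can hide markup


def sanitize(fragment: str) -> str:
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.parts)


if __name__ == "__main__":
    for sample in (
        '<p onclick="alert(1)">Hi <a href="javascript:alert(1)">x</a></p>',
        '<a href=" java\tscript:alert(1)">x</a>',
        '<script>alert(1)</script><b>ok</b>',
        '<a href="https://example.com/?a=1&amp;b=2" title="t">link</a>',
    ):
        print(repr(sample), "->", repr(sanitize(sample)))
```

The reason point 2 matters follows directly from this design: a filter like this sits between a contributor's or commenter's input and every reader's browser, so a single parsing slip in it turns low-privilege content submission into script execution on the site. That is why a kses.php fix is worth applying the day it ships, even when nothing else in the release interests you.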



    Copyright Lorelle VanFossen.

28 Comments

  1. Posted December 29, 2010 at 10:00 pm | Permalink

    Looks like that 2.9.x installs do not get hacked.

    • Posted December 30, 2010 at 11:06 am | Permalink

      @hakre: All WordPress versions prior to WordPress 3.0.4 have vulnerabilities, which is why it is important to update immediately when a security release is announced. Specific versions are not exempt. There were several security releases during the 2.9 trunk.

  2. Posted December 30, 2010 at 12:05 am | Permalink

    The automatic update failed, so I had to manually update WordPress to the latest version. Now I have to check whether I'm infected or not.
    Thanks a lot for sharing plugins to check whether you are infected or not.

    • Posted December 30, 2010 at 11:05 am | Permalink

      If automatic update failed, it could be that your server either isn’t updated with current versions of PHP and MySQL, or your installation was old, or that there is something else that could be going on. Good for you to check on this thoroughly.

  3. Posted December 30, 2010 at 6:11 am | Permalink

    The automatic update is okay.
    I can't install the BulletProof Security WordPress Plugin; it gives an error.
    The AntiVirus WordPress Plugin I use is okay.

  4. Posted December 30, 2010 at 11:33 am | Permalink

    @Lorelle: Yeah, I checked it. As 3.1 is not out yet, shouldn't there be some security release for 2.9? I'll file a patch in trac: http://core.trac.wordpress.org/ticket/16042 – No idea about the other security issues so far; I think they have not yet been backported.

    • Posted December 30, 2010 at 11:43 pm | Permalink

      @hakre: I checked and WordPress is currently only supporting one branch back, which is 2.9, but when 3.1 is out, that support will move to 3.0.

  5. Posted December 31, 2010 at 9:15 am | Permalink

    Lorelle
    Thanks for the warning – you were pretty quick to notify us on this one.

    Good to see that you have your finger on the pulse.

    Any suggestions on a good post or video for doing a manual update?
    I find the WordPress site a little difficult to follow.

    Have a great 2011.

    • Posted December 31, 2010 at 10:43 am | Permalink

      There are a variety of videos and guides but for those manually updating, the Updating WordPress article on the Codex is still your best bet. Just print it out and follow it step-by-step and within minutes, it’s done. However, I recommend that you use the auto update feature. It’s fast and easy. If it isn’t working, consider contacting your host and asking in the WordPress Support Forum to figure out why and fix it. Thanks.

  6. Posted December 31, 2010 at 10:44 am | Permalink

    @Jason: If you are doing a full upgrade to a major version, then yes, that’s an optional route. For a security update where no feature changes are included, it is usually unnecessary to take all those extra steps and they are handled by the auto update.

  7. Posted December 31, 2010 at 10:45 am | Permalink

    Many thanks Lorelle

    Will give it a go.

    Have a great 2011

  8. Obituaries
    Posted December 31, 2010 at 6:05 pm | Permalink

    I’m afraid to upgrade! I upgraded to 3.0.2 after I got the message in the dashboard. That’s when my admin area slowed down, giving a fatal error timeout after 30 seconds. Then I upgraded to 3.0.3 after I got the message in the dashboard. That’s when my admin area slowed down even more. Could I have a security breach?
    Thank you.

    • Posted January 3, 2011 at 10:07 am | Permalink

      Were you updating through the automatic upgrade feature or manually? You need to be more specific when asking such questions. Are you using a cache Plugin? Did you clear it? There are so many questions needing answers before you can get more help or tell if your site has been hacked.

  9. Posted January 4, 2011 at 7:48 am | Permalink

    Hello Lorelle, I did the automatic upgrade through fantastico in cpanel.

    • Posted January 4, 2011 at 10:31 am | Permalink

      That means you were using a server provided tool. Contact them for assistance as they may have problems on their end, or at least, can help you through the process.

  10. Lea
    Posted January 5, 2011 at 7:10 am | Permalink

    You know, I just used a clean WordPress 3.0.4 installation for my new website. After several days, I’m noticing something weird. My published post date can change by itself. For example, an old post published on Jan 3rd 2011 can suddenly become the latest published post. Is this something new in WordPress 3.0.4? How do I stop this?

    • Posted January 5, 2011 at 12:30 pm | Permalink

      Please report this in the WordPress Support Forums or the bug tracker. It may have nothing to do with WordPress or your upgrade but with a Plugin you are using. Either way, they can help you there.

  11. Posted January 5, 2011 at 4:47 pm | Permalink

    @Lorelle, after checking plugin, you are right. I found out that one of my plugins offer “promote old post” option. I think this is the reason my old posts date changes automatically. Thanks again.

    • Posted January 5, 2011 at 5:33 pm | Permalink

      You are welcome. Good luck and glad you upgraded. There is some nasty stuff going around which is impacting older versions.

  12. Steve Doh
    Posted January 15, 2011 at 9:57 am | Permalink

    Thanks for the update for me too. I hope it isn't buggy like 3.0.2 ^^

  13. Posted January 15, 2011 at 10:20 am | Permalink

    I upgraded from 3.0.3 to 3.0.4 using the automatic upgrade and it went like a dream.
    Just love WordPress.

  14. Posted January 28, 2011 at 4:45 pm | Permalink

    Lorelle – which is the best plugin to test for site infection?
    You list 11.

    I’m looking for something that won’t use too much bandwidth.

    • Posted January 28, 2011 at 6:01 pm | Permalink

      If you upgrade the moment an upgrade notification comes out, then you are usually safe and need little else. If you need to check to see if your Theme or site has an infection, use the run once tools, which do not keep active after running. For blocking, there are so many options…who knows which have any impact on server or bandwidth. You’ll have to check them out individually. See for more info, too.

  15. MTW
    Posted January 31, 2011 at 5:25 pm | Permalink

    Hi, I have recently upgraded my WordPress version to 3.0.4, but I found that comments on my site disappeared. I could view all comments on the dashboard, but none show on the website. Do you know what the problem may be? My hosting company also looked into the problem, but they are helpless.

  16. gersing
    Posted February 6, 2011 at 3:41 pm | Permalink

    I have a lot of problems with the new WordPress, especially with space: it requires at least 32 MB for the minimum set of plugins.

    • Posted February 6, 2011 at 10:19 pm | Permalink

      I don’t understand. The zip file is 3 Megs. That’s microscopic for today’s publishing platforms. The WordPress Plugins you choose are optional, and they vary from a couple kilobytes to megabytes, depending upon what you choose. Godaddy, one of the cheapest web hosts, offers 1 gig disk space for $5 a month. For under $10, you can get 10 gigs. 32 megabytes is tiny comparatively. So I’m not sure I understand your issue or complaint.

  17. Jocuri
    Posted February 14, 2011 at 2:07 pm | Permalink

    meanwhile there is 3.0.5…

  18. teguh
    Posted March 19, 2011 at 7:44 am | Permalink

    I’ve upgraded my wp on several other blogs. Good info. Thank you.


Trackbacks/Pingbacks

  1. [...] Lorelle: Update WordPress Now: WordPress 3.0.4 [...]

  2. [...] Update WordPress Now: WordPress 3.0.4 [...]

  3. [...] has already been used, has been seen en masse by some hosts and at least closely mirrors hacks that affected earlier versions of WordPress or may simply be a case of sites not updating WordPress since [...]

  5. [...] Go here to read the rest: Update WordPress Now: WordPress 3.0.4 « Lorelle on WordPress [...]

  6. [...] Update WordPress Now: WordPress 3.0.4 [...]

  7. [...] since found a little more information here and here.  The second link has more  links at the bottom of it for further [...]

  8. [...] I tried to update my WordPress CMS software to the latest version 3.0.4 as Lorelle had stated that it has crucial security updates. When I first started blogging, I used [...]

  9. [...] find anything. I thought it was because I upgraded WordPress to 3.0.4. Finally I come a across one comment that sheds light on it all. The answer is right below the first [...]
