
WordPress 2.6.2 Mandatory Upgrade

Ryan Boren has announced that the mandatory WordPress 2.6.2 upgrade has been released, and WordPress users are required to download WordPress 2.6.2 and upgrade immediately.

This mandatory security upgrade adds protection against a SQL column truncation attack, along with other security and bug fixes. A full changeset and a list of changed files are available to help you find the differences, and a specific changeset for downloading will be available soon.

The underlying vulnerability affects PHP applications in general, not just WordPress; on WordPress it is exposed through blogs that allow open registration. Boren says the attack is difficult to carry out, but WordPress would rather be safe than sorry should it be exploited in the future. If you allow open registration on your WordPress blog, upgrade immediately and follow the instructions in the announcement.
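To show why open registration is the exposure, here is an added example (not WordPress code and not the 2.6.2 fix itself) that emulates what a MySQL VARCHAR column does in non-strict SQL mode: an over-long value is silently truncated to the column width, and trailing spaces are ignored on comparison. A registration routine that checks for an existing login on the submitted value, then inserts it, can end up with two rows that both match "admin"; the hardened variant rejects anything the column could not store verbatim. The column width and the SQLite-backed emulation are constructed for the demo.

```python
import sqlite3

COL_WIDTH = 60  # constructed: width of the emulated user_login VARCHAR column


def mysql_like_store(value: str, width: int) -> str:
    """Emulate a non-strict MySQL VARCHAR: too-long input is truncated, not rejected.
    (With sql_mode STRICT_TRANS_TABLES the INSERT would fail instead.)"""
    return value[:width]


def mysql_like_key(value: str) -> str:
    """Emulate a PAD SPACE collation: trailing spaces do not take part in comparison."""
    return value.rstrip(" ")


def new_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, login_key TEXT)")
    return db


def count_logins(db: sqlite3.Connection, login: str) -> int:
    """How many stored rows compare equal to this login under the emulated collation."""
    row = db.execute("SELECT COUNT(*) FROM users WHERE login_key = ?", (mysql_like_key(login),)).fetchone()
    return row[0]


def register_unchecked(db: sqlite3.Connection, login: str) -> bool:
    """Vulnerable pattern: uniqueness is tested on the submitted string, but the
    stored string is the truncated one, so the check and the row disagree."""
    if count_logins(db, login):
        return False
    stored = mysql_like_store(login, COL_WIDTH)
    db.execute("INSERT INTO users (login, login_key) VALUES (?, ?)", (stored, mysql_like_key(stored)))
    return True


def register_checked(db: sqlite3.Connection, login: str) -> bool:
    """Hardened: refuse input the column cannot hold exactly, before touching the database."""
    if login != login.strip() or len(login) > COL_WIDTH:
        return False
    return register_unchecked(db, login)


def demo() -> tuple:
    """Returns (rows matching 'admin' after the unchecked path, padded input rejected by the checked path)."""
    padded = "admin" + " " * (COL_WIDTH - len("admin")) + "x"  # constructed over-long login
    db = new_db()
    register_unchecked(db, "admin")
    register_unchecked(db, padded)          # accepted: the check saw the full string
    duplicates = count_logins(db, "admin")  # 2: the stored row collapsed onto "admin"
    db2 = new_db()
    register_checked(db2, "admin")
    rejected = not register_checked(db2, padded)
    return duplicates, rejected
```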

WordPress 2.7 is due later this fall. If you are interested in following the development of WordPress and WordPress-related applications, here is a list:


Copyright Lorelle VanFossen, the author of Blogging Tips, What Bloggers Won't Tell You About Blogging.


  1. Posted September 9, 2008 at 11:59 am | Permalink

    Can you use the expression “strongly recommended” or “strongly encouraged” in place of “mandatory”? I seem to find that use of m-word implies some sense of attempting to rule the world…

  2. Posted September 9, 2008 at 12:12 pm | Permalink

    Thanks – that list of changed files is most helpful. A while ago someone used to publish one every time which made updating a lot easier. I wish that they still did.

  3. Posted September 9, 2008 at 5:47 pm | Permalink

    I agree with John. When I read your first paragraph my reaction was, WHAT?? Ryan Boren only said “you should definitely upgrade” in the linked post; he didn’t use the terms “mandatory” and “required.” Using an expression from my neck of the woods: Get off your high horse.

  4. Posted September 9, 2008 at 5:52 pm | Permalink

    Everybody should upgrade so that we can all use the login_redirect filter! I’m excited. OK, so it only applies to people who want to redirect users after login, but still…

  5. Posted September 9, 2008 at 6:23 pm | Permalink

    Yes, and once again what I’ve been saying for a long time proves true: Every “upgrade” to wordpress comes complete with its own new set of security holes. I’d never recommend WordPress to a new user for this reason alone.

  6. Posted September 9, 2008 at 6:51 pm | Permalink

    Phew! I just did the upgrade before I was hauled off to prison! 😉

    I’ve never done it this way before, but the only files I uploaded were the ones on the list of changed files you linked to, Lorelle. Then I directed my browser to the wp-admin/upgrade.php file and everything seemed to be fine. Will it be fine? As I said, I’ve never done it this way before.

  7. Posted September 9, 2008 at 9:39 pm | Permalink

    Pagani: I take it you didn’t read the link? Or do you just like making stuff up? This security flaw affects phpBB and hundreds of other software packages. It was a fundamental flaw found in the way PHP seeds its random number generator.

    I also think you’ll find that WordPress has no more security issues than any other often updated piece of software. With WordPress though, the issue is actually fixed (the random number flaw was discovered very recently) rather than ignoring it or patching it 6 months later like other packages (I won’t name names).

    But anyway, you are more than welcome to go use something else or even code your own. I think you’ll find though you were much better off with WordPress. 😉

  8. Posted September 9, 2008 at 10:14 pm | Permalink

    upgraded already 🙂

    with Dreamhost, wordpress upgrades are soooooooooo easy 🙂 and fast too

  9. Posted September 9, 2008 at 10:23 pm | Permalink

    Haven’t missed an upgrade yet. Simple and effective.

  10. Posted September 9, 2008 at 10:48 pm | Permalink

    Upgraded and my blog didn’t break! Phew!! *takes a sigh of relief*

  11. Posted September 10, 2008 at 1:03 am | Permalink

    daily blog ranking report

  12. Posted September 10, 2008 at 6:18 am | Permalink

    Mandatory… that’s just going to encourage people not to!

  13. Posted September 10, 2008 at 9:45 am | Permalink

    I am finding it impossible to upgrade from 2.5 to 2.6. My hosting is on Go Daddy – all the sites on Network Solutions upgraded without a problem. But when I upgrade to 2.6 on the Go Daddy hosting account everything seems to go well until I have to log back in after the installation. The old password does not work and I request a new password. That doesn’t work either – so I have had to go back to 2.5 just to get the site to display. Any ideas? Thanks, Chief

  14. Posted September 10, 2008 at 3:00 pm | Permalink

    Are there any issues with the automatic upgrade plugin?

  15. Posted September 10, 2008 at 3:45 pm | Permalink

    I get to wait on Fantastico. I could do it manually, but when I do it blows up the next upgrade via Fantastico, so I wait. I turned off new user registration until then.

  16. Posted September 10, 2008 at 5:04 pm | Permalink

    @ chris:

    There are some issues, but the issues are usually found on sites that have been tweaked and experimented with – not “normal” or sites with old versions of server software and such. But for the most part, many are using it successfully. You’ll have to check the Plugin author’s site for more specific information.

  17. jboettcher
    Posted September 10, 2008 at 6:52 pm | Permalink

    Uh… I just upgraded to 2.6.2 and now I can’t find things in my WYSYWIG editor like adding a URL etc… did someone screw around with that?? ARGH. Back to hard-coding links…

  18. Posted September 10, 2008 at 7:07 pm | Permalink

    @ jboettcher:

    Have you checked in the WordPress Support Forum for help? Did you DELETE the old files before uploading the new ones? Did you check to see if somehow your Profile settings were changed to the non-visual editor settings and change it back?

    I haven’t heard anything like that.

  19. Posted September 10, 2008 at 8:59 pm | Permalink

    I have the same problem as Chief. I upgraded from 2.5, couldn’t log in, didn’t receive a new username/password info and the “forgot password?” page kept saying my email address wasn’t on record.

    Any suggestions on what went wrong and how to fix it much appreciated!

  20. Posted September 10, 2008 at 11:28 pm | Permalink

    Mandatory? Ha..

  21. Posted September 10, 2008 at 11:37 pm | Permalink

    Mandatory? With what consequences? For such an excellent writer you seem to have seriously missed the language boat today, Lorelle!

  22. Posted September 11, 2008 at 11:08 am | Permalink

    @ Jay Parkhill:

    The suggestions I offered Chief are the ones I recommend. I also recommend checking the WordPress Support Forum as that is where trained and experienced volunteers and staff are answering these kinds of questions. 😀

  23. Posted September 11, 2008 at 2:13 pm | Permalink

    And WordPress MU? I guess that’s vulnerable, too.

  24. Posted September 12, 2008 at 8:35 pm | Permalink

    Has anyone here ever had their blog hacked or something because of security vulnerabilities?

  25. Posted September 12, 2008 at 9:16 pm | Permalink

    @ sean:

    Um, yes. In fact, there was a “pirate” who publicly displayed a huge list of blogs that hadn’t upgraded and announced that he was going to go down the list and hack each of them. He actually succeeded for some on the list. He considered them “warned” and then he attacked.

    It isn’t common, but it does happen, which is why it is so important to upgrade when there are security issues at stake. Just because this particular issue might only involve open registration blogs, which is a lot of WordPress blogs with open registration for comments, multiple bloggers and contributors, since this is a PHP issue, who knows what PHP you may have added to your WordPress blog by tweaking with it that might make it vulnerable. Better safe than sorry.

    Here is more info:

    WordPress Security Prevention, Reactions, and Scares
    WordPress Blogs and More Hacked by Google Redirects
    Are You Risking Your Blog With an Unofficial or Vulnerable WordPress Theme
    Protecting Your WordPress Blog
    Good Reasons to Upgrade WordPress

  26. Posted September 14, 2008 at 7:08 pm | Permalink

    Hi Lorelle,
    I have just upgraded my WordPress blog from 2.6.1 to 2.6.2 (manually). Everything went without a hitch, however all of my posts have the title of the post showing, but no actual post.

    I backed up my blog before the upgrade. Is this a database problem?

    Can you steer me in the right direction to fix this?


  27. Posted September 15, 2008 at 7:50 am | Permalink

    @ MG Page:

    Check the WordPress Support Forum. So far, I’ve had none of the problems a few sites are reporting. It could be a problem with your WordPress Theme or how you upgraded. The Forum is the best place for help.

4 Trackbacks/Pingbacks

  1. […] WordPress 2.6.2 Mandatory Upgrade […]

  2. […] WordPress 2.6.2 Mandatory Upgrade Ryan Boren has announced the mandatory WordPress 2.6.2 upgrade has been released and WordPress users are required to […] […]

  3. […] For those who did not update their blog yet please go to WordPress download section as Lorelle wrote that this download or upgrade of WordPress 2.6.2 was a mandatory update. […]

  4. […] Do I thank the crew at WordPress or do I tell them to piss off? Lorelle VanFossen: WordPress 2.6.2 Mandatory Upgrade […]
