WordPress has announced the release of their Maintenance and Security update, WordPress 3.5.1 and its time, once again, to upgrade WordPress.
While WordPress 3.5 was released not too long ago, there were a number of issues that caused some people to have problems with their WordPress site. This release addresses those issues and also includes important security updates to the WordPress core. You can be assured that hackers will try to exploit WordPress sites that have not upgraded and have known vulnerabilities.
Remember that you should always backup your website (both files and database) before upgrading WordPress. While updating WordPress almost always works flawlessly, in the event something should go awry, having a backup will allow your site to be restored with a minimum of hassle.
Don’t forget to upgrade your WordPress themes and plugins as well. There have been some significant changes to the way WordPress does things and your old versions may not be compatible the new WordPress. Outdated WordPress themes and plugins can also pose a security risk.
In the case of themes, especially with older WordPress themes, you should do a little research before you update. You want to be sure that your theme is compatible with the new versions when you upgrade WordPress. Also, remember that if your theme has had customizations made to it, updating can cause those customizations to be lost. Another good reason to backup before updating!
If you are worried about making the updates to your WordPress yourself, contact The Web Mechanic to take care of it for you!
From the wordpress.org website, here is what’s new in WordPress 3.5.1.
WordPress 3.5.1 is now available. Version 3.5.1 is the first maintenance release of 3.5, fixing 37 bugs. It is also a security release for all previous WordPress versions. For a full list of changes, consult the list of tickets and the changelog, which include:
- Editor: Prevent certain HTML elements from being unexpectedly removed or modified in rare cases.
- Media: Fix a collection of minor workflow and compatibility issues in the new media manager.
- Networks: Suggest proper rewrite rules when creating a new network.
- Prevent scheduled posts from being stripped of certain HTML, such as video embeds, when they are published.
- Work around some misconfigurations that may have caused some JavaScript in the WordPress admin area to fail.
- Suppress some warnings that could occur when a plugin misused the database or user APIs.
Additionally, a bug affecting Windows servers running IIS can prevent upgrading WordPress from 3.5 to 3.5.1. If you receive the error “Destination directory for file streaming does not exist or is not writable,” you will need to follow the steps outlined on the Codex.
WordPress 3.5.1 also addresses the following security issues:
- A server-side request forgery vulnerability and remote port scanning using pingbacks. This vulnerability, which could potentially be used to expose information and compromise a site, affects all previous WordPress versions. This was fixed by the WordPress security team. We’d like to thank security researchers Gennady Kovshenin and Ryan Dewhurst for reviewing our work.
- Two instances of cross-site scripting via shortcodes and post content. These issues were discovered by Jon Cave of the WordPress security team.
- A cross-site scripting vulnerability in the external library Plupload. Thanks to the Moxiecode team for working with us on this, and for releasing Plupload 1.5.5 to address this issue.