Security update: Upgrade your WordPress to 2.3.3

Unless you want registered users to be able to edit your blog posts, you should update your WordPress installation to version 2.3.3. It’s a small change, and if you prefer, you can just replace your xmlrpc.php file with the newer version from the 2.3.3 release.

By the way, if you followed the advice in my recent security tips for WordPress post, you wouldn’t have to read about the update on my blog. Instead, you would already be subscribed to the WordPress security/developers’ feed (Atom feed link), which you can add to Google Reader or your favorite feed reader. I highly recommend subscribing to that feed so that you’re less likely to be caught by surprise when there’s a security issue with WordPress.
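A small audit script to go with the advice above, added here as an example and not taken from this post or from WordPress itself: it reads the installed version out of wp-includes/version.php (one of the files the 2.3.3 release changed), compares it numerically against a minimum, and reports whether xmlrpc.php is still present in the web root. The function names (`wp_version_of`, `version_ge`, `audit_wp`, `make_sample_wp`) and the sample install tree it builds are this example’s own constructions.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a WordPress root for
# the 2.3.3 update. Reads $wp_version from wp-includes/version.php and
# reports whether xmlrpc.php is present. Function names are this example's own.

# Print the $wp_version value found in a version.php file (empty if absent).
# Real version.php files carry a line like:  $wp_version = '2.3.3';
wp_version_of() {
    [ -f "$1" ] || return 0
    sed -n 's/^\$wp_version[ ]*=[ ]*.\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Compare two dotted versions component by component (so 2.10 > 2.9);
# prints 1 if $1 >= $2, else 0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) { print 1; exit }
            if (xi < yi) { print 0; exit }
        }
        print 1
    }'
}

# Audit a WordPress root against a minimum version. Prints one line:
#   <ok|outdated|unknown> <version> <xmlrpc-present|xmlrpc-absent>
audit_wp() {
    root="$1"; min="$2"
    ver=$(wp_version_of "$root/wp-includes/version.php")
    if [ -z "$ver" ]; then
        status=unknown; ver=none
    elif [ "$(version_ge "$ver" "$min")" = 1 ]; then
        status=ok
    else
        status=outdated
    fi
    if [ -f "$root/xmlrpc.php" ]; then xml=xmlrpc-present; else xml=xmlrpc-absent; fi
    printf '%s %s %s\n' "$status" "$ver" "$xml"
}

# Build a constructed sample install tree (only for trying the audit offline;
# the file contents are a minimal imitation of what WordPress ships).
make_sample_wp() {
    mkdir -p "$1/wp-includes"
    printf "<?php\n\$wp_version = '%s';\n" "$2" > "$1/wp-includes/version.php"
    : > "$1/xmlrpc.php"
}

# Usage: sh wp_audit.sh /path/to/wordpress [minimum-version]
if [ "$#" -ge 1 ]; then
    audit_wp "$1" "${2:-2.3.3}"
fi
```

Run it against a real install root and it prints, for example, `outdated 2.3.2 xmlrpc-present`; the xmlrpc column is there because, as the comments below note, a site that uses neither an external editor nor trackbacks can simply remove that file, and the audit makes it visible whether that has been done.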

24 Responses to Security update: Upgrade your WordPress to 2.3.3

  1. I’ve just upgraded my blog using the WordPress Automatic Upgrade plugin. It just took a couple of minutes, so if you are too lazy to do the uploading of files, use that plugin. I highly recommend it.

  2. Thanks for the suggestion to just replace xmlrpc.php. This will be the first upgrade I do myself, so I’m going to wait until I have enough time to dedicate, but it’s great that I can protect my blog posts in the meantime with just updating that one file.

  3. Right now I am glad I use Subversion to upgrade WordPress. 🙂

    If you want to make a “full” upgrade of WP by swapping files, the changed files are wp-includes/gettext.php, wp-includes/version.php, wp-includes/pluggable.php, xmlrpc.php and wp-admin/install-helper.php.

    Einar

  4. I happened to catch it 33 minutes after it was released, since I saw the notice in my console. I of course recommend WPAU.

  5. It’s worth noting that if you don’t use an external blog editor or trackbacks, you can just delete the xmlrpc.php file entirely.

    If you do use an external editor, but do not use trackbacks, you could rename the xmlrpc.php file to something else and adjust the path in your editor tool.

    If your editor tool does not support changing the path, you could also restrict access to that file with .htaccess, which you should also do for your wp-admin directory.

  6. Hiya Matt,

    I tried to email ya about this and say thanks for your last Gmail post, but you don’t like my email addy 🙁 well, your server doesn’t anyhow.

    It was kinda funny seeing that they mentioned a lot in relation to what you posted before. I have been sending a lot of folks I know to check your last post and see the .ht trick so they could adapt it too.

    FUNNY ips btw

    Since you watch the Subversion info you’ll know there were more than just minor security bugs in the XML component. Really hoping this is the fix.

    As always man, good stuff, lol, but for once I posted in front of ya 🙂

    Peace bra,

    Mich D.

  7. Good point, The How-To Geek.

  8. I keep getting annoyed with the amount of updates. I haven’t been able to find a quick solution to upgrading my WordPress without doing a bit of an overhaul. Thanks for the tip at the top, Matt, explaining just the file that needs to be changed.

    I worked out the little bit of code that always flags up that there is a newer version of wordpress available and removed it, but I didn’t realise how serious some of the glitches are that are being fixed!

    Thanks Matt.

  9. Is there any point upgrading if you don’t have user registration enabled?

  10. keniki

    6 comments in a row? Why are you doing this?

    Pls. be nice 😉

  11. In forums and membership sites I found that many people are ‘afraid’ of upgrading, since they don’t know exactly what they’re doing.

    I found this WordPress Automatic Upgrade Plugin that does the job, either fully automatically or manually so you can follow all the steps (I recommend using the latter, so you can follow what happens; it only takes a minute).

    The plugin creates backups, puts your blog in ‘maintenance’ mode, de-activates the plugins, changes the files, activates the plugins and doesn’t touch the wp-content folder.

    Works like a charm.
    Review at my link.

  12. Matt,

    All those posts that you do are great, and very useful as well. But I’m missing the spam hunt posts… 🙂 I am sure that you guys are doing enormous amounts of work on combating spam, and lately the focus seems to be on link spam. But it looks like the fanciest spam techniques have a much higher priority in Google than the very basic “hidden content” type of spam.

    I can’t tell how frustrating it is to see sites rank high that use very simple techniques to hide keywords and stuff pages full of keywords. Why can’t the spam team of Google do something about that?

    I remember that Google very proudly took the sites of BMW or Mercedes out of the index because they used spam techniques. But an unknown @$$&#¨#& can put a 60000 page site online with completely keyword stuffed pages in (partially) hidden divs and put another site in an iframe and get away with it. Even after Google received numerous spam reports about it.

    Sure, they also throw up 2 huge AdSense blocks at the top of many pages so that it becomes an MFA site as well. Even better!!! Even more reason to take them out of the index.

    Don’t get me wrong here. I do not believe that AdSense is the reason sites like this are still in the index and receiving tons of visitors from Google. I think it has to do with priorities. But perhaps the priorities are not enough in line with reality.

    Maybe the focus is again more on English language search than on other languages?

    Please do something, Matt.

  13. Here’s the right URL; you can only view his friends unless he adds you:

    http://www.facebook.com/friends/?id=2718835#view=everyone&flid=0&q=&s=0&nt=0&nk=0&lt=0

  14. Dave (original)

    I can’t tell how frustrating it is to see sites rank high that use very simple techniques to hide keywords and stuff pages full of keywords. Why can’t the spam team of Google do something about that?

    I remember that Google very proudly took the sites of BMW or Mercedes out of the index because they used spam techniques. But an unknown @$$&#¨#& can put a 60000 page site online with completely keyword stuffed pages in (partially) hidden divs and put another site in an iframe and get away with it. Even after Google received numerous spam reports about it.

    I wouldn’t assume hidden text helps ANY page in Google.

    The BMW case was likely more of a message to SEO and Webmasters than anything. That is, they made an example of them, but haven’t been consistent in treatment of hidden text.

  15. I haven’t found one upgrade procedure that was clear or comprehensive. Even the manual process leaves me with a questionable upgrade and persistent nagging to upgrade.

  16. I can’t tell how frustrating it is to see sites rank high that use very simple techniques to hide keywords and stuff pages full of keywords. Why can’t the spam team of Google do something about that?

  17. Ilan – You can report pages by clicking on “ads by Google” if they have Google ads on the page. Plus Google has de-valued the on-page text, so it’s likely they are using multiple ranking methods, not just text cheats.

  18. I wouldn’t assume hidden text helps ANY page in Google.

    Well, you’re assuming wrong. Hidden text works perfectly. Google’s algorithms obviously aren’t capable of detecting if text is hidden or not. At least it doesn’t seem to be a standard check. At most a manual check after a spam report came in.

    Consider that a site got a top10 position for a keyword that only exists in hidden text and doesn’t have those keywords in any external backlinks. That doesn’t deserve to rank high. It doesn’t even deserve to be indexed.

    I know that you probably find this a lot less in English language countries because people know it’s a high risk thing to do. But in other languages there is very little communication from search engines to webmasters. (It is improving a bit, but webmasters in other languages who don’t speak English aren’t really looking for communications from search engines either.) The result is that a lot of old-fashioned SEO techniques are still pretty common. And dumb as it may seem, they do work.

  19. I updated my own WordPress site and also those of my clients.

    I didn’t subscribe to the feed, but updates are also listed on the WordPress dashboard.

    Thanks for posting Matt!

  20. Wow, users being able to edit your blog posts. Is it really that wide open?? Shocking.

  21. Thanks Matt for the how-to on the easy way to update. Easy is always a good thing when it comes to me and any kind of programming things.

  22. Thanks for the update, I hope it is easy to update through cPanel>fantastico.

    Regards,

  23. Why don’t they eliminate the WordPress 2.3.3 passive XSS hacks used by hackers? There are lists of them available, but nobody from the WP community seems to do anything about the old hacks available.
