WordPress 2.6.2 Is Out: Care If You Have Open User Registration

By Daniel Scocco

Yet another version of WordPress is out. The official development blog just announced WordPress 2.6.2, which aims to fix an exploit of the open user registration feature.

In theory this is not a security hole, because all that a malicious user would be able to do is reset the password of other users (which is annoying but not critical). But coupled with another security bug, it looks like a talented guy could also predict the new passwords.

So the bottom line is: if you allow open registrations on your blog, upgrade. If you don’t, it is up to you.

On a side note to the WordPress team (if any of you read this blog, which I doubt…): how about scheduling the releases on a quarterly basis, unless a critical security exploit comes up? It might be me, but it looks like WordPress 2.6.1 was released 2 weeks ago.

Another idea would be an automatic, one-click upgrade integrated into WordPress.




24 Responses to “WordPress 2.6.2 Is Out: Care If You Have Open User Registration”

  • kate

    wordpress very easy and very good

  • Elijah Nicolas

    For incremental upgrades, do you need to install 2.6.1 prior to 2.6.2 or for major releases, do you need to go from 2.5 to 2.6 then to 2.6.2? Can you go to 2.6.2 from 2.5 since it overwrites every single file anyway? I wanted to make sure prior to messing things up.

  • drlovecat

    I agree with #13,

    WP2.6.2 may be not necessary for update now! 2.7

    —————————————————————–
    Thanks for your kindness. I love your theme so much.

  • Samuel

    So what, you’re saying that you’d rather they wait a few months for their release, giving hackers more time to exploit a problem in the code? Because that’s what a quarterly release-type situation would lead to…

  • Paula

    I haven’t as yet upgraded any of my blogs and some are still working on 2.5 or thereabouts. Just worried that it may not go as smoothly as I would like.

  • BloggerNewbie

    I have upgrade phobia. The last 5 minute install took me 5 days to fix and get back to where I started. WP 2.5.1 won’t allow me to post at a future date, (sends my post into never never land) so I would like to upgrade. I will try the plug in.

  • Daniel Scocco

    @Lilla, open registration is when you enable a WordPress feature that allows any visitor to create a user account on your blog.

    By default this is not activated.

  • Carla

    As a non techie, I say no thank you at least for now. The version I currently have has been a PITA for me as it is (at least getting it on my site). If I had some help, maybe. 🙂

  • NunoXEI

    I think your last point is absolutely dead on. I hate the fact that my hosting provider does not always pick up the latest WordPress update in order to offer a quick (safe?) way to upgrade a WP site from the Admin Panel within their own system. This allows people like me who are afraid to screw stuff up manually doing it a chance to stay current as well.

    WP has implemented the plugin update feature right into WP, I don’t see why they couldn’t make at least SOME of the smaller WP updates available at a click from within WP’s admin area.

  • team ray

    WordPress seems to be developed by a bunch of amateurs

    they need to hire some real developers

  • Qutting The Day Job

    Not going to upgrade just yet.
    Last upgrade was a bit painful when several plug-ins quit working and had to be abandoned or tweaked.
    I’ll wait for a major upgrade but an auto upgrade (non-plugin) sure would be nice….with a backup feature of course.

  • Mike Bobiney

    Holding off until 2.7 unless absolutely necessary. Everyday I see the upgrade prompt and every day I resist the urge to click.

  • Adam Pieniazek

    You should all check out SVN installs and upgrades. Basically, just copy the line to upgrade via SVN, paste it in your terminal and BAM, wordpress is updated!

    Really quite painless and quick.

    Also, wordpress team, keep those updates coming! I’d rather get too many releases (which we can ignore) rather than too few!

  • Saurav

    One click upgrade would be quite helpful.
    I tried the plugin which is supposed to incorporate one click feature but got error during the install.

  • Eden

    I’ll be holding off. I just upgraded to 2.6.1 a few days ago. They definitely need a release schedule, except for critical security issues.

  • Lilla

    Ummm…really basic question but what is “open registration” and where do I find it to change it if I wanted to? Thanks!!

    p.s. There’s an automatic WP upgrade plug-in?

  • Malcolm Bastien

    Ya, getting WordPress to upgrade as seamlessly as the plug-ins do now would be really sweet.

    What I’ve just recently is the wordpress-automatic-upgrade plugin. It lets your installation upgrade automatically, and though it’s not as smooth as it could be, it sure beats opening up the FTP client.

  • Farrhad

    Wrt your last sentence,
    there is a plugin to do the needful.

  • Mayooresan

    Oh.. I’m really tired of this… Seems we need to upgrade WP every week… OOps 🙂

  • Dan @ PowerDosh.com

    Thinking about it, there’s potential for someone to write a tool that allows you to easily update all of your wordpress installs from your desktop.

  • Nick

    Yes, I allow Open Registrations, So I figured Why not I guess? I also have the Automatic WordPress Installation plugin which makes it a breeze to do.

    But Yes that would be sweet if WordPress could do some kind of a One click integrator that ONLY updates the files it needs for current WordPress users.

  • sharninder

    There is a wordpress automatic upgrade plugin which you can use to ease the pain a bit.

    I hadn’t even updated to 2.6.1 since the update wasn’t recommended but I think I’ll upgrade to this one soon, even though I don’t have open user registrations.

  • Dan @ PowerDosh.com

    It’s also apparent that their testing process is not that great. They seem to have a high degree of reactive development releases.

  • CypherHackz

    I will only upgrade my WP when a major version or critical bug fix is out. It consumes a lot of time if you (me) want to upgrade 5 blogs at once.
