WordPress 2.8.5 Another Security Release

Most of you who frequent your self-hosted WordPress site should be well aware that the new version, 2.8.5, is now available. As with all incremental security releases, it is recommended that you upgrade as soon as possible.

What I consider an incremental upgrade is when it goes something like from 2.8.4 to 2.8.5. This kind of small version change usually has no major enhancements and should have a pretty painless upgrade. When there are major changes like the upcoming release of version 2.9, then I would recommend waiting a week or so for some of the bugs to be found and fixed. I would suggest either researching any new major release or waiting for the first incremental version of it to be released. And remember, with all upgrades, always back up first!

From the official WordPress.org site regarding version 2.8.5:

The headline changes in this release 2.8.5 are:

* A fix for the Trackback Denial-of-Service attack that is currently being seen.
* Removal of areas within the code where php code in variables was evaluated.
* Switched the file upload functionality to be whitelisted for all users including Admins.
* Retiring of the two importers of Tag data from old plugins.

We would recommend that all sites are upgraded to this new version of WordPress to ensure that you have the best available protection.

If you think your site may have been hit by one of the recent exploits and you would like to make sure that you have cleared out all traces of the exploit then we would recommend that you take a look at the WordPress Exploit Scanner. This is a plugin which searches the files on your website, and the posts and comments tables of your database for anything suspicious. It also examines your list of active plugins for unusual filenames. You can read more about this plugin here – “WordPress Exploit Scanner”.

When upgrading this site I encountered the “WordPress Upgrade Error Allowed Memory Size Exhausted” error. So I had to do the work-around to increase the memory limit by adding a bit of code to my wp-config.php file, discussed in this previous post: WordPress Upgrade Error Allowed Memory Size Exhausted.

Comments

Those security updates…. What about making WordPress a little bit more stable and reliable?

Reply

As soon as this update came out I upgraded all of my WordPress blogs immediately. I wonder if static sites have so much work to be secure? That is something that is totally worth looking into. I haven’t installed the Exploit Scanner plugin yet. I better get started on that asap.
All the best,
Eren

Reply

Maybe I should wait until the WP 2.9 release to update all my blogs…

Reply

Jeff  Replied:

If you don’t have 2.8.4 or higher then your blog is vulnerable to getting hacked.

Reply

Yeah, 2.8.4 helps a lot to prevent hackers. It’s a must-have!

Reply

Absolutely, Security is very important! But I am just very eager to see what WP 2.9 will have in store for us.

Reply

Hi..
I agree with reiki healing… security is very important, especially nowadays, to protect against spammers, etc.

Reply

When I tried to auto upgrade, it gave me a “successfully upgraded” message, but when I tried to log in to my site account again I wasn’t able to… it showed some 500 error but my main site was opening…. I am now upgrading WordPress manually…

Reply

Upgraded immediately no compromise on security, waiting for 2.9 now…

Reply

I thought WordPress was the most secure blogging script. I used to use phpBB, the forum script, and got my site hacked 2-3 times even after constant updates. So far so good with WordPress, and in fact I am enjoying every bit of it. It’s really a great tool. Thanks to Matt and his team for putting in the effort.

Reply

Brent2  Replied:

Part of the reason WordPress is so secure is their constant attention to security. If an exploit is found, even a minor one, they have an update very quickly.

We noticed a significant amount of WordPress accounts being hacked and, after reviewing the hacks to ensure it wasn’t our problem, waited for WordPress to release something. Took them all of 2 days to find the most obscure hack I’d ever seen. Poof. 2.8.5.

Reply

I am sick and tired of the frequent WP updates. When you have over 50 blogs to look after (I hire writers and manage a fairly largish network), it can get annoying. Unless there’s a major security issue, I just wait and upgrade every few versions… Otherwise, I’d be spending way too much time doing upgrades.
That said, at least the installs and upgrades are relatively hassle free and it still is the best blogging platform out there :)

Reply

Well, if you have multiple blogs it’s quite a hassle to upgrade every one of them every time, but it’s also not a good idea to leave them vulnerable, so probably better to upgrade right away anyway…

Reply

I was using WordPress version 2.8 and was facing lots of problems, especially the file upload bug. It simply got on my nerves. I downgraded then, and now I won’t be upgrading till I get a good amount of feedback from a few users.

Reply

I stopped using WordPress recently because of all the bugs I was facing. I wish they would bring out a clean, user-friendly version for Linux :(

Reply

Every hacker knows WordPress has a user “admin” with god-like administration privileges. Slow the hackers down by removing the “admin” user. Create a WordPress user with admin privileges using the administration interface. Log out of WordPress and log back in with the new user. Delete the admin user. The new admin user should be different than your normal post author.

Reply

I love WordPress, but all the updates are driving me crazy. It seems like there’s a new release every week. I know it’s good that they are patching holes to keep me safe and what not, but still…

Reply

I don’t get those small-time updates either. Why can’t that update wait until the next version? More importantly, how can one small problem not be detected before being upgraded into a new version?

Reply

I also wait at least a few weeks before upgrading to the latest version to give the WordPress team the time to iron out rough corners and fix bugs. It’s time for me to upgrade now.

Reply

Good post, and you are absolutely right, security is very important! But I am just very eager to see what WP 2.9 will have in store for us. Keep posting, thanks man.

Reply

I heard that a 2.9 beta is coming soon….

Maybe this December

WordPress rockz and I have to say that the antispam measures are fantastic… I rarely get spam messages to my e-mail anymore

Go wp go :)

Reply

So.. another WordPress update (…) Lucky I only have a few blogs on WordPress; updating to a new version really takes time. But glad to know it has better security than the previous version.

Reply

Hackers adapt to their environment, sadly. Updates get made, hackers find a loophole, new updates are made, and it goes on and on. But at least WordPress developers are keeping up on their game. We need to constantly back up our databases!

Reply

WordPress is still the best blogging platform for me. I really love WordPress, but these weekly updates are starting to wear me out. Thanks.

Reply

It is annoying that WordPress is making frequent and small updates. I can’t wait for WordPress 2.9. I hope we will see the update soon. Great post, keep posting, thanks a lot.

Reply

There is a discussion of WordPress 2.9 tomorrow at the WordCamp NYC 2009. Looking forward to that as my last few upgrades up from 2.7 have not gone perfectly. Regards,

Reply

The DoS attack became very common on the WordPress platform. One of my WordPress blogs was exploited using the same problem and I stopped using it as I thought it had been hacked, but now after installing these updates I have to see again.

Reply

I know almost all of us are waiting eagerly for the new features instead of security updates. But the security of our blog is equally important. Very informative post.

Reply

WordPress 2.8.5 is not new for us because we know that very soon we will find a new one, that is 2.9. So wait for it, it’s on the way.

Reply

I agree with Anne that for people running multiple blogs, the continual updates can be very time consuming. Sometime back I did start changing the default “admin” to different master usernames and deleted that one. It’s at least one step toward slowing down potential hackers.

Reply

Very nice info. One of my blogs uses WordPress and fortunately my hosting supports one-click upgrade. Only one click from my cPanel and my blog has upgraded to the higher version :)

Reply

I will wait for the WordPress 2.9 release. Then I will update all my blogs.

Reply

As soon as this update came out I upgraded all of my WordPress blogs immediately. That is something that is totally worth looking into. Hope WordPress is getting better.

Reply

Thanks for this link: WordPress.org site, Jeff. I think that WordPress 2.8.5 is great.

Reply

I had been upgraded, and I never knew it, because my WordPress before this was hacked by someone from the Middle East. Thanks for sharing with us..

Reply
