Calling all bloggers running WordPress as their content management system (CMS) – yes, I’m talking about you guys and gals with self-hosted WordPress installations.  WordPress version 3.0.2 just came out (release date 11/30/10) and if you haven’t done so already, it’s time to upgrade your WordPress installation.

WordPress 3.0.2 is a mandatory security update, which means if you know what’s good for the safety of your blog, you’ll get on this update right away!

How to Upgrade to WordPress 3.0.2

To upgrade your WordPress installation to version 3.0.2, you have several choices:

1. You can follow the directions at the WordPress Codex here.

2.  Log in to your WordPress dashboard and you’ll get a message at the top of the page alerting you to the new version. It also has a link to the download information.

3.  Download the plugin WordPress Automatic Upgrade, which will guide you through a series of clicks in your dashboard to update to the new version.  This handy plugin is, by far, the easiest way to upgrade your WordPress.

List of the Changes Made in WordPress 3.0.2

From the WordPress.org site, the following changes were made in this security update:

• “Fix moderate security issue where a malicious Author-level user could gain further access to the site. (r16625)
• Remove pingback/trackback blogroll whitelisting feature as it can easily be abused. (#13887)
• Fix canonical redirection for permalinks containing %category% with nested categories and paging. (#13471)
• Fix occasional irrelevant error messages on plugin activation. (#15062)
• Minor XSS fixes in request_filesystem_credentials() and when deleting a plugin. (r16367, r16373)
• Clarify the license in the readme (r15534)
• Multisite: Fix the delete_user meta capability (r15562)
• Multisite: Force current_user_can_for_blog() to run map_meta_cap() even for super admins (#15122)
• Multisite: Fix ms-files.php content type headers when requesting a URL with a query string (#14450)
• Multisite: Fix the usage of the SUBDOMAIN_INSTALL constant for upgraded WordPress MU installs (#14536) “

WordPress 2.8.4 was released yesterday (August 12, 2009) and if you haven’t upgraded your blog yet, you should do so ASAP.  You can upgrade to WordPress 2.8.4 from your dashboard or download the latest version here.

There was a security vulnerability found in the previous WordPress version that allowed people to use a special URL that could bypass the security for password resets.  In essence, this would enable a hacker to hit user accounts (like the admin account), reset your password, and have access to your blog.

Think it couldn’t happen to your blog?  It can – Robert Scoble’s site was hacked into yesterday.  Don’t let this happen to you!

We luckily upgraded all of our WordPress sites when the release was announced and haven’t had any problems. 

Security Not a Drawback to Using WordPress

Some people use security issues like yesterday’s as an excuse to not use WordPress.  However, the window is very small between the time hackers discover a vulnerability and WordPress finds out about it and creates a solidly tested solution.  The power of using an open source CMS with such collective knowledge going into its development really gives WordPress users the blogging edge, with an extremely robust platform. 

To put it plainly, there is no better than WordPress, so don’t let yesterday’s security issue scare you away.

Remember that WordPress updates are critical for your security and should be installed as soon as you know about them.  You can keep informed of these updates by simply checking your WordPress dashboard or following the WordPress Blog.