[Security] Outdated WordPress installs to be disabled
Thursday, September 18th, 2008 - Security
We still have about 82 percent of the WordPress installs that we wrote about a couple of weeks ago that have not been updated to 2.6.1 or later. I am going to have to begin disabling these installs, because these older versions do not need to stay active indefinitely.
I will only be disabling WordPress installs that are older than 2.5.1. If you are using WordPress 2.5.1 or later, then you won’t have your install disabled. You really still need to upgrade to WordPress 2.6.2, but at this time I am not going to make any changes as long as you are running WordPress 2.5.1 or later.
If you insist on continuing to run a WordPress install that is older than 2.5.1, then I implore you to please contact the WordPress developers or visit their support community at:
Running anything less than 2.5.1 (really anything less than 2.6.2) is unsafe. You can discuss your options with the community at this address.
I will likely begin disabling these scripts early next week. So if you have not yet updated, now is the time to be doing so.
Scott
•
[General] Hurricane Ike
Friday, September 12th, 2008 - General
As some of you are aware, there is currently a major hurricane swirling around in the Gulf of Mexico. The hurricane is expected to make landfall later tonight or early tomorrow morning around the Houston, TX area. We do not have any servers located in Houston, but we do have servers located in Dallas, TX, which is about 250 miles northwest of Houston. We are not expecting any major issues with this storm. The storm is expected to weaken quickly once it makes landfall. Dallas will probably see some rain and maybe some thunderstorms, but we are not expecting any major problems. The datacenter is equipped with backup generators, so in the event of power loss the backup generators will kick in and run the datacenter.
Obviously our foremost concern is with the people in the path of this storm and those that may be affected by the storm. Hopefully the storm will weaken further before it makes landfall and not cause much damage.
We will continue to monitor the situation. We just wanted to let everyone know that we are aware of the situation and to let everyone know that the datacenter does have measures in place to guard against problems like this.
Steven
•
[Security] WordPress 2.6.2 Released
Tuesday, September 9th, 2008 - Security
Hot on the heels of a new exploit found in WordPress 2.6.1, the WordPress developers have released an update to WordPress, version 2.6.2. This release fixes an annoying security issue where a new user can register and have the password of an existing WordPress user changed to a random password.
From the WordPress release:
Stefan Esser recently warned developers of the dangers of SQL Column Truncation and the weakness of mt_rand(). With his help we worked around these problems and are now releasing WordPress 2.6.2. If you allow open registration on your blog, you should definitely upgrade. With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password. The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit. However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password. Stefan Esser will release details of the complete attack shortly. The attack is difficult to accomplish, but its mere possibility means we recommend upgrading to 2.6.2.
I would recommend that all users, even those that are using WordPress 2.6.1, update to WordPress 2.6.2 as soon as possible.
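The release note above describes the pre-condition of the bug: a registration username that the database silently truncates or pads so that it compares equal to an existing user's name. The following added example (not code from WordPress or from this hosting provider) shows the kind of registration-time validation that closes that pre-condition; the column width of 60 is an assumption for the example, since the page does not state the real schema, and running the database in strict SQL mode (so over-long inserts fail instead of being truncated) is the complementary server-side fix.

```python
from typing import Iterable, Optional

# Assumed column width for this example; apply the same rule to whatever
# width the real users table uses.
USERNAME_COLUMN_WIDTH = 60

def normalize(name: str) -> str:
    """Canonical form for collision checks: case-folded and with trailing
    spaces removed, mirroring how a padded CHAR/VARCHAR column compares
    values in MySQL (trailing spaces are not significant)."""
    return name.casefold().rstrip(" ")

def validate_username(candidate: str, existing: Iterable[str],
                      column_width: int = USERNAME_COLUMN_WIDTH) -> Optional[str]:
    """Return None if the username is safe to insert, else the rejection reason.

    The rules close the pre-conditions of the column-truncation bug: the value
    must fit the column unchanged, must not carry leading or trailing
    whitespace that the database would ignore on comparison, and must not
    normalize to a name that already exists.
    """
    if not candidate:
        return "empty username"
    if candidate != candidate.strip():
        return "leading or trailing whitespace"
    if len(candidate) > column_width:
        return "longer than column width"
    if any(ch in "\x00\r\n\t" for ch in candidate):
        return "control character"
    taken = {normalize(n) for n in existing}
    if normalize(candidate) in taken:
        return "collides with existing user"
    return None
```

The length check runs before the collision check on purpose: a value that would be cut down by the column can never reach the comparison in its original form, so it is rejected outright.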
Scott
•
[Security] WordPress Update Compliance
Tuesday, September 9th, 2008 - Security
I have checked on the servers and I am seeing about 15 percent compliance with the WordPress update. This means that 15 percent of the WordPress installs that were outdated last week have either been updated or removed.
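A compliance check like the one described above can be scripted by reading the `$wp_version` assignment in each install's `wp-includes/version.php` and sorting installs into the three buckets the notices use (older than 2.5.1, between 2.5.1 and 2.6.2, current). This is an added example, not the provider's own tooling; the account paths and version strings in the sample are constructed, and `find_version_files` is only needed when running it against a real filesystem.

```python
import os
import re
from typing import Dict, Optional, Tuple

# Thresholds from the notices: installs below DISABLE_BELOW get disabled,
# anything below RECOMMENDED should still be upgraded.
DISABLE_BELOW = (2, 5, 1)
RECOMMENDED = (2, 6, 2)

# Constructed sample: contents of wp-includes/version.php from hypothetical
# customer accounts (paths and versions are made up for this example).
SAMPLE_VERSION_FILES = {
    "/home/alice/public_html/blog/wp-includes/version.php": "<?php\n$wp_version = '2.3.3';\n",
    "/home/bob/public_html/wp-includes/version.php": "<?php\n$wp_version = '2.5.1';\n",
    "/home/carol/www/news/wp-includes/version.php": "<?php\n$wp_version = '2.6.2';\n",
    "/home/dave/public_html/wp-includes/version.php": "<?php\n// no version assignment\n",
}

# Matches the assignment WordPress ships, e.g. $wp_version = '2.6.1';
VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([0-9]+(?:\.[0-9]+)*)['\"]\s*;")

def parse_wp_version(php_source: str) -> Optional[Tuple[int, ...]]:
    """Return the version as a tuple of ints, or None if not found."""
    m = VERSION_RE.search(php_source)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def classify(version: Optional[Tuple[int, ...]]) -> str:
    """Map a version to the action described in the notices."""
    if version is None:
        return "unknown"    # needs a manual look by a technician
    if version < DISABLE_BELOW:
        return "disable"    # older than 2.5.1
    if version < RECOMMENDED:
        return "upgrade"    # 2.5.1 <= version < 2.6.2
    return "current"

def find_version_files(root: str) -> Dict[str, str]:
    """Walk a real tree (e.g. /home) and read every wp-includes/version.php."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == "wp-includes" and "version.php" in files:
            path = os.path.join(dirpath, "version.php")
            with open(path, encoding="utf-8", errors="replace") as fh:
                found[path] = fh.read()
    return found

def audit(version_files: Dict[str, str]) -> Dict[str, str]:
    """Classify each install, keyed by its top directory (two levels up)."""
    return {os.path.dirname(os.path.dirname(p)): classify(parse_wp_version(b))
            for p, b in version_files.items()}
```

Installs whose version string cannot be parsed land in "unknown" rather than being silently counted as compliant, so that a modified or pre-release version.php still gets looked at.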
Our WordPress updater program is still available to those that want to try it to upgrade their WordPress installs. We have updated a couple of WordPress 2.5.1 installs to WordPress 2.6.1 and did not encounter any problems. I am not sure if the updater will work on anything less than WordPress 2.5.1.
We have also received a few complaints and concerns from users who do not believe that they have to update their blogs. Please understand that we do not make the rules on the Internet. It is just a fact that if you run outdated software on an account, then you are more likely to be hacked into. If your account is hacked into, then this can have adverse effects throughout the entire server. This is why we are pushing to get these installs updated. We are trying to raise awareness that you have to keep these installs up-to-date.
If you have concerns about the new WordPress interface or something about the new version of WordPress then you need to contact WordPress about this. You can reach the WordPress forums at:
I know some users have written in saying that they are using WordPress 2.5.1 and that WordPress 2.6.1 does not contain any new security fixes. It is true that 2.6.1 does not fix any major security flaws in WordPress. While I still believe that you should upgrade WordPress 2.5.1 installs to the latest version, I am less concerned with those installs that are version 2.5.1. The main issue is with the installs that are from the 2.3 release tree. WordPress 2.3 had a lot of security issues and these issues also affected versions prior to 2.3. These installs need to be updated. If you won’t take my word for it, then ask around on the WordPress forum and see if anyone still believes you should be running WordPress 2.3.
We are just trying to be proactive in regards to this. In order to make sure the servers stay secure, we have to ensure that the accounts on them are secure. Any server administrator who knows that there are accounts on their servers running an old and outdated version of a script or application, and does nothing about it, is not doing a very good job of administrating the server. We are just trying to keep you informed and trying to keep your data safe.
Scott
•
[Security] Outdated WordPress Notice
Tuesday, September 2nd, 2008 - Security
We have sent out notices to all of the accounts that we show as having outdated WordPress installs. You should have received one of these notices if you have an outdated WordPress script on your hosting account and if your contact information is up-to-date in our billing database. If you did not receive a notice and you think you might have an outdated install you can always submit a support request and have our technicians take a look at your account.
We have posted instructions for upgrading WordPress installs. You can follow these instructions if you want to upgrade your WordPress install to the latest version. The latest version at the time of this posting is 2.6.1. If you installed WordPress through Fantastico, then you need to log into your control panel and use the Fantastico link and interface to update your WordPress to the latest version. If you installed WordPress through Fantastico and you try to update it through some other means, then this could have potentially adverse effects on your hosting account and WordPress install.
I have also developed an experimental WordPress updater that I can run on your account to upgrade a given WordPress install. At this time the software is just experimental, but I am willing to try the software on your account if you want me to and if you are aware of the risks. The updater may cause your WordPress install to stop working, but I need to run the updater on some installs to figure out if there are any bugs or any ways to improve the system. If you want me to run the updater on your WordPress install just submit a support request ticket with your valid username and password information and a note containing what WordPress install to update and a note that you understand the risks involved. I will have to have the correct username and password of your account in order to validate that you are the true owner of the account before I can run the update. I also may have to turn away update requests through the WordPress updater if problems are encountered.
If you are not using the WordPress installs that are listed and you want them removed, you can submit a support ticket instructing us to remove the script. Again, we need to know specifically what WordPress install to remove and the valid username and password for the account. Please note: if you tell us to remove a WordPress script from your account, then that script will be deleted and cannot be brought back. So if you tell us to remove a WordPress script from your account, you need to be sure that this is really the action you want to take.
Some of you may be running reasonably up-to-date WordPress scripts on your account and you may be safe from any major security exploit. However I still recommend that you upgrade to the latest version of WordPress, version 2.6.1. You just never know when a minor flaw may escalate to a major threat. One thing is for certain, if you are always running the most up-to-date version of any actively developed script then you know that you have done the most that you can do to keep your script and website secure.
Scott