It started with an email. Lil’ asked,
When I went to my blog login, there was a big blurb in red that says:
“MAJOR SECURITY ANNOUNCEMENT
“Affecting all WP users (this is not specifically a Spam Karma problem). Please immediately disable ‘guest user registration’ on your blog if it’s enabled and advise all your friends to do so (details here). I cannot give too many technical details as it would further endanger vulnerable WordPress users, but trust me this is not a joke.”
I have no idea what this means… can you provide me with a clue?
So I went forth and researched. And researched. And researched. Apparently this is the second security flaw of its kind in WordPress, and it affects 1.5 series releases as much as it does the newer 2.0 series. Did I mention that all of us on this server are running 1.5.2?
The new 2.0.4 version is available as of… tomorrow? (This is July 28, and the date stamp on the official announcement is July 29. Does this guy have a TARDIS or something?) Problem is… there’s no fix for 1.5.2. Nor will there ever be a fix, I’m willing to bet. Sure, I’ve disabled ‘guest user registration’, which is actually something I do on every new WordPress install I create so I was ahead of the curve on this by a long ways, but still… if I want security fixes, I have to upgrade.
This is not how I wanted to spend my weekend, people. Truly.
UPDATE, Five Minutes Later: Duh. I can’t upgrade anything until after the Blogathon, or I’ll risk overloading my poor underpowered webserver. Well, guess what I’m doing over the course of next week?