WordPress has just released version 3.9.2, fixing a serious bug that lets an attacker easily overload (deny service to) any site running WordPress versions 3.5 to 3.9.1.
I recommend that you upgrade any WordPress installation to the latest version every time you are prompted to do so on your dashboard. Since the introduction of WP 3.7, sites will generally auto-update themselves to the latest iteration of the software (within a generation – so WP 3.7.3 will upgrade to WP 3.7.4 but not to WP 3.9.2), but it doesn’t happen all in one go. Some of my sites auto-upgraded 2 days ago, some today. And not all my sites have yet auto-upgraded. So you may want to manually jump the gun and run the upgrade yourself.
Why Bother Upgrading?
Upgrading WordPress is generally recommended as updates are often released to protect blogs from new security threats. As with any site upgrade, it’s a very good idea to run a full site backup beforehand, just in case something goes wrong. There’s always a slight chance that an update could render some of your plugins or themes unusable. If this should happen, you should contact the relevant theme or plugin developer to let them know about the issue. Don’t assume someone else has already done this. And don’t assume the developer already knows there’s an issue with their product.
WordPress 3.9.2 is a security release for all previous versions and WordPress.org strongly encourages bloggers to update their sites immediately.
The most important item in this release is a fix for a possible denial of service issue in PHP’s XML processing that exists in all previous versions of WordPress. Other security updates include:
- Fixing possible but unlikely code execution when processing widgets (WordPress is not affected by default)
- Preventing information disclosure via XML entity attacks in the external GetID3 library
- Adding protections against brute-force attacks on CSRF tokens
- Additional security hardening, such as preventing cross-site scripting that could only be triggered by administrators
Sites that support automatic background updates will be updated to WordPress 3.9.2 (from WP 3.9.0 or 3.9.1) soon, if they haven’t been already. If you are still on WordPress 3.8.3 or 3.7.3, you will instead be updated to 3.8.4 or 3.7.4. Older versions of WordPress aren’t supported, so I advise updating to 3.9.2, regardless of your current version of WP, so your blog can benefit from the new security additions.
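If you look after several installs and want to see which ones still need attention, the following added example (not part of the original post or of WordPress itself) reads the version string from each install and maps it to the patched release for its branch as described above. It assumes the standard layout in which WordPress records its version in the `$wp_version` variable in wp-includes/version.php, and it only knows the three patched releases named in this post, so anything newer would need a proper version comparison.

```shell
#!/bin/sh
# Added example: report whether a WordPress install is on a release covered by
# the 3.9.2 advisory and which release its branch should be updated to.
# Assumes the version lives in wp-includes/version.php as: $wp_version = 'x.y.z';

# Print the $wp_version value found in a version.php file.
wp_version_of() {
    sed -n "s/^[\$]wp_version *= *'\([^']*\)'.*/\1/p" "$1"
}

# Map an installed version to the patched release for its branch
# (3.7.x -> 3.7.4, 3.8.x -> 3.8.4, everything else -> 3.9.2).
patched_release_for() {
    case "$1" in
        3.7|3.7.*) echo "3.7.4" ;;
        3.8|3.8.*) echo "3.8.4" ;;
        *)         echo "3.9.2" ;;
    esac
}

# Succeed only for the patched releases this post names.
is_patched() {
    case "$1" in
        3.7.4|3.8.4|3.9.2) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: check_wp_install /path/to/wordpress
# Exit 0 if current, 1 if an update is needed, 2 if the version can't be read.
check_wp_install() {
    v=$(wp_version_of "$1/wp-includes/version.php") || return 2
    [ -n "$v" ] || { echo "$1: could not read WordPress version"; return 2; }
    if is_patched "$v"; then
        echo "$1: WordPress $v is current for its branch"
    else
        echo "$1: WordPress $v should be updated to $(patched_release_for "$v")"
        return 1
    fi
}
```

Run it in a loop over your site directories and act on every line that reports an update is needed.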
How To Manually Upgrade To WP 3.9.2
If you want or need to manually upgrade WordPress to V3.9.2, you’ll see a message like this at the top of your WP dashboard:
Click the Please Update Now link to proceed with the upgrade.
You can also choose to click on the Updates link on the left sidebar on your site to access all updates (WordPress core, plugins and themes) for your site. You’ll see a page something like this:
You can then click on the Update button on the WordPress Updates page:
If you’re upgrading from a much older version of WordPress, you’ll be told that WordPress needs to upgrade your database and it will ask your permission to do this:
Click the Upgrade WordPress Database button to allow the database upgrade.
Remember: you should have created at least a database backup, if not a full site backup, before running this upgrade in case something should go wrong.
After a few seconds, you should see a screen like this:
Finishing The Upgrade
What you’ve achieved so far is upgrading the WordPress core files and possibly your database. It’s highly likely that you have plugins and themes that need to be updated too. So return to the WordPress Updates page and upgrade all the plugins and themes listed there (you’ll need to do this in two separate operations).
Once everything has been updated, your WordPress Updates page should look like this:
With WordPress being the most popular blogging platform on the planet, it remains a target for hackers, so webmasters need to be vigilant about securing their blogs as much as possible.
Filed under: WordPress Security