WordPress 3.8.2: First Security Release Shipped as a Background Update

photo credit: Will Montague - cc
photo credit: Will Montaguecc

WordPress 3.8.2 was released today with several important security fixes that warrant an immediate update. If you have background updates turned on, you should get the 3.8.2 security release within 12 hours. Of course, you can always update immediately via Dashboard > Update in the admin.

Andrew Nacin outlined the important security fixes in this release. In summary, they are:

  • Fixes a weakness that could let an attacker force their way into your site by forging authentication cookies
  • A fix to prevent a user with the Contributor role from improperly publishing posts.
  • Update to pass along additional information when processing pingbacks to help hosts identify potentially abusive requests.
  • Fixes a low-impact SQL injection by trusted users
  • Prevents possible cross-domain scripting through Plupload, the third-party library WordPress uses for uploading files.

These security concerns were discreetly disclosed to the WordPress security team, but now that they are public knowledge, it’s very important to get your sites updated to the latest version.

First WordPress Security Release Shipped as a Background Update

In the course of providing the 3.8.2 security update, a 3.7.2 release was also pushed out, which includes the same fixes for sites still running on 3.7.1.

We’ve now entered a new era of WordPress security updates wherein sites that are on older versions may have automatic updates enabled. Passing on those same security updates, wherever possible, only makes sense.

I asked Nacin how far back the team plans to provide security releases for sites running older versions of WordPress. “We don’t want sites to remain on older versions,” he said. “But it’s obviously tough to pass up the opportunity to keep them secure.”

There is no hard and fast rule set for how far back security updates will go, but Nacin says that they will continue to do what they can. “This was the first security release shipped as a background update, so it’s new to us, too,” he said. “But I would expect we’ll do whatever we can to keep sites secure.”

So far the automatic updates seem to be going quite well:

The first release candidate for 3.9 was also sent out on the heels of the 3.8.2 security update. You can expect to see the official 3.9 release next week on April 16th.

Who is Sarah Gooding


Sarah Gooding is an Editorial Ninja at Audrey Capital. When not writing about WordPress, she enjoys baking, knitting, judging beer competitions and spending time with her Italian Greyhound.

12 Comments


  1. It must be pretty awesome for Nacin and team to see those numbers grow so fast and within such a short time after the push out. Nerve wrecking in the beginning to a state of euphoria perhaps after a mere two hours. Job well done!

    Reply

  2. [If you have background updates turned on, you should get the 3.8.2 security release within 12 hours.]

    So what happens if site gets hacked within those 12 hours.

    Is there a plugin that sends me an e-mail when there is an update for core/themes/plugins?

    Reply

  3. What if that update destroys my page due to a plugin? Maybe we want to test them on our test site first….

    Reply
    1. Ben

      @Dimitris – Then run your site through a source control system (git, mecurial or subversion). Automatic background updates are disabled if they detect you’re running from source control. Once you know of an update, apply it and test it on your dev or test environment. Once everything looks good, commit your new changes to source control and push it out to the live server. The extra benefit of source control is that you can roll back the entire site if needed or just roll back a particular file. And the benefit of having a history of site changes to compare against when troubleshooting issues.

      Reply

  4. I was watching @nacin’s tweets last night. It must feel almost Godlike, yet simultaneously stomach churning to watch those figures coming in! The automatic updates are really something very special, well done all involved. Another milestone.

    Reply
  5. lampelina

    Has anyone noticed that this latest update break Quick Draft dashboard feature?

    Reply

  6. Well done, WP Team! All my managed sites received their notice and all is right with our world. Too bad the HeartBleed SSL issue can’t be handled as effectively and discreetly. Thanks.

    Reply

  7. Milestone for auto updates, I started flipping around when I saw the first messages when I knew nobody had been in admin…push updates are the “thing.” A first, but good by me.

    Reply

Leave a Reply