
WordPress 3.8.2 was released today with several important security fixes that warrant an immediate update. If you have background updates turned on, you should get the 3.8.2 security release within 12 hours. Of course, you can always update immediately via Dashboard > Update in the admin.
Andrew Nacin outlined the important security fixes in this release. In summary, they are:
- Fixes a weakness that could let an attacker force their way into your site by forging authentication cookies.
- Prevents a user with the Contributor role from improperly publishing posts.
- Passes along additional information when processing pingbacks to help hosts identify potentially abusive requests.
- Fixes a low-impact SQL injection that could be exploited by trusted users.
- Prevents possible cross-domain scripting through Plupload, the third-party library WordPress uses for uploading files.
These security concerns were discreetly disclosed to the WordPress security team, but now that they are public knowledge, it’s very important to get your sites updated to the latest version.
First WordPress Security Release Shipped as a Background Update
In the course of providing the 3.8.2 security update, a 3.7.2 release was also pushed out, which includes the same fixes for sites still running on 3.7.1.
We’ve now entered a new era of WordPress security updates wherein sites that are on older versions may have automatic updates enabled. Passing on those same security updates, wherever possible, only makes sense.
I asked Nacin how far back the team plans to provide security releases for sites running older versions of WordPress. “We don’t want sites to remain on older versions,” he said. “But it’s obviously tough to pass up the opportunity to keep them secure.”
There is no hard and fast rule set for how far back security updates will go, but Nacin says that they will continue to do what they can. “This was the first security release shipped as a background update, so it’s new to us, too,” he said. “But I would expect we’ll do whatever we can to keep sites secure.”
So far the automatic updates seem to be going quite well:
In the 15 minutes after WordPress 3.8.2 dropped, 230,000 WordPress installs were automatically updated. https://t.co/8pCvBD2Tl8
— Andrew Nacin (@nacin) April 8, 2014
We’ve served about 800,000 updates over the last hour. All sites have been receiving instructions to update; they check every 12 hours.
— Andrew Nacin (@nacin) April 8, 2014
More numbers: 1.2 million WordPress sites have automatically updated over the last 97 minutes. https://t.co/Cc76GKcTID
— Andrew Nacin (@nacin) April 8, 2014
T plus two hours: 1,446,176 updates. At this point I’ve moved beyond “nervous wreck” to “shipping champagne.” Eventually this won’t be news.
— Andrew Nacin (@nacin) April 8, 2014
The first release candidate for 3.9 was also sent out on the heels of the 3.8.2 security update. You can expect to see the official 3.9 release next week on April 16th.
It must be pretty awesome for Nacin and team to see those numbers grow so fast and within such a short time after the push out. Nerve-wracking in the beginning, then a state of euphoria perhaps after a mere two hours. Job well done!