Yesterday the wonderful people at WordPress.org announced and released a security and bug update to WordPress 3.5. This version is labelled 3.5.1, and we’re sure you’ve already seen the uniquitous yellow label in your admin panel!

As always, it’s essential that you completely backup your files and databases before performing an update, just in case a plugin goes awry and you receive the fatal “white screen of WordPress death” following the update. This is rare, but there’s nothing worse than a dead website meant to have 1000s of hours of work put into it!

Bug Fixes Included in 3.5.1

WordPress contributor Andrew Nacin reported the following bug fixes:

• Editor: Prevent certain HTML elements from being unexpectedly removed or modified in rare cases.
• Media: Fix a collection of minor workflow and compatibility issues in the new media manager.
• Networks: Suggest proper rewrite rules when creating a new network.
• Prevent scheduled posts from being stripped of certain HTML, such as video embeds, when they are published.
• Work around some misconfigurations that may have caused some JavaScript in the WordPress admin area to fail.
• Suppress some warnings that could occur when a plugin misused the database or user APIs.

Security Fixes Included in 3.5.1

If you’ve ever been the victim of a WordPress hacking attempt, you know how painful it can be to have left your WordPress installation un-updated, and therefor extremely vulnerable. In addition to running VaultPress on every one of your WordPress sites, here are the important security fixes included in 3.5.1:

• A server-side request forgery vulnerability and remote port scanning using pingbacks. This vulnerability, which could potentially be used to expose information and compromise a site, affects all previous WordPress versions. This was fixed by the WordPress security team. We’d like to thank security researchers Gennady Kovshenin and Ryan Dewhurst for reviewing our work.
• Two instances of cross-site scripting via shortcodes and post content. These issues were discovered by Jon Cave of the WordPress security team.
• A cross-site scripting vulnerability in the external library Plupload. Thanks to the Moxiecode team for working with us on this, and for releasing Plupload 1.5.5 to address this issue.

Scary stuff, eh?

Need help updating? Have you been hacked before? Give us a shout and we’ll help you within a few hours or less!