From the folks at WordPress:
An important security issue has been brought to the attention of the WordPress team and we have worked diligently to bring you a new stable release that addresses it. Our latest version 2.0.2 contains several bugfixes and security fixes.
I highly recommend that you download the newest release and upgrade your WordPress installation(s) ASAP (and backup your database before upgrading!).
For those of us with many blogs, this is one of those pains in the neck that makes you wish you had a hosted solution that did the upgrading for you. But all in all, the pros of getting all the features and customizability of the full version of WordPress make it worth the hassle for those who are technically inclined enough to handle WordPress.
(The rest of you should check out WordPress.com — they’ve had a lot of upgrades lately, including new themes, WordPress Widgets, and more, which I’ll write about in a later post, but suffice it to say good things are happening over there.)
BTW - It has not been clarified whether this security vulnerability which was found (and fixed) was in any way related to the supposed hacking of the WP 2.0 Theme Competition that was being hosted by kycap.com, but based on the dialog in the WordPress support forums it does appear that the KYCAP theme competition was a hoax, which, if true, is just evil. Fortunately, a new WordPress 2.0 Theme Competition has sprung out of this mess and is being run and judged by some of the more well known and respected (i.e., trustworthy) members of the WP community.
Update: It now appears that the kcyap theme competition was a complete hoax and the site owner made off with 188 WordPress 2.0 specific themes! The site itself has disappeared, the owner doesn’t respond to any questions nor does he make any attempt to restore the posts, etc. You can read up on some of the discussion in the WordPress Support Forums. I have removed the links to the hoax site so as to not generate any additional traffic or inbound links for the jerk.
There is a new WP 2.0 theme competition that is taking its place and being run by respected members of the WP community over at WordPress Arena.
I ask that all theme designers who applied to the scam competition now enter the new, legit one — and also would be extremely grateful if you would submit your themes to me, as well. While I’ve nothing to offer in the way of prizes (wish I could, but hopefully some fame and the knowledge that you’re helping the community will be inspiration enough), I am extremely eager to create a Comprehensive List of WordPress 2.0 specific themes (and have plans to create a blog specifically about themes to make it much easier for folks to find the theme of their dreams). Please email all theme info to howtoblog @ gmail.com with a subject of WP 2.0 theme — thanks!
On March 5th, the WordPress 2.0 Theme Design Competition that was being hosted by kcyap.com claimed that it got hacked (and that his entire database was erased):
“Very regret to announce that this competition blog website had been hacked. I have no backup for all this data and not sure if the server admin did have a backup on it or not. I am very sorry for this incident.
The prizes will still be the same and I will upload once again all the submitted themes one by one from now. This may take quite some time, please be patient.
The result for this competition will still be announced on the 10th March 2006.”
This should be a reminder to everyone to BACKUP YOUR DATABASE ON A REGULAR BASIS (I’ll write a how-to post on this shortly).
And as many commenters pointed out, it was unacceptable for a site hosting a theme competition of this level to not have backups. Other commenters suggested the site owner use the Google cache to try to retrieve the old posts.
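Since the post defers the backup how-to, here is an added example of what "backup your database on a regular basis" looks like when scripted; it is not the post's own how-to and not WordPress code. It assumes mysqldump is installed, that the MySQL credentials sit in an options file (the path /etc/wp-backup.cnf is a placeholder) containing a [client] section with user= and password= lines and mode 0600, and a database name and backup directory that are also placeholders. The design points are the ones a practitioner cares about: the password never appears on the command line, the dump is written to a temporary name and read back in full before it is renamed into place, and old archives are pruned so the disk does not fill up and silently stop the job. demo() exercises the verify and prune steps on constructed files so it runs without a database.

```python
"""Date-stamped, verified MySQL backup with retention (added example)."""
import gzip
import os
import shutil
import subprocess
import tempfile
import time
from pathlib import Path


def dump_command(defaults_file, database, host="localhost"):
    """Build the mysqldump argv. Credentials live in a mode-0600 options file passed
    via --defaults-extra-file (which mysqldump requires to be the first option), so
    the password never shows up in `ps` output or shell history."""
    return [
        "mysqldump",
        f"--defaults-extra-file={defaults_file}",
        "--single-transaction",  # consistent InnoDB snapshot without locking the blog
        "--add-drop-table",      # the dump can be restored over an existing schema
        "--quick",               # stream rows instead of buffering whole tables
        "--host", host,
        database,
    ]


def backup_name(database, when=None):
    """A UTC timestamp in the name keeps archives lexically sortable by age."""
    return f"{database}-{time.strftime('%Y%m%d-%H%M%S', time.gmtime(when))}.sql.gz"


def verify_archive(path):
    """Read the whole archive back and look for mysqldump's closing '-- Dump completed'
    comment: a truncated or corrupt dump fails here, not on the day you restore it."""
    tail = []
    try:
        with gzip.open(path, "rb") as f:
            for line in f:
                tail = (tail + [line])[-5:]
    except (OSError, EOFError):
        return False
    return any(b"Dump completed" in line for line in tail)


def run_backup(defaults_file, database, backup_dir, host="localhost"):
    """Dump to a temporary name, verify, then rename into place, so a half-written
    file is never mistaken for a good backup."""
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    final = backup_dir / backup_name(database)
    partial = final.with_name(final.name + ".part")
    with gzip.open(partial, "wb") as out:
        proc = subprocess.Popen(dump_command(defaults_file, database, host),
                                stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        shutil.copyfileobj(proc.stdout, out)  # compress the stream as it arrives
        _, err = proc.communicate()
    if proc.returncode != 0 or not verify_archive(partial):
        partial.unlink(missing_ok=True)
        raise RuntimeError(f"backup of {database} failed: {err.decode(errors='replace')}")
    os.replace(partial, final)
    return final


def prune_old_backups(backup_dir, database, keep):
    """Delete all but the newest `keep` archives of this database; return what is kept."""
    archives = sorted(Path(backup_dir).glob(f"{database}-*.sql.gz"))
    for old in (archives[:-keep] if keep else archives):
        old.unlink()
    return [a.name for a in archives[-keep:]] if keep else []


def demo():
    """Exercise verify and prune on constructed archives in a temp dir (no mysqldump)."""
    with tempfile.TemporaryDirectory() as d:
        good = Path(d) / "wp-20060305-010000.sql.gz"
        with gzip.open(good, "wb") as f:  # constructed complete dump
            f.write(b"-- MySQL dump (constructed)\nCREATE TABLE wp_posts (id int);\n"
                    b"-- Dump completed on 2006-03-05\n")
        truncated = Path(d) / "wp-20060304-010000.sql.gz"
        with gzip.open(truncated, "wb") as f:  # constructed dump cut off before the trailer
            f.write(b"-- MySQL dump (constructed)\nCREATE TABLE wp_posts (id int);\n")
        (Path(d) / "wp-20060303-010000.sql.gz").touch()  # oldest, should be pruned
        return {"good": verify_archive(good), "truncated": verify_archive(truncated),
                "kept": prune_old_backups(d, "wp", keep=2)}
```

Run run_backup("/etc/wp-backup.cnf", "wordpress_db", "/var/backups/wp") followed by prune_old_backups("/var/backups/wp", "wordpress_db", keep=14) from cron, and copy the archives off the web server: a backup that lives only on the machine that just got wiped is the situation the competition site found itself in.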
However, the big question that’s on my mind - and which was brought up by CountZero - is how did this happen??
“But the really more important task than assigning any guilt to anyone on this case, I suppose, is to find out how the hacker could compromise the machine. Did he use some undiscovered WordPress vulnerability, did he make use of those being published just about a week ago, or did he make use of other security issues on your server? Is it sure that these loophole(s) are closed now, and can you make sure there is no backdoor/rootkit left on the machine now?”
I hope the WordPress team is taking a good look at this to ensure that it wasn’t the result of some previously unknown security vulnerability in WordPress. Was the kycap Theme Competition Blog running on WP 2.0 or WP 2.0.1? And if he was running the latest version (WP 2.0.1), did the hackers get in through a WordPress security flaw, or through some other method related to his specific hosting situation? Or perhaps he had spyware on his PC and they had a keylogger which gave them access to his password so they could just easily log into his account. (Which reminds me that everyone should have Microsoft’s free Anti-Spyware software installed on their Windows PCs.)
Additionally, there has also been speculation that the whole Theme Competition was a hoax (to gain Google PageRank?). Many commenters have found it rather suspicious that even if the database was wiped there still wouldn’t be backups of all of the themes that designers had submitted - after all, they sent them in through email. And what of all the ‘unnamed judges’ (which I always thought was a little shady..) - shouldn’t they have copies of the themes and their descriptions, as well?
IMHO, the Theme Competition site owner (Justin) owes it to the WP community to work with both his webhost and the WordPress team to discover just how that site got hacked, and then reveal that information to everyone - both to restore his credibility and so that we can all know whether we need to be worried about the same thing happening to us - and learn from his situation about how to protect ourselves. Specifically, we need to know whether the hack stemmed from a problem with WordPress security. I’ll rest easier once this information is known, especially since I’m still entrenched in hordes of hours in porting How to Blog over to WP from TypePad (it was easy to import the posts, but there’s all this minutiae that’s taking hordes of hours to deal with as part of the transition).
So far I’ve only had the opportunity to test how WordPress 2.0.1 handles sending of automatic trackbacks (in the Options|Discussion tab, we’re presented with a checkbox that says, “Attempt to notify any Weblogs linked to from the article (slows down posting.)”).
What that means is that for any article linked to in a particular post, WordPress should automatically be sending a ping to alert that article that you’ve written about them, saving you the time of having to manually paste their trackback URI into the Trackbacks section of the Write Post screen.
On what was initially my WP 2.0 Test blog (and which is now my WP 2.0.1 Test Blog), I had reported that in WordPress 2.0, the only blogs that seemed to receive these automatic trackback pings were other WordPress 2.0 blogs.
I had hoped that these problems would be resolved in WordPress 2.0.1, but instead they seem to have worsened, with even more erratic results than before:
- again, no trackback pings to WordPress 1.5.x blogs or TypePad blogs got sent
- again, the only time WP properly sent a single ping to a referenced post was when it was pinging the same version of WordPress, this time from v2.0.1 to v2.0.1
- duplicate pings were sent to WordPress 2.0 blogs that were referenced in a WordPress 2.0.1 post, AND
- duplicate pings were also sent to wordpress.com blogs that were referenced in a WordPress 2.0.1 post - making you look like a spammer
What a bummer.
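The automatic-trackback behaviour described above (for each article linked from a post, find its trackback URI and ping it), as an added example that is not WordPress's code: it models the step in plain Python so the two failure modes in the list above, a linked article that never gets pinged and one that gets pinged twice, can be seen as concrete outcomes. It follows the Trackback autodiscovery convention (the linked page carries an rdf:RDF block whose dc:identifier names the page and whose trackback:ping names the URI to POST to) and keeps a per-post set of URIs already notified, which is what stops a re-saved post from pinging the same article again. The hosts blog-a.example, blog-b.example and my.example, the pages, the post and the blog name are all constructed for the demonstration.

```python
"""Trackback autodiscovery and de-duplicated ping planning (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlencode, urlsplit, urlunsplit


class _LinkExtractor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):  # collect <a href> values in document order
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)


def canonical(url):
    """Drop query and fragment so '.../post/#comments' and '.../post/' count once."""
    p = urlsplit(url.strip())
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", "", ""))


def extract_links(post_html):
    """Distinct absolute http(s) links in a post, in first-seen order."""
    parser = _LinkExtractor()
    parser.feed(post_html)
    seen, out = set(), []
    for href in parser.links:
        if not href.lower().startswith(("http://", "https://")):
            continue  # relative links and mailto: are never trackback targets
        url = canonical(href)
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out


_RDF_BLOCK = re.compile(r"<rdf:RDF.*?</rdf:RDF>", re.S | re.I)
_ATTR = re.compile(r'(dc:identifier|trackback:ping)\s*=\s*"([^"]*)"', re.I)


def discover_trackback_uri(page_html, page_url):
    """Trackback autodiscovery: the linked page embeds an <rdf:RDF> block (usually
    inside an HTML comment) whose dc:identifier names the page and whose
    trackback:ping names the URI to POST to. Return that URI, or None."""
    for block in _RDF_BLOCK.findall(page_html):
        attrs = {k.lower(): v for k, v in _ATTR.findall(block)}
        ping, ident = attrs.get("trackback:ping"), attrs.get("dc:identifier")
        if ping and ident and canonical(ident) == canonical(page_url):
            return ping
    return None


def build_ping(trackback_uri, title, excerpt, url, blog_name):
    """A trackback ping is a form-encoded POST carrying exactly these four fields."""
    body = urlencode({"title": title, "excerpt": excerpt[:255], "url": url, "blog_name": blog_name})
    return {"uri": trackback_uri, "method": "POST",
            "content_type": "application/x-www-form-urlencoded; charset=utf-8", "body": body}


def plan_pings(post_html, fetch, already_pinged, title, excerpt, post_url, blog_name):
    """Pings a just-saved post should send. fetch(url) returns a linked page's HTML
    or None; already_pinged is this post's set of URIs already notified, updated in
    place so that editing and re-saving the post never pings the same article twice."""
    pings = []
    for link in extract_links(post_html):
        page = fetch(link)
        tb = discover_trackback_uri(page, link) if page else None
        if tb is None or tb in already_pinged:
            continue  # nothing to discover, or that article was already told
        already_pinged.add(tb)
        pings.append(build_ping(tb, title, excerpt, post_url, blog_name))
    return pings


# Constructed sample data (hypothetical hosts): two linked pages, and one post that
# links the first page twice (once with a #fragment) and the second page once.
SAMPLE_PAGES = {
    "http://blog-a.example/2006/03/post-one/": """<html><body><p>Post one</p><!--
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
  xmlns:dc="http://purl.org/dc/elements/1.1/"
  xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/">
<rdf:Description rdf:about="http://blog-a.example/2006/03/post-one/"
  dc:identifier="http://blog-a.example/2006/03/post-one/" dc:title="Post one"
  trackback:ping="http://blog-a.example/2006/03/post-one/trackback/" />
</rdf:RDF>
--></body></html>""",
    "http://blog-b.example/entry": "<html><body>No autodiscovery block here.</body></html>",
}
SAMPLE_POST = ('<p>See <a href="http://blog-a.example/2006/03/post-one/">post one</a> and its '
               '<a href="http://blog-a.example/2006/03/post-one/#comments">comments</a>, plus '
               '<a href="http://blog-b.example/entry">another entry</a>.</p>')
SAMPLE_META = ("My post", "An excerpt of my post", "http://my.example/2006/03/my-post/", "How to Blog")


def demo():
    """First save: one ping to blog-a (blog-b exposes nothing to ping). Re-save: none."""
    pinged = set()
    first = plan_pings(SAMPLE_POST, SAMPLE_PAGES.get, pinged, *SAMPLE_META)
    second = plan_pings(SAMPLE_POST, SAMPLE_PAGES.get, pinged, *SAMPLE_META)
    return first, second
```

The page that exposes no autodiscovery block is skipped rather than guessed at, which is the safe choice: a blind POST to a made-up URI is how a blog ends up looking like a spammer to strangers. The already-pinged set belongs with the post (WordPress keeps such a record per post), and it is the absence or loss of that record that turns a harmless re-save into the duplicate pings listed above.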
One month to the day from when WordPress 2.0 first came out, the first WordPress point release to address the many needed bug fixes has come out. The team states that:
‘All in all we’ve closed 114 bugs in the 2.0.1 release, which you’re welcome to check out if you’re curious about every fix. To summarize:
- You can now specify an upload directory, and whether to use date-based storage or not.
- Caching has been fixed under certain PHP environments.
- Permalinks have been fixed for weird environments as well.
- XML-RPC uploading works.
- Compatibility with older versions of PHP.
- Several WYSIWYG fixes and cleanups.
- Imports now use much less memory.
- Now works with MySQL 5.0 in strict mode.’
Now, what’s ominously missing from this list of bug fixes is any mention of the problems with trackbacks, which is my main hesitation for upgrading all my WordPress blogs. Yet in reading through the complete list of fixes, it appears the trackback problems were fixed — see tickets 2197 and 2170 — I must say that I don’t know why the WordPress team didn’t emphasize that in their bulleted list of fixes. In any case, I’m thrilled to hear it’s been fixed — YAY! Hopefully this means I can seriously contemplate moving my blog from TypePad to WordPress. Unfortunately, TypePad doesn’t support functionality for 301 permanent redirects, which are what would be necessary to tell the search engines that my blog has moved (and word to the wise and newbie alike — don’t ever make the mistake that I did and use a subdomain off a typepad.com, wordpress.com, etc. account if you think there’s ever the slightest chance you’d like to use your own domain name down the road, or heaven forbid switch to a different blogging system altogether — moving How to Blog is gonna be one hell of a nightmare, but the benefits that WordPress provides may make it worth it…still on the fence).
In any case, you can download WordPress 2.0.1 here.
Wow, I can’t believe it - I’ve just uploaded the latest update to my WP theme list and it now contains a mindblowing 615 free WordPress themes that WordPress users can download and use on their blogs for free.
Some of the themes have been tested on WordPress 2.0, and have been marked as such, and a few of the themes are actually specifically for WordPress 2.0 and won’t work with 1.5.x (also marked accordingly).
I’m super excited about the prospect of all the new themes to come down the pipeline now that WP 2.0 is out - and for all of the updates to current themes that theme authors might be lured into performing given the fabulous customization that WordPress 2 allows.
For those who don’t know, WordPress 2.0 has taken themes to the next level in a serious way, providing the ability for theme authors to actually give theme users options that can be easily customized through a panel in the administration area of WordPress. If a theme is customizable, there will be a tab under Presentation for “Current Theme Options”.
The Default theme that is packaged with WordPress 2.0 allows you to make changes to the theme’s header, including the font color and colors used for the background of the header.
But themes like Regulus 2.0 really take it up a notch by providing checkboxes allowing the blog owner to change the header image, the color scheme, whether to show full posts or excerpts on the homepage, whether to display the post’s author on the homepage, as well as sidebar options such as ‘show calendar’, ‘show recent posts’, ‘show all archive months’, etc.
You can also see a running demo of a new WP 2.0 theme called BloxPress which actually allows the blog viewer to change the layout of the theme, dragging and dropping theme sections around to change their order in the sidebar at will and adding and removing content as it suits them (something which I wish was incorporated into the WordPress core for the blog owners, at least). Seriously cool stuff.
It’s a beautiful thing, this level of customization. I sincerely hope that more WordPress 2.0 theme authors create their themes with these sort of theme options (and more!) in mind!
WordPress 2.0 also allows theme designers to include a screenshot as part of their theme package which will then display on the Presentation|Themes tab so it’s much easier to select a theme that’s suited to your blogging style.
I’m going to need a better way of managing my theme list now that some themes are for v1.5.x and others just for 2.0, etc., which isn’t something I can easily do from within the constraints of TypePad. Which leads me to my next post: feeling like I’m stuck in limbo and with a conundrum on my hands.
Filed under blogging, Weblogs, WordPress, Templates, Themes, wordpress themes, themes, templates, blog themes, blog templates, blogging themes, blogging templates, wordpress 2.0 themes, wordpress 1.5 themes wordpress theme list by Emily from How to Blog.