WordPress 2.6.2 Released

September 9th, 2008
WordPress, WordPress Security

WordPress 2.6.2: This release is in response to a recent warning to developers from Stefan Esser about the dangers of SQL column truncation and weaknesses of mt_rand(). The issue that forced the release is discussed in detail in the blog post linked above. In short, the attack is complex and depends on open registration being turned on in your blog; it can be executed in theory, but turns out to be more of an annoyance than an actual exploit.

If you have open registration on your blog, the team recommends that you upgrade your install to WordPress 2.6.2. A handful of other fixes are also included in this upgrade. Here is a list of changed files.
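The column-truncation class of bug named above, shown from the defensive side as an added example (this is not WordPress's code or the fix shipped in 2.6.2). It assumes a 60-character login column, simulates MySQL's non-strict truncation on top of SQLite (which does not enforce VARCHAR widths), and contrasts a check-then-insert registration routine with one that validates length and relies on a UNIQUE constraint. All inputs are constructed for the demo.

```python
"""SQL column truncation, shown defensively (added example, not WordPress
code). In MySQL's non-strict sql_mode an over-long string is silently cut to
the column width on INSERT, so a uniqueness check that ran on the full string
finds no match while the stored, truncated value collides with an existing row.
SQLite does not enforce VARCHAR widths, so truncate_like_mysql() stands in for
that behaviour; the 60-character width is an assumption for the demo."""
import sqlite3

LOGIN_WIDTH = 60  # assumed column width, e.g. VARCHAR(60); not WordPress's schema


def truncate_like_mysql(value, width=LOGIN_WIDTH):
    """Mimic non-strict MySQL: keep the first `width` characters, raise nothing."""
    return value[:width]


def open_db(unique_login):
    """In-memory users table; the hardened variant adds a UNIQUE constraint."""
    conn = sqlite3.connect(":memory:")
    constraint = "UNIQUE" if unique_login else ""
    conn.execute(
        f"CREATE TABLE users (id INTEGER PRIMARY KEY, "
        f"user_login TEXT NOT NULL {constraint}, user_email TEXT NOT NULL)"
    )
    return conn


def register_weak(conn, login, email):
    """Existence check on the raw input, then an INSERT the database truncates."""
    exists = conn.execute(
        "SELECT 1 FROM users WHERE user_login = ?", (login,)
    ).fetchone()
    if exists:
        return False
    conn.execute(
        "INSERT INTO users (user_login, user_email) VALUES (?, ?)",
        (truncate_like_mysql(login), email),
    )
    return True


def register_hardened(conn, login, email):
    """Reject anything the column could not store verbatim, and let a UNIQUE
    constraint decide collisions instead of a check-then-insert sequence."""
    if login != login.strip() or len(login) > LOGIN_WIDTH:
        return False
    try:
        conn.execute(
            "INSERT INTO users (user_login, user_email) VALUES (?, ?)",
            (login, email),
        )
    except sqlite3.IntegrityError:
        return False
    return True


def logins_matching(conn, name):
    """Count rows whose stored login equals `name` once trailing spaces are
    ignored, which is how MySQL's PAD SPACE collations compare strings."""
    rows = conn.execute("SELECT user_login FROM users").fetchall()
    return sum(1 for (stored,) in rows if stored.rstrip(" ") == name)


# Constructed inputs: a legitimate 'admin', then a 61-character login that the
# existence check does not match but that truncates to 'admin' plus spaces.
OVERLONG = "admin" + " " * (LOGIN_WIDTH - 5) + "x"


def demo():
    weak = open_db(unique_login=False)
    register_weak(weak, "admin", "owner@example.invalid")
    weak_accepted = register_weak(weak, OVERLONG, "other@example.invalid")

    hardened = open_db(unique_login=True)
    register_hardened(hardened, "admin", "owner@example.invalid")
    hardened_accepted = register_hardened(hardened, OVERLONG, "other@example.invalid")

    return {
        "weak_accepted_overlong": weak_accepted,        # True: second 'admin' row
        "weak_admin_rows": logins_matching(weak, "admin"),          # 2
        "hardened_accepted_overlong": hardened_accepted,  # False: rejected
        "hardened_admin_rows": logins_matching(hardened, "admin"),  # 1
    }


if __name__ == "__main__":
    print(demo())
```

The database-side counterpart to the length check is running MySQL with `STRICT_TRANS_TABLES` (or `STRICT_ALL_TABLES`) in `sql_mode`, which turns silent truncation into an insert error; the application-side check in `register_hardened` is still worth keeping so that the rejection is explicit rather than a caught exception.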




  1. Kabatology (3 comments.) says:

    Well, my weblog doesn’t have an open registration, so I can bypass this update. Come-on next update :-)

    • Jacob Santos says:

      There are other fixes that might have affected you. If not, then you can probably wait until 2.7, which has the said fixes. If you use phpBB or another web application with WordPress on the same domain, then you probably want to upgrade anyway, because there are other exploits that could possibly be made against your blog through a security hole in another web application… in theory, maybe.

      Ask a security expert.

  2. You’ve got to upgrade, man! Because each time the dashboard will tell you to upgrade. That is painful :P

  3. dinu (5 comments.) says:

    upgraded :)

  4. Terje says:

    After upgrading from 2.6 to 2.6.2 I get this message every time I post a new article or edit a post: “could not open file!” (http://domain.tld/wp-admin/post.php)
    The articles do end up getting posted, but why do I get that message? Anyone know?

  5. Tadd (89 comments.) says:

    Well, I don’t have open registration .. heck, I don’t have anyone even view my site … but I figured, why get nagged to upgrade all the time!?

    So I’m upgraded.

    And everything works fine if anyone was worried … just security fixes.

  6. Neil (1 comments.) says:

    I have open registration, I only set the site up last week, and today when I checked my emails I had over 20 new user registrations, all email addresses were nearly the same, all user names were “admin”, I defo think someone had tried to change my pass. I’m upgraded, user accounts deleted and new pass. Let’s hope it works ok.

    • Otto (215 comments.) says:

      Yes, there are active exploits in the wild for this one, so upgrading is really highly recommended.

  7. Philip Barron (1 comments.) says:

    No open registrations at my installations, but the other fixes might apply, so I upgraded. All is well.

  8. James Stein (1 comments.) says:

    Only thing that can stop the hackers is making sure your WordPress install is secured. You do this yourself, not by waiting on WordPress developers. The script itself is the problem and many have already lost millions of dollars due to hackers.

    You must take action yourself and not take in the BS lies about just upgrade.. Upgrading will not stop the hackers.. Only one solution can stop the hackers and that is to change the way your WordPress blog functions (see the url)



  1. […] a new release, people. And this time too it is essentially a bug-fix release and not so much new features […]

  2. […] WordPress bloggers are advised to update to WordPress 2.6, especially those WordPress blogs that have an open registration. The update fixes a mt_rand() weakness that becomes a nuisance – amongst other fixes. To update, it is enough to replace the following files. via [Weblog Tools Collection] […]

  3. […] the English-language Weblogtoolscollection reports that version 2.6.2 is a response to the urgent warning from developer Stefan Esser […]

  4. […] not a big upgrade, so pretty easy to deploy to your blog. WordPress 2.7 shouldn’t be too far away though, so you might want to hold out […]

Obviously Powered by WordPress. © 2003-2013