WordPress Version 2.0.3 Review
Author: Danny Wirken
WordPress, the premier free open-source blogging utility, has
gone through several upgrades in its life. Today it's one of
the most popular blogging tools on the Internet; it's easy to
use, powerful, and very versatile. It also has a very active
base of skilled users who are eager to improve the product and
to help out those who haven't tried it before.
Though the Strayhorn 1.5 version is the favorite for many, it
is not as stable or as secure as the newest version 2.0.3. The
best part of the new version is the security patch; the new
"nonce" security key reduces the chances of a malicious hacker
finding a way into your admin panel. Besides the security
patch, though, several minor bugs have been squashed with this
version. Though a major upgrade to 2.1 is due out soon, the
2.0.3 is something you should definitely download and install
if only because of the security fixes, which were actually
backported from the major upgrade files.
In addition to the 2.0.3 install, you should be aware that some
bugs have already been found, and that a plugin will need to be
installed to repair those bugs. If you modify any of the files
that this patch plugin fixes, you'll need to either merge the
changes with the new files or make those changes manually once
again. You can find these issues by running a diff to locate
changes; if the only changes you find are your own, then you're
fine, and otherwise you'll need to merge them manually into the
new files.
The short list of what WordPress 2.0.3 fixes includes:
• Small performance enhancements
• Movable Type / Typepad importer fix
• Enclosure (podcasting) fix
• The aforementioned security enhancements (nonces)
One mostly annoying bug shipped with 2.0.3 as well. It gives
you an "Are You Sure?" dialog when you edit comments, and adds
a backslash before each quotation mark in the post you're
editing. Make certain to download the patch.
What's Up With The Security Problem?
The security problem seems minor, but the WordPress team is
fixing it before it grows into something major. It's a bug that
takes advantage of the cookie you download when you sign into
WordPress. The cookie in question prevents anyone unauthorized
from accessing your admin panel. It's tied to your user
account, and verifies that you are the authorized administrator
of the account you're working on.
The bug that's being fixed is one that takes advantage of a
social-engineering trick. If someone created a link or a form
pointing to your WordPress admin account, they might possibly
be able to trick you into clicking the link. In the case at
hand, clicking it deletes a post. This sounds both minor and highly
unlikely; but a small crack in the door can be exploited later
by a dedicated hacker. And this is also the kind of bug that, a
few years ago, allowed a hacker access to the Microsoft
databases, from which he stole portions of the Longhorn and
other codes. So yes, you do need to take it seriously.
WordPress had ensured you were safe from this kind of hacking
by checking HTTP_REFERER, the value the browser sends to say
which page a request came from. But this check has some issues.
For instance, with JavaScript in Internet Explorer, it can be
spoofed. In addition, certain firewalls and proxies can strip
the information it's supposed to carry, causing some people to
be unable to use their WordPress admin accounts the way they're
supposed to be able to.
Now, instead of the HTTP_REFERER, a nonce is used; this is a
number used once. It's like a password that changes every
twelve hours, and is valid for twenty-four hours. The nonce is
unique to the specific WordPress install being used, the
WordPress user logged in, the action, the object of the action,
and the 24-hour time of the action. When any of these is
changed, the nonce is no longer valid. All plugin authors will
have to ensure the nonce is added to their forms and other
interactive capabilities that may be affected.
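The nonce scheme described above, modelled as an added example; this
is not WordPress's own code. It assumes HMAC-SHA256 as the keyed hash,
and the secret, user id, action name and post ids are constructed
sample values.

```python
import hashlib
import hmac

TICK_SECONDS = 12 * 60 * 60  # the nonce value changes every twelve hours


def make_nonce(secret, user_id, action, obj, now):
    """Bind the nonce to install secret, user, action, object and 12-hour tick."""
    tick = int(now // TICK_SECONDS)
    msg = f"{tick}|{user_id}|{action}|{obj}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:20]


def verify_nonce(secret, user_id, action, obj, nonce, now):
    """Accept the nonce of the current or the previous tick (up to 24 hours)."""
    supplied = (nonce or "").encode()
    for age in (0, TICK_SECONDS):
        expected = make_nonce(secret, user_id, action, obj, now - age)
        if hmac.compare_digest(expected.encode(), supplied):
            return True
    return False


def handle_delete_post(secret, session_user, post_id, nonce, now):
    """Admin action: a valid login cookie alone is not enough to delete."""
    if not verify_nonce(secret, session_user, "delete-post", post_id, nonce, now):
        return "rejected"
    return f"deleted post {post_id}"


if __name__ == "__main__":
    secret = b"constructed-install-secret"   # constructed sample value
    t0 = 1_150_000_000                       # constructed timestamp
    nonce = make_nonce(secret, 1, "delete-post", 42, t0)
    hour = 3600
    print(handle_delete_post(secret, 1, 42, nonce, t0 + 12 * hour))  # next tick
    print(handle_delete_post(secret, 1, 42, nonce, t0 + 24 * hour))  # too old
    print(handle_delete_post(secret, 1, 43, nonce, t0))              # other post
    print(handle_delete_post(secret, 1, 42, None, t0))               # no nonce
```

A link or form built by someone else cannot carry a valid nonce,
because that person does not know the install's secret.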
Upgrading from WordPress 2.0.2 to 2.0.3
As with any upgrade, the first thing you should do is back up
everything: the files in your WordPress directory, the database
plugin with any changes, and any data you have added should be
backed up as well. In addition, it might be a good idea to do a
second backup of your entire WordPress directory just in case
something goes wrong with your install.
Now remove the wp-admin directory entirely. Also remove the
wp-includes directory, except for any translation and language
files or directories you may have added; add these files to the
backup files you created earlier. Finally, remove all the files
where WordPress is installed with the exception of the file
wp-config.php.
Now you're ready to start your install. Download and unpack the
2.0.3 version in a separate install directory. You want to make
sure you can control files and directories you copy over. Now
install the new wp-admin and wp-includes directories.
Install the rest of the files of the top directory, with the
exception of the wp-config-sample.php file.
Now enter the admin panel. You should see the following
message: "Your database is out of date. Please upgrade." Follow
the link provided to update the database, and follow the
directions there. Now remove the files wp-admin/upgrade.php and
wp-admin/install.php. Download the plugin fix; add it and
activate it. Replace your backup files where they need to be,
and do the comparisons if you've modified any of your earlier
files. This should take care of the whole thing.
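One way to run the comparison mentioned above before you delete
anything, as an added example that is not part of the original article
or of WordPress. It assumes you have unpacked an untouched copy of the
release you are currently running; the directory names are
hypothetical.

```python
import filecmp
import os
import sys

KEEP = {"wp-config.php"}  # the one top-level file the steps above keep


def local_changes(installed, pristine):
    """Compare a live install with an untouched copy of the same release.

    Returns (modified, added): files whose bytes differ from the release,
    and files or directories that exist only in the live install.
    """
    modified, added = [], []

    def walk(cmp, rel):
        for name in cmp.common_files:
            a = os.path.join(cmp.left, name)
            b = os.path.join(cmp.right, name)
            # shallow=False compares contents, not just size and mtime
            if not filecmp.cmp(a, b, shallow=False):
                modified.append(os.path.join(rel, name))
        for name in cmp.left_only:
            path = os.path.join(rel, name)
            if path not in KEEP:
                added.append(path)
        for name, sub in cmp.subdirs.items():
            walk(sub, os.path.join(rel, name))

    walk(filecmp.dircmp(installed, pristine, ignore=[]), "")
    return sorted(modified), sorted(added)


if __name__ == "__main__":
    # Hypothetical usage: python local_changes.py ./blog ./wordpress-2.0.2
    changed, extra = local_changes(sys.argv[1], sys.argv[2])
    for path in changed:
        print("modified:", path)
    for path in extra:
        print("only in install:", path)
```

Anything listed as modified that you do not recognise as your own
change deserves a look before you merge it into the new files.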
For geeks, there is also an upgrade package that only includes
the changed files. Look for it under Changes Diff (2.0.2 >
2.0.3). It consists of a zip file that is much quicker to
install, but you should be certain you can handle it before
using it.
About The Author: http://www.theinternetone.net
