From the WordPress blog
WordPress 2.3.3 is an urgent security release. A flaw was found in our XML-RPC implementation such that a specially crafted request would allow any valid user to edit posts of any other user on that blog.
Emphasis mine. This isn’t that urgent, if you ask me. If you don’t trust users on your blog then they shouldn’t be on your blog. This won’t affect too many people, but still, it’s always worth upgrading and fixing any potential threats no matter how small a risk they are. Grab WordPress 2.3.3 or the patched XML-RPC file if you don’t want to upgrade.
[Update]: This is more urgent than I thought for some people. I forgot that you can let people register on your blog to make comments! Those will be valid users as well and could exploit this bug. I don’t have user registration turned on, but I know a lot of people do, so this is quite serious indeed. Upgrade ASAP.
Sara Smith interviewed Matt Mullenweg, who you might know from WordPress.
When I was working for 451 Press we were getting so much traffic that the servers couldn’t handle the load. WordPress, like any database-driven site, can put quite a strain on a server. The majority of that comes from MySQL queries. The bad part of these kinds of sites is that the pages rarely update. Pages like the front page update a few times a day, as do the category pages, but they don’t change that often. Actual posts and pages only update whenever an author edits them, which is not that often. Part of the HTTP response headers is whether or not a page can or should be cached. WordPress specifically tells the browser NOT to cache any pages generated by WP. Squid, set up as a reverse proxy or caching server, can let you cache a tremendous number of pages with very little overhead, relieving the load on your web server.
The problem is Squid obeys WordPress’ request to “not cache” those pages. The end result is that Squid will cache images, CSS, etc. but not the pages themselves. While this is still a big improvement, as static files get served from cache, freeing up your web server to churn out more WordPress pages, it could still be better.
One thing we did to help reduce the number of MySQL queries was use WP-Cache. Matt mentions in the interview that WordPress 2.4, which is due out pretty soon, will have the new version of WP-Cache built into the core. It’ll be disabled by default but you’ll be able to turn it on if you like. This is a big step forward in making WP more cache-friendly. Add this to Squid with a dash of memcached and opcode caching and you could serve many, many, many times more pages than you were able to previously. This is the magic formula to surviving a Digg or Slashdot or just a very popular site that gets lots of traffic. You might first be inclined to set up several web servers and do some load balancing or something like that, but caching is cheaper and pretty easy to set up. If your site is still getting more traffic than your cache can handle then you can load balance your cache servers!
I’m just happy to see WordPress addressing something like this. As more sites use WP and become popular they are going to need this. It’s no longer just a need of large blog networks.
As of WordPress 2.3 the tables categories, post2cat, and link2cat have been removed. New tables replace them but they aren’t the same. WordPress is moving more towards tagging / taxonomy, which is fantastic. However, many plugins are still using the old table terminology. After I upgraded I did a search in all the plugins I used and disabled them until they get updated. One of them I don’t really use anymore as WP has the features I need to replicate it built in (customizable post listings) while I do want Google sitemaps back.
So keep in mind when upgrading that it might break some of your plugins if they do business with the categories, post2cat or link2cat tables.
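The plugin search described above can be scripted. This is an added example, not code from the original post or from WordPress; the names `scan_plugins` and `demo` and the two sample plugins are made up for illustration, and it assumes plugins reach the removed tables through `$wpdb->NAME` or the default `wp_` table prefix.

```shell
#!/bin/sh
# Added example: list plugins that still reference the tables removed in WordPress 2.3.
# Assumption: plugins name the tables as $wpdb->NAME or with the default "wp_" prefix.

LEGACY_RE='(\$wpdb->|wp_)(categories|post2cat|link2cat)([^A-Za-z0-9_]|$)'

# scan_plugins DIR: print "<plugin>: <removed tables it references>" per affected plugin.
scan_plugins() {
    for entry in "$1"/*; do
        [ -e "$entry" ] || continue
        hits=$(find "$entry" -type f -name '*.php' -exec grep -hoE "$LEGACY_RE" {} + \
            | grep -oE 'categories|post2cat|link2cat' | sort -u | tr '\n' ' ')
        [ -n "$hits" ] && printf '%s: %s\n' "$(basename "$entry")" "${hits% }"
    done
    return 0
}

# Constructed sample tree (not real plugins), so the scan can be tried offline.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/old-sitemap" "$tmp/tag-cloud"
    cat > "$tmp/old-sitemap/sitemap.php" <<'EOF'
<?php $rows = $wpdb->get_results("SELECT * FROM $wpdb->post2cat p JOIN $wpdb->categories c ON p.category_id = c.cat_ID");
EOF
    cat > "$tmp/tag-cloud/cloud.php" <<'EOF'
<?php $cats = get_categories(); $t = $wpdb->get_results("SELECT * FROM $wpdb->terms");
EOF
    scan_plugins "$tmp"
    rm -rf "$tmp"
}

demo
```

Point `scan_plugins` at your own `wp-content/plugins` directory to get the list of plugins to disable until they are updated; calls such as `get_categories()` are deliberately not flagged.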

The WordPress Theme Generator has to be one of the coolest tools for WordPress I’ve seen in a while. Not only does it make it easy to generate a customized theme for WordPress, it also makes it easy to try different colors, something I’ve been known to struggle with. I may have to write my own version of this for internal use to work with my new template that will be used on upcoming projects. This is something that could be useful to Blognetworks too as a tool to let their bloggers customize their own designs more.