WordPress.org

October 1, 2008 Update: The survey is now closed. Thanks to all those who participated.

Another round of mini-mockups and multiple choice questions awaits the first 5000 respondents. WordPress 2.7 UI Survey #2 is now available to take your opinions regarding:

• Where to put the search box
• Where to put the Add New Post button/favorites menu
• How to label the Future Publish/Edit Timestamp function

The survey (hosted by the good guys over at PollDaddy.com) will automatically close after receiving 5000 responses, which only took about two days for the navigation survey, so hurry over and cast your votes.

Note: when the survey has closed, these links will be disabled and this post will be updated.

Note: Survey is closed as of 9/18/08. Thanks for the feedback!

WordPress 2.7 is currently in development and as some people already know, it features a revised layout with a left-hand navigation column that was designed in response to user feedback regarding the use of screen real estate. Because the navigation came straight from the Crazyhorse prototype that was developed quickly for usability testing, it is still a work in progress.

Navigation sections and labels are being decided now, and as usual there are lots of good ideas floating around. As part of the mission to increase user involvement in design decisions, we’ve created a survey intended to give WordPress users the ability to play a part in deciding how the navigation options should be grouped and labeled. If you use WordPress and want to add your opinion, take the survey.

WordPress 2.7 Navigation Options Survey

Stefan Esser recently warned developers of the dangers of SQL Column Truncation and the weakness of mt_rand().  With his help we worked around these problems and are now releasing WordPress 2.6.2.  If you allow open registration on your blog, you should definitely upgrade.  With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password.  The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit.  However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password.  Stefan Esser will release details of the complete attack shortly.  The attack is difficult to accomplish,  but its mere possibility means we recommend upgrading to 2.6.2.

Other PHP apps are susceptible to this class of attack.  To protect all of your apps, grab the latest version of Suhosin.  If you’ve already updated Suhosin, your existing WordPress install is already protected from the full exploit.  You should still upgrade to 2.6.2 if you allow open user registration so as to prevent the possibility of passwords being randomized.

2.6.2 also contains a handful of bug fixes.  Check out the full changeset and list of changed files.