WordPress.org

Version 3.0.4 of WordPress, available immediately through the update page in your dashboard or for download here, is a very important update to apply to your sites as soon as possible because it fixes a core security bug in our HTML sanitation library, called KSES. I would rate this release as “critical.”

This issue affects all versions of WordPress prior to 3.0.4, so if you are still on a 2.X release you need to update as well.

I realize an update during the holidays is no fun, but this one is worth putting down the eggnog for. In the spirit of the holidays, consider helping your friends as well.

If you are a security researcher, we’d appreciate you taking a look over this changeset as well to review our update. We’ve given it a lot of thought and review but since this is so core we want as many brains on it as possible. Thanks to Mauro Gentile and Jon Cave (duck_) who discovered and alerted us to these XSS vulnerabilities first.

I am often asked how decisions are made for WordPress, who’s involved in decision-making, and how the open source project is structured in general. WordPress is a meritocracy, meaning that anyone can get involved, and a combination of the quality of someone’s contributions and their level of interest/time commitment will determine how much influence they have over decisions. Because these factors vary, we have several levels of contributors to the core WordPress application, ranging from full-time lead developers to casual one-patch contributors.

I loved it when that Intel commercial in 2009 gave Ajay Bhatt, co-inventor of the USB, some recognition as a rock star of geekland (though I hated it that it wasn’t actually Ajay Bhatt, but an actor — way to kill the message, Intel).¹ In WordPress-land, most people know who Matt Mullenweg is, but most of the other leaders and contributors are much less visible. Moving forward, I’m going to be posting profiles here of some of our more dedicated contributors.

Why now? We’re coming up on the second annual WordPress core leadership meetup in January 2011, and we’re thinking we’ll hold a video town hall at some point during our time together. Between now and then the profiles I post will be of the core developers who will be at the meetup. After that, I’ll be branching out and posting about other contributors, including developers, designers, forum moderators, etc.

I’ll post here in January when we have dates/times set for the video town hall. In the meantime, you can submit questions for us to answer then in the forum thread What Should 2011 Hold for WordPress?

To get a sense of how all these people fit together and how decisions are made, you can check out the presentation I did at WordCamp Portland in October on How WordPress Decisions Get Made.

^{1 – And how lame is it that Conan O’Brien’s interview with the real Ajay Bhatt is no longer available on the The Tonight Show’s website, and everyone’s embedded videos are blank? I found a copy of it here. And here’s the original Intel commercial if you were living under a rock and never saw it. 🙂}

The first release candidate (RC1) for WordPress 3.1 is now available.

An RC comes after the beta period and before final release. That means we think we’re done. We currently have no known issues or bugs to squash. But with tens of millions of users, a variety of configurations, and thousands of plugins, it’s possible we’ve missed something. So if you haven’t tested WordPress 3.1 yet, now is the time! Please though, not on your live site unless you’re extra adventurous.

Things to keep in mind:

• With nearly 700 tickets closed, there are tons of changes. Plugin and theme authors, please test your plugins and themes now, so that if there is a compatibility issue, we can figure it out before the final release.
• Users are also encouraged to test things out. If you find problems, let your plugin/theme authors know so they can figure out the cause.
• If any known issues crop up, you’ll be able to find them here.

If you are testing the release candidate and think you’ve found a bug, there are a few ways to let us know:

• Post it to the Alpha/Beta area in the support forums
• Report it to the wp-testers mailing list
• Join the development IRC channel and tell us live at irc.freenode.net #wordpress-dev
• File a bug ticket on the WordPress Trac

To test WordPress 3.1, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the release candidate here (zip).

We released WordPress 3.1 Beta 1 on Thanksgiving, so it’s only fitting that the release candidate comes as a Christmas present. Happy holidays and happy testing!

Download WordPress 3.1 RC 1

If you’d like to know which levers to pull in your testing, check out a list of features in our Beta 1 post.

Haikus from Jane on her 39th birthday:

Practice makes perfect
is what they say about things,
but sometimes it’s not.

In this case it is
not practice but refinement,
and then more testing.

You can help WordPress!
Now: 3.1, beta 2
is here; needs testing.

But! Remember this:
Only install on test sites,
as YMMV.

The second beta of WordPress 3.1 is now available!

For things to test, please review our Beta 1 release announcement. A list of known issues can be found on our bug tracker.

Already have a test install that you want to switch over to the beta? Try the beta tester plugin. Please test 3.1 on a test site, not on your live site, as interactions with plugins that haven’t been updated may be unpredictable, and we can’t predict (see how that works?) whether something will break or not… that’s why we’re asking people to help us test everything! 🙂

Testers, don’t forget to use the wp-testers mailing list to discuss bugs you encounter. Plugin and theme authors, please test your plugins for compatibility.

Download the WordPress 3.1 Beta 2 now.

WordPress 3.0.3 is available and is a security update for all previous WordPress versions.

This release fixes issues in the remote publishing interface, which under certain circumstances allowed Author- and Contributor-level users to improperly edit, publish, or delete posts.

These issues only affect sites that have remote publishing enabled.

Remote publishing is disabled by default, but you may have enabled it to use a remote publishing client such as one of the WordPress mobile apps. You can check these settings on the “Settings → Writing” screen.

Download 3.0.3 or update automatically from the “Dashboard → Updates” screen in your site’s admin area.