WordPress Blog

May 25, 2008

WordPress Birthday Party

By Matt. Filed under Events.

On Tuesday, May 27th, WordPress will turn 5 years old. We’ve come a long way from that original 0.7 release.

To celebrate we’re throwing a party in San Francisco at 111 Minna, starting at 9PM. You can get the full details and RSVP on Upcoming.org or on Facebook.

I hope to see some of you there, should be a fun time.

If you host a party in your area for WordPress’ 5th, let us know and we’ll post it here.

Update: Party in Sydney! Blog post, Facebook.

May 20, 2008

Usability Testing in New York

By Ryan. Filed under Development.

We’re doing some usability testing in New York City.  Join in if you’re in the area.

April 30, 2008

Upcoming WordCamps

By Matt. Filed under Events.

WordCamps are my favorite events to go to because there’s something about the core WordPress community that attracts smart folks with good philosophies that are fun to hang out with. In this post I’ve collated the upcoming WordCamps we know about, including the one in San Francisco. Hopefully there will be one nearby so you can meet other WordPressers in your area.

WordCamp San Francisco will be August 16 at the Mission Bay Conference Center.

WordCamp Paris will be on May 3rd. Here’s their official site.

WordCamp Italy in Milan will be May 10th. (And I believe I’ll be there.)

WordCamp Birmingham UK will be July 19-20.

WordCamp Toronto will be October 4th.

There are people in the planning stages in Australia, Philippines, Beijing, Utah, Hawaii, UK, NYC, and possibly others, so if you live in one of those areas and would like to help set up a WordCamp in your area, Google around or connect with bloggers in your area.

You can always find out more at WordCamp Central.

April 25, 2008

WordPress 2.5.1

By Ryan. Filed under Releases.

Version 2.5.1 of WordPress is now available. It includes a number of bug fixes, performance enhancements, and one very important security fix. We recommend everyone update immediately, particularly if your blog has open registration. The vulnerability is not public but it will be shortly.

In addition to the security fix, 2.5.1 contains many bug fixes. If you are interested only in the security fixes, you can download these corrected copies of wp-includes/pluggable.php, wp-admin/includes/media.php, and wp-admin/media.php. Replace your existing copies of these files with these new copies.

If you download the entire 2.5.1 release, you will be getting over 70 other fixes. 2.5.1 focuses on fixing the most annoying bugs and improving performance. Here are some highlights:

  • Performance improvements for the Dashboard, Write Post, and Edit Comments pages.
  • Better performance for those who have many categories
  • Media Uploader fixes
  • An upgrade to TinyMCE 3.0.7
  • Widget Administration fixes
  • Various usability improvements
  • Layout fixes for IE

Secret lives of blogs

Since 2.5 your wp-config.php file allows a new constant called SECRET_KEY which basically is meant to introduce a little permanent randomness into the cryptographic functions used for cookies in WordPress. You can visit this link we set up to get a unique secret key for your config file. (It’s unique and random on every page load.) Having this line in your config file helps secure your blog.

Many thanks to Steven Murdoch for responsibly reporting the security issue (CVE-2008-1930) and Alex Concha for reporting an XSS issue.

April 22, 2008

An Event Apart Discount

By Matt. Filed under Events.

An Event Apart is a web design and development conference which features some of the same fine folks who helped out with WordPress 2.5. (And many others.) I attended the one in Chicago a while back and was engaged the whole day in interesting talks on design, writing copy as interface, advanced CSS, and creativity — each topic presented by the leading folks in the field.

The conference normally costs just under a thousand dollars to attend, which is well worth it, but because of our association with the folks they’ve set up a discount for WordPress users.

If you enter AEAWP on checkout the price drops to $795, or $200 below the regular registration fee. The coupon is unlimited, and can be used for one ticket or five. They have events coming up in New Orleans, Boston, San Francisco, and Chicago. You can learn more and register on their site at aneventapart.com.

We’ll also have some final dates for WordCamp San Francisco coming up, I’ll be posting those soonish so people can start making vacation and travel plans. (Nothing like a blogging vacation.)

March 29, 2008

WordPress 2.5

By Matt. Filed under Releases.

WordPress 2.5, the culmination of six months of work by the WordPress community, people just like you. The improvements in 2.5 are numerous, and almost entirely a result of your feedback: multi-file uploading, one-click plugin upgrades, built-in galleries, customizable dashboard, salted passwords and cookie encryption, media library, a WYSIWYG that doesn’t mess with your code, concurrent post editing protection, full-screen writing, and search that covers posts and pages.

For a short overview of the features with screenshots, it’d be best to visit our sneak peek announcement for RC1. Or check out a 4-minute screencast of the new interface in action. If you just want to jump straight to the good stuff here’s where you can find 2.5 upgrade and download information.

If you want to see everything I would grab a cup of coffee or a mojito, because this post is epic.

User Features

Cleaner, faster, less cluttered dashboard — we’ve worked hard to take your feedback about what’s most important in the dashboard and organize things to allow you to focus on what’s important — your blog — and get out of your way. In collaboration with Happy Cog and the community we’ve taken the first major step forward in the WordPress interface since version 1.5.

Dashboard Widgets — the dashboard home page is now a series of widgets, including ones to show you fun stats about your posting, latest comments, people linking to you, new and popular plugins, and of course WordPress news. You can customize any of the dashboard widgets to show, for example, news from your local paper instead of WP news. Plugins can also hook in, for example the WordPress.com stats widget adds a handy double-wide stats box.

Multi-file upload with progress bar — before when you would upload a large file you’d wait forever, never knowing how far along it was. And uploading more than one photo was an exercise in patience, as you could only do one at a time. Now you can select a whole folder of images or music or videos at once and it’ll show you the progress of each upload.

Bonus: EXIF extraction — if you upload JPEG files with EXIF metadata like camera make and model, aperture, shutter speed, ISO, et al. WordPress will extract all the data into custom fields you can use in your template. If you use the EXIF title fields or similar those will be put into their equivalent fields in WP. Most modern digital cameras generate EXIF data.

Search posts and pages — search used to cover just posts, now it includes pages too, a great boon for those using WordPress as a CMS. New themes can style or sort pages differently in results.

Tag management — you can now add, rename, delete, and do whatever else you like to tags from inside WordPress, no plugins needed.

Password strength meter — when you change your password on your profile it’ll tell you how strong your password is to help you pick a good one.

Concurrent editing protection — for those of you on multi-author blogs, have you ever opened a post while someone was already editing it, and your auto-saves kept overwriting each other, irrecoverably losing hours of work? I bet that added a few words to your vocabulary. Now if you open a post that someone else is editing, WordPress magically locks it and prevents you from saving until the other person is done. You’ll see a message like below.

Few-click plugin upgrades — if the plugins you use are part of the plugin directory since 2.3 we’ve told you when they have an update available. Now we take that to the next logical step — downloading and installing the upgrade for you. This is dependent a little bit on your host setup, and it may ask you for your FTP password much like OS X or Windows will ask you for a password, but it works well on the majority of hosts we were able to test, your mileage may vary, plugins in mirror may be larger than they appear.

Friendlier visual post editor — I’m not sure how to articulate this improvement except to say “it doesn’t mess with your code anymore.” We’re now using version 3.0 of TinyMCE, which means better compatibility with Safari, and we’ve paid particular attention this release to its integration and interaction with complex HTML. It also now has a “no-distractions” mode which is like Writeroom for your browser.

Built-in galleries — when you take advantage of multi-file upload to upload a bunch of photos, we have a new shortcode that lets you easily embed galleries by just putting [ gallery] (without the space) in your post. It’ll display all your thumbnails and captions and each will link to a page where people can comment on the individual photos. I’ve been using this feature on my blog and have already uploaded over 1,200 pictures into 23 galleries. The shortcode has some hidden options too, check out this documentation.

Developer Features

Now for the geeky stuff. While we’re excited about the above features, each one represents a new opportunity or API for other developers to take to another level. (The best of which we’ll someday integrate back into WP.)

Salted passwords — we now use the phpass library to stretch and salt all passwords stored in the database, which makes brute-forcing them impractical. If you use something like mod_auth_mysql we’ve created a plugin that will allow you to use legacy MD5 hashing. (The hashing is completely pluggable.) Users will automatically switch to the more secure passwords next time they log in.

Secure cookies — cookies are now encrypted based on the protocol described in this PDF paper, which is something like user name|expiration time|HMAC(user name|expiration time, k), where k = HMAC(user name|expiration time, sk) and sk is a secret key, which you can define in your config.
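The cookie layout described above, as an added example that is not WordPress code: a Python sketch that issues a user name|expiration time|HMAC(...) cookie and verifies it, rejecting edited or expired values. HMAC-SHA256, the hex encoding of the tag, and the names make_cookie, verify_cookie and SK are assumptions; the post does not specify them.

```python
import hashlib
import hmac
import time
from typing import Optional

DELIM = "|"                            # field separator from the post's description
SK = b"constructed-demo-secret-key"    # constructed stand-in for the config secret key


def _mac(key: bytes, msg: bytes) -> bytes:
    # Assumption: HMAC-SHA256. The post does not name the hash function.
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_cookie(user: str, expires: int, sk: bytes) -> str:
    """Build user|expires|HMAC(user|expires, k) with k = HMAC(user|expires, sk)."""
    if DELIM in user:
        # Keep the three fields unambiguous when the cookie is parsed again.
        raise ValueError("user name must not contain the field separator")
    data = f"{user}{DELIM}{expires}".encode()
    k = _mac(sk, data)                 # per-cookie key derived from the secret
    return f"{user}{DELIM}{expires}{DELIM}{_mac(k, data).hex()}"


def verify_cookie(cookie: str, sk: bytes, now: Optional[int] = None) -> Optional[str]:
    """Return the user name if the cookie is authentic and unexpired, else None."""
    parts = cookie.split(DELIM)
    if len(parts) != 3:
        return None
    user, expires_s, tag_hex = parts
    if not (expires_s.isascii() and expires_s.isdigit()):
        return None
    try:
        tag = bytes.fromhex(tag_hex)
    except ValueError:
        return None
    # Recompute over the exact bytes received, not a normalised form.
    data = f"{user}{DELIM}{expires_s}".encode()
    expected = _mac(_mac(sk, data), data)
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    if (int(time.time()) if now is None else now) >= int(expires_s):
        return None                              # authentic but expired
    return user


if __name__ == "__main__":
    cookie = make_cookie("alice", int(time.time()) + 3600, SK)
    print(cookie)
    print(verify_cookie(cookie, SK))
```

Because the tag covers both the user name and the expiration time, changing either field without knowing the secret key makes verification fail.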

Easy taxonomy and URL creation — probably best illustrated with an example: I can call register_taxonomy() with a few arguments to register a “people” taxonomy and whenever I edit an image I’ll see a UI like tags has for identifying the people in a photo, and these will be URL addressable with /person/firstname-lastname/. All with a single function call.

Inline documentation — the vast majority of the new code going into WordPress includes inline documentation that explains the functions and documents their arguments.

Database optimization — we haven’t changed the table layout in this release, which is one of the reasons so many plugins work fine with 2.5. We have added a few new indices and made a few default fields more flexible based on some bottlenecks we found on WordPress.com, which now hosts 2.7 million WordPress blogs. It should be invisible to the application, just a bit faster on the database side.

$wpdb->prepare() — now almost all of the SQL in WordPress is prepared first, and the same functions are available to your plugins. This should prevent elementary SQL escaping issues.

Media buttons — the add media buttons above the post are both expandable, so you could have an “Add Google Map” button if you like. They can be overridden, so if you think you can do the video or audio tab better than we have you can replace the default.

Shortcode API — the new gallery functionality is powered by the new shortcode API. Shortcodes are little bracket-delineated strings that can be magically expanded at runtime to something more interesting. They give users a short, easy to type and copy/paste string they can move around their post without worrying about messing up complex HTML or embed codes. The Shortcode API is fully documented.

Now you see why 2.5 took a little extra time. :)

Upgrade Notes

2.5 does include security fixes so it is recommended for all users, the 2.3 branch will no longer be updated. The upgrade instructions for this version are pretty much the same as any other version. The most important thing to check is your plugins, so if for example everything works except the new uploader, a legacy plugin might be causing a javascript error on the page and breaking it. If something goes wrong, the safest thing to do is turn your plugins off (we have a button to do them all at once, now) and turn them back on one-by-one, testing the problem along the way. This has solved almost everybody’s problems in testing, and it also lets you know which plugin author to show some love to so they’ll update their plugin, and which plugin authors already have so you can shower them with praises on your blog.

One brief note about some of the new upload and plugin upgrade features, there are some edge-case hosting platforms, like versions of Lighttpd before 1.5 or over-aggressive mod_security rules, which can break. If something isn’t working like it looked in the screenshot, ask your host if there’s something on the server side which may be interfering. Hosts, feel free to join and post to our wp-testers mailing list if you have an environment that requires some extra code to work around. We’d be happy to include it in the next update.

Quick tip: in 2.5 you click the name of things to edit them, like your username to edit your profile or the title of a post to edit it.

The Community is Growing

More than growing, it’s on fire. We always talk about things like downloads, and the 2.3 branch has already had 1.92 million downloads as I write this post, but this time we have some far more interesting information I’d like to share.

There were over 1,200 commits to our repository since 2.3.0 and over 90 people were credited in them. This means in our core code, not plugins, there were at least 90 individual folks that contributed something high-quality enough that it made the cut to be part of the download you guys get today. I had no idea this group of people was so large.

Outside of the core commit team, there was particular help from these people, in rough order of number of credits and tickets: mdawaffe (Michael Adams), azaozz (Andrew Ozz), nbachiyski (Nikolay Bachiyski), andy (Andy Skelton), iammattthomas (Matt Thomas), tellyworth (Alex Shiels), josephscott (Joseph Scott), lloydbudd (Lloyd Budd), DD32 (Dion), filosofo (Austin Matzko), hansengel (Hans Engel), pishmishy, ffemtcj, Viper007Bond, ionfish (Benedict Eastaugh), jhodgdon (Jennifer Hodgdon), Otto42, thee17 (Charles E. Free-Melvin), and xknown. Also want to thank MichaelH and Lorelle on the documentation side, and moshu, Kafkaesqui, whooami, MichaelH, Otto42, and jeremyclark13 for helping with support.

The 2.5 branch is nicknamed “Brecker” in honor of Michael Brecker, an exceptionally talented saxophonist who could cross styles effortlessly and never stopped experimenting and pushing himself until he passed away last year.

New WordPress.org

All of this wasn’t enough, so in our copious spare time we decided to redesign WordPress.org to better match the aesthetics of the new dashboard and also to spruce up a few areas that needed lovin’. Some parts of the site, like the Codex, might show the old style for a day or two. We know, just give us a bit of time. Thanks to Matt Thomas for his epic effort in designing and coding the new site.

What’s Next

As always with WordPress, we don’t claim any of these features to be perfect, or to be better than everyone else in the world, but they are done by and for the people and the one thing we do promise is that with every release we listen and do our best to improve.

2.5 is a major milestone for WordPress not because it added dozens of user-requested features, but because it reaffirms that we’re as passionate about blogging as the day we started. Our community is too fierce to rest on its laurels — contrary to what pundits claim, blogging is far from “finished” and every improvement just whets our appetite for more. And more is coming.

It’s a good thing WordPress doesn’t limit the length of posts, because this one would have hit it. If you made it this far, thanks for sharing a bit of your day with us. I sincerely hope this new version of WordPress helps you do what you love to do.

March 26, 2008

Screencast and WordPress 2.5 RC2

By Matt. Filed under Development.

2.5 is coming along thanks to the fantastic feedback you guys provided on RC1 (over 580 pingbacks and counting), and we’re now ready to show you a bit more of a peek with a short screencast covering the new dashboard and uploader and Release Candidate 2. First here’s the screencast, which is also available embedded below, as a Flash movie, or as a 17mb AVI download:

I’ve uploaded more than a thousand photos already into the new gallery system — it works.

(This was my first screencast, but I hope we can have more on WordPress.org and our documentation in the future.)

If you make frequent backups and you’re interested in helping us out with development by testing the very latest, download and install Release Candidate 2 of WordPress 2.5, and join our testers mailing list to report any bugs you find in the code.

Finally with regards to theme and plugin compatibility, we’ve had no reports of any broken themes in this upgrade, which makes sense because we didn’t really change anything core about themes, just added new optional capabilities like Gravatars. Plugins that work with the admin may require updating to take advantage of the new, cleaner UI in WordPress 2.5.

The community has started to keep a list here of which plugins work great and which don’t. It’s worth looking at, or even better just deactivate your plugins before upgrading for 2.5 and let the built-in updater notify and give you one-click upgrades to plugins you have installed, assuming the developer is cool and has updated their code for 2.5 already.

March 18, 2008

2.5 Sneak Peek

By Matt. Filed under Development.

A customizable dashboard, multi-file upload, built-in galleries, one-click plugin upgrades, tag management, built-in Gravatars, full text feeds, and faster load times sound interesting? Then WordPress 2.5 might be the release for you. It’s been in the oven for a while, and we’re finally ready to open the doors a bit to give you a taste.

For the past few months, we’ve been working with our friends at Happy Cog — Jeffrey Zeldman, Jason Santa Maria, and Liz Danzico — to redesign WordPress from the ground-up. The result is a new way of interacting with WordPress that will remain familiar to seasoned users while improving the experience for everyone. This isn’t just a fresh coat of paint — we’ve re-thought the look of WordPress, as well as how it’s organized so that you can forget about the software and focus on your own creative pursuits.

Here are a few vignettes of what’s in store.

The Dashboard

The Dashboard’s most important role is to inform quickly and get you to where you’re headed in the admin. In interviewing users, we found that most of you ignore the Dashboard entirely — its useful information being mostly hidden in an overly complex design. The new Dashboard is focused on the most relevant tasks at hand: a quick summary of what’s published and scheduled for publication, the latest comments and incoming links, blog stats, and WordPress updates and news. You can add your own RSS feeds and edit the way information is presented so that the new Dashboard conforms to the way you use WordPress.

Navigation

The WordPress navigation has confounded even sophisticated users. With the new design, we’ve cut the number of navigation options in half, separating the primary functions (writing, managing posts and pages, editing the blog’s design, and managing comments) from secondary functions. This presents information at a more comfortable pace, revealing only the information that’s necessary. Everything you need is still there — just better organized. (Especially for people new to WP.)

Write

By far, the most frequently accessed part of WordPress is the Write screen. It gets the job done, but its myriad options can be overwhelming. The new write screen only displays the information that you’ll use most often. It displays the most common fields in a way that makes posting incredibly easy. Additional options are hidden away until you need them. The new Write screen anticipates the natural flow of the way you write, and is smart enough to remember the way you left it so that your preferred writing environment is always quickly available. The new visual editor even has a handy full-screen mode to help block out distractions while composing your newest post. (My personal favorite new feature.)

Manage

The Manage screens have been redesigned and unified so that now, managing your pages, posts, media, and comments all use similar, consistent interfaces. We’ve omitted superfluous information and made what’s important faster to find. We believe these changes will make you a faster, more proficient blogger.

You might also notice there are some new colors, the dashboard feels much fresher and lighter. If you’re jonesing for the old look under your user options you can now select the “classic” colors and get those old blues back. (It’s also pluggable so people can easily add or share their own color schemes.)

If you make frequent backups and you’re interested in helping us out with development by testing the new code, download and install Release Candidate 1 of WordPress 2.5, and join our testers mailing list to report any bugs you find in the code.

We’re also interested in feedback on the new interface and would love to hear your opinions, thoughts, rants, raves, and anything in between. We created a special email address just for the occasion: 2.5-feedback@wordpress.org.

The software is basically done and stable, and could be released today, but we’d like to incorporate feedback from a wider audience before making it available to the general public. After a few days of your feedback we’ll set a final release date. Personally, I can’t wait. :)

February 5, 2008

WordPress 2.3.3

By Ryan. Filed under Development.

WordPress 2.3.3 is an urgent security release. If you have registration enabled a flaw was found in the XML-RPC implementation such that a specially crafted request would allow a user to edit posts of other users on that blog. In addition to fixing this security flaw, 2.3.3 fixes a few minor bugs. If you are interested only in the security fix, download the fixed version of xmlrpc.php and copy it over your existing xmlrpc.php. Otherwise, you can get the entire release here.

Also, there is a vulnerability in the WP-Forum plugin that is being actively exploited right now. If you are using this plugin, please remove it until an update is available from its author.

Since we are talking security, remember to use strong passwords and change them regularly.  While you’re updating WP and your plugins, consider refreshing your passwords.

December 29, 2007

WordPress 2.3.2

By Ryan. Filed under Releases.

WordPress 2.3.2 is an urgent security release that fixes a bug that can be used to expose your draft posts. 2.3.2 also suppresses some error messages that can give away information about your database table structure and limits and stops some information leaks in the XML-RPC and APP implementations. Get 2.3.2 now to protect your blog from these disclosures.

As a little bonus, 2.3.2 allows you to define a custom DB error page. Place your custom template at wp-content/db-error.php. If WP has a problem connecting to your database, this page will be displayed rather than the default error message.

For more detail on what’s new in 2.3.2, view the list of fixed bugs and see the changes between 2.3.1 and 2.3.2.

Special thanks to Alex Concha for his help on this release.
