WordPress 2.6.2

By: Sophia Lucero | September 9, 2008 | No Comments Yet

WordPress 2.6.2 is a security release that addresses two problems: SQL column truncation (a crafted username that the database silently shortens until it collides with an existing account) and weak randomness from PHP's mt_rand().

WordPress 2.6.1 was an optional update, the first in the history of WordPress. Is 2.6.2 optional too? The dev blog's answer:

If you allow open registration on your blog, you should definitely upgrade. With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password.

The dev blog also notes that the same class of vulnerability applies to other PHP-based applications: it stems from MySQL silently truncating over-long values (in its default, non-strict mode) rather than from anything specific to WordPress.
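The mechanism behind the "crafted username" above, as an added example that is not code from WordPress or from the dev blog. The `FakeUsersTable` class is a constructed stand-in for a MySQL `VARCHAR(60)` column in non-strict mode: it cuts over-long values on INSERT and ignores trailing spaces when comparing with `=`, which is exactly the combination a column-truncation attack needs. The registration and password-reset helpers, the column width, and the e-mail addresses are all assumptions made for the illustration; the hardened registration validates the value the database would actually store before checking uniqueness.

```python
"""Column-truncation collision, modelled in plain Python.

Constructed example: FakeUsersTable imitates MySQL's default behaviour for a
VARCHAR(60) user_login column (silent truncation on INSERT, trailing spaces
ignored by '='). Nothing here is WordPress or MySQL code.
"""


class FakeUsersTable:
    """Constructed model of a users table whose user_login is VARCHAR(60)."""

    LOGIN_WIDTH = 60  # assumed column width

    def __init__(self):
        self.rows = []  # each row: {"user_login": str, "email": str}

    @staticmethod
    def _eq(a, b):
        # PAD SPACE collations: trailing spaces do not count in '=' comparisons.
        return a.rstrip(" ") == b.rstrip(" ")

    def select_by_login(self, login):
        """SELECT * FROM users WHERE user_login = %s (MySQL semantics)."""
        return [r for r in self.rows if self._eq(r["user_login"], login)]

    def insert(self, login, email):
        """INSERT in non-strict sql_mode: the value is silently cut to width."""
        self.rows.append({"user_login": login[: self.LOGIN_WIDTH], "email": email})


def register_vulnerable(table, login, email):
    """Uniqueness check on the raw input, then INSERT (the flawed pattern)."""
    if table.select_by_login(login):
        return False
    table.insert(login, email)
    return True


def register_hardened(table, login, email):
    """Validate what will actually be stored, then check uniqueness on that."""
    stored = login[: table.LOGIN_WIDTH]
    if not stored or stored != login or stored != stored.strip():
        # Would be truncated, or carries padding that collides after storage.
        return False
    if table.select_by_login(stored):
        return False
    table.insert(stored, email)
    return True


def reset_password_target(table, login):
    """A name-keyed lookup such as a password-reset handler performs.

    Returns the e-mail of every row MySQL would match for `login`: more than
    one entry means the reset can be mis-targeted.
    """
    return [r["email"] for r in table.select_by_login(login)]


def demo(register):
    """Run the attack against a given registration function.

    Returns (registration accepted?, e-mails matched for 'admin').
    """
    table = FakeUsersTable()
    table.insert("admin", "owner@example.com")  # the victim account (constructed)
    # 61 chars: the trailing 'x' defeats the '=' check, then INSERT drops it,
    # leaving 'admin' + 55 spaces, which compares equal to 'admin'.
    crafted = "admin" + " " * 55 + "x"
    accepted = register(table, crafted, "attacker@example.com")
    return accepted, reset_password_target(table, "admin")


if __name__ == "__main__":
    print("vulnerable:", demo(register_vulnerable))
    print("hardened:  ", demo(register_hardened))
```

Running `demo(register_vulnerable)` shows the crafted name accepted and two rows matching `admin`, so a reset keyed on the username can land on the attacker's row; `demo(register_hardened)` rejects it. Application-side validation is the fix the page is about, but the database-side counterpart is equally important: MySQL's strict sql_mode (`STRICT_TRANS_TABLES`) turns the silent truncation into an error, which removes the precondition for the whole attack.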

Aside from the security fixes, WP 2.6.2 also contains a number of ordinary bug fixes.

Download WordPress 2.6.2 now.


WordPress 2.5’s New Password Hashing Scheme

By: Sophia Lucero | March 28, 2008 | 1 Comment

Ryan Boren tells us there's a new password hashing scheme in WordPress 2.5 (salted, iterated hashes based on the phpass library, replacing plain MD5), along with a new format for cookie authentication. Why does this matter to WordPress users who know little about security?

If you share your users table with other applications, or with other WordPress blogs that won't all be upgraded to 2.5 at once, you'll probably want to keep using MD5 hashes rather than the new ones: software that only understands MD5 cannot verify the new hashes, so those users would be locked out of it.

Thankfully there's a WordPress plugin that lets us keep using MD5 hashes; he strongly recommends installing and activating it as soon as we upgrade to 2.5.

Users who log in before the plugin is installed will get the new hashes, but once the plugin is active they will be moved back to MD5 on their next login (a stored hash can only be converted when the plaintext password is available, which is at login). If you ever want to move to the new hashes, just deactivate the plugin.
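The login-time migration described above, as an added example that is not WordPress or plugin code. The `login()` function verifies against whichever format the stored hash is in (32-hex-char MD5 or a `$P$` portable hash) and then rehashes to the scheme in force: the portable hash normally, or MD5 when a `legacy_md5` flag stands in for the plugin being active. The `$P$` routines are a Python port of the phpass portable algorithm (salted MD5 iterated 2^n times, custom base-64 output) that WordPress 2.5 adopted; the port is written to match that format but is not checked here against real WordPress hashes, and the user store, names and passwords are constructed for the illustration.

```python
"""Login-time rehashing between MD5 and phpass-style "$P$" portable hashes.

Constructed example. The phpass routines are a port of the portable scheme
(iterated salted MD5 with phpass' own base-64 alphabet); the in-memory user
store and the legacy_md5 switch model the plugin behaviour the page describes.
"""
import hashlib
import hmac
import os
import re

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def _encode64(data, count):
    """phpass' base-64: 3 bytes -> 4 chars, least-significant bits first."""
    out, i = [], 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def phpass_crypt(password, setting):
    """Compute a portable hash for `password` under `setting` ("$P$" + cost + 8-char salt).

    Passing an existing full hash as `setting` recomputes it for comparison.
    """
    if setting[:3] != "$P$" or len(setting) < 12:
        raise ValueError("not a phpass portable setting")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("unsupported iteration count")
    salt, pw = setting[4:12].encode(), password.encode()
    h = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):  # 2**count_log2 chained MD5 rounds
        h = hashlib.md5(h + pw).digest()
    return setting[:12] + _encode64(h, 16)


def phpass_hash(password, count_log2=8):
    """New portable hash with a fresh random 8-character salt."""
    salt = _encode64(os.urandom(6), 6)
    return phpass_crypt(password, "$P$" + ITOA64[count_log2] + salt)


def md5_hex(password):
    """The pre-2.5 scheme: unsalted MD5, hex encoded."""
    return hashlib.md5(password.encode()).hexdigest()


def is_md5_hash(stored):
    return bool(_MD5_HEX.match(stored))


def check_password(password, stored):
    """Verify against whichever format the stored hash is in."""
    if stored.startswith("$P$"):
        return hmac.compare_digest(phpass_crypt(password, stored), stored)
    if is_md5_hash(stored):
        return hmac.compare_digest(md5_hex(password), stored)
    return False


def login(users, name, password, legacy_md5=False):
    """Verify, then rehash to the scheme in force (MD5 while legacy_md5 is set,
    otherwise the portable hash). Rehashing is only possible here, at login,
    because this is the one moment the plaintext is available.
    Returns True on success and may rewrite users[name]."""
    stored = users.get(name)
    if stored is None or not check_password(password, stored):
        return False
    if legacy_md5 and not is_md5_hash(stored):
        users[name] = md5_hex(password)
    elif not legacy_md5 and is_md5_hash(stored):
        users[name] = phpass_hash(password)
    return True


if __name__ == "__main__":
    users = {"alice": md5_hex("correct horse")}  # constructed legacy account
    login(users, "alice", "correct horse")               # migrates to $P$
    login(users, "alice", "correct horse", legacy_md5=True)  # plugin active: back to MD5
```

Two points worth noting for anyone implementing this pattern. First, the whole scheme is driven by the format of the stored value, so the MD5 detector must be strict (exactly 32 lower-case hex characters), or an attacker-controlled string in the table could be misread. Second, a user who never logs in is never migrated in either direction, which is why Boren's advice to activate the plugin immediately after upgrading matters: every login before that point writes a hash the MD5-only applications cannot use until the next login converts it back.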
