WordPress 2.8.5 offers improved security
WordPress version 2.8.5 promises better security. Described by the development team as a 'hardening release', it contains a number of functions backported from the version 2.9 beta which should make the blogging system more resistant to attack. According to developer Peter Westwood, these include a fix for Trackback-related denial-of-service (DoS) attacks and the deletion of areas of code which allowed PHP code in variables to be executed via the eval() function.
Administrators will also no longer be able to upload arbitrary files to the media library. The whitelist of permissible file extensions had previously applied to normal users only. The aim here is to make it harder for attackers, having penetrated administrator accounts, to upload and execute PHP code.
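The change to the upload check can be pictured with the following added example, which is not WordPress core code: it contrasts a check that exempts administrators with one that applies the same extension whitelist to every role. The function names, the extension list and the sample file names are assumptions made for illustration.

```php
<?php
// Added illustration; not WordPress core code. All names and the extension list are assumptions.

const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

/** Lower-cased final extension of a file name, or '' when there is none. */
function upload_extension(string $filename): string
{
    // basename() drops any directory part a client may have put in the name.
    return strtolower(pathinfo(basename($filename), PATHINFO_EXTENSION));
}

/** Behaviour before the change, as the article describes it: the list bound normal users only. */
function upload_allowed_before(string $filename, bool $isAdmin): bool
{
    if ($isAdmin) {
        return true; // administrators skipped the whitelist entirely
    }
    return in_array(upload_extension($filename), ALLOWED_EXTENSIONS, true);
}

/** Hardened behaviour: the same whitelist applies to every role. */
function upload_allowed_hardened(string $filename): bool
{
    return in_array(upload_extension($filename), ALLOWED_EXTENSIONS, true);
}

// Constructed sample uploads: [file name, uploader is administrator]
$samples = [
    ['holiday.JPG', false],
    ['report.pdf', true],
    ['theme-helper.php', false],
    ['theme-helper.php', true],
    ['README', true],
];

foreach ($samples as [$name, $isAdmin]) {
    printf(
        "%-18s admin=%-3s before=%-5s hardened=%s\n",
        $name,
        $isAdmin ? 'yes' : 'no',
        upload_allowed_before($name, $isAdmin) ? 'allow' : 'deny',
        upload_allowed_hardened($name) ? 'allow' : 'deny'
    );
}
```

The only rows where the two checks disagree are the administrator uploads of a file outside the list, which is the case the release closes.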
Additionally, the development team recommends the WP plug-in "WordPress Exploit Scanner", which helps users detect signs of intrusion on their websites. The plug-in searches for suspicious entries in files and the database (blog entries and comments) and checks the list of active plug-ins for unwelcome names. Plug-in developer Donncha O Caoimh points out that the plug-in does not, however, prevent attacks.