Ticket #594 (closed maintenance: fixed)
WordPress 3.6.1 Maintenance and Security Release
| Reported by: | chris | Owned by: | chris |
|---|---|---|---|
| Priority: | critical | Milestone: | Maintenance |
| Component: | Parrot server | Keywords: | |
| Cc: | ed, laura | Estimated Number of Hours: | 0.0 |
| Add Hours to Ticket: | 0 | Billable?: | yes |
| Total Hours: | 6.8 |
Description
The following is from http://wordpress.org/news/2013/09/wordpress-3-6-1/
WordPress 3.6.1 is also a security release for all previous WordPress versions and we strongly encourage you to update your sites immediately. It addresses three issues fixed by the WordPress security team:
- Block unsafe PHP unserialization that could occur in limited situations and setups, which can lead to remote code execution. Reported by Tom Van Goethem.
- Prevent a user with an Author role, using a specially crafted request, from being able to create a post “written by” another user. Reported by Anakorn Kyavatanakij.
- Fix insufficient input validation that could result in redirecting or leading a user to another website. Reported by Dave Cummo, a Northrup Grumman subcontractor for the U.S. Centers for Disease Control and Prevention.
Additionally, we’ve adjusted security restrictions around file uploads to mitigate the potential for cross-site scripting.
Change History
comment:1 Changed 3 years ago by chris
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 0.0 to 0.25
comment:2 Changed 3 years ago by chris
- Add Hours to Ticket changed from 0.0 to 0.5
- Total Hours changed from 0.25 to 0.75
Report by email from the Transition Streets admin:
Having looked at the Transition Streets site at www.transitiontogether.org.uk and tried to upgrade to 3.6.1 I get this message:
"Destination directory for file streaming does not exist or is not writable."
Looking at the Apache error log for the site we have entries such as:
[Mon Sep 16 07:45:14 2013] [error] [client 83.149.126.98] PHP Warning: file_exists(): open_basedir restriction in effect. File(/home/transstreets) is not within the allowed path(s): (/home/ts/:/tmp/) in /home/ts/sites/default/wp-includes/functions.php on line 1302 [Mon Sep 16 07:45:14 2013] [error] [client 83.149.126.98] PHP Warning: file_exists(): open_basedir restriction in effect. File(/home/transstreets/public_html/wp-content/uploads) is not within the allowed path(s): (/home/ts/:/tmp/) in /home/ts/sites/default/wp-includes/functions.php on line 1302
Clearly some old paths need fixing, so dumping the database, editing it and reinserting it:
sudo -i su-user ts cd sites/default/ wp db export Success: Exported to ts.sql mv ts.sql ../../private/ vim ../../private/ts.sql :1,$s;home/transstreets/public_html;home/ts/sites/default;g 3 substitutions on 1 line wp db import ../../private/ts.sql Success: Imported from ../../private/ts.sql rm ../../private/ts.sql
Trying the update on the command line:
wp core update Downloading update from http://wordpress.org/wordpress-3.6.1-new-bundled.zip... PHP Warning: touch(): Unable to create file /home/francis/public_html/transitionstreets/wp-content/uploads/wordpress-3.tmp because No such file or directory in /home/ts/sites/default/wp-admin/includes/file.php on line 177 PHP Warning: unlink(/home/francis/public_html/transitionstreets/wp-content/uploads/wordpress-3.tmp): No such file or directory in /home/ts/sites/default/wp-admin/includes/file.php on line 489 Error: Download failed. Destination directory for file streaming does not exist or is not writable.
So searching the the old paths in the files:
grep -rl "/home/francis" . ./wp-config.php
The following variables were changed:
define('WP_TEMP_DIR', '/home/ts/tmp');
Now the update runs OK:
wp core update Downloading update from http://wordpress.org/wordpress-3.6.1-new-bundled.zip... Unpacking the update... Success: WordPress updated successfully.
comment:3 Changed 3 years ago by chris
- Add Hours to Ticket changed from 0.0 to 1.5
- Total Hours changed from 0.75 to 2.25
Laura has updated ttt, the sites which have not been updated are:
- earthin 3.5.1
- movie 3.3.2
- recon 3.5.2
So, setting up development copies of them and using the curses-create-user to create new user accounts, first one being recondev:
cd /home/recon/sites/default wp db export /home/recondev/private/recon.sql Success: Exported to /home/recondev/private/recon.sql cd /home/recondev/sites/default/ wp db import /home/recondev/private/recon.sql Success: Imported from /home/recondev/private/recon.sql rm /home/recondev/private/recon.sql rsync -av --exclude="wp-config.php" /home/recon/sites/default /home/recondev/sites/default rm -rf /home/recondev/sites/default/wp-content/backups/* cp /home/recon/sites/default/.htaccess /home/recondev/sites/default/ echo "User-agent: *" > /home/recondev/sites/default/robots.txt echo "Disallow: /" >> /home/recondev/sites/default/robots.txt chown -R recondev:recondev /home/recondev/sites/default
Then the site URL was manually set by editing /home/recondev/sites/default/wp-config.php as per http://codex.wordpress.org/Changing_The_Site_URL
define('WP_HOME','http://recondev.parrot.webarch.net');
define('WP_SITEURL','http://recondev.parrot.webarch.net');
But after all this the site just displays a blank page and theere is nothing in the error.log, http://recondev.parrot.webarch.net/
So, the two files that were changed were backed up:
cd /home/recondev/sites/default cp wp-config.php ../../private/ cp robots.txt ../../private/
And the /usr/local/bin/mysql-drop-tables script was used to drop all the tables in the database:
mysql-drop-tables recondev Deleting wp_bad_behavior table from recondev database... Deleting wp_commentmeta table from recondev database... Deleting wp_comments table from recondev database... Deleting wp_gdsr_data_article table from recondev database... Deleting wp_gdsr_data_category table from recondev database... Deleting wp_gdsr_data_comment table from recondev database... Deleting wp_gdsr_ips table from recondev database... Deleting wp_gdsr_moderate table from recondev database... Deleting wp_gdsr_multis table from recondev database... Deleting wp_gdsr_multis_data table from recondev database... Deleting wp_gdsr_multis_trend table from recondev database... Deleting wp_gdsr_multis_values table from recondev database... Deleting wp_gdsr_templates table from recondev database... Deleting wp_gdsr_votes_log table from recondev database... Deleting wp_gdsr_votes_trend table from recondev database... Deleting wp_links table from recondev database... Deleting wp_options table from recondev database... Deleting wp_postmeta table from recondev database... Deleting wp_posts table from recondev database... Deleting wp_ratings table from recondev database... Deleting wp_term_relationships table from recondev database... Deleting wp_term_taxonomy table from recondev database... Deleting wp_terms table from recondev database... Deleting wp_usermeta table from recondev database... Deleting wp_users table from recondev database... Deleting wp_wassup table from recondev database... Deleting wp_wassup_meta table from recondev database... Deleting wp_wassup_tmp table from recondev database... Deleting wp_wpb2d_excluded_files table from recondev database... Deleting wp_wpb2d_options table from recondev database... Deleting wp_wpb2d_premium_extensions table from recondev database... Deleting wp_wpb2d_processed_files table from recondev database... Deleting wp_wpcreviews table from recondev database... Deleting wp_yarpp_keyword_cache table from recondev database... Deleting wp_yarpp_related_cache table from recondev database...
And the files where deleted:
rm -rf /home/recondev/sites/default/*
And the files were copied across again:
rsync -av --exclude="wp-config.php" --exclude="backup" --exclude="backups" /home/recon/sites/default/ /home/recondev/sites/default/ cp /home/recondev/private/wp-config.php /home/recondev/sites/default/ cp /home/recondev/private/robots.txt /home/recondev/sites/default/ chown -R recondev:recondev /home/recondev/sites/default
And the database dumped and imported:
cd /home/recon/sites/default wp db export /home/recondev/private/recon.sql Success: Exported to /home/recondev/private/recon.sql cd /home/recondev/sites/default/ wp db import /home/recondev/private/recon.sql Success: Imported from /home/recondev/private/recon.sql rm /home/recondev/private/recon.sql
So there is now a working copy of the site at http://recondev.parrot.webarch.net/ which shouldn't get indexed due to http://recondev.parrot.webarch.net/robots.txt
Upgrading it:
cd /home/recondev/sites/default wp core update Downloading update from http://wordpress.org/wordpress-3.6.1-new-bundled.zip... Unpacking the update... Success: WordPress updated successfully.
And the site looks like it's working OK (if you take care not to follow links to http://www.reconomy.org/), eg:
- http://recondev.parrot.webarch.net/
- http://recondev.parrot.webarch.net/category/what-can-i-do/lead-the-transition/
There are still these plugins that need updating:
cd /home/recondev/sites/default wp plugin status | grep U UA akismet UA backupwordpress UA contact-form-7 UA facebook-members UA google-analyticator UA jetpack UA newsletter-sign-up UA recent-posts-slider UI sidebar-login UA wordpress-backup-to-dropbox Legend: A = Active, I = Inactive, U = Update Available
I'll now set up dev copies of the other two sites.
comment:4 Changed 3 years ago by chris
- Add Hours to Ticket changed from 0.0 to 0.1
- Total Hours changed from 2.25 to 2.35
A couple of plugins have been deactivated on the recondev site:
wp plugin deactivate backupwordpress Success: Plugin 'backupwordpress' deactivated. wp plugin deactivate wordpress-backup-to-dropbox Success: Plugin 'wordpress-backup-to-dropbox' deactivated.
comment:5 Changed 3 years ago by chris
- Add Hours to Ticket changed from 0.0 to 0.5
- Total Hours changed from 2.35 to 2.85
Setting up a copy of the movie site, first curses-create-user was used to create a moviedev account and site, then the following was done:
cd /home/moviedev/sites/default/ cp wp-config.php /home/moviedev/private/ rm -rf * cp /home/moviedev/private/wp-config.php . rsync -av -exclude="wp-config.php" /home/movie/sites/default/ /home/moviedev/sites/default/ echo "User-agent: *" > /home/moviedev/sites/default/robots.txt echo "Disallow: /" >> /home/moviedev/sites/default/robots.txt chown -R moviedev:moviedev /home/moviedev/sites/default
The database was copied and imported:
cd /home/movie/sites/default/ wp db export /home/moviedev/private/movie.sql Success: Exported to /home/moviedev/private/movie.sql cd /home/moviedev/sites/default/ wp db import ../../private/movie.sql Success: Imported from ../../private/movie.sql
Then the site was updated:
cd /home/moviedev/sites/default wp core update Downloading update from http://wordpress.org/wordpress-3.6.1-new-bundled.zip... Unpacking the update... Success: WordPress updated successfully.
But the site was blank and there was this error in the logs:
PHP Fatal error: Call to undefined function wp_get_current_user() in /home/moviedev/sites/default/wp-includes/capabilities.php on line 1281
So following the suggestion at http://wordpress.org/support/topic/fatal-error-call-to-undefined-function-wp_get_current_user-4 the following was added to /home/moviedev/sites/default/wp-includes/capabilities.php:
require_once('pluggable.php');
These variables were added to wp-config.php:
define('WP_HOME','http://moviedev.parrot.webarch.net');
define('WP_SITEURL','http://moviedev.parrot.webarch.net');
And that fixed the problem, the dev site can be tested here:
http://moviedev.parrot.webarch.net/
There are these outstanding plugin updates:
wp plugin status | grep U UA affiliates-woocommerce-light UA akismet UA event-o-matic UA transposh-translation-filter-for-wordpress UA usernoise UA wp-customer-reviews Legend: A = Active, U = Update Available
comment:6 Changed 3 years ago by chris
- Add Hours to Ticket changed from 0.0 to 0.15
- Total Hours changed from 2.85 to 3.0
The Earth Inheritors site is very simple, so I think it's safe to update it without creating a dev version:
su-user earthin cd sites/default/ wp plugin status 3 installed plugins: UI akismet I hello UA wp-piwik Legend: I = Inactive, A = Active, U = Update Available wp plugin update-all Enabling Maintenance mode... Downloading update from http://downloads.wordpress.org/plugin/akismet.2.5.9.zip... Unpacking the update... Installing the latest version... Removing the old version of the plugin... Plugin updated successfully. Downloading update from http://downloads.wordpress.org/plugin/wp-piwik.0.9.9.6.zip... Unpacking the update... Installing the latest version... Removing the old version of the plugin... Plugin updated successfully. Disabling Maintenance mode... Success: Updated 2/2 plugins. wp core version 3.5.1 wp core update Downloading update from http://wordpress.org/wordpress-3.6.1-new-bundled.zip... Unpacking the update... Success: WordPress updated successfully.
The site was then tested all everything looks OK:
comment:7 Changed 3 years ago by chris
- Add Hours to Ticket changed from 0.0 to 0.15
- Total Hours changed from 3.0 to 3.15
The recondev site has had all the plugins updated and everything is reported as working, so updating the live site:
su-user recon cd ~/sites/default/ wp core update Downloading update from http://wordpress.org/wordpress-3.6.1-new-bundled.zip... Unpacking the update... Success: WordPress updated successfully. wp plugin update-all PHP Warning: call_user_func_array() expects parameter 1 to be a valid callback, function '_show_post_preview' not found or invalid function name in /home/recon/sites/default/wp-includes/plugin.php on line 406 Enabling Maintenance mode... Downloading update from http://downloads.wordpress.org/plugin/akismet.2.5.9.zip... Unpacking the update... Installing the latest version... Removing the old version of the plugin... Plugin updated successfully. Downloading update from http://downloads.wordpress.org/plugin/backupwordpress.2.3.3.zip... Unpacking the update... Installing the latest version... Removing the old version of the plugin... Plugin updated successfully. Downloading update from http://downloads.wordpress.org/plugin/contact-form-7.3.5.2.zip... Unpacking the update... Installing the latest version... Removing the old version of the plugin... Plugin updated successfully. Downloading update from http://downloads.wordpress.org/plugin/facebook-members.5.0.7.zip... Unpacking the update... Installing the latest version... Removing the old version of the plugin... Plugin updated successfully. Downloading update from http://downloads.wordpress.org/plugin/google-analyticator.zip... Unpacking the update... Installing the latest version... Removing the old version of the plugin... Plugin updated successfully. Downloading update from http://downloads.wordpress.org/plugin/jetpack.2.4.2.zip... Unpacking the update... Installing the latest version... Removing the old version of the plugin... Plugin updated successfully. Downloading update from http://downloads.wordpress.org/plugin/newsletter-sign-up.zip... Unpacking the update... Installing the latest version... Removing the old version of the plugin... Plugin updated successfully. Downloading update from http://downloads.wordpress.org/plugin/recent-posts-slider.0.7.3.zip... Unpacking the update... Installing the latest version... Removing the old version of the plugin... Plugin updated successfully. Downloading update from http://downloads.wordpress.org/plugin/sidebar-login.2.6.0.zip... Unpacking the update... Installing the latest version... Removing the old version of the plugin... Plugin updated successfully. Downloading update from http://downloads.wordpress.org/plugin/wordpress-backup-to-dropbox.zip... Unpacking the update... Installing the latest version... Removing the old version of the plugin... Plugin updated successfully. Disabling Maintenance mode... Success: Updated 10/10 plugins.
The only outstanding site needing updating is now the Movie site.
comment:8 follow-up: ↓ 9 Changed 3 years ago by laura
- Add Hours to Ticket changed from 0.0 to 1.5
- Total Hours changed from 3.15 to 4.65
Re Transition Movie website -
Chris enabled a clone on parrot for me to test out the updates to see if the site will work with the latest WP release. JS popup errors were thrown after running the update, and I tracked the issue to being due to some scripting in the Woocommerce plugin. Obviously the whole plugin can't and musn't be updated right now (nor any related plugins to Woocommerce, and also Event-o-matic too) as there are major changes which will require time of dev poss bit of design work, and also updates to costings for shipping to be provided for input or inputted - so to enable the security updates for WP to take place, I did some testing, and fixing.
About the error alert - (It's an alert, nowt to do with Wordpress or Woocommerce as such)
jQuery BlockUI alert error
Plugins and themes that happen to be using jQuery.BlockUI may have an interesting error where they get a popup saying that they need to use jQuery later than v 1.2.3 even though WordPress is using 1.10.1+
This is caused by math not acting the way humans assume it will. In older versions of the jQuery.BlockUI code used by plugins there is a little 'buglet' - the code tests for versions BUT drops the trailing '0', so instead of asking is 1.10 greater than 1.2, it tests if 1.1 is greater than 1.2, and so it fails.
files now updated/edited to remove error alert on tnmovie live site ready for upgrade to WP 3.6.1
Removed "alert('blockUI requires jQuery v1.3 or later! You are using v' + $.fn.jquery);return;" (but not the "{" or "} )
/plugins/woocommerce/assets/js
woocommerce_plugins.js
woocommerce.min.js
admin/woocommerce_admin.js
admin/woocommerce_admin.minjs
Tests completed after altering the files-
1 - in the dev version of devmovie - I altered the settings for the cart to my contacts and a simple cash on delivery option to test placing an order and tested out different quantities and shipping options - all ok
2 - placed a test order - all ok
3 - checked emails to test customer and admin - all ok
4 - completed order. - all ok
i did try to update the UI Block.js to a newer version - but in this now old version of Woocommerce, there were too many dependencies on it, and various key things to the shop functionality stopped working, so best option to allow for working without the alerts was this method implemented above to allow for the core WP update to take place until a longer term option (or not) is agreed.
Newer versions of Woocommerce have tidied greatly the integration of UI Blocks js so not so much of an issue for the future if / when updating Woocommerce properly which'll then need some re configuring (esp the shipping rates as that plugin is totally re-written in the newer version!) and some theme tweaks and a few changes to template calls too.
So, hopefully db update can take place on tnmovie live site. I tried to login to make some alterations in the dashboard, but looks like the files for Wordpress core 3.6.1 have already been placed and it's waiting to do the DB update so am unable to login until this has happened.
I can run this if needed, be good to know there is a full backup we can roll back to if any probs to how it was before if needed as cannot guarantee that this older woocommerce is fully compatible with WP3.6.1 but after the test run on devmovie clone site - shop function worked (but didn't test using paypal payment option)
If Chris is running the db update on tnmovie live, let me know asap when done as need to login to alter a couple of things in the dashboard and update a couple of the 'OK to update' plugins and remove the twitter widget from the home page and adjust a quick theme bit as the twitter feed no longer works with the newer twitter api just for tidyness, will only take a couple of mins.
Just for info, I have a copy of the unaltered original woocommerce plugin prior to this mornings alterations here too.
- Laura
comment:9 in reply to: ↑ 8 Changed 3 years ago by chris
Replying to laura:
So, hopefully db update can take place on tnmovie live site. I tried to login to make some alterations in the dashboard, but looks like the files for Wordpress core 3.6.1 have already been placed and it's waiting to do the DB update so am unable to login until this has happened.
That's puzzling, I haven't touched the live movie site as far as I'm aware. I'm happy for you to to the update if / when is good for you and I'm also able to do it if we can agree a time that is good for both of us, sometime this evening or tomorrow morning would be good for me.
comment:10 Changed 3 years ago by laura
if you go to the /wp-admin of instransitionmovie.com you get the message -
"Database Update Required
WordPress has been updated! Before we send you on your way, we have to
update your database to the newest version.
The update process may take a little while, so please be patient."
which was showing also on the devmovie site when trying to login too.
So something tried to update somewhere me thinks!
Re updating core (and can do a couple of plugins at the same time) I can
do this this evening if helpful.
Laura
On 17/09/2013 14:45, Transiton Technology Trac wrote:
> #594: WordPress 3.6.1 Maintenance and Security Release
> -------------------------------------+-------------------------------------
> Reporter: chris | Owner: chris
> Type: maintenance | Status: new
> Priority: critical | Milestone:
> Component: Parrot server | Maintenance
> Keywords: | Resolution:
> Add Hours to Ticket: 0 | Estimated Number of Hours: 0.0
> Total Hours: 4.65 | Billable?: 1
> -------------------------------------+-------------------------------------
>
> Comment (by chris):
>
> Replying to [comment:8 laura]:
> >
> > So, hopefully db update can take place on tnmovie live site. I tried to
> login to make some alterations in the dashboard, but looks like the files
> for Wordpress core 3.6.1 have already been placed and it's waiting to do
> the DB update so am unable to login until this has happened.
>
> That's puzzling, I haven't touched the live movie site as far as I'm
> aware. I'm happy for you to to the update if / when is good for you and
> I'm also able to do it if we can agree a time that is good for both of us,
> sometime this evening or tomorrow morning would be good for me.
>
comment:11 Changed 3 years ago by laura
Before updating did a check in sftp read me files and seemed to be older version. Possibly something odd between server moves. Updated on login screen, then logged in as per normal. Then did the updates...
Actions taken this evening on tnmovie website:
- Did a back up dump of all site files, and ran db backup (just in case!)
- Ran Wordpress 3.6.1 - had blank screen, and checked error log. Added the hack to capabilities.php as mentioned earlier in the thread.
3.Updated the following plugins that can be updated:
Askimet
BackupWordpress?
Usernoise
Wp-Pwik
WP Customer Reviews
Transposh Translation Filter - Noted the lovely flags disappeared, so followed transposh's blog to upgrade to their latest version from their own site as recommended.
- Checked all seems okay
- No error messages appearing on screen as such, as per the earlier tests on the dev version of the site, and have altered (see earlier thread) 4 files in the Woocommerce.
Transposh needed tweak in constants.php to make the UK flag show for English (had to do this last time)
'en' => 'English,English,us,en_US',
And changed it to:
'en' => 'English,English,gb,en_US',
Changed twitter widget on home page also as that called to the old API, hence the blank block area. Added some blurb text from the About page to fill the space to make it look tidier.
Hopefully all working okay. Tested out adding items to cart, and changing quantities, delivery locations, all worked okay, but did not place an order. Will await any contact from Amber if orders aren't functioning fully.
comment:12 Changed 3 years ago by laura
One more little add, seen this before in some WP sites after upgrading to WP 3.5+ where the jquery isn't functioning fully in the dashboard, it wasn't working on the tnmovie website, so added new line on wp-config.php
define('CONCATENATE_SCRIPTS', false);
added on line 91 on wp-config.php
Logged back into tnmovie website and the jquery hover effects (mainly in the side menu in the dashboard with popout menu items) are all now functioning again fully.
- Laura
comment:13 Changed 3 years ago by chris
- Add Hours to Ticket changed from 0.0 to 0.75
- Total Hours changed from 4.65 to 5.4
Thanks for all the work you have done on this Laura, please don't forget to record you time against this ticket.
All the wiki:WordPress site are wiki:ParrotServer are now running WordPress 3.6.1 and I have updated the wiki pages for each site to link to the development version of the site etc, the outstanding issues are:
- The wp script doesn't work with the Earth Inheritors site, wiki:EarthInheritorsWordPress#Issues
- The movie site has woocommerce updates outstanding and a PHP warning with the wp script, wiki:InTransitionWordPress#Issues
- The recon site has a PHP warning with the wp script, wiki:ReconomyWordPress#wp
- The ts site has a PHP warning with the wp script, wiki:TransitionStreetsWordPress#Issues
- The ttt site has a couple of PHP warnings with the wp script, wiki:TransitionTownTotnesWordPress#Issues
comment:14 Changed 3 years ago by laura
Hi Chris
Time just under 3 hours in all.
Re those php warnings, they appeared for lots of sites looking at the WP Forums when upgrading to 3.6+, advice generally if wanting to fix is to do a download and manual re-uploading all files & folders - except the wp-content folder obviously! - from a fresh download of WordPress, making sure to say override all existing files. But also on some sites care especially not to override htaccess (or take a copy to amend later with any special addons) and wp-config too (On some sites I use Persishable Press' 5G blacklist on htaccess - http://perishablepress.com/5g-blacklist-2013/ for added security which would need tweaking again if overwriting htaccess)
then running the upgrade manually via wp-admin/upgrade.php.
(see one of the threads here for more info - http://wordpress.org/support/topic/36-missing-functions )
Some recommend just overwriting wp-admin and/or wp-includes (esp if users can't login) from a fresh download of WP.
As that warning is so widespread on so many sites, presume this will be a bug fix in a later release.
Hope that's useful.
comment:15 Changed 3 years ago by laura
- Add Hours to Ticket changed from 0.0 to 1.3
- Total Hours changed from 5.4 to 6.7
comment:16 Changed 3 years ago by chris
- Add Hours to Ticket changed from 0.0 to 0.1
- Status changed from new to closed
- Resolution set to fixed
- Total Hours changed from 6.7 to 6.8
All the sites have been upgraded to 3.6.1 and a ticket has now been opened for the upgrade to 3.7.1 see ticket:619 so this ticket is safe to close.
Using wp to find the admins of the sites has been documented wiki:ParrotServer#usewptolistadministrators and the following email has been sent to them:
Hi You are getting this email as you are a WordPress admin on a site hosted on parrot.transitionnetwork.org and last night a new security release, of WordPress came out, 3.6.1 see: - http://wp.me/pZhYe-H9 There are several options regarding how sites can be upgraded, these are listed with the best option (from my point of view) first: 1. You upgrade the site(s) yourselves, ASAP, using the web interface or even using the mobile app, see https://wordpress.org/mobile/ 2. You ask me to upgrade the sites ASAP, I can do this simply and easily, feel free to ask me to do it if you are confident that the upgrade shouldn't break anything. 3. If I don't hear from you and/or you are not confident about doing the upgrade yourself and/or are concerned that it might break things then I can: 3.1 Create a development copy of the site. 3.2 Upgrade the development copy. 3.3 Ask you to check that the development copy is working OK and if I don't hear from you I'll do my best to do this. 3.4 Assuming 3.3 went OK then I'll upgrade the live site. The reason option 3. is least preferable is that it'll take me the most time, but if this is the only way to get the site upgraded then it's the way I'll do it. I have also opened a ticket for this work: - https://tech.transitionnetwork.org/trac/ticket/594 I think we should probably set up a ttech-wp email list for people with WordPress sites running on parrot.transitionnetwork.org for support and announcements -- Ed if you think this is a good idea can you create this list when you are back from leave? Please don't hesitate to get in touch if you have any questions and please let me know which of the above three options is best for you. All the best Chris