After much anticipation, the stable version of WordPress 3.0 (Thelonious) was released on Thursday, June 17, 2010.
According to Matt Mullenweg, WordPress 3.0 is faster, stabler and more secure. It comes with more than 1,200 bug fixes and feature enhancements.
After reviewing the comprehensive list of improvements available at the 3.0's Codex page, here's my review of some security features or concerns:
- New default theme, "Twenty Ten." I plan on checking out this theme more thoroughly and will update you about any security concerns.
- WordPress and WordPress MU have merged, allowing the management of multiple sites (called Multisite) from one WordPress installation. Although, this is a great feature for those that want to have multiple sites in one, please be careful. If you allow others to create a blog within your blog, it becomes more of a security risk when you allow end users certain permissions.
- Ability to set the admin username and password during installation. I am really excited about this feature. Finally, we don't have to manually change or delete the "admin" user. Be sure you use a strong username and password.
- Check required php and mysql versions in the update and notify if the server environment does not meet those requirements. This will help with compatibility issues.
- Block comments for future posts and password protected posts (when password not provided). Nice feature.
- Upgrade plugins in bulk from the Plugins > Installed panel. I am a bit concerned with this. If one of the plugins you're upgrading is incompatible and it breaks your site, how will you know which plugin caused the problem without manually deactivating them one at a time?
- When deleting plugins, check for uninstall hooks and ward of data deletion. Nice feature.
- Allow "No role for this blog" to be chosen in Users > Add New panel. Nice feature.
- Automatic generation of Security Keys during installation. Wow! I'm really glad to hear this. Most newbies never even add these and now it will be done for them.
- Validate table_prefix in wp-config.php generator. I am going to try a fresh install in a test site and see if it allows me to choose my own table prefix. Not using the default table prefix "wp_" helps keep out hackers.
- Reminder to plugin authors to test and make sure they do not generate unexpected output; see Ryan Boren's explanation. Nice. During plugin activation, WP 3.0 check to see if the plugin generates any output. If any output is generated, a warning is shown to the user.
- Updates to jQuery, jQuery UI, json lib, phpass, Prototype.js, Scriptaculous.js, and SWFobject JS. Glad to see those are current now!
I'm really excited about all the new features and security enhancements WordPress 3.0 has to offer. However, because this was such a huge overhaul of WordPress, I am going to install a test site and import my theme, plugins and data to see if all works well before I update my production website.
We encourage you to upgrade your WordPress to the latest stable version (3.0) as well. You can download it or upgrade within your dashboard.
Be sure to watch the WordPress 3.0 video tour below:
Update 6/18/2010 at 1:30pm: Currently, I am not finding any historic plugin compatibility data for WordPress 3.0, but will keep an eye on this article for any future info.
Regarding themes, I also do not see any historic lists of compatible themes yet, but will watch that one also.
Update 6/25/2010 at 2:00 pm: Be sure to check out the sticky post called "3.0 Issues, Problems, Resolutions Thread" at WordPress.org.
We'd like to hear from you...
Have you tried WordPress 3.0 yet? Noticed any new security features I didn't mention above? Be sure to share your WordPress 3.0 experience by leaving a comment below.