Sometimes security holes are found in software. WordPress is no exception, and it’s wise to get a move on and update any website that may be vulnerable:
Yesterday a vulnerability was discovered: a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying.
We fixed this problem last night and have been testing the fixes and looking for other problems since then. Version 2.8.4 which fixes all known problems is now available for download and is highly recommended for all users of WordPress.
[Via: WordPress 2.8.4: Security Release.]
Fortunately these updates are very simple and very quick — all that’s needed is a couple of clicks.
First make sure you have a current backup. Read my book How to backup your WordPress website (US$4.75) for help with that.
Then log in to your website’s Dashboard. I suggest that at this stage you check whether any plugins have updates available and install those updates.
Soon after a WordPress core update is available you’ll see a notice with a link at the top of any Dashboard page.
Click the link. Some information appears, reminding you to first back up, and telling you which update is available. You have the choice of ‘Upgrade Automatically’ or ‘Download’ the specific update.
Just click the Upgrade Automatically button.
WordPress spends a few moments updating the files it needs direct from the WordPress server.
If all goes well another notice appears advising you of a successful update.
If you’re unlucky there will be a problem and you’ll need to deal with that, perhaps by trying the automatic update again, or downloading the updater file and doing the upgrade manually, or even by reverting to your backups.
I’ve been doing the Automatic Upgrades each time they’ve been available, on half a dozen sites I run. I guess I’ve done around 30 or so updates by now and have not yet had any problems.
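If you run several sites, you can confirm from the server side that each one really is on 2.8.4 or later once the update has finished. The script below is an added example, not part of the original post or of WordPress itself. It assumes the standard layout in which `wp-includes/version.php` sets `$wp_version`; the site paths are whatever you pass on the command line, and `SAMPLE` is constructed input.

```python
import re
import sys
from pathlib import Path

FIXED = (2, 8, 4)  # release named in the quoted announcement

# Constructed sample of what version.php contains on an unpatched site.
SAMPLE = "<?php\n$wp_version = '2.8.3';\n"

# Matches the assignment line, e.g.  $wp_version = '2.8.3';
_VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""", re.M)


def parse_version(text):
    """Return the numeric part of $wp_version as a 3-tuple, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    nums = re.match(r"\d+(?:\.\d+)*", m.group(1))  # a suffix such as -beta is ignored
    if not nums:
        return None
    parts = [int(p) for p in nums.group(0).split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))  # "2.8" -> (2, 8, 0)


def check_site(root):
    """Classify one WordPress document root as 'ok', 'outdated' or 'unknown'."""
    version_file = Path(root) / "wp-includes" / "version.php"
    try:
        version = parse_version(version_file.read_text(errors="replace"))
    except OSError:
        return "unknown", None  # missing or unreadable: needs a manual look
    if version is None:
        return "unknown", None
    return ("ok" if version >= FIXED else "outdated"), version


def audit(roots):
    """Map each document root to its (status, version) pair."""
    return {str(r): check_site(r) for r in roots}


if __name__ == "__main__":
    results = audit(sys.argv[1:])
    for root, (status, version) in results.items():
        shown = ".".join(map(str, version)) if version else "?"
        print(f"{status:8} {shown:8} {root}")
    sys.exit(1 if any(s != "ok" for s, _ in results.values()) else 0)
```

The exit status is non-zero if any site is outdated or could not be read, so the script can be run from cron after each round of updates.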