In addition to the security fix, 2.5.1 contains many bug fixes. If you are interested only in the security fixes, you can download these corrected copies of wp-includes/pluggable.php, wp-admin/includes/media.php, and wp-admin/media.php. Replace your existing copies of these files with these new copies.

If you download the entire 2.5.1 release, you will be getting over 70 other fixes. 2.5.1 focuses on fixing the most annoying bugs and improving performance. Here are some highlights:

• Performance improvements for the Dashboard, Write Post, and Edit Comments pages.
• Better performance for those who have many categories
• Media Uploader fixes
• An upgrade to TinyMCE 3.0.7
• Widget Administration fixes
• Various usability improvements
• Layout fixes for IE

Secret lives of blogs

Since 2.5 your wp-config.php file allows a new constant called SECRET_KEY which basically is meant to introduce a little permanent randomness into the cryptographic functions used for cookies in WordPress. You can visit this link we set up to get a unique secret key for your config file. (It’s unique and random on every page load.) Having this line in your config file helps secure your blog.

Many thanks to Steven Murdoch for responsibly reporting the security issue (CVE-2008-1930) and Alex Concha for reporting an XSS issue.

For a short overview of the features with screenshots, it’d be best to visit our sneak peek announcement for RC1. Or check out a 4-minute screencast of the new interface in action. If you just want to jump straight to the good stuff here’s where you can find 2.5 upgrade and download information.

If you want to see everything I would grab a cup of coffee or a mojito, because this post is epic.

User Features

Cleaner, faster, less cluttered dashboard — we’ve worked hard to take your feedback about what’s most important in the dashboard and organize things to allow you to focus on what’s important — your blog — and get out of your way. In collaboration with Happy Cog and the community we’ve taken the first major step forward in the WordPress interface since version 1.5.

Dashboard Widgets — the dashboard home page is now a series of widgets, including ones to show you fun stats about your posting, latest comments, people linking to you, new and popular plugins, and of course WordPress news. You can customize any of the dashboard widgets to show, for example, news from your local paper instead of WP news. Plugins can also hook in, for example the WordPress.com stats widget adds a handy double-wide stats box.

Multi-file upload with progress bar — before when you would upload a large file you’d wait forever, never knowing how far along it was. And uploading more than one photo was an exercise in patience, as you could only do one at a time. Now you can select a whole of folder images or music or videos at once and it’ll show you the progress of each upload.

Bonus: EXIF extraction — if you upload JPEG files with EXIF metadata like camera make and model, aperture, shutter speed, ISO, et al. WordPress will extract all the data into custom fields you can use in your template. If you use the EXIF title fields or similar those will be put into their equivalent fields in WP. Most modern digital cameras generate EXIF data.

Search posts and pages — search used to cover just posts, now it includes pages too, a great boon for those using WordPress as a CMS. New themes can style or sort pages differently in results.

Tag management — you can now add, rename, delete, and do whatever else you like to tags from inside WordPress, no plugins needed.

Password strength meter — when you change your password on your profile it’ll tell you how strong your password is to help you pick a good one.

Concurrent editing protection — for those of you on multi-author blogs, have you ever opened a post while someone was already editing it, and your auto-saves kept overwriting each other, irrecoverably losing hours of work? I bet that added a few words to your vocabulary. Now if you open a post that someone else is editing, WordPress magically locks it and prevents you from saving until the other person is done. You’ll see a message like below.

Few-click plugin upgrades — if the plugins you use are part of the plugin directory since 2.3 we’ve told you when they have an update available. Now we take that to the next logical step — downloading and installing the upgrade for you. This is dependent a little bit on your host setup, and it may ask you for your FTP password much like OS X or Windows will ask you for a password, but it works well on majority of hosts we were able to test, your mileage may very, plugins in mirror may be larger than they appear.

Friendlier visual post editor — I’m not sure how to articulate this improvement except to say “it doesn’t mess with your code anymore.” We’re now using version 3.0 of TinyMCE, which means better compatibility with Safari, and we’ve paid particular attention this release to its integration and interaction with complex HTML. It also now has a “no-distractions” mode which is like Writeroom for your browser.

Built-in galleries — when you take advantage of multi-file upload to upload a bunch of photos, we have a new shortcode that lets you to easily embed galleries by just putting [ gallery] (without the space) in your post. It’ll display all your thumbnails and captions and each will link each to a page where people can comment on the individual photos. I’ve been using this feature on my blog and have already uploaded over 1,200 pictures into 23 galleries. The shortcode has some hidden options too, check out this documentation.

Developer Features

Now for the geeky stuff. While we’re excited about the above features, each one represents a new opportunity or API for other developers to take to another level. (The best of which we’ll someday integrate back into WP.)

Salted passwords — we now use the phpass library to stretch and salt all passwords stored in the database, which makes brute-forcing them impractical. If you use something like mod_auth_mysql we’ve created a plugin that will allow you to use legacy MD5 hashing. (The hashing is completely pluggable.) Users will automatically switch to the more secure passwords next time they log in.

Secure cookies — cookies are now encrypted based on the protocol described in this PDF paper. which is something like user name|expiration time|HMAC( user name|expiration time, k) where k = HMAC(user name|expiration time, sk) and where sk is a secret key, which you can define in your config.

Easy taxonomy and URL creation — probably best illustrated with an example: I can call register_taxonomy() with a few arguments to register a “people” taxonomy and whenever I edit an image I’ll see a UI like tags has for identifying the people in a photo, and these will be URL addressable with /person/firstname-lastname/. All with a single function call.

Inline documentation — the vast majority of the new code going into WordPress include inline documentation that explains the functions and documents their arguments.

Database optimization — we haven’t changed the table layout in this release, which is one of the reasons so many plugins work fine with 2.5. We have added a few new indicies and made a few default fields more flexible based on some bottlenecks we found on WordPress.com, which now hosts 2.7 million WordPress blogs. It should be invisible to the application, just a bit faster on the database side.

$wpdb->prepare() — now almost all of the SQL in WordPress is prepared first, and the same functions are available to your plugins. This should prevent elementary SQL escaping issues.

Media buttons — the add media buttons above the post are both expandable, so you could have an “Add Google Map” button if you like, They can be overridden, so if you think you can do the video or audio tab better than we have you can replace the default.

Shortcode API — the new gallery functionality is powered by the new shortcode API. Shortcodes are little bracket-delineated strings that can be magically expanded at runtime to something more interesting. They give users a short, easy to type and copy/paste string they can move around their post without worrying about messing up complex HTML or embed codes. The Shortcode API is fully documented.

Now you see why 2.5 took a little extra time.

Upgrade Notes

2.5 does include security fixes so it is recommended for all users, the 2.3 branch will no longer be updated. The upgrade instructions for this version are pretty much the same as any other version. The most important thing to check is your plugins, so if for example everything works except the new uploader, a legacy plugin might be causing a javascript error on the page and breaking it. If something goes wrong, the safest thing to do is turn your plugins off (we have a button to do them all at once, now) and turn them back on one-by-one, testing the problem along the way. This has solved almost everybody’s problems in testing, and it also lets you know which plugin author to show some love to so they’ll update their plugin, and which plugin authors already have so you can shower them with praises on your blog.

One brief note about some of the new upload and plugin upgrade features, there are some edge-case hosting platforms, like versions of Lighttpd before 1.5 or over-agressive mod_security rules, which can break. If something isn’t working like it was looked in the screenshot, ask your host if there’s something on the server side which may be interfering. Hosts, feel free to join and post to our wp-testers mailing list if you have an environment that requires some extra code to work around. We’d be happy to include it in the next update.

Quick tip: in 2.5 you click the name of things to edit them, like your username to edit your profile or the title of a post to edit it.

The Community is Growing

More than growing, it’s on fire. We always talk about things like downloads, and the 2.3 branch has already had 1.92 million downloads as I write this post, but this time we have some far more interesting information I’d like to share.

There were over 1,200 commits to our repository since 2.3.0 and over 90 people were credited in them. This means in our core code, not plugins, there were at least 90 individual folks that contributed something high-quality enough that it made the cut to be part of the download you guys get today. I had no idea this group of people was so large.

Outside of the core commit team, there was particular help from these people, in rough order of number of credits and tickets: mdawaffe (Michael Adams), azaozz (Andrew Ozz), nbachiyski (Nikolay Bachiyski), andy (Andy Skelton), iammattthomas (Matt Thomas), tellyworth (Alex Shiels), josephscott (Joseph Scott), lloydbudd (Lloyd Budd), DD32 (Dion), filosofo (Austin Matzko), hansengel (Hans Engel), pishmishy, ffemtcj, Viper007Bond, ionfish (Benedict Eastaugh), jhodgdon (Jennifer Hodgdon), Otto42, thee17 (Charles E. Free-Melvin), and xknown. Also want to thank MichaelH and Lorelle on the documentation side, and moshu, Kafkaesqui, whooami, MichaelH, Otto42, and jeremyclark13 for helping with support.

The 2.5 branch is nicknamed “Brecker” in honor of Michael Brecker, an exceptionally talented saxophonist who could cross styles effortlessly and never stopped experimenting and pushing himself until he passed away last year.

New WordPress.org

All of this wasn’t enough, so in our copious spare time we decided to redesign WordPress.org to better match the aesthetics of the new dashboard and also to spruce up a few areas that needed lovin’. Some parts of the site, like the Codex, might show the old style for a day or two. We know, just give us a bit of time. Thanks to Matt Thomas for his epic effort in designing and coding the new site.

What’s Next

As always with WordPress, we don’t claim any of these features to be perfect, or to be better than everyone else in the world, but they are done by and for the people and the one thing we do promise is that with every release we listen and do our best to improve.

2.5 is a major milestone for WordPress not because it added dozens of user-requested features, but because it reaffirms that we’re as passionate about blogging as the day we started. Our community is too fierce to rest on its laurels — contrary to what pundits claim, blogging is far from “finished” and every improvement just whets our appetite for more. And more is coming.

It’s a good thing WordPress doesn’t limit the length of posts, because this one would have hit it. If you made it this far, thanks for sharing a bit of your day with us. I sincerely hope this new version of WordPress helps you do what you love to do.

As a little bonus, 2.3.2 allows you to define a custom DB error page. Place your custom template at wp-content/db-error.php. If WP has a problem connecting to your database, this page will displayed rather than the default error message.

For more detail on what’s new in 2.3.2, view the list of fixed bugs and see the changes between 2.3.1 and 2.3.2.

Special thanks to Alex Concha for his help on this release.

2.3.1 fixes over twenty bugs. Some of the notable fixes are:

• Tagging support for Windows Live Writer
• Fixes for a login bug that affected those with a Blog Address different than
  their WordPress Address
• Faster taxonomy database queries, especially tag intersection queries
• Link importer fixes

Unfortunately, some security issues were found in 2.3. Janek Vind found an XSS problem that can be exploited if your php setup has register_globals enabled. For this reason, upgrading to 2.3.1 is advised.

The full set of changes between 2.3 and 2.3.1 is available for viewing on trac.

Get 2.3.1 from the download page and enjoy.

2.3.1 fixes over twenty bugs. Some of the notable fixes are:

• Tagging support for Windows Live Writer
• A login bug that affected those with a Blog Address different than
  their WordPress Address is fixed
• Faster taxonomy database queries, especially tag intersection queries
• Link importer fixes

More details will be provided in the final release announcement. Until then, download RC1 and let us know if it fixes a particular bug in 2.3 that was annoying you. If you find that something has broken since 2.3, please open a ticket so we can address the problem before the final 2.3.1 release.

The entire team is really proud of this release, and I’m happy that this is our second on-time release under our new development schedule. The grand experiment of a more agile WordPress with significant features in the hands of users more often is working. I could write a blog post about each new feature, but I’ll try to be brief:

1. Native tagging support allows you to use tags in addition to categories on your posts, if you so choose. We’ve included importers for the Ultimate Tag Warrior, Jerome’s Keywords, Simple Tags, and Bunny’s Technorati Tag plugins so if you’ve already been using a tagging plugin you can bring your data into the new system. The tagging system is also wicked-fast, so your host won’t mind.
2. Our new update notification lets you know when there is a new release of WordPress or when any of the plugins you use has an update available. It works by sending your blog URL, plugins, and version information to our new api.wordpress.org service which then compares it to the plugin database and tells you whats the latest and greatest you can use.
3. We’ve cleaned up URLs a bunch in a feature we call canonical URLs which does things like enforce your no-www preference, redirect posts with changed slugs so a link never goes bad, redirect URLs that get cut off in emails on similar to the correct post, and much more. This helps your users, and it also helps your search engine optimization, as search engines like for each page to be available in one canonical location. More info here.
4. Our new pending review feature will be great for multi-author blogs. It allows authors to submit a post for review by an editor or administrator, where before they would just have to save a draft and hope someone noticed it.
5. There is new advanced WYSIWYG functionality (we call it the kitchen sink button) that allows you to access some features of TinyMCE that were previously hidden.

You’ll notice that two of those features are straight out of the most-voted for ideas list. That’s just the user facing stuff, if you’re a developer you’ll be interested in:

1. Full and complete Atom 1.0 support, including the publishing protocol.
2. We’re using the new jQuery which is “800% faster.”
3. Behind the user-facing tags system is a really kickass taxonomy system, which adds a ton of flexibility. It’s probably the biggest schema upgrade since version 1.5.
4. The importers have been revamped to be more memory efficient, and you can now add an importer through a plugin.
5. Through hooks and filters you can now override the update system, the dashboard RSS feeds, the feed parser, and tons more than you could in 2.2.
6. The new $wpdb->prepare() way of doing SQL queries.
7. Finally there were over 351 tickets in Trac closed for this release, with over a hundred people contributing. This is the polish, the hundreds of tiny bug fixes and features that make WordPress what it is.

You can view the Codex for more information about the release and some screenshots. And of course the place to download is always the same. Before you upgrade you may want to check out our Preparing for 2.3 post and the list of compatible plugins on the Codex.

A number of people are hosting upgrade parties around the world, including myself in San Francisco. If you are let me know and I’ll promote it on my blog.

And a big thanks to those of you who have been testing the betas and now the RC. Your efforts make 2.3 better for everyone.

On our Trac you can see the bugs closed and the files changed for 2.2.3.

To get 2.2.3, please see our download page.

As always, upgrade instructions including an extended upgrade guide are available.

Thanks to Alexendar Concha, Aaron Newman, and xknown for identifying and helping us fix the security vulnerabilities.

On our Trac you can see the bugs closed for 2.2.2 and 2.0.11 to get more details about the problems fixed. With a little more Trac magic you can see all the changed files for 2.2.2 or 2.0.11.

Our download page is always the best place to get the latest release, and our legacy page now has the latest in the 2.0 branch.

As always, we have upgrade instructions available and an extended upgrade guide.

Thanks to Alex C. and Benjamin Flesch for help with this release.