Previous versions of WordPress were subject to a critical security vulnerability in which an attacker could gain control of a WordPress install and inject spam and malware into posts. While it does not appear that any SFU Blogs installations were compromised, we felt it prudent to proceed with an immediate upgrade to the most current version of WordPress, 2.8.4.
In addition to patching the security flaw, WordPress 2.8.4 brings an exciting new feature to SFU Blogs: theme uploads. Prior to today, themes could only be installed by an IT Services administrator, manually. Now, any Editor-level user can either choose a theme from the WordPress gallery or upload a ZIP archive and activate the new theme. Please note that the default “sfu_theme” is still the only supported theme; you’re welcome to choose different themes or upload your own, but you do so at your own risk.
WordPress has several types of users, including Administrators and Editors. Administrators have free rein over a WordPress installation, while Editors can manage posts, pages, links, etc. but little else. For security and stability, we very rarely give out Administrator privileges to non-IT Services staff; one wrong setting change by an Administrator can render a WordPress install inoperative. A common request has been for more powers for Editors, and we’ve come through. Editors now have most of the same capabilities as Administrators, including:
A side note: some sites had non-IT Services Administrators, either by previous arrangement or by Editors elevating themselves to Administrator. Now that Editors have virtually the same power as Administrators, any non-IT admins have been changed back to Editors. Additionally, security features that prevent users being elevated to Administrator have been put into place.
Previously, adding, removing or modifying a user had to be done by IT Services staff. Additionally, options for user management were limited; we were limited to SFU users only, with no facility for adding external users or SFU maillists. Now, Editors can:
The first two options are fairly simple; you can add either an SFU user by entering their SFU computing ID, or an external user by creating a username (greater than eight characters) and a password. External users will have their login information emailed to them.
The third is a bit more complicated. Assume the following situation: you manage the blog for the basketweaving club. You have two maillists full of blog Editors and Authors: basketweving-blogeditors and basketweving-blogauthors. You can now specify that the membership of these lists be synchronized to your blog daily. When the synchronization happens, the following takes place:
These modifications and enhancements have been in the works for some time and have been thoroughly tested, but even the best-laid plans may have unintended consequences. The critical security vulnerability in previous versions of WordPress made proceeding with the upgrade immediately a necessity. Please take the time to thoroughly check your site and make sure it functions normally – if you notice anything wrong, please contact us at email@example.com.