Archive for the 'Security' Category

WordPress 3.1.3 (and WordPress 3.2 Beta 2)

Thursday, May 26th, 2011

WordPress 3.1.3 is available now and is a security update for all previous versions. It contains the following security fixes and enhancements:

  • Various security hardening by Alexander Concha.
  • Taxonomy query hardening by John Lamansky.
  • Prevent sniffing out user names of non-authors by using canonical redirects. Props Verónica Valeros.
  • Media security fixes by Richard Lundeen of Microsoft, Jesse Ou of Microsoft, and Microsoft Vulnerability Research.
  • Improves file upload security on hosts with dangerous security settings.
  • Cleans up old WordPress import files if the import does not finish.
  • Introduce “clickjacking” protection in modern browsers on admin and login pages.

Consult the change log for more details.
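The clickjacking item above refers to a response header: WordPress 3.1.3 sends `X-Frame-Options: SAMEORIGIN` on admin and login pages, and a plugin, theme or reverse proxy can silently remove or weaken it. The following is an added example (not WordPress code) of the check a site operator would run against captured headers; the header sets are constructed, and CSP `frame-ancestors` is handled too since a front-end proxy may supply that instead.

```python
import re

# Verdicts a header audit can return for an admin or login page response.
PROTECTED, PARTIAL, UNPROTECTED = "protected", "partial", "unprotected"


def frame_protection(headers: dict) -> str:
    """Classify one response's clickjacking defences.

    Header names are matched case-insensitively. A Content-Security-Policy
    frame-ancestors directive wins over X-Frame-Options when both are
    present, which is how browsers resolve the conflict.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy", "")
    match = re.search(r"frame-ancestors\s+([^;]+)", csp, re.IGNORECASE)
    if match:
        sources = match.group(1).strip().lower()
        # Only 'none' and 'self' refuse framing by third-party origins.
        return PROTECTED if sources in ("'none'", "'self'") else PARTIAL
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return PROTECTED
    if xfo.startswith("ALLOW-FROM"):
        return PARTIAL  # obsolete directive; several browsers ignore it
    return UNPROTECTED


# Constructed header sets standing in for wp-login.php responses; they are
# not captured from a real site.
SAMPLE_RESPONSES = {
    "pre-3.1.3 login page": {"Content-Type": "text/html; charset=UTF-8"},
    "3.1.3 login page": {"Content-Type": "text/html; charset=UTF-8",
                         "X-Frame-Options": "SAMEORIGIN"},
    "plugin weakening header": {"x-frame-options": "ALLOW-FROM https://partner.example"},
    "site with CSP": {"Content-Security-Policy":
                      "default-src 'self'; frame-ancestors 'none'"},
}


def audit(responses=SAMPLE_RESPONSES) -> dict:
    """Map each labelled response to its verdict."""
    return {name: frame_protection(h) for name, h in responses.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:26s} {verdict}")
```

To audit a live install, pass it the headers returned for wp-login.php and /wp-admin/ (for example from `curl -sI`) and treat any `partial` or `unprotected` verdict as something to investigate.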

Download WordPress 3.1.3 or update automatically from the Dashboard > Updates menu in your site’s admin area.


WordPress 3.2 Beta 2 also available

In other news, development of WordPress 3.2 continues right on schedule. We released Beta 1 thirteen days ago, and today we’re putting out Beta 2 for your testing pleasure.

This is still beta software, so we don’t recommend that you use it on production sites. But if you’re a plugin developer, a theme developer, or a site administrator, you should be running this on your test environments and reporting any bugs you find. If you’re a WordPress user who wants to open your presents early, take advantage of WordPress’ famous 5-minute install and spin up a secondary test site. Let us know what you think!

The plan is to start putting out release candidates in early June, and to release WordPress 3.2 by the end of the month. The more you help us iron out issues during the beta period, the more likely we are to hit those dates. To misappropriate and mangle a quote from Mahatma Gandhi: “Be the punctuality you want to see in the WordPress.” In other words, test now!

Here are some of the things that changed since Beta 1:

  • Google Chrome Frame is now supported in the admin, if you have it installed. This is especially useful for IE 6 users (remember, IE 6 is otherwise deprecated for the admin).
  • The admin is less ugly in IE 7.
  • The blue admin color scheme has caught up to the grey one, and is ready for testing.
  • We are now bundling jQuery 1.6.1. You should test any JS that uses jQuery. WordPress JavaScript guru Andrew Ozz has a post with more info.

Download WordPress 3.2 Beta 2

WordPress 3.1.2

Wednesday, April 27th, 2011

WordPress 3.1.2 is now available and is a security release for all previous WordPress versions.

This release addresses a vulnerability that allowed Contributor-level users to improperly publish posts.

The issue was discovered by a member of our security team, WordPress developer Andrew Nacin, with Benjamin Balter.

We suggest you update to 3.1.2 promptly, especially if you allow users to register as contributors or if you have untrusted users. This release also fixes a few bugs that missed the boat for version 3.1.1.

Download 3.1.2 or update automatically from the Dashboard > Updates menu in your site’s admin area.

WordPress 3.1.1

Tuesday, April 5th, 2011

WordPress 3.1.1 is now available. This maintenance and security release fixes almost thirty issues in 3.1, including:

  • Some security hardening to media uploads
  • Performance improvements
  • Fixes for IIS6 support
  • Fixes for taxonomy and PATHINFO (/index.php/) permalinks
  • Fixes for various query and taxonomy edge cases that caused some plugin compatibility issues

Version 3.1.1 also addresses three security issues discovered by WordPress core developers Jon Cave and Peter Westwood, of our security team. The first hardens CSRF prevention in the media uploader. The second avoids a PHP crash in certain environments when handling devilishly devised links in comments, and the third addresses an XSS flaw.

We suggest you update to 3.1.1 promptly. Download 3.1.1 or update automatically from the Dashboard > Updates menu in your site’s admin area.

Our release haiku:

Only the geeks know
What half this stuff even means
Don’t worry — update

WordPress 3.0.5 (and 3.1 Release Candidate 4)

Tuesday, February 8th, 2011

WordPress 3.0.5 is now available and is a security hardening update for all previous WordPress versions.

This security release is required if you have any untrusted user accounts, but it also comes with important security enhancements and hardening. All WordPress users are strongly encouraged to update.

Three point oh point five
Enhances security
Three point one comes soon

The release addresses a number of issues and provides two additional enhancements:

Two moderate security issues were fixed that could have allowed a Contributor- or Author-level user to gain further access to the site.

One information disclosure issue was addressed that could have allowed an Author-level user to view contents of posts they should not be able to see, such as draft or private posts.

Two security enhancements were added. One improved the security of any plugins which were not properly leveraging our security API. The other offers additional defense in depth against a vulnerability that was fixed in a previous release.

Thanks to Nils Jueneman and Saddy for their private and responsible disclosures to security@wordpress.org for two of the issues. The others were reported or repaired by our security team.

Download 3.0.5 or update automatically from the Dashboard > Updates menu in your site’s admin area. Please update immediately.


WordPress 3.1 Release Candidate 4 is also now available.

The Release Candidate 4 build includes the security fixes and enhancements included in 3.0.5 and addresses about two dozen additional bugs. This includes fixes for:

  • Deleting a user and reassigning their posts to another user.
  • Marking multiple users or sites as spam in multisite.
  • PHP4 compatibility.

As outlined in previous RC posts, if you are testing the release candidate and think you’ve found a bug, there are a few ways to let us know:

To test WordPress 3.1, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the release candidate here (zip). If any new issues become known, you’ll be able to find them here.

After nearly five months of development and testing, we think we’re very close to a final release. Users and developers, please test your themes and plugins.

Download WordPress 3.1 RC4 or WordPress 3.0.5 now.