WordPress 2.5 Released & My Needed Fix for Image Upload on servers with Mod_Security

WordPress.Org Version 2.5 Released March 29, 2008

WordPress 2.5 was finally released today, after much anticipation. Matt Mullenweg did a comprehensive post on the WordPress Blog about this new update and the changes to 2.5. I won’t go through all the major changes – – just read Matt’s post.. he’s done a nice job of explaining a few things and includes a video on some the enhancements. The WordPress.Org website has undergone a brand new re-design that coordinates with the new design of the WordPress Dashboard, as well. Some very nice improvements in the design you’ll notice when you upgrade to WordPress 2.5 – – it’s a little difficult to get used to, at first, but it’s a lighter interface with, overall, some very nice improvements. I think once users get over the initial shock of everything looking different and being moved around and renamed… the old design will be a distant memory as we all move forward. My only sticky point on the new interface design is that it is all left aligned. On my 1280 monitor – – it’s a little hard to take. But if that’s the worst of it – I’m good.

I ran into a little buggy issue with the image uploader in 2.5 that seems to revolve around the fact that my server runs mod_security. The new image uploader uses a Flash interface and mod_security was rejecting it completely. I could not upload images at all and kept getting errors. (Read my post in the WordPress Support Forum about this issue and the errors).

If you find this to be the case in your situation – disabling mod_security on one file, in particular, has solved the problem for me and I accomplished that by adding the following rules to the .htaccess file in my WordPress installation directory:

SecFilterEngine Off
SecFilterScanPOST Off

For me, that worked like a dream – – now the image uploader works fine and I’m able to take advantage of the gallery features with 2.5. Though, if everyone is shutting off security on that one single file – – it will become a file targeted for foolery and exploit, and it won’t take long, so the hole will need to be closed, eventually. Locking that file down to a particular IP is a solution for someone who has that kind of access.

When this weekend is over, I will have completed a PDF chapter that covers the changes in WordPress 2.5. This chapter will be available as a free, downloadable PDF document on Dummies.com, as well as being available here on my site for free download.

This free PDF chapter update for WordPress For Dummies is being done in tandem to the planning and writing of the second edition of WordPress For Dummies, due to be released a bit later this year. This weekend, I am revising the Table of Contents as I plan the content inclusion for the second edition, which will, of course, include WordPress 2.5 updates. Though, due to much feedback I’ve recieved from readers – – there’s much demand for more information on WordPress theme information: tweaking, modifying existing themes, theme development, CSS information , etc. Themes were covered in the first edition – – but on a pretty basic level. We’ll be looking at more in-depth information on themes, template tags and the like with the second edition, as well as more information on upgrading, using custom fields and plugin information.

I’m thrilled that the fine folks at Wiley Publishing recognize the popularity of the WordPress blogging platform and understand the community and the progressive nature of the software development, so much so that they want to keep the book project moving forward, rather than stagnating on the shelves with only a first edition that covers outdated development. This was one of my main concerns when entering into this book project – and they have answered the call. Good on them, I say!

Cross-posted to WPAssist and Blogs About Hosting

30 thoughts on “WordPress 2.5 Released & My Needed Fix for Image Upload on servers with Mod_Security”

  1. Pingback: WordPress 2.5 Released — WP Assist

  2. Hi Lisa,the new editon of wordpress has been a milestone and it can be still used with Xmark well.But as I know that the current Xmark theme has been released for quite long time.So do you have any idea on upgrading Xmark in the near future?As a user of Xmark,I hope to see more surprises from you.Thanks.

    (» Read liciece’s last blog post..习惯了)

  3. Pingback: My (sorta) painless upgrade to Wordpress 2.5.

  4. I’m really looking forward the second edition. I bought the 1st ed. of the book so I could learn about themes. So I’m exited that the second ed. will go more in depth about them. Hopefully someday you can write a ‘WordPress for Pros’ book, or something like that. 🙂

    (» Read Zeke’s last blog post..SXSW ‘08: Friday Plus the Last 24hrs)

  5. @liciece – Been planning to update xMark for quite sometime, now… finding the time to do it is a whole different story altogether. Although, I can say when I do find the time, I do plan on making upgrades and improvements to the theme and will update users on the xMark theme site – thanks for using it!

    @Zeke – thanks for dropping by and I’m excited about the second edition, as well 🙂 Thanks for reading!

  6. Yay it worked! thnks! I copy pasted the code into the htaccess file above most of the text there and reuploaded. This worked on an add-on domain I have. yay.

  7. Pingback: Rebekah Renford [Web Dev.] » Blog Archive » Wordpress 2.5 Released

  8. Thanx ! This really helped. For code dummies as myself I would like to add my .htaccess as example how the code implementation can look like. To be honest, I had to try & error a bit. 🙂 I had to put the 2 new rules
    SecFilterEngine Off
    SecFilterScanPOST Off
    to the end of my code. – Hope this helps

    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    SecFilterEngine Off
    SecFilterScanPOST Off

  9. Pingback: How to fix Wordpress 2.5 image upload issue

  10. A better fix?
    This morning I go to a client’s site and my server is deleting the htaccess file. This is happening on all my wordpress blogs. Even when I delete the fix. I have a ticket in with my parent host. Anyone else run into this?

    If there is a new fix for this issue (which worked till the auto delete thing began)? I assume, my perent host saw the exploit and took action.

    (» Read 12thharmonic’s last blog post..Follow Up: The Green Scare – The Government and Eco-Terrorism)

  11. I have altered the htaccess code many times now and I still get this message.
    Fatal error: Call to undefined function wp_constrain_dimensions() in /home2/newyorka/public_html/wp-admin/includes/image.php on line 173
    I’m using safari and FF on a Mac OS 10.5

    Help please.

    (» Read Sage’s last blog post..Adi visits)

  12. Hi Lisa,

    It seems like everyone is advocating the fix by editing .htaccess. I tried that but it gives me fatal error and worsens the matter further – it couldn’t even show the upload box.

    Sad 🙁

  13. Hi Lisa,

    This is a major problem and there are thousands of Google entries reporting it. Your solution worked for me but I have seen other proposed solutions that open mod_security for every file, which seems quite dangerous.

    I’m amazed that there is no mention of this issue in the official release notes, and I have no idea how to reach the developers in order to escalate the problem. Perhaps you might be able to elevate it further.


    P.S. Loved your book!

  14. Gary,

    The problem is still there in 2.5.1, unless you apply the htaccess mod. I doubt there is any way to fix it within the WordPress code unless they develop a different method of uploading files.

    One has to assume that WordPress 2.5 and 2.5.1 were only tested on servers with mod_security disabled, otherwise this bug would have been a show-stopper.


  15. I haven’t installed it yet. But when implementing something nice a new Flash unloader I can’t believe they didn’t leave in the code for the old uploader (just in case); especially with more and more mobile devices coming out I’d hate to exclude WordPress from my choices someday since I need it to work with an non-Flash device.


  16. Here’s the weird thing for me.

    Mine uploads the files fine (did not mod anything). I can FTP in to the site and see them, and when I look in the “media library” they’re there.

    It’s when I hit “insert into post” the flash frame goes blank and it never inserts my photos. This happens on my leopard Mac in Safari and Firefox (flash 9.x).

    Very strange….

  17. 2 more things:
    1) The files are in my media library and appear to be tied to the post.

    2) did you stop using the “Read Gary’s last blog post” plug-in? If so, any reason why? (I was thinking of using it, but if the cool kids aren’t using it any more…)

  18. Pingback: Upgraded: WordPress 2.6 | Lisa Sabin-Wilson

  19. Hi Lisa,

    It seems like everyone is advocating the fix by editing .htaccess. I tried that but it gives me fatal error and worsens the matter further – it couldn’t even show the upload box.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top