If you have installed WordPress 2.2 you absolutely MUST upgrade to the latest version, 2.2.1. The new version fixes a few bugs but, most importantly, addresses several security issues. Read all of the issues addressed here.

At least one of them already has an exploit out “in the wild”. The XML-RPC exploit affects ONLY WordPress 2.2, and only blogs that allow registration or that already have registered members, because it relies on an existing account to perform the SQL injection and then lets the attacker take full control of the blog. Here are some details on this exploit on the WordPress support forums, and here is a post by someone who has already been hacked.

The second security issue addressed is in PHPMailer; if your blog sends mail through Sendmail, you need to check this one.

Upgrade Notes: If you are running 2.2 you must upgrade; this is not optional if you want to save yourself the pain of recovering from a hack. Here is some information you might find useful.

I have just upgraded 2 of my blogs and there doesn’t seem to be any change to the database – just the files. Simply uploading the new version of the core system and overwriting the old files did the trick for me. You still do need to run the upgrade.php script, but it will tell you that no database changes are required. On my blog I have even done it against recommendations and performed the upgrade without deactivating plugins. My reasoning was that all the fixes are in files that shouldn’t affect the plugins I currently have in use. It worked for me – but I would recommend you test it in a development environment first or follow the recommended procedures. I did do a backup before running the upgrade.
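A scripted version of the file-only upgrade described above, added here as an example; it is not code from the original post or from WordPress. It archives the install, dumps the database using the credentials in wp-config.php, then overlays the unpacked 2.2.1 release on top of the install while leaving wp-config.php and wp-content untouched, and reminds you to run wp-admin/upgrade.php afterwards. All paths (the site directory, the unpacked release, the backup directory) are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post or from WordPress itself:
# scripted file-only upgrade of a WordPress 2.2 install to a 2.2.1 release tree.
# All paths are placeholders; adjust them to your host.
#
# Usage: sh wp-upgrade.sh /var/www/blog /tmp/wordpress /var/backups/blog
#   where /tmp/wordpress is the unpacked wordpress-2.2.1 tarball.
set -eu

# Read the version string out of wp-includes/version.php ($wp_version = '2.2';).
wp_version() {
    grep '^\$wp_version' "$1/wp-includes/version.php" | cut -d"'" -f2
}

# Read one define('KEY', 'value'); constant from the site's wp-config.php.
wp_config_value() {
    grep "define *( *'$2'" "$1/wp-config.php" | cut -d"'" -f4
}

# Archive the whole install before touching anything; prints the archive path.
wp_backup_files() {
    site="$1"; backup_dir="$2"
    mkdir -p "$backup_dir"
    archive="$backup_dir/$(basename "$site")-files-$(date +%Y%m%d%H%M%S).tar"
    tar -cf "$archive" -C "$(dirname "$site")" "$(basename "$site")"
    printf '%s\n' "$archive"
}

# Dump the database named in wp-config.php. The password is passed through the
# MYSQL_PWD environment variable rather than on the command line so it does not
# show up in `ps` output while the dump runs. Prints the dump path.
wp_backup_db() {
    site="$1"; backup_dir="$2"
    mkdir -p "$backup_dir"
    dump="$backup_dir/$(wp_config_value "$site" DB_NAME)-$(date +%Y%m%d%H%M%S).sql"
    MYSQL_PWD="$(wp_config_value "$site" DB_PASSWORD)" \
    mysqldump -h "$(wp_config_value "$site" DB_HOST)" \
              -u "$(wp_config_value "$site" DB_USER)" \
              "$(wp_config_value "$site" DB_NAME)" > "$dump"
    printf '%s\n' "$dump"
}

# Overlay the release on the install. wp-admin and wp-includes are replaced
# wholesale so files dropped upstream do not linger; top-level files such as
# xmlrpc.php and wp-settings.php are overwritten; wp-config.php (not shipped in
# the release) and wp-content (your themes, plugins, uploads) are left alone.
wp_overlay_release() {
    site="$1"; release="$2"
    for d in wp-admin wp-includes; do
        rm -rf "$site/$d"
        cp -R "$release/$d" "$site/$d"
    done
    for f in "$release"/*; do
        if [ -f "$f" ]; then
            cp "$f" "$site/"
        fi
    done
}

# Whole procedure: record versions, back up files and database, overlay, remind.
wp_upgrade() {
    site="$1"; release="$2"; backup_dir="$3"
    echo "Upgrading $site from $(wp_version "$site") to $(wp_version "$release")"
    echo "Files backed up to $(wp_backup_files "$site" "$backup_dir")"
    echo "Database dumped to $(wp_backup_db "$site" "$backup_dir")"
    wp_overlay_release "$site" "$release"
    echo "Done. Now load wp-admin/upgrade.php; 2.2 -> 2.2.1 reports no database changes."
}

# Only run when invoked with the three arguments, so sourcing the file for its
# functions does nothing.
if [ "$#" -eq 3 ]; then
    wp_upgrade "$1" "$2" "$3"
fi
```

Because wp-content is skipped entirely, anything a release ships there (for example the default theme) is not refreshed; copy those pieces by hand if you rely on them. Keep the archive and the dump until you have confirmed the blog loads and upgrade.php has run.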

What to do if you can’t upgrade immediately?

If you already have registered users, upgrade now; turning off registration does nothing about accounts that already exist, and the exploit only needs one valid account. If there are no users yet, you can go to Options –> General, remove the check mark from “Anyone can register” and save your settings. This does not make your system secure, but it keeps new accounts from being created during the short time you need to upgrade.

Please be advised: I highly recommend you upgrade ASAP. The option above is a stopgap, not a fix, and only buys you a short period of time.