Filed Under (News, WordPress) by Philipp on 21 July 2008

WordPress 2.6 is now available. We mentioned some of the security improvements in an earlier post. The latest version promises a number of security enhancements, as follows:

  • XML-RPC is turned off by default, but is easy to turn on again. Historically, attacks were possible through the XML-RPC services. We don’t know how many bloggers use the XML-RPC services (i.e. blogger clients); however, we think this will improve security by limiting exposure.
  • Full SSL Core Support. This means no plugin is needed; it’s even possible to force an SSL connection.
  • Improvements around session and database management.

This new version also fixes over 194 bugs and the user interface is apparently more user-friendly.

Sounding good so far? The biggest improvement from our point of view is the version control around content management. It’s now possible to track co-author changes.

The full package can be obtained as usual from the official download page.
But as with every new major release, we recommend you wait for the first minor update as new features may present new security holes, as experience has shown.

We are still waiting for WordPress to perform a full code review and application security test. We really think this will be beneficial to both the user and WordPress.

Comments

Gareth Heyes on 22 July, 2008 at 9:17 am #

XML-RPC is only off by default for new installations. Any upgrades will retain the current setting.


Philipp on 23 July, 2008 at 12:42 pm #

Correct, thanks for mentioning this, Gareth. So everyone who doesn’t need XMLRPC and is updating to WP 2.6 should disable this feature for security reasons.


Abel Cheung on 30 July, 2008 at 10:20 am #

Not only security issues, but usage issues as well. Recommending to wait till later series (sans the security patches) is definitely a yes-yes.

