WordPress 2.5 Released & My Needed Fix for Image Upload on servers with Mod_Security

WordPress.Org Version 2.5 Released March 29, 2008

WordPress 2.5 was finally released today, after much anticipation. Matt Mullenweg did a comprehensive post on the WordPress Blog about this new update and the changes to 2.5. I won’t go through all the major changes – just read Matt’s post. He’s done a nice job of explaining a few things and includes a video on some of the enhancements. The WordPress.Org website has undergone a brand new re-design that coordinates with the new design of the WordPress Dashboard, as well. Some very nice improvements in the design you’ll notice when you upgrade to WordPress 2.5 – it’s a little difficult to get used to, at first, but it’s a lighter interface with, overall, some very nice improvements. I think once users get over the initial shock of everything looking different and being moved around and renamed… the old design will be a distant memory as we all move forward. My only sticky point on the new interface design is that it is all left aligned. On my 1280 monitor – it’s a little hard to take. But if that’s the worst of it – I’m good.

I ran into a little buggy issue with the image uploader in 2.5 that seems to revolve around the fact that my server runs mod_security. The new image uploader uses a Flash interface and mod_security was rejecting it completely. I could not upload images at all and kept getting errors. (Read my post in the WordPress Support Forum about this issue and the errors).

If you find this to be the case in your situation – disabling mod_security on one file, in particular, has solved the problem for me and I accomplished that by adding the following rules to the .htaccess file in my WordPress installation directory:

SecFilterEngine Off
SecFilterScanPOST Off

For me, that worked like a dream – now the image uploader works fine and I’m able to take advantage of the gallery features with 2.5. Though, if everyone is shutting off security on that one single file – it will become a file targeted for foolery and exploit, and it won’t take long, so the hole will need to be closed, eventually. Locking that file down to a particular IP is a solution for someone who has that kind of access.
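
As they appear above, the two directives are not wrapped in any container, so in the site's .htaccess they turn filtering off for every request under the WordPress directory; the following added example (not the author's original configuration) limits the exemption to a single file and applies the IP restriction mentioned above. It assumes ModSecurity 1.x (the version that provides SecFilterEngine), Apache 2.2-style access control, async-upload.php as the file the Flash uploader posts to, and 203.0.113.10 as a placeholder for your own address.

```apache
# Added example, not from the original post.
# Assumptions: ModSecurity 1.x (mod_security.c), Apache 2.2 access control,
# async-upload.php as the Flash uploader's POST target, and 203.0.113.10
# as a placeholder for the one address allowed to upload.

# Weak: at the top level of .htaccess these two lines switch filtering off
# for every request under this directory, not just for the uploader.
#   SecFilterEngine Off
#   SecFilterScanPOST Off

# Scoped: exempt only the upload handler. The IfModule guard keeps Apache
# from returning a 500 error on hosts where mod_security is not loaded.
<IfModule mod_security.c>
    <Files async-upload.php>
        SecFilterEngine Off
        SecFilterScanPOST Off
    </Files>
</IfModule>

# Compensating control: the exempted file accepts requests from one
# address only; everyone else is denied.
<Files async-upload.php>
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
</Files>
```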

When this weekend is over, I will have completed a PDF chapter that covers the changes in WordPress 2.5. This chapter will be available as a free, downloadable PDF document on Dummies.com, as well as being available here on my site for free download.

This free PDF chapter update for WordPress For Dummies is being done in tandem with the planning and writing of the second edition of WordPress For Dummies, due to be released a bit later this year. This weekend, I am revising the Table of Contents as I plan the content inclusion for the second edition, which will, of course, include WordPress 2.5 updates. Though, due to much feedback I’ve received from readers – there’s much demand for more information on WordPress theme information: tweaking, modifying existing themes, theme development, CSS information, etc. Themes were covered in the first edition – but on a pretty basic level. We’ll be looking at more in-depth information on themes, template tags and the like with the second edition, as well as more information on upgrading, using custom fields and plugin information.

I’m thrilled that the fine folks at Wiley Publishing recognize the popularity of the WordPress blogging platform and understand the community and the progressive nature of the software development, so much so that they want to keep the book project moving forward, rather than stagnating on the shelves with only a first edition that covers outdated development. This was one of my main concerns when entering into this book project – and they have answered the call. Good on them, I say!

Cross-posted to WPAssist and Blogs About Hosting

30 Responses to “WordPress 2.5 Released & My Needed Fix for Image Upload on servers with Mod_Security”

  1. […] to Lisa Sabin-Wilson’s blog and Blogs About […]

  2. liciece says:

    Hi Lisa, the new edition of WordPress has been a milestone and it can still be used with Xmark well. But as I know, the current Xmark theme has been released for quite a long time. So do you have any idea on upgrading Xmark in the near future? As a user of Xmark, I hope to see more surprises from you. Thanks.

    (» Read liciece’s last blog post..习惯了)

  3. […] a dummy, like Roger – Or myself, TheBlogSearcher. lol. Last night, I noticed a tweet came in from Lisa Sabin-Wilson about the new WordPress 2.5. And I followed her link to her site and read about the new […]

  4. Zeke says:

    I’m really looking forward to the second edition. I bought the 1st ed. of the book so I could learn about themes. So I’m excited that the second ed. will go more in depth about them. Hopefully someday you can write a ‘WordPress for Pros’ book, or something like that. :)

    (» Read Zeke’s last blog post..SXSW ‘08: Friday Plus the Last 24hrs)

  5. Lisa says:

    @liciece – Been planning to update xMark for quite some time, now… finding the time to do it is a whole different story altogether. Although, I can say when I do find the time, I do plan on making upgrades and improvements to the theme and will update users on the xMark theme site – thanks for using it!

    @Zeke – thanks for dropping by and I’m excited about the second edition, as well :) Thanks for reading!

  6. I was here looking for your thoughts on 2.5, I knew they’d be here ;)

    I’ll be looking for your updated chapter for the changes…

    (» Read Gary LaPointe’s last blog post..I’m looking for Detroit Local Tweeters (Twitters))

  7. michin says:

    Yay it worked! Thanks! I copy-pasted the code into the htaccess file above most of the text there and reuploaded. This worked on an add-on domain I have. Yay.

  8. Lisa says:

    @Gary – have I become so predictable? :-b

    @michin – happy it worked for you :D

  9. Diane says:

    Thanks for the fix, Lisa.

    The gallery is working and it’s a great improvement.

  10. Http500 says:

    Hello, WP 2.5 is good release?

    (» Read Http500’s last blog post..Juventus – Parma sospesa per lutto)

  11. Http500 says:

    Now install it! :d

    (» Read Http500’s last blog post..Juventus – Parma sospesa per lutto)

  12. 12thharmonic says:

    You Rock!
    That fix worked a treat. Let’s hope a better option comes up without the risk.

  13. Baard Vidar says:

    Thanks, Lisa.

    That fix saved my day!

  14. […] about in the WordPress forums however if you are having a similar problem I suggest checking out Lisa Sabin-Wilson’s blog as she seems to have found a solution to the problem she was having with the media […]

  15. Stefan says:

    Thanx! This really helped. For code dummies like myself, I would like to add my .htaccess as an example of what the code implementation can look like. To be honest, I had to try & error a bit. :) I had to put the 2 new rules
    SecFilterEngine Off
    SecFilterScanPOST Off
    to the end of my code. – Hope this helps

    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    SecFilterEngine Off
    SecFilterScanPOST Off

  16. Pajama Mommy says:

    Pajama Mommy just updated thanx to my assistant. I like the new look; it is definitely something to get used to, but I haven’t had any issues with it yet *crosses fingers*

    (» Read Pajama Mommy’s last blog post..Tostito’s Recipes and Contest!)

  17. […] upload any image through the new AJAX image uploader. After i search through internet, i found this post, which teach user how to fix this […]

  18. 12thharmonic says:

    A better fix?
    This morning I go to a client’s site and my server is deleting the htaccess file. This is happening on all my WordPress blogs. Even when I delete the fix. I have a ticket in with my parent host. Anyone else run into this?

    Is there a new fix for this issue (which worked till the auto delete thing began)? I assume my parent host saw the exploit and took action.

    (» Read 12thharmonic’s last blog post..Follow Up: The Green Scare – The Government and Eco-Terrorism)

  19. Sage says:

    I have altered the htaccess code many times now and I still get this message.
    Fatal error: Call to undefined function wp_constrain_dimensions() in /home2/newyorka/public_html/wp-admin/includes/image.php on line 173
    I’m using Safari and FF on a Mac OS 10.5

    Help please.

    (» Read Sage’s last blog post..Adi visits)

  20. Lisa says:

    @Sage – I did a quick Google search on that error message and found this. Give it a shot – good luck!

  21. Yan says:

    Hi Lisa,

    It seems like everyone is advocating the fix by editing .htaccess. I tried that but it gives me a fatal error and worsens the matter further – it couldn’t even show the upload box.

    Sad :-(

  22. Wonderer says:

    Hi Lisa,

    This is a major problem and there are thousands of Google entries reporting it. Your solution worked for me but I have seen other proposed solutions that open mod_security for every file, which seems quite dangerous.

    I’m amazed that there is no mention of this issue in the official release notes, and I have no idea how to reach the developers in order to escalate the problem. Perhaps you might be able to elevate it further.


    P.S. Loved your book!

  23. Lisa,
    Does 2.5.1 fix this?

  24. Wonderer says:


    The problem is still there in 2.5.1, unless you apply the htaccess mod. I doubt there is any way to fix it within the WordPress code unless they develop a different method of uploading files.

    One has to assume that WordPress 2.5 and 2.5.1 were only tested on servers with mod_security disabled, otherwise this bug would have been a show-stopper.


  25. I haven’t installed it yet. But when implementing something nice like a new Flash uploader I can’t believe they didn’t leave in the code for the old uploader (just in case); especially with more and more mobile devices coming out I’d hate to exclude WordPress from my choices someday since I need it to work with a non-Flash device.


  26. Just wanted to say thanks so much for publishing that fix. My site requires a lot of images to be posted, and I thought I was up the creek without a paddle for a moment there!

  27. Here’s the weird thing for me.

    Mine uploads the files fine (did not mod anything). I can FTP in to the site and see them, and when I look in the “media library” they’re there.

    It’s when I hit “insert into post” the Flash frame goes blank and it never inserts my photos. This happens on my Leopard Mac in Safari and Firefox (Flash 9.x).

    Very strange….

  28. 2 more things:
    1) The files are in my media library and appear to be tied to the post.

    2) did you stop using the “Read Gary’s last blog post” plug-in? If so, any reason why? (I was thinking of using it, but if the cool kids aren’t using it any more…)

  29. […] I still require the .htaccess fix in order to successfully utilize the flash-based image uploader. I posted about this issue when 2.5 first came out (Although, you can now toggle between the Flash uploader and the classic browser-based uploader […]

  30. ek gelir says:

    Hi Lisa,

    It seems like everyone is advocating the fix by editing .htaccess. I tried that but it gives me a fatal error and worsens the matter further – it couldn’t even show the upload box.