<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>sixty4media &#187; security</title>
	<atom:link href="http://sixty4media.com/tag/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://sixty4media.com</link>
	<description>WordPress design and new media solutions based in Vancouver B.C.</description>
	<lastBuildDate>Fri, 03 Feb 2012 19:11:02 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Basics for Securing WordPress &#8211; WordCamp Victoria 2011 Talk</title>
		<link>http://sixty4media.com/2011/01/24/basics-for-securing-wordpress-wordcamp-victoria-2011-talk/</link>
		<comments>http://sixty4media.com/2011/01/24/basics-for-securing-wordpress-wordcamp-victoria-2011-talk/#comments</comments>
		<pubDate>Mon, 24 Jan 2011 21:14:58 +0000</pubDate>
		<dc:creator>Rebecca Bollwitt</dc:creator>
				<category><![CDATA[Tips]]></category>
		<category><![CDATA[WordCamp]]></category>
		<category><![CDATA[wordpress]]></category>
		<category><![CDATA[Conferences]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[sixty4media]]></category>
		<category><![CDATA[tools]]></category>

		<guid isPermaLink="false">http://sixty4media.com/?p=606</guid>
		<description><![CDATA[Copyright &#169; 2012 Rebecca Bollwitt. Visit the original article at http://sixty4media.com/2011/01/24/basics-for-securing-wordpress-wordcamp-victoria-2011-talk/.This past weekend John and I took the ferry over to Victoria to participate in WordCamp Victoria. I was slated to speak as a part of a blogger panel with Lorraine Murphy and Mike Vardy, as well as give a talk about securing WordPress (for [...]]]></description>
			<content:encoded><![CDATA[Copyright &copy; 2012 <a href="http://sixty4media.com">Rebecca Bollwitt</a>. Visit the original article at <a href="http://sixty4media.com/2011/01/24/basics-for-securing-wordpress-wordcamp-victoria-2011-talk/">http://sixty4media.com/2011/01/24/basics-for-securing-wordpress-wordcamp-victoria-2011-talk/</a>.<br /><p>This past weekend <a href="http://johnbollwitt.com">John</a> and I took the ferry over to Victoria to participate in WordCamp Victoria. I was slated to speak as a part of a blogger panel with <a href="http://raincoaster.com">Lorraine Murphy</a> and <a href="http://www.eventualism.com/">Mike Vardy</a>, as well as give a talk about securing WordPress (for beginners, just the basics). While no voice-over commentary is included, you can view my slides here:</p>
<p><a href="http://www.slideshare.net/miss604/basics-for-wordpress-security" title="Basics for Securing WordPress">Basics for Securing WordPress</a> (slides on SlideShare)</p>
<p>During my session there was a question from Twitter about plugins, suggesting that since they are third-party applications, they should not be trusted.</p>
<p><img src="http://sixty4media.com/wordpress/wp-content/uploads/2011/01/wordcampvictoria-jb1.png" alt="" title="wordcampvictoria-jb1" width="500" class="aligncenter" /></p>
<p>My response was that you can&#8217;t fear all plugins, but you can look out for the most effective and least damaging. Look for the version number and the date it was last edited. If a plugin was submitted yesterday and has no feedback, it may not be the best idea to install it. You want trusted plugins that have been updated, reviewed, and that work with your version of WordPress. Also, always install plugins from the WordPress directory and not third party websites.</p>
<p><img src="http://sixty4media.com/wordpress/wp-content/uploads/2011/01/wordcampvictoria-jb.png" alt="" title="wordcampvictoria-jb" width="500" class="aligncenter" /></p>
<p>As you can see from Lloyd&#8217;s response (he works with Automattic), plugins added to the official directory are vetted for malicious code. I would also add that the community is pretty good at policing plugins as well. If something&#8217;s not working, you&#8217;ll hear about it in the feedback, comments, and probably even on Twitter.</p>
<p>Should you have any questions about the basics of securing WordPress, please feel free to drop a note in the comments.</p>
<p>Finally, having organized WordCamp Whistler and WordCamp Vancouver before, we can appreciate all of the time and effort organizers put into these events and I must say, WordCamp Victoria was pretty stellar. Over 175 people showed up to participate, present, ask questions, and have stimulating discussions in the coffee room. Lunch was provided and Twitter was abuzz with backchannel chatter. Kudos to <a href="http://paulholmes.ca/">Paul Holmes</a> and his team on another successful event.</p>
]]></content:encoded>
			<wfw:commentRss>http://sixty4media.com/2011/01/24/basics-for-securing-wordpress-wordcamp-victoria-2011-talk/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Self-hosted WordPress users urgently advised to upgrade to version 2.8.4</title>
		<link>http://sixty4media.com/2009/09/05/self-hosted-wordpress-users-urgently-advised-to-upgrade-to-version-2-8-4/</link>
		<comments>http://sixty4media.com/2009/09/05/self-hosted-wordpress-users-urgently-advised-to-upgrade-to-version-2-8-4/#comments</comments>
		<pubDate>Sat, 05 Sep 2009 20:11:09 +0000</pubDate>
		<dc:creator>John Bollwitt</dc:creator>
				<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[wordpress]]></category>
		<category><![CDATA[lorelle vanfossen]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security adivisory]]></category>
		<category><![CDATA[wordpress 2.8.4]]></category>

		<guid isPermaLink="false">http://sixty4media.com/?p=392</guid>
		<description><![CDATA[Copyright &#169; 2012 John Bollwitt. Visit the original article at http://sixty4media.com/2009/09/05/self-hosted-wordpress-users-urgently-advised-to-upgrade-to-version-2-8-4/.WordPress version 2.8.4 came out in early August, and now there is a serious issue that has come to light for users whose installations are operating with previous versions. Otto42 of OttoDestruct, a key WordPress developer and supporter, reports that there is an “attack” on [...]]]></description>
			<content:encoded><![CDATA[Copyright &copy; 2012 <a href="http://sixty4media.com">John Bollwitt</a>. Visit the original article at <a href="http://sixty4media.com/2009/09/05/self-hosted-wordpress-users-urgently-advised-to-upgrade-to-version-2-8-4/">http://sixty4media.com/2009/09/05/self-hosted-wordpress-users-urgently-advised-to-upgrade-to-version-2-8-4/</a>.<br /><p><a href="http://wordpress.org">WordPress</a> version <a href="http://wordpress.org/development/2009/08/2-8-4-security-release/">2.8.4</a> came out in early August, and now there is a serious issue that has come to light for users whose installations are operating with previous versions.</p>
<blockquote><p>Otto42 of OttoDestruct, a key WordPress developer and supporter, reports that there is an “attack” on older versions of WordPress right now. The number of sites hit by this is growing every hour. Protect your WordPress blog now: UPDATE NOW!!!  [<a href="http://lorelle.wordpress.com/2009/09/04/old-wordpress-versions-under-attack/">lorelle.wordpress.com</a>]</p></blockquote>
<p><a href="http://lorelle.wordpress.com/2009/09/04/old-wordpress-versions-under-attack/">Lorelle&#8217;s post</a> covers in depth what this major security vulnerability entails, and the issue should not be taken lightly.</p>
<p>In addition, <a href="http://ma.tt">Matt Mullenweg</a> has an even more informative post on the official <a href="http://wordpress.org/development/2009/09/keep-wordpress-secure/">WordPress.org Blog</a> with more specifics about these attacks and their severity.</p>
<blockquote><p>Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.  </p>
<p>The tactics are new, but the strategy is not. Where this particular worm messes up is in the “clean up” phase: it doesn’t hide itself well and the blogger notices that all his links are broken, which causes him to dig deeper and notice the extent of the damage. Where worms of old would do childish things like defacing your site, the new ones are silent and invisible, so you only notice them when they screw up (as this one did) or your site gets removed from Google for having spam and malware on it.</p>
<p>I’m talking about this not to scare you, but to highlight that this is something that has happened before, and that will more than likely happen again.  [<a href="http://wordpress.org/development/2009/09/keep-wordpress-secure/">wordpress.org</a>]</p></blockquote>
<p>The battle rages on. The full post is intriguing and worth the click to finish reading.</p>
<p>For directions on how to upgrade a self-hosted WordPress installation, see the <a href="http://codex.wordpress.org/Upgrading_WordPress">WordPress Codex</a>. If you need assistance getting the upgrade done, feel free to <a href="http://sixty4media.com/contact">contact us</a> so you can get your content protected as soon as possible.</p>
]]></content:encoded>
			<wfw:commentRss>http://sixty4media.com/2009/09/05/self-hosted-wordpress-users-urgently-advised-to-upgrade-to-version-2-8-4/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>WordPress 2.6.2</title>
		<link>http://sixty4media.com/2008/09/20/wordpress-262/</link>
		<comments>http://sixty4media.com/2008/09/20/wordpress-262/#comments</comments>
		<pubDate>Sun, 21 Sep 2008 01:07:15 +0000</pubDate>
		<dc:creator>John Bollwitt</dc:creator>
				<category><![CDATA[wordpress]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[services]]></category>
		<category><![CDATA[wordpress 2.6.2]]></category>

		<guid isPermaLink="false">http://sixty4media.com/?p=69</guid>
		<description><![CDATA[Copyright &#169; 2012 John Bollwitt. Visit the original article at http://sixty4media.com/2008/09/20/wordpress-262/.It&#8217;s been a busy few weeks in between when WordPress 2.6.2 was launched and now, but it&#8217;s worth mentioning nonetheless. The main reason is because this release is a critical security upgrade, vital at keeping your site safe from anything malicious being done to your [...]]]></description>
			<content:encoded><![CDATA[Copyright &copy; 2012 <a href="http://sixty4media.com">John Bollwitt</a>. Visit the original article at <a href="http://sixty4media.com/2008/09/20/wordpress-262/">http://sixty4media.com/2008/09/20/wordpress-262/</a>.<br /><p>It&#8217;s been a busy few weeks since <a href="http://wordpress.org/development/2008/09/wordpress-262/">WordPress 2.6.2</a> was launched, but it&#8217;s worth mentioning nonetheless. The main reason is that this release is a critical security upgrade, vital to keeping your site safe from anything malicious being done to your content.</p>
<p>If you are unsure about the status of your WordPress install or need help getting it upgraded, <a href="http://sixty4media.com/contact">contact us</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://sixty4media.com/2008/09/20/wordpress-262/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

