WordPress version 2.8.4 came out in early August, and now there is a serious issue that has come to light for users whose installations are operating with previous versions.
Otto42 of OttoDestruct, a key WordPress developer and supporter, reports that there is an “attack” on older versions of WordPress right now. The number of sites hit by this is growing every hour. Protect your WordPress blog now: UPDATE NOW!!! [lorelle.wordpress.com]
Lorelle’s post goes into depth on what this security vulnerability entails, and it should not be taken lightly.
In addition, Matt Mullenweg has an even more detailed post on the official WordPress.org blog, with specifics on these attacks and how severe they are.
Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.
The tactics are new, but the strategy is not. Where this particular worm messes up is in the “clean up” phase: it doesn’t hide itself well and the blogger notices that all his links are broken, which causes him to dig deeper and notice the extent of the damage. Where worms of old would do childish things like defacing your site, the new ones are silent and invisible, so you only notice them when they screw up (as this one did) or your site gets removed from Google for having spam and malware on it.
I’m talking about this not to scare you, but to highlight that this is something that has happened before, and that will more than likely happen again. [wordpress.org]
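The quoted description gives a defender two concrete symptoms to look for: a newly registered account that has been granted the administrator role, and old posts that were re-saved recently and now carry hidden spam markup. Because the worm hides itself from the dashboard’s Users page with JavaScript, the check has to read the database tables directly rather than trust the admin screens. The script below is an added example written for this post, not code from WordPress, Lorelle, or Matt Mullenweg; it uses an in-memory SQLite stand-in for the `wp_users`, `wp_usermeta`, and `wp_posts` tables (the real site runs MySQL, and a `wp_` table prefix is assumed), with constructed sample rows, a constructed cut-off date, and a hypothetical hidden-markup regex.

```python
import re
import sqlite3

# Minimal stand-in for the three WordPress tables involved (constructed for this
# example; column and meta_key names follow the real WordPress schema, with the
# default 'wp_' table prefix assumed).
SCHEMA = """
CREATE TABLE wp_users   (ID INTEGER PRIMARY KEY, user_login TEXT, user_registered TEXT);
CREATE TABLE wp_usermeta(umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
CREATE TABLE wp_posts   (ID INTEGER PRIMARY KEY, post_date TEXT, post_modified TEXT,
                         post_status TEXT, post_content TEXT);
"""

# Constructed sample rows: one legitimate admin, one editor, and one account that
# registered recently and holds the serialized 'administrator' capability.
USERS = [
    (1, "siteowner", "2008-01-10 09:00:00"),
    (2, "staffeditor", "2008-06-01 12:00:00"),
    (3, "zz_helper", "2009-09-04 03:12:45"),
]
USERMETA = [
    (1, 1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, 2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, 3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]
POSTS = [
    # old post, untouched
    (10, "2008-03-02 10:00:00", "2008-03-02 10:00:00", "publish",
     "<p>Welcome to the blog.</p>"),
    # old post, re-saved recently, now carrying a hidden link block
    (11, "2008-05-20 10:00:00", "2009-09-05 03:14:00", "publish",
     '<p>Original text.</p><div style="display:none"><a href="http://example.invalid/">x</a></div>'),
    # new post with hidden markup, but written after the cut-off, so not an "old post edited"
    (12, "2009-09-06 08:00:00", "2009-09-06 08:00:00", "publish",
     '<span style="display: none">draft note</span>'),
    # old post, edited recently but with ordinary content (a normal edit)
    (13, "2008-07-01 10:00:00", "2009-09-05 09:00:00", "publish",
     "<p>Updated the links section.</p>"),
]

# Hypothetical heuristic: markup that hides content from a human reader while
# leaving it in the HTML that search engines index.
HIDDEN_MARKUP = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|<iframe\b", re.IGNORECASE)


def build_sample_db():
    """Create an in-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?)", USERS)
    conn.executemany("INSERT INTO wp_usermeta VALUES (?,?,?,?)", USERMETA)
    conn.executemany("INSERT INTO wp_posts VALUES (?,?,?,?,?)", POSTS)
    return conn


def find_recent_admins(conn, since):
    """Logins of accounts holding the administrator role and registered on/after `since`.

    Reads wp_usermeta directly, so an account hidden from the dashboard's Users
    page by injected JavaScript is still listed.
    """
    rows = conn.execute(
        """
        SELECT u.user_login
        FROM wp_users u
        JOIN wp_usermeta m ON m.user_id = u.ID
        WHERE m.meta_key = 'wp_capabilities'
          AND m.meta_value LIKE '%"administrator"%'
          AND u.user_registered >= ?
        ORDER BY u.user_registered
        """,
        (since,),
    )
    return [login for (login,) in rows]


def find_tampered_posts(conn, since):
    """IDs of published posts written before `since`, modified on/after it,
    and now containing hidden markup."""
    rows = conn.execute(
        """
        SELECT ID, post_content
        FROM wp_posts
        WHERE post_status = 'publish'
          AND post_date < ?
          AND post_modified >= ?
        ORDER BY ID
        """,
        (since, since),
    )
    return [post_id for post_id, content in rows if HIDDEN_MARKUP.search(content)]


if __name__ == "__main__":
    db = build_sample_db()
    cutoff = "2009-09-01 00:00:00"  # constructed: date of the last known-good backup
    print("admins registered since cutoff:", find_recent_admins(db, cutoff))
    print("old posts with hidden markup  :", find_tampered_posts(db, cutoff))
```

The cut-off date is the point the site owner is confident the blog was clean (for instance, the last verified backup). Both checks are heuristics: a legitimate theme or plugin can also emit `display:none`, and a real cleanup should compare every flagged post against that backup rather than trust the regex alone.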
The battle rages on. The full post is well worth the click to read to the end.
For information about how to upgrade your WordPress on a self-hosted installation, the WordPress Codex offers directions on how to do that. If you need assistance getting the upgrade done, feel free to contact us so you can get your content protected as soon as possible.