News Ticker

Attacks on older versions of WordPress

Picked this up in my reading this morning:

If you’re running a self-hosted WordPress blog that isn’t up-to-date (version 2.8.4), you’re advised to upgrade immediately to the latest version of the software to avoid an ongoing attack. Users of hosted blogs are not affected.

The warning comes from Lorelle on WordPress after it was discovered that a nasty attack is exploiting security holes in previous versions of the blogging software, creating a new “hidden” Administrator account and getting right down to the database level. These attacks are said to be “growing by the hour”…

…All users are advised to upgrade to the latest version of WP, while those already affected are in for a trying weekend: you’ll likely need to export your all your content with the built-in XML WordPress export, uninstall and reinstall WordPress and re-import the content. It’s a nasty attack that goes all the way into the database, so exporting the database will result in exporting the hacked code too. [From WordPress Attack Underway: WordPress Users Must Upgrade [ALERT]]

As stated, the current version of WordPress is v2.8.4. This blog has been attacked in the past by someone trying to gain administrative privileges so I take upgrades seriously. ;-)

Update: This is real…the account of someone attacked.

4 Comments on Attacks on older versions of WordPress

  1. I hope users take this to heart and do it… now!

  2. Well, Earl, I took your advice. I finally upgraded from 2.5.1 to 2.8.4 and it actually went well! I feel safer already! :-)

  3. Yes, this is really an important thing. At the moment I am using blogger, but for various reasons I want to migrate to a wordpress based blog. The first thing I did was to google for security advisories and taking more then the standard approach to secure my installation. A good, yet slightly outdated approach is described in

  4. @Markus: Thanks for providing the link to the WordPress Security Whitepaper. There’s some good information there.

Leave a comment

Your email address will not be published.