
Wordpress Users, Are You Safe?

09.09.2009 - 10:09 AM

This is a cross-post from the Defensio blog, by Carl Mercier.

If you are running an older version of Wordpress, meaning anything earlier than 2.8.4, you ABSOLUTELY want to read this.

A worm that can post malware and spam to vulnerable Wordpress installations has recently been discovered in the wild and unless you’re running the very latest version of Wordpress, you are at risk. Seriously at risk.

The vulnerability allowing the attack was discovered August 11 and was immediately fixed by the Wordpress team in the 2.8.4 security release. If you are using version 2.8.4 or better of Wordpress, or host your blog on Wordpress.com, you are safe.

The newly discovered worm is pretty sneaky to say the least. In a nutshell, it crawls the web looking for vulnerable Wordpress installations, makes itself an administrator account, takes full control of the website and posts malware and spam to it. It’s also been reported that it will sometimes disable Defensio and other anti-spam plugins. It can be very hard to detect the new malicious administrator user since it hides itself from the users list using Javascript.

Bah… This stuff never happens to me!

If rock star blogger Robert Scoble can be hacked, you probably can as well. This vulnerability is serious, so please treat it as such.

Have I already been hacked?

As Lorelle VanFossen wrote on her blog:

There are two clues that your WordPress site has been attacked.

There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.”

The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution.
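The two clues above can both be checked without trusting the dashboard. The script below is an added example, not code from the original post, from Defensio, or from Lorelle VanFossen: it scans web-server access-log lines for request paths that, once URL-decoded, contain the eval(base64_decode(...)) pattern, and it compares administrator-role users pulled straight from the database (bypassing the JavaScript that hides the rogue account in the users list) against an allowlist of logins you know. The log lines, user rows, and the allowlist are constructed sample data; the user rows assume the default `wp_` table prefix, so the role lives in the `wp_capabilities` meta key.

```python
"""Defender-side checks for the two worm indicators quoted above.

Added example; all sample data below is constructed for illustration.
"""
import re
from urllib.parse import unquote

# Indicator 1: the payload pattern from the permalink clue, allowing for
# whitespace between the tokens.
PAYLOAD_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)

# Pull method/path/protocol out of an Apache-style request field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)"')

# Constructed access-log lines; line 2 carries the payload from the quoted post.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Sep/2009:10:09:00 -0400] "GET /category/post-title/ HTTP/1.1" 200 5123
203.0.113.7 - - [09/Sep/2009:10:09:01 -0400] "GET /category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/ HTTP/1.1" 200 4981
203.0.113.9 - - [09/Sep/2009:10:09:02 -0400] "GET /wp-login.php HTTP/1.1" 200 1200
"""


def fully_unquote(s, max_rounds=3):
    """URL-decode repeatedly so a double-encoded payload is still seen."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            return decoded
        s = decoded
    return s


def scan_access_log(log_text):
    """Return (line_number, decoded_path) for every request whose decoded
    path contains the eval(base64_decode( pattern."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        decoded = fully_unquote(m.group("path"))
        if PAYLOAD_RE.search(decoded):
            hits.append((n, decoded))
    return hits


# Indicator 2: administrator accounts the dashboard may not show you.
# Constructed rows shaped like the result of
#   SELECT u.ID, u.user_login, m.meta_value
#   FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
#   WHERE m.meta_key = 'wp_capabilities';
# meta_value is a PHP-serialized array naming the role(s).
SAMPLE_USERS = [
    (1, "carl", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "editor-jane", 'a:1:{s:6:"editor";b:1;}'),
    (3, "admin2", 'a:1:{s:13:"administrator";b:1;}'),  # constructed rogue account
]

# Logins you created yourself (constructed allowlist).
KNOWN_ADMINS = {"carl"}


def find_unexpected_admins(rows, known_admins):
    """Return logins that hold the administrator role but are not in the allowlist."""
    unexpected = []
    for _user_id, login, caps in rows:
        if '"administrator"' in caps and login not in known_admins:
            unexpected.append(login)
    return unexpected


if __name__ == "__main__":
    for n, path in scan_access_log(SAMPLE_LOG):
        print(f"payload in access log line {n}: {path}")
    for login in find_unexpected_admins(SAMPLE_USERS, KNOWN_ADMINS):
        print(f"unexpected administrator account: {login}")
```

Run the query against your own database (adjusting the table prefix if you changed it at install time) and feed the rows to find_unexpected_admins; any login it returns that you did not create is the back door to remove before upgrading and changing passwords.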

How do I prevent my site from being targeted?

It’s easy. Upgrade. If you are using a somewhat recent version of Wordpress (2.7+), upgrading is easy since the functionality is now built-in. But if you are not, you should take a look at the excellent InstantUpgrade plugin which makes upgrading Wordpress a single-click operation.

If you have already been hacked, you will need to delete the malicious admin user as well. Changing all your passwords is also strongly recommended.

You might also want to check out How to Keep Wordpress Secure and the My Site Was Hacked FAQ.

How can I keep my Wordpress blog safe in the future?

Wordpress is generally a safe platform. However, we recommend that you always use the latest and greatest version to make sure that all known security exploits are patched. You should also make sure that your passwords are not easily guessable, either by a human or a machine. A password of at least 8 characters which includes at least 1 uppercase, 1 lowercase and 1 digit is generally considered “strong”. Following @websenselabs, @wordpress, and @defensio on Twitter is also a good way to stay up to date.
