Upgrade WordPress to Prevent Hacks

November 13, 2008

Keep Your WordPress Blog Installs Current to Protect Against Hacking AttemptsIf you blog using WordPress as your content management system (CMS) and you’re running an old install, upgrade — but upgrade carefully. Recently we’ve upgraded several blogs from WordPress 2.0.3 to the current WordPress 2.6.3 (released on 23 October 2008). WordPress 2.0.3 was released on. . .June 1, 2006. Which is light years ago in Internet terms. Almost every WordPress release contains security patches, so it’s important to keep your install current. But don’t be fooled by any site which may offer an upgrade to WordPress 2.6.4. It doesn’t exist.

The next WordPress upgrade — expected to be released around the end of November — will be v 2.7. You can stay on top of current releases at the official WordPress website. The bogus 2.4 release, which surfaced last week, is a lesson in the need to keep your WordPress install current. It relied on older versions of WordPress to introduce its exploit of pluggable.php, targeting users who hadn’t upgraded to at least WordPress v 2.3. The fake Wordpresz.org site (since taken down) offered what purported to be version 2.6.4 of the open source blogging tool. In reality, all but one of the files was identical to the latest legitimate (2.6.3) version of WordPress. The crucial difference came in the form of a Trojanized version of pluggable.php. In the Trojan, the altered PHP file, now called WPHack-A Trojan by Sophos, a well-respected security website, called back to Wordpresz; no outcome is known. The Trojan tried to steal cookies and other credentials, in what amounted to a phishing scam.

Peter Westwood, WordPress DeveloperOne of WordPress’ lead developers, Peter Westwood, responded to an article about the Trojan which appeared in The Register, saying: “We recommend that people upgrade as soon as possible when we release a security release so as to ensure they are not vulnerable to issues which will likely have exploits in the wild. Also, in the upcoming 2.7 release of WordPress, we are including a built-in upgrade mechanism within WordPress which will allow people to upgrade automatically with ease. I would, however, stress the need with any piece of software to check that an upgrade is real by visiting the website of the software provider manually rather than relying on a link that you have been provided. Otherwise, as with bank phishing scams, there is the potential for someone to trick you into doing something you didn’t want to do.”

Read a funny post about some prospective WordPress clients.

Copyright ©2008 pajamadeen.com

« Previous PageNext Page »