Upgrade Immediately to WordPress 2.1.2!

If you’ve just recently upgraded to WordPress 2.1.1, you’re going to need to upgrade again! If you haven’t upgraded to 2.1.1, don’t do it! 2.1.2 is a MUST DO UPGRADE. The reason is that WordPress found out that someone cracked the 2.1.1 files and modified the code to do evil things. Funny enough, the Root of All Evil himself told me about this. I was wondering if I should take the warning seriously until I read it on WordPress’s own site…

It was determined that a cracker had gained user-level access to one of the servers that powers wordpress.org, and had used that access to modify the download file. We have locked down that server for further forensics, but at this time it appears that the 2.1.1 download was the only thing touched by the attack. They modified two files in WP to include code that would allow for remote PHP execution.

This is the kind of thing you pray never happens, but it did and now we’re dealing with it as best we can. Although not all downloads of 2.1.1 were affected, we’re declaring the entire version dangerous and have released a new version 2.1.2 that includes minor updates and entirely verified files. We are also taking lots of measures to ensure something like this can’t happen again, not the least of which is minutely external verification of the download package so we’ll know immediately if something goes wrong for any reason.

Make sure you download the update right away and patch your installation. If you have any information on how this happened, or have any questions or concerns about this, WordPress is asking you to email them at: 21securityfaq@wordpress.org
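The core of the WordPress announcement is that two files inside an otherwise legitimate download were altered, and that the fix going forward is external verification of the package. The script below is an added example (not WordPress’s own tooling or any code from this post) of what that verification looks like in practice: it builds a SHA-256 manifest from a known-good copy of a release and then compares a downloaded tree against it, reporting files that were modified, dropped in, or removed. The file names and contents are constructed for the demo and are not the files involved in the 2.1.1 incident.

```python
"""Verify a downloaded release tree against a manifest of known-good file hashes.

Added example. The sample file names and contents are constructed for the demo
and are not the files named in any WordPress advisory.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def file_sha256(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large archives don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every file under root (relative, '/'-separated) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): file_sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_tree(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the tree under root with a trusted manifest.

    'modified' = present in both but hash differs (a backdoored file),
    'added'    = present on disk but not in the manifest (a dropped-in file),
    'missing'  = in the manifest but absent on disk.
    """
    actual = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "added": sorted(p for p in actual if p not in manifest),
        "missing": sorted(p for p in manifest if p not in actual),
    }


def _write_tree(root: Path, files: Dict[str, str]) -> None:
    """Materialise a dict of relative-path -> content as real files (demo helper)."""
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)


# Constructed sample package: stands in for a pristine release tree.
PRISTINE_FILES = {
    "index.php": "<?php require 'wp-blog-header.php';\n",
    "wp-includes/sample-a.php": "<?php function sample_a() { return 'a'; }\n",
    "wp-includes/sample-b.php": "<?php function sample_b() { return 'b'; }\n",
}


def demo_clean() -> Dict[str, List[str]]:
    """An untouched download verifies with nothing to report."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "good"
        _write_tree(good, PRISTINE_FILES)
        return verify_tree(good, build_manifest(good))


def demo_tampered() -> Dict[str, List[str]]:
    """A download with one altered file and one extra file is flagged on both counts."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "good"
        downloaded = Path(tmp) / "downloaded"
        _write_tree(good, PRISTINE_FILES)
        tampered = dict(PRISTINE_FILES)
        # Constructed: an appended line stands in for injected code.
        tampered["wp-includes/sample-a.php"] += "<?php /* constructed: injected line */\n"
        # Constructed: a file that was never part of the release.
        tampered["wp-content/dropped.php"] = "<?php /* constructed: extra file */\n"
        _write_tree(downloaded, tampered)
        return verify_tree(downloaded, build_manifest(good))


if __name__ == "__main__":
    print(json.dumps({"clean": demo_clean(), "tampered": demo_tampered()}, indent=2))
```

The manifest only means something if it comes from somewhere the attacker could not also edit: a hash list stored on the same server as the download would have been modified along with the package. That is the point of the “external verification” WordPress mentions, and why a project’s published checksums or signatures should be fetched and compared from an independent host or channel before an upgrade is applied.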

  • http://michaelkwan.com Michael Kwan

    Does anyone else find it a little strange that they use the term “cracker”?

    • http://www.oubipaws.org Nick

@dan1el – good point – it just seems to be a waste of mind – maybe I need to pull my head out of the sand ? lol

@Michael – wordpress being racial?!

    • http://samanathon.com Saman Sadeghi

      I did, is there a difference between a hacker and a cracker? I guess there is…

  • http://www.leochiang.com Leo

    Kind of a shame to see the talent some of these hackers have wasted on such trivial pursuits.

    • http://www.oubipaws.org Nick

that’s my theory – so much “intelligence” wasted on stupid acts…
The bigger problem; those amazing virus writers get hired by Microsoft in a heartbeat

    • http://thewrongadvices.com dan1el

      These guys are the same sort of people who are firebugs, except they’re good with computers. They just like to do damage for the sake of doing damage.

  • http://www.tyleringram.com Tyler

It’s why I like having my own custom built Blog script. I don’t have to worry about incompatibility issues with plugins etc.

    As for people finding exploits in my code, there could be some, but I definitely don’t get the traffic to worry yet about someone breaking it.

    • http://samanathon.com Saman Sadeghi

      I wish I had the time to write my own code, but I am really happy with WordPress! I honestly see no reason to use anything else!

  • http://www.oubipaws.org Nick

I didn’t even remember Blogger being hacked back then – must have missed that. Nowadays so many people have blogs, if they go down, everyone goes nuts.

dan1el; How many plugins do you use? I have roughly 15 installed and never had an issue with upgrading – everything always just “works” right out of the box. Well except for the related post plugins – had some db issues yesterday.

    -N

    • http://samanathon.com Saman Sadeghi

      Holy Crap!!! I just counted, I have 46 plugins running! :O

  • http://thewrongadvices.com dan1el

    I really hate upgrading wordpress. Having to cross my fingers and hope all my plugins still work stresses me out. But it’s better than having a compromised site.

    • http://samanathon.com Saman Sadeghi

      The biggest problem I have is deactivating/reactivating all of the plugins! I’m using a lot of them.

      • http://www.futurelooks.com Stephen

        I think someone should build a plugin that’s like a MASTER ON/OFF switch to turn off the plugins. It would save a lot of time.

        • http://samanathon.com Saman Sadeghi

          Very true! I have to hit the page down button 4 times to access all of my plugins!

  • http://www.leochiang.com Leo

    I guess I’ll rely on you to update my blog for me ;)

    • http://www.futurelooks.com Stephen

      I took care of my flock minutes after my own blog ;)

  • http://www.oubipaws.org Nick

    It should be interesting – with this “hacker” having access to their system, who knows what all he/she got into and what they’ll find out next that was exploited. I’m just happy to see that they are quick on the ball to fix it and let us all know.
    -N

    • http://www.futurelooks.com Stephen

      I think WordPress got off light. BLOGGER got taken down hard. That’s a lot of blogs that have suddenly gone dark :(

      • http://samanathon.com Saman Sadeghi

        The exploit had to do with the RSS feed, I’m looking for the link to this info but can’t find it!

  • http://www.oubipaws.org Nick

How long until the next update? Too many hackers, not enough time.
    Excellent blog btw!

    -N

    • http://www.futurelooks.com Stephen

      Welcome Nick! Thanks for the props!

      At this rate, I’d say we’re looking at another update…next week?