Upgrade Immediately to WordPress 2.1.2!



If you’ve just recently upgraded to WordPress 2.1.1, you’re going to need to upgrade again! If you haven’t upgraded to 2.1.1, don’t do it! 2.1.2 is a MUST DO UPGRADE. The reason is that WordPress found out that someone cracked the 2.1.1 files and modified the code to do evil things. Funny enough, the Root of All Evil himself told me about this. I was wondering if I should take the warning seriously until I read it on WordPress’s own site…

It was determined that a cracker had gained user-level access to one of the servers that powers wordpress.org, and had used that access to modify the download file. We have locked down that server for further forensics, but at this time it appears that the 2.1.1 download was the only thing touched by the attack. They modified two files in WP to include code that would allow for remote PHP execution.

This is the kind of thing you pray never happens, but it did and now we’re dealing with it as best we can. Although not all downloads of 2.1.1 were affected, we’re declaring the entire version dangerous and have released a new version 2.1.2 that includes minor updates and entirely verified files. We are also taking lots of measures to ensure something like this can’t happen again, not the least of which is minutely external verification of the download package so we’ll know immediately if something goes wrong for any reason.

Make sure you download the update right away and patch your installation. If you have any information on how this happened, or have any questions or concerns about this, WordPress is asking you to email them at: 21securityfaq@wordpress.org
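The announcement promises "entirely verified files" for 2.1.2; a site owner can run the same kind of check locally by hashing a freshly downloaded, trusted copy of the release and comparing it with what is actually installed. The sketch below is an added example, not WordPress's own tooling: the file names and contents are constructed, and treating `wp-config.php` as a file that exists only on the live site is an assumption.

```python
import hashlib
import os
import tempfile

def manifest(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare(trusted_root, installed_root, site_specific=("wp-config.php",)):
    """Return sorted (modified, unexpected, missing) paths for the install."""
    trusted, installed = manifest(trusted_root), manifest(installed_root)
    modified = sorted(p for p in trusted
                      if p in installed and installed[p] != trusted[p])
    # Files only the live site has; site_specific ones are expected there.
    unexpected = sorted(p for p in installed
                        if p not in trusted and p not in site_specific)
    missing = sorted(p for p in trusted if p not in installed)
    return modified, unexpected, missing

def write_tree(root, files):
    """Create files (relative path -> bytes) under root."""
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)

def demo():
    """Constructed trees: a verified release and a live copy with one edit."""
    release = {"index.php": b"<?php // loader\n",
               "wp-includes/sample-a.php": b"<?php // original a\n",
               "wp-includes/sample-b.php": b"<?php // original b\n"}
    live = dict(release)
    live["wp-includes/sample-b.php"] += b"// appended (constructed)\n"
    live["wp-config.php"] = b"<?php // site settings\n"
    live["dropped.php"] = b"<?php // not in the release\n"
    with tempfile.TemporaryDirectory() as tmp:
        trusted_dir = os.path.join(tmp, "trusted")
        live_dir = os.path.join(tmp, "live")
        write_tree(trusted_dir, release)
        write_tree(live_dir, live)
        return compare(trusted_dir, live_dir)
```

On a real site, point `compare()` at a freshly extracted 2.1.2 archive and the live document root; plugins and themes you added yourself will be listed as unexpected and need a manual look.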


Posted in: Blogging



24 Comments

Comment by Nick
2007-03-02 19:50:52

How long until the next update? Too many hackers, not enough time.
Excellent blog btw!

-N

Comment by Stephen
2007-03-02 21:52:00

Welcome Nick! Thanks for the props!

At this rate, I’d say we’re looking at another update…next week?

 
 
Comment by Nick
2007-03-02 21:56:03

It should be interesting – with this “hacker” having access to their system, who knows what all he/she got into and what they’ll find out next that was exploited. I’m just happy to see that they are quick on the ball to fix it and let us all know.
-N

Comment by Stephen
2007-03-02 22:56:16

I think WordPress got off light. BLOGGER got taken down hard. That’s a lot of blogs that have suddenly gone dark :(

Comment by Saman Sadeghi
2007-03-03 18:32:03

The exploit had to do with the RSS feed, I’m looking for the link to this info but can’t find it!

 
 
 
Comment by Leo
2007-03-03 02:54:58

I guess I’ll rely on you to update my blog for me ;)

Comment by Stephen
2007-03-03 15:50:13

I took care of my flock minutes after my own blog ;)

 
 
Comment by dan1el
2007-03-03 09:13:11

I really hate upgrading WordPress. Having to cross my fingers and hope all my plugins still work stresses me out. But it’s better than having a compromised site.

Comment by Saman Sadeghi
2007-03-03 18:35:03

The biggest problem I have is deactivating/reactivating all of the plugins! I’m using a lot of them.

Comment by Stephen
2007-03-03 18:38:15

I think someone should build a plugin that’s like a MASTER ON/OFF switch to turn off the plugins. It would save a lot of time.

Comment by Saman Sadeghi
2007-03-04 00:08:11

Very true! I have to hit the page down button 4 times to access all of my plugins!

 
 
 
 
Comment by Nick
2007-03-03 10:07:11

I didn’t even remember Blogger being hacked back then – must have missed that. Nowadays so many people have blogs, if they go down, everyone goes nuts.

dan1el: How many plugins do you use? I have roughly 15 installed and never had an issue with upgrading – everything always just “works” right out of the box. Well, except for the related post plugins – had some db issues yesterday.

-N

Comment by Saman Sadeghi
2007-03-04 00:09:29

Holy Crap!!! I just counted, I have 46 plugins running! :O

 
 
Comment by Tyler
2007-03-03 11:03:59

It’s why I like having my own custom-built blog script. I don’t have to worry about incompatibility issues with plugins etc.

As for people finding exploits in my code, there could be some, but I definitely don’t get the traffic to worry yet about someone breaking it.

Comment by Saman Sadeghi
2007-03-03 18:36:14

I wish I had the time to write my own code, but I am really happy with WordPress! I honestly see no reason to use anything else!

 
 
Comment by Leo
2007-03-03 13:18:26

Kind of a shame to see the talent some of these hackers have wasted on such trivial pursuits.

Comment by Nick
2007-03-03 15:53:45

That’s my theory – so much “intelligence” wasted on stupid acts…
The bigger problem: those amazing virus writers get hired by Microsoft in a heartbeat

 
Comment by dan1el
2007-03-03 16:32:40

These guys are the same sort of people who are firebugs, except they’re good with computers. They just like to do damage for the sake of doing damage.

 
 
Comment by Michael Kwan
2007-03-03 16:36:29

Does anyone else find it a little strange that they use the term “cracker”?

Comment by Nick
2007-03-03 16:38:54

@dan1el – good point – it just seems to be a waste of mind – maybe I need to pull my head out of the sand? lol

@Michael – WordPress being racial?!

 
Comment by Saman Sadeghi
2007-03-03 18:37:11

I did, is there a difference between a hacker and a cracker? I guess there is…

 
 
