WordPress blogs under serious attack; immediate upgrades the only defense
By Sean P. Aune
If you are running your own copy of the mega-popular WordPress blog software, you are in serious danger of your site being hacked this weekend unless you upgrade immediately.
WordPress has become synonymous with blogging over the past several years, so it only makes sense that this would also paint a huge target on its back for hackers. According to reports, that is exactly what has happened, and the scale of the attack is only getting bigger by the hour.
According to Lorelle on WordPress, this latest attack is impacting all versions of WordPress prior to the most recent update, version 2.8.4. If you have not yet upgraded to the latest version, the folks at WordPress are suggesting that you upgrade immediately by any means you can: using the automatic upgrade feature included in the past few updates, doing an old-fashioned FTP upload or using something like SimpleScripts provided by your host.
The attack apparently uses some form of backdoor to let the hackers into your database and allows them to create a fake admin account. From there they can do pretty much anything they want with your blog, including locking you out of it. Lorelle has two tips for telling if it may already be too late for your blog:
There are two clues that your WordPress site has been attacked.
There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.”
The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution.
The moral of the story is that if you have not yet upgraded, now is the time. Even if upgrading breaks a plugin, destroys your theme or causes some other problem, those are small prices to pay if you want your blog to survive this attack.
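The two clues quoted above can be checked with a short script. This is an added example, not code from the article, Lorelle or WordPress; the row layout (a login paired with the PHP-serialized capabilities string WordPress keeps in user metadata), the function names and the sample users are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Keywords the quoted advice names as signs of a tampered permalink.
INDICATORS = ("eval", "base64_decode")

# Assumption: WordPress keeps each user's role as a PHP-serialized array in
# user metadata, e.g. a:1:{s:13:"administrator";b:1;}
ADMIN_CAP = re.compile(r's:13:"administrator";b:1;')


def suspicious_permalink(value):
    """Return the indicator keywords found in a permalink structure or URL."""
    decoded = value
    for _ in range(3):  # undo nested percent-encoding such as %257B
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    lowered = decoded.lower()
    # Require a word boundary and an opening parenthesis, so "medieval" or
    # "evaluate" in a post slug is not reported.
    return [k for k in INDICATORS if re.search(r"\b" + k + r"\s*\(", lowered)]


def unexpected_admins(rows, known_admins):
    """rows: (login, serialized capabilities). Return admins you do not recognize."""
    known = {name.lower() for name in known_admins}
    return [login for login, caps in rows
            if ADMIN_CAP.search(caps) and login.lower() not in known]


# Constructed sample data: the permalink from the article plus made-up users.
SAMPLE_PERMALINK = ("example.com/category/post-title/%&(%7B$%7Beval(base64_decode"
                    "($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/")
SAMPLE_USERS = [
    ("owner", 'a:1:{s:13:"administrator";b:1;}'),
    ("guest_author", 'a:1:{s:6:"author";b:1;}'),
    ("Administrator (2)", 'a:1:{s:13:"administrator";b:1;}'),
]

if __name__ == "__main__":
    print("permalink indicators:", suspicious_permalink(SAMPLE_PERMALINK))
    print("unknown admins:", unexpected_admins(SAMPLE_USERS, ["owner"]))
```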
