Skip navigation

Emergency Update Notification for WordPress 2.1+

WordPress NewsIf you updated WordPress in the past few days, download the new version and update it again. Someone was able to break in and malicious code was added to the download. The new version is WordPress 2.1.2.

For more information see: WordPress 2.1.1 dangerous, Upgrade to 2.1.2.

It appears that this is a mandatory upgrade for everyone, whether you upgraded previously or not. The security patches in this and the last few versions are necessary to protect your site.

This is a highly unusual situation and more information will be forthcoming. Check out the announcement for more details.


Site Search Tags: , , ,
Copyright Lorelle VanFossen, member of the 9Rules Network Feed on Lorelle on WordPress Subscribe

Member of the 9Rules Blogging Network

17 Comments

  1. Posted March 2, 2007 at 2:53 pm | Permalink

    got 2.1.2… phew!

  2. Posted March 2, 2007 at 3:14 pm | Permalink

    Apparently there’s an extra (unrelated) security fix in 2.1.2 so it might be worth upgrading regardless of when you downloaded 2.1.1.

    2.1.1 hasn’t been out much longer than ‘a few days’ anyway (about a week and a half), and since we don’t know exactly when the server was cracked I personally would feel safer updating ALL 2.1.1 installs. If I didn’t happen to be sticking to the 2.0 branch, that is :)

  3. Posted March 2, 2007 at 3:31 pm | Permalink

    I had to upgrade to WP 2.1.2 coz my blog was running 2.1.1 prior to this announcement/update. :)

  4. Posted March 2, 2007 at 3:47 pm | Permalink

    Thanks Lorelle!

    best regards

  5. Posted March 2, 2007 at 3:48 pm | Permalink

    I install 2.1.1 using Fantasico on Tuesday night. Would this put me at risk? I personally do not know how to upgrade WordPress, so this will be a HUGE hassle for me.

  6. Posted March 2, 2007 at 4:18 pm | Permalink

    I have four blogs I just updated in the last three days.

    It’s a hassle for everyone, but now, new security measures will be in effect. You learn from the evil so the evil cannot be repeated, right?

  7. Posted March 2, 2007 at 4:36 pm | Permalink

    Allow me to be the grammar whore:

    “A hacker was able to add malicious code to the download.”

    should read:

    “A cracker was able to add malicious code to the download.”

    Carry on. :o)

  8. Posted March 2, 2007 at 4:43 pm | Permalink

    I come from the old school. A “cracker” was a nasty term for someone from the US state of Georgia. A “hacker” is someone who twisted and torqued code. ;-)

  9. Posted March 2, 2007 at 5:31 pm | Permalink

    It’s a shame that some people don’t have anything better to do with their time.

    Back in the day, a hacker would breach a bank’s security to get fame and full time employment :P

  10. Posted March 2, 2007 at 9:01 pm | Permalink

    I just finished upgrading to 2.1.1 tonight and now this happens. Oh well, at least the security hole was quickly patched.

  11. Posted March 2, 2007 at 10:30 pm | Permalink

    If you have only upgraded to WordPress 2.1, this does not apply to you. If you upgraded immediately after WordPress 2.1.1 was released, you should be okay. This appears to apply only to downloads within the last three or four days.

    Actually, this is a mandatory upgrade for all 2.1.x users. Obviously the most egregious security hole is the one introduced by the cracker (which, as you note, only applies to people who downloaded within the past few days), but there is another security hole fixed by 2.1.2 (XSS vulnerability, publicly known). And 2.1.1 fixed vulnerabilities in 2.1, so you have several reasons to upgrade from 2.1 to 2.1.2

  12. Posted March 3, 2007 at 12:49 am | Permalink

    This is the work of a cracker, not a hacker. Hackers build, crackers destroy.

  13. Posted March 3, 2007 at 4:11 am | Permalink

    Lorelle,

    I’ve posted a small tutorial about upgrading WordPress via Shell.

    Would be great to have your thoughts on the same.

  14. Posted March 3, 2007 at 8:47 am | Permalink

    I come from the old school. A “cracker” was a nasty term for someone from the US state of Georgia. A “hacker” is someone who twisted and torqued code. ;-)

    Ha ha! Yeah, I’m a bit older than my peers, as well. My friends and I always get a chuckle when we talk about a “cracker did this” or a “cracker did that.”

  15. Posted March 3, 2007 at 8:53 am | Permalink

    I upgraded to 2.1.1 the other day, then noticed a lot of, um, bad links in my content that had been installed via cross-site scripting. I have extensive mods in the code, so upgrading is a major pain. Therefore, I only upgraded the files that were changed from 2.1.0 to 2.1.1, using the changefiles Lorelle mentioned in an earlier post. This includes wp-admin/post.php which is what that girl again mentions above in the comments.

  16. Posted March 10, 2007 at 5:26 am | Permalink

    Thanks for the great advice. WordPress is such a great platform isn’t it – and the wide range of plug ins make it really exciting.

    One of the best ones I found the other day was click tracking. Which gives you a heat map of your page showing where visitors are clicking most… rather like crazyegg does.

    Very cool

    Keep giving us great stuff – thanks

    dan

  17. Posted February 26, 2010 at 1:24 pm | Permalink

    I am amazed this post is still getting hits since WordPress is now on version 2.9.2


15 Trackbacks/Pingbacks

  1. […] Emergency Update Notification for WordPress 2.1+ wordpress Permalink You can leave a response, or trackback from your own site. […]

  2. […] WordPress Hacked:  […]

  3. […] maggiori informazioni consultare il sito di Lorelle on WordPress e l’articolo “WordPress 2.1.1 dangerous, […]

  4. 升級 WordPress 2.1

    今天終於把部落格升級了,順便也把一干軟體統統升級個夠…

    mysql 4.1.21 升級 5.0.27
    php 4.4.4 升級 5.2.0
    apache 2.0.59 升級 2.2.4
    activeperl 5.8.7 升級 5.8.8 (這不是WordPress必要的)

    WordPress 由 1.5.2 升級…

  5. WordPress 2.1.1 infiziert – deutsche Version nicht betroffen; Update auf 2.1.2 wird allen Nutzern empfohlen

    Im Developers Blog von WordPress.org kann man es nachlesen:
    Vor kurzem konnte ein Hacker Zugriff auf den offiziellen WordPress-Server nehmen und die dort gelagerte Version 2.1.1 von WordPress infizieren.
    Wer also in den letzten Tagen WordPress 2.1.1 di…

  6. […] everyone should upgrade to 2.1.2 as this latest update fixes an unrelated security also – read it here and here on Lorelle’s blog/comments and also read the Diggd […]

  7. wordpress.org Cracked, Exploit in 2.1.1 Release

    As pointed out on the WordPress development blog, a cracker gained access to the wordpress.org servers and replaced the 2.1.1 download with a modified exploitable version. The exploitable download may have been on the site for three or four days!
    It ma…

  8. Important: Upgrade to WordPress 2.1.2

    Оф.сайт ВордПресса очень советует обновится до версии 2.1.2
    Для тех кто юзает линейку версий 2.0.х обновление не обьязательно, обьязательно л…

  9. […] horas, muchos blogs de referencia en el universo WordPress, como Geek Ramblings, Holy Shmoly!, Lorelle on WordPress y Techtites, han hecho hincapié en su necesidad. Entre nosotros, Blogpocket, La brújula verde, […]

  10. […] entradas de varios blogs de referencia en el universo WordPress, como Geek Ramblings, Holy Shmoly!, Lorelle on WordPress y Techtites. Entre nosotros, Blogpocket, La brújula verde, Diario a bordo y Mangas Verdes […]

  11. […] Lorelle’s Emergency Update Notification for WordPress 2.1+ […]

  12. […] Lorelle on WP: Emergency Update Notification for WordPress 2.1+ […]

  13. […] Lorelle on WP: Emergency Update Notification for WordPress 2.1+ […]

  14. […] WordPress Hacked: […]

  15. […] Emergency Update Notification for WordPress 2.1+ […]

Post a Comment

Follow

Get every new post delivered to your Inbox.

Join 21,259 other followers

%d bloggers like this: