
Emergency Update Notification for WordPress 2.1+

If you updated WordPress in the past few days, download the new version and update it again. Someone was able to break in and malicious code was added to the download. The new version is WordPress 2.1.2.

For more information see: WordPress 2.1.1 dangerous, Upgrade to 2.1.2.

It appears that this is a mandatory upgrade for everyone, whether you upgraded previously or not. The security patches in this and the last few versions are necessary to protect your site.

This is a highly unusual situation and more information will be forthcoming. Check out the announcement for more details.
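The check a site owner wants after an announcement like this is "does what is on my server match the release I think I installed?". The following is an added example, not code from the original post or from WordPress itself: it hashes every file in the installed tree and compares it with a pristine copy of the release, so a tampered download (or anything it left behind) shows up as a modified or added file. The file names and contents are constructed for illustration, and the function names are this example's own.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root: str) -> dict:
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    root_path = Path(root)
    return {
        p.relative_to(root_path).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root_path.rglob("*") if p.is_file()
    }


def compare_trees(installed: str, reference: str) -> dict:
    """Report files that differ from, are absent from, or are missing relative to the release."""
    got, want = hash_tree(installed), hash_tree(reference)
    return {
        "modified": sorted(p for p in got if p in want and got[p] != want[p]),
        "added": sorted(p for p in got if p not in want),      # only on the server
        "missing": sorted(p for p in want if p not in got),    # only in the release
    }


def build_sample_trees(base: str) -> tuple:
    """Constructed sample data: a reference release and an installed copy that drifts from it."""
    files = {
        "readme.html": "<html>reference readme</html>\n",
        "wp-includes/version.php": "<?php $wp_version = '2.1.2';\n",
        "wp-includes/functions.php": "<?php // reference release code\n",
    }
    ref, inst = Path(base, "reference"), Path(base, "installed")
    for rel, body in files.items():
        for root in (ref, inst):
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
    # Constructed drift on the installed copy only: one file altered, one extra, one removed.
    (inst / "wp-includes/functions.php").write_text("<?php // reference release code\n// lines not in the release\n")
    (inst / "wp-includes/extra.php").write_text("<?php // not part of the release\n")
    (inst / "readme.html").unlink()
    return str(inst), str(ref)


def demo() -> dict:
    """Run the comparison on the constructed sample trees and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        installed, reference = build_sample_trees(tmp)
        return compare_trees(installed, reference)
```

In practice `reference` would be a freshly downloaded and verified 2.1.2 archive unpacked next to the site, and `installed` the live document root.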


Copyright Lorelle VanFossen, member of the 9Rules Network

17 Comments

  1. Posted March 2, 2007 at 2:53 pm | Permalink

    got 2.1.2… phew!

  2. Posted March 2, 2007 at 3:14 pm | Permalink

    Apparently there’s an extra (unrelated) security fix in 2.1.2 so it might be worth upgrading regardless of when you downloaded 2.1.1.

    2.1.1 hasn’t been out much longer than ‘a few days’ anyway (about a week and a half), and since we don’t know exactly when the server was cracked I personally would feel safer updating ALL 2.1.1 installs. If I didn’t happen to be sticking to the 2.0 branch, that is 🙂

  3. Posted March 2, 2007 at 3:31 pm | Permalink

    I had to upgrade to WP 2.1.2 coz my blog was running 2.1.1 prior to this announcement/update. 🙂

  4. Posted March 2, 2007 at 3:47 pm | Permalink

    Thanks Lorelle!

    best regards

  5. Posted March 2, 2007 at 3:48 pm | Permalink

    I installed 2.1.1 using Fantastico on Tuesday night. Would this put me at risk? I personally do not know how to upgrade WordPress, so this will be a HUGE hassle for me.

  6. Posted March 2, 2007 at 4:18 pm | Permalink

    I have four blogs I just updated in the last three days.

    It’s a hassle for everyone, but now, new security measures will be in effect. You learn from the evil so the evil cannot be repeated, right?

  7. Posted March 2, 2007 at 4:36 pm | Permalink

    Allow me to be the grammar whore:

    “A hacker was able to add malicious code to the download.”

    should read:

    “A cracker was able to add malicious code to the download.”

    Carry on. :o)

  8. Posted March 2, 2007 at 4:43 pm | Permalink

    I come from the old school. A “cracker” was a nasty term for someone from the US state of Georgia. A “hacker” is someone who twisted and torqued code. 😉

  9. Posted March 2, 2007 at 5:31 pm | Permalink

    It’s a shame that some people don’t have anything better to do with their time.

    Back in the day, a hacker would breach a bank’s security to get fame and full time employment 😛

  10. Posted March 2, 2007 at 9:01 pm | Permalink

    I just finished upgrading to 2.1.1 tonight and now this happens. Oh well, at least the security hole was quickly patched.

  11. Posted March 2, 2007 at 10:30 pm | Permalink

    If you have only upgraded to WordPress 2.1, this does not apply to you. If you upgraded immediately after WordPress 2.1.1 was released, you should be okay. This appears to apply only to downloads within the last three or four days.

    Actually, this is a mandatory upgrade for all 2.1.x users. Obviously the most egregious security hole is the one introduced by the cracker (which, as you note, only applies to people who downloaded within the past few days), but there is another security hole fixed by 2.1.2 (XSS vulnerability, publicly known). And 2.1.1 fixed vulnerabilities in 2.1, so you have several reasons to upgrade from 2.1 to 2.1.2.

  12. Posted March 3, 2007 at 12:49 am | Permalink

    This is the work of a cracker, not a hacker. Hackers build, crackers destroy.

  13. Posted March 3, 2007 at 4:11 am | Permalink

    Lorelle,

    I’ve posted a small tutorial about upgrading WordPress via Shell.

    Would be great to have your thoughts on the same.

  14. Posted March 3, 2007 at 8:47 am | Permalink

    I come from the old school. A “cracker” was a nasty term for someone from the US state of Georgia. A “hacker” is someone who twisted and torqued code. 😉

    Ha ha! Yeah, I’m a bit older than my peers, as well. My friends and I always get a chuckle when we talk about a “cracker did this” or a “cracker did that.”

  15. Posted March 3, 2007 at 8:53 am | Permalink

    I upgraded to 2.1.1 the other day, then noticed a lot of, um, bad links in my content that had been installed via cross-site scripting. I have extensive mods in the code, so upgrading is a major pain. Therefore, I only upgraded the files that were changed from 2.1.0 to 2.1.1, using the changefiles Lorelle mentioned in an earlier post. This includes wp-admin/post.php which is what that girl again mentions above in the comments.

  16. Posted March 10, 2007 at 5:26 am | Permalink

    Thanks for the great advice. WordPress is such a great platform isn’t it – and the wide range of plug ins make it really exciting.

    One of the best ones I found the other day was click tracking. Which gives you a heat map of your page showing where visitors are clicking most… rather like crazyegg does.

    Very cool

    Keep giving us great stuff – thanks

    dan

  17. Posted February 26, 2010 at 1:24 pm | Permalink

    I am amazed this post is still getting hits since WordPress is now on version 2.9.2.


15 Trackbacks/Pingbacks

  1. […] Emergency Update Notification for WordPress 2.1+ wordpress Permalink You can leave a response, or trackback from your own site. […]

  2. […] WordPress Hacked:  […]

  3. […] for more information see the Lorelle on WordPress site and the article “WordPress 2.1.1 dangerous, […]

  4. Upgrading WordPress 2.1

    Today I finally upgraded the blog, and while I was at it I upgraded a whole batch of software as well…

    mysql 4.1.21 upgraded to 5.0.27
    php 4.4.4 upgraded to 5.2.0
    apache 2.0.59 upgraded to 2.2.4
    activeperl 5.8.7 upgraded to 5.8.8 (this one is not required for WordPress)

    WordPress upgraded from 1.5.2…

  5. WordPress 2.1.1 infected – German version not affected; update to 2.1.2 recommended for all users

    You can read about it on the WordPress.org Developers Blog:
    Recently a hacker was able to gain access to the official WordPress server and infect the version 2.1.1 of WordPress stored there.
    So anyone who in the last few days WordPress 2.1.1 di…

  6. […] everyone should upgrade to 2.1.2 as this latest update fixes an unrelated security also – read it here and here on Lorelle’s blog/comments and also read the Diggd […]

  7. wordpress.org Cracked, Exploit in 2.1.1 Release

    As pointed out on the WordPress development blog, a cracker gained access to the wordpress.org servers and replaced the 2.1.1 download with a modified exploitable version. The exploitable download may have been on the site for three or four days!
    It ma…

  8. Important: Upgrade to WordPress 2.1.2

    The official WordPress site strongly advises updating to version 2.1.2
    For those who use the 2.0.x line of versions the update is not mandatory, mandatory l…

  9. […] hours, many reference blogs in the WordPress universe, such as Geek Ramblings, Holy Shmoly!, Lorelle on WordPress and Techtites, have stressed the need for it. Among us, Blogpocket, La brújula verde, […]

  10. […] posts from several reference blogs in the WordPress universe, such as Geek Ramblings, Holy Shmoly!, Lorelle on WordPress and Techtites. Among us, Blogpocket, La brújula verde, Diario a bordo and Mangas Verdes […]

  11. […] Lorelle’s Emergency Update Notification for WordPress 2.1+ […]

  12. […] Lorelle on WP: Emergency Update Notification for WordPress 2.1+ […]

  13. […] Lorelle on WP: Emergency Update Notification for WordPress 2.1+ […]

  14. […] WordPress Hacked: […]

  15. […] Emergency Update Notification for WordPress 2.1+ […]
