The last month has seen two WordPress mandatory security releases, and today, WordPress 3.0.4 brings another mandatory update.
To update, log in as the Administrator and click the update notification for one-click updates to your WordPress blog. WordPress.com blogs are automatically updated.
In writing up “Mandatory Security Update: WordPress 3.0.4 Released” for WordCast, I stumbled upon a notification to all DreamHost customers alerting them of a WordPress hack:
A noticeable amount of customers who have not yet upgraded their copies of WordPress to the most recent version (3.0.4) have been reporting issues with logging into their dashboard. Upon further review, most of these customers have had code inserted into a large number of WordPress files.
They recommend all customers upgrade to WordPress 3.0.4, then provide instructions on how to remove the eval(base64) hack from infected sites. That hack has little to do with the current WordPress update and a lot to do with an old infection that has been making the rounds of WordPress, Drupal, Joomla, and other publishing platforms for over a year.
I’d like to clear a little of the confusion up.
- To protect your WordPress blog, update immediately for every mandatory security update. These usually will not impact any WordPress Plugins or Themes, and change little in the core other than to close the security issues.
- WordPress 3.0.4 fixes an XSS security vulnerability in the kses.php file that “sanitizes” posts. These “holes” can open a WordPress blog to potential exploitation, but upgrading immediately closes those holes, so hackers have to find new ways in. If you update with every mandatory update, your site is rarely exposed long enough to get hacked, as these issues are typically found prior to public exposure.
- The eval(base64) hack was prevented by the release of WordPress 2.8.4. If you haven’t updated, do so now. I reported on this worm hack in the fall of 2009 with extensive details on prevention and protection, as well as what to do if you’ve been infected.
- Please check your site carefully to see if you have been infected by the base64 worm or other hacks. Resources to test your site’s security include:
  - BulletProof Security WordPress Plugin
  - ServerBuddy WordPress Plugin
  - AntiVirus WordPress Plugin
  - Exploit Scanner WordPress Plugin
  - Health Check WordPress Plugin
  - Secure WordPress Plugin
  - TAC (Theme Authenticity Checker) WordPress Plugin
  - Ultimate Security Check WordPress Plugin
  - WordPress File Monitor WordPress Plugin
  - WP Security Scan WordPress Plugin
  - WP-ServerInfo WordPress Plugin
- Security risks come from WordPress Plugins and Themes, so check these thoroughly and only download from official and well-known sites.
- WordPress is not broken nor a security risk: When these alerts and mandatory security releases are announced, a lot of naysayers claim WordPress is broken, out-of-date, or a security risk. Don’t be one of those. These releases and announcements are for your own good. They often come out within hours of the security vulnerability discovery, helping your WordPress site stay safe and secure faster than most publishing platforms. WordPress is only as strong as you make it, so make it so.
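The plugins listed above do the checking for you, but it helps to understand what they are looking for. The script below is an added example written for this post, not code from WordPress, DreamHost, or any of the plugins named: it walks a WordPress install, flags PHP files carrying the `eval(base64_decode(...))` pattern (and the `gzinflate`/`str_rot13` variants that travel with it), and reports long unbroken base64 literals that deserve a look. The two sample files and the encoded string inside them are constructed for the example; the encoded string decodes to a harmless `echo`, and the `decode_preview` helper only decodes for inspection, never executing anything.

```python
import base64
import re
import sys
from pathlib import Path

# Generic signatures for the eval(base64) family of injections.
# Written for this example; a real scanner would carry a larger rule set.
SUSPICIOUS = [
    re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I),
    re.compile(r"eval\s*\(\s*gzinflate\s*\(", re.I),
    re.compile(r"eval\s*\(\s*str_rot13\s*\(", re.I),
]
# A long, unbroken base64 run inside a quoted PHP string is suspicious on its own.
LONG_B64 = re.compile(r"['\"]([A-Za-z0-9+/]{80,}={0,2})['\"]")


def scan_text(text, name="<inline>"):
    """Return a list of (name, line_no, reason) findings for one file's content."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for pat in SUSPICIOUS:
            if pat.search(line):
                findings.append((name, line_no, "matches " + pat.pattern))
                break
        else:
            # No eval signature on this line; still flag big encoded blobs.
            m = LONG_B64.search(line)
            if m:
                findings.append((name, line_no,
                                 "long base64 literal (%d chars)" % len(m.group(1))))
    return findings


def scan_tree(root):
    """Walk a WordPress install (root is assumed to be its directory) and scan every .php file."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.php")):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        findings.extend(scan_text(text, str(path.relative_to(root))))
    return findings


def decode_preview(b64, limit=60):
    """Decode a base64 literal for human inspection only. Returns '' if not valid base64."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return ""
    return raw.decode("utf-8", errors="replace")[:limit]


# Constructed samples: one clean plugin stub, one with an injected first line.
CLEAN_SAMPLE = (
    "<?php\n"
    "/* Plugin Name: Example (constructed sample) */\n"
    "function example_init() {\n"
    "    return 'ok';\n"
    "}\n"
)
# The encoded payload is harmless: it is just echo 'constructed sample';
PAYLOAD = base64.b64encode(b"echo 'constructed sample';").decode()
INFECTED_SAMPLE = "<?php eval(base64_decode('%s')); ?>\n" % PAYLOAD + CLEAN_SAMPLE


if __name__ == "__main__":
    # Usage: python scan_eval_base64.py /path/to/wordpress
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    hits = scan_tree(target)
    for name, line_no, reason in hits:
        print("%s:%d: %s" % (name, line_no, reason))
    print("%d finding(s)" % len(hits))
```

Run it against the document root and treat every hit as a file to compare against a fresh download of the same WordPress, plugin, or theme version rather than something to clean by hand; an infected site usually has the line in many files, which is why the DreamHost notice mentions "a large number of WordPress files".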
The article on WordPress 3.0.4 Security Release on WordCast offers more tips and information.
Please, update your WordPress blog immediately.