The last month has seen two WordPress mandatory security releases, and today, WordPress 3.0.4 brings another mandatory update.
To update, log in as the Administrator and click the update notification for one-click updates to your WordPress blog. WordPress.com blogs are automatically updated.
In writing up “Mandatory Security Update: WordPress 3.0.4 Released” for WordCast, I stumbled upon a notification to all DreamHost customers alerting them of a WordPress hack:
A noticeable amount of customers who have not yet upgraded their copies of WordPress to the most recent version (3.0.4) have been reporting issues with logging into their dashboard. Upon further review, most of these customers have had code inserted into a large number of WordPress files.
They recommend all customers upgrade to WordPress 3.0.4, then provide instructions on how to remove the eval(base64) hack from infected sites. That hack has little to do with the current WordPress update and a lot to do with an old infection that has been making the rounds of WordPress, Drupal, Joomla, and other publishing platforms for over a year.
I’d like to clear a little of the confusion up.
- To protect your WordPress blog, update immediately for every mandatory security update. These releases usually do not affect WordPress Plugins or Themes, and change little in the core other than closing the security issue.
- WordPress 3.0.4 fixes an XSS vulnerability in the kses.php file, the library that sanitizes post content. Holes like this can expose a WordPress blog to exploitation, but upgrading immediately closes them, so attackers have to find new ways in. If you update with every mandatory release, your site is rarely exposed long enough to be hacked, as these issues are typically fixed before they become widely known.
- The base64 hack was closed by the release of WordPress 2.8.4. If you haven’t updated, do so now. I reported on this worm in the fall of 2009 with extensive details on prevention and protection, as well as what to do if you’ve been infected.
- Please check your site carefully to see if you have been infected by the base64 worm or other hacks. Resources to test your site’s security include:
  - BulletProof Security WordPress Plugin
  - ServerBuddy WordPress Plugin
  - AntiVirus WordPress Plugin
  - Exploit Scanner WordPress Plugin
  - Health Check WordPress Plugin
  - Secure WordPress Plugin
  - TAC (Theme Authenticity Checker) WordPress Plugin
  - Ultimate Security Check WordPress Plugin
  - WordPress File Monitor WordPress Plugin
  - WP Security Scan WordPress Plugin
  - WP-ServerInfo WordPress Plugin
- Security risks also come from WordPress Plugins and Themes, so check these thoroughly and only download from official and well-known sites.
- WordPress is not broken nor a security risk: When these alerts and mandatory security releases are announced, a lot of naysayers claim WordPress is broken, out-of-date, or a security risk. Don’t be one of those. These releases and announcements are for your own good. They often come out within hours of a vulnerability being reported, helping your WordPress site stay safe and secure faster than most publishing platforms. WordPress is only as strong as you make it, so make it so.
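The Plugins above are one way to check for the infection DreamHost describes; the other is to look at the files directly, since this family of hacks plants an eval(base64_decode('...')) call (or the gzinflate(base64_decode('...')) variant) into PHP files. The script below is an added example written for this post, not code from WordPress, DreamHost, or any of the Plugins listed. It builds a small fake WordPress tree in a temporary directory with one clean file and two constructed infected files (the "payload" is harmless demo text, not captured malware), scans every .php file for the pattern, and decodes each payload so you can see what the injected code would actually do before deleting it.

```python
import base64
import os
import re
import tempfile
import zlib
from pathlib import Path

# Matches eval(base64_decode('...')) and eval(gzinflate(base64_decode('...'))).
# Whitespace between tokens is tolerated because injected copies vary in spacing.
INJECTION_RE = re.compile(
    r"""eval\s*\(\s*(?P<wrap>gzinflate\s*\(\s*)?base64_decode\s*\(\s*
        (?P<quote>['"])(?P<payload>[A-Za-z0-9+/=\s]+?)(?P=quote)\s*\)""",
    re.IGNORECASE | re.VERBOSE,
)


def decode_payload(payload, inflate):
    """Base64-decode the injected string; undo raw DEFLATE if gzinflate() wrapped it."""
    raw = base64.b64decode(re.sub(r"\s+", "", payload))
    if inflate:
        # PHP gzinflate() is raw DEFLATE with no zlib header, hence wbits=-15
        raw = zlib.decompress(raw, -15)
    return raw.decode("utf-8", errors="replace")


def scan_file(path):
    """Return one finding per injection found in a single file."""
    findings = []
    try:
        text = Path(path).read_text(encoding="utf-8", errors="replace")
    except OSError:
        return findings
    for m in INJECTION_RE.finditer(text):
        line_no = text.count("\n", 0, m.start()) + 1
        try:
            decoded = decode_payload(m.group("payload"), bool(m.group("wrap")))
        except (ValueError, zlib.error):
            decoded = "<undecodable payload>"
        findings.append({"file": str(path), "line": line_no, "decoded": decoded})
    return findings


def scan_tree(root):
    """Walk a WordPress install and scan every .php file."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                results.extend(scan_file(os.path.join(dirpath, name)))
    return sorted(results, key=lambda f: (f["file"], f["line"]))


def build_demo_tree():
    """Construct a fake install: a clean theme file plus two injected files.
    All content here is fabricated for the demo; the payload is harmless text."""
    root = tempfile.mkdtemp(prefix="wp-scan-demo-")
    theme = Path(root, "wp-content", "themes", "demo")
    theme.mkdir(parents=True)
    clean = "<?php\n// legitimate theme file\nget_header();\n"
    payload = b"echo '<div style=\"display:none\">injected spam</div>';"
    b64 = base64.b64encode(payload).decode()
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)           # raw DEFLATE like gzdeflate()
    deflated = base64.b64encode(comp.compress(payload) + comp.flush()).decode()
    injected_plain = f"<?php eval(base64_decode('{b64}')); ?>\n" + clean
    injected_gz = clean + f'<?php eval ( gzinflate( base64_decode("{deflated}") ) ); ?>\n'
    (theme / "header.php").write_text(clean)
    (theme / "index.php").write_text(injected_plain)
    Path(root, "wp-config.php").write_text(injected_gz)
    return root


def run_demo():
    """Scan the constructed tree and report each hit with its decoded payload."""
    findings = scan_tree(build_demo_tree())
    for f in findings:
        print(f"{f['file']}:{f['line']}: {f['decoded']}")
    return findings


if __name__ == "__main__":
    run_demo()
```

Point scan_tree() at the real document root of an install to use it; a hit in wp-config.php or at line 1 of a theme file, as in the demo, is the typical signature of this injection. Decoding before deleting matters because the payload tells you what else to look for (a dropped backdoor file, a changed admin account), and a clean result from this pattern alone does not prove a site is clean, since obfuscation varies from one campaign to the next.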
The article on WordPress 3.0.4 Security Release on WordCast offers more tips and information.
Please, update your WordPress blog immediately.
28 Comments
Looks like that 2.9.x installs do not get hacked.
@hakre: All WordPress versions prior to WordPress 3.0.4 have vulnerabilities, which is why it is important to update immediately when a security release is announced. Specific versions are not exempt. There were several security releases during the 2.9 trunk.
The automatic update failed, so I had to manually update WordPress to the latest version. Now I have to check whether I’m infected or not.
Thanks a lot for sharing the plugins to check whether you are infected or not.
If automatic update failed, it could be that your server either isn’t updated with current versions of PHP and MySQL, or your installation was old, or that there is something else that could be going on. Good for you to check on this thoroughly.
The automatic update is OK.
I can’t install the BulletProof Security WordPress Plugin; I get an error.
I use the AntiVirus WordPress Plugin, and it’s OK.
@Lorelle: Yeah, I checked it. As 3.1 is not out yet, shouldn’t there be some security release for 2.9? I’ll file a patch in trac: http://core.trac.wordpress.org/ticket/16042 – No idea for the other security issues so far; I think they have not yet been backported.
@hakre: I checked and WordPress is currently only supporting one branch back, which is 2.9, but when 3.1 is out, that support will move to 3.0.
Lorelle, thanks for the warning – you were pretty quick to notify us on this one. Good to see that you have your finger on the pulse.
Any suggestions on a good post or video for doing a manual update? I find the WordPress site a little difficult to follow.
Have a great 2011.
There are a variety of videos and guides but for those manually updating, the Updating WordPress article on the Codex is still your best bet. Just print it out and follow it step-by-step and within minutes, it’s done. However, I recommend that you use the auto update feature. It’s fast and easy. If it isn’t working, consider contacting your host and asking in the WordPress Support Forum to figure out why and fix it. Thanks.
@Jason: If you are doing a full upgrade to a major version, then yes, that’s an optional route. For a security update where no feature changes are included, it is usually unnecessary to take all those extra steps and they are handled by the auto update.
Many thanks Lorelle
Will give it a go.
Have a great 2011
I’m afraid to upgrade! I upgraded to 3.0.2 after I got the message in the dashboard. That’s when my admin area slowed down, giving a fatal error time out after 30 seconds. Then, I upgraded to 3.0.3 after I got the message in the dashboard. That’s when my admin area slowed down even more. Could I have a security breach?
Thank you.
Were you updating through the automatic upgrade feature or manually? You need to be more specific when asking such questions. Are you using a cache Plugin? Did you clear it? There are so many questions needing answers before you can get more help or tell if your site has been hacked.
Hello Lorelle, I did the automatic upgrade through fantastico in cpanel.
That means you were using a server provided tool. Contact them for assistance as they may have problems on their end, or at least, can help you through the process.
You know, I just used a clean WordPress 3.0.4 installation for my new website. After several days, I’m noticing something weird. My published post date can automatically change by itself. For example, an old post published on Jan 3rd 2011 can suddenly become the latest published post. Is this something new in WordPress 3.0.4? How do I stop this?
Please report this in the WordPress Support Forums or the bug tracker. It may have nothing to do with WordPress or your upgrade but with a Plugin you are using. Either way, they can help you there.
@Lorelle, after checking plugin, you are right. I found out that one of my plugins offer “promote old post” option. I think this is the reason my old posts date changes automatically. Thanks again.
You are welcome. Good luck and glad you upgraded. There is some nasty stuff going around which is impacting older versions.
Thanks for updating me too. I hope it’s not an error like 3.0.2 ^^
I upgraded from 3.0.3 to 3.0.4 using the automatic upgrade and it went like a dream.
Just love WordPress.
Lorelle – which is the best plugin to test for site infection?
You list 11.
I’m looking for something that won’t use too much bandwidth.
If you upgrade the moment an upgrade notification comes out, then you are usually safe and need little else. If you need to check to see if your Theme or site has an infection, use the run-once tools, which do not stay active after running. For blocking, there are so many options… who knows which have any impact on server or bandwidth. You’ll have to check them out individually.
Hi, I have recently upgraded my WordPress version to 3.0.4, but I found that the comments from my site disappeared. I could view all comments on the dashboard, but none show on the website. Do you know what the problem may be? My hosting site has also gone through the problem, but they are helpless.
I have a lot of problems with the new WordPress… especially with space… it requires at least 32 MB for the minimum plugins…
I don’t understand. The zip file is 3 Megs. That’s microscopic for today’s publishing platforms. The WordPress Plugins you choose are optional, and they vary from a couple kilobytes to megabytes, depending upon what you choose. Godaddy, one of the cheapest web hosts, offers 1 gig disk space for $5 a month. For under $10, you can get 10 gigs. 32 megabytes is tiny comparatively. So I’m not sure I understand your issue or complaint.
meanwhile there is 3.0.5…
I’ve upgraded my wp on several other blogs. Good info. Thank you.