If you’re a WordPress user and are running version 2.1.1, it is crucial that you upgrade to the latest version (2.1.2), particularly if you upgraded in the last 3-4 days. The reason is that a hacker compromised the 2.1.1 download and added/changed code in it.
For further details see the WordPress Blog
PS: Thanks to the many people who emailed me about this. I did see it first on the WP blog before checking email this morning.
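As an added example (not part of the original post or of WordPress itself), here is a small POSIX shell check that tells you whether an install is on the affected 2.1.1 release. It relies only on the fact that WordPress records its version in wp-includes/version.php as `$wp_version = '...';`. The `make_demo` helper and the 2.1.1/2.1.2 trees it builds are constructed for the demo; on a real site you would point `needs_upgrade` at the web root instead. Note that the version string cannot distinguish a clean 2.1.1 from the tampered download, which is why the advice above is to move to 2.1.2 regardless of when you downloaded.

```shell
#!/bin/sh
# Added example, not from the original post: report whether a WordPress
# install is on the affected 2.1.1 release by reading the version string
# WordPress keeps in wp-includes/version.php ($wp_version = '...';).
# It cannot tell a clean 2.1.1 from the tampered download; upgrade either way.

# wp_version DIR: print the version recorded in DIR/wp-includes/version.php
wp_version() {
    vfile="$1/wp-includes/version.php"
    if [ ! -f "$vfile" ]; then
        echo "wp_version: no wp-includes/version.php under $1" >&2
        return 2
    fi
    # match a line such as:  $wp_version = '2.1.1';
    sed -n "s/^[[:space:]]*\$wp_version[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$vfile" | head -n 1
}

# needs_upgrade DIR: succeed (exit 0) when DIR runs 2.1.1, fail otherwise
needs_upgrade() {
    v=$(wp_version "$1") || return 2
    [ "$v" = "2.1.1" ]
}

# make_demo VERSION: build a constructed, minimal install tree in a temp
# directory and print its path, so the check can run without a real site.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes"
    cat > "$d/wp-includes/version.php" <<EOF
<?php
\$wp_version = '$1';
?>
EOF
    echo "$d"
}

# Walk-through on the constructed trees; on a live site run e.g.
#   needs_upgrade /var/www/html && echo "upgrade to 2.1.2"
for ver in 2.1.1 2.1.2; do
    d=$(make_demo "$ver")
    if needs_upgrade "$d"; then
        echo "$ver: affected release, upgrade to 2.1.2"
    else
        echo "$ver: not the affected release"
    fi
    rm -r "$d"
done
```

The sed expression tolerates whitespace variations in the assignment line but deliberately matches only a single-quoted literal, so a version.php that has been rewritten in some other form will produce an empty string and `needs_upgrade` will report "not affected"; treat an empty version as a reason to look at the file by hand rather than as a clean bill of health.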
Aaaahhhh… security update… quick… do it now!
I hate to hijack a post, but I have to ask on a blog that has ‘knowledgeable’ users.
What is the suggested and most commonly used time frame for the maximum visit length? You know, the amount of time that has elapsed since a visitor last visited a page on your website, before that visitor is then considered unique again.
I would have thought 24 hrs, but I’ve read suggestions that it should be around 6 hrs. What do you think? I’m wanting my ‘stats’ to be accurate.
P.S. I don’t mind if you delete this Darren, just as long as you send me an email with the answer. ;-)
Does it compromise versions 2.1.1 AND LOWER, or simply 2.1.1?
Thanks,
Enrique
Did you all notice that Firefox’s Spell Check is working in WordPress 2.1.2’s Rich Text Editor again?!
Enrique, it’s only 2.1.1.
It compromises only 2.1.1. The article states that a hacker modified the download directly on wordpress.org in the last few days. Slightly older versions of 2.1.1 might not be affected, but it’s probably still a good idea to upgrade anyway. 2.1 and below do not have this problem. (Yay for being too lazy to upgrade!)
In short, to be safe, if you have 2.1.1, upgrade or you could be in for a very nasty surprise.
Boy am I glad I didn’t rush to “upgrade” to 2.1.1.
It’s good they found it, but now everybody will have a doubt every time they upgrade. They have to come up with something strong.
Thanks. If I hadn’t seen your post I would have honestly never known.
One thing everyone running a WordPress blog should do is subscribe to the WordPress development blog RSS feed. That way, you get rapid notification of problems such as this, and you can reduce the time window during which your site is vulnerable. The feed is here:
http://wordpress.org/development/feed/
Dan Mossop
Website Security Services
[…] On the off chance that you haven’t heard the news yet. You should upgrade your WordPress install straight away. Don’t hesitate, do it now. Don’t pause to grab a cup of coffee. If you’re just waking up then rub the sleep from your eyes and jump to the download page and grab WordPress 2.1.2. […]
Thanks for your info, I have upgraded my WordPress.
“Does it compromise versions 2.1.1 AND LOWER, or simply 2.1.1?”
I think it is just the 2.1.1 version.
Thanks everybody for your replies. I have an older version.
The problem I face with wordpress is that I made so many changes in the files that it would be a lot of work to upgrade.
[…] Thanks to ProBlogger […]
[…] 03 March, 2007 Having just upgraded my WordPress installation because of a security flaw discovered last week, I’ve got WordPress on the brain. And, while I’m still relatively new to the platform, I thought it would be fun to share with you the WordPress plugins I’ve found useful so far. […]
Thank you! I simply used my backup, changing back to 6.11.
“Does it compromise versions 2.1.1 AND LOWER, or simply 2.1.1?”
As already stated, it’s only 2.1.1 and only if downloaded in about the last week – but if you have 2.1.1 you should probably upgrade anyway to be safe, regardless of when you downloaded it.
I think it should be highlighted that the WordPress team have dealt with this in an open, professional and responsible manner. I’m sure they’ll take great care to ensure that this cannot happen again.
There are upgrade instructions on the WordPress site at http://codex.wordpress.org/Upgrading_WordPress and I’ve also documented the steps I took on my blog at http://blog.preshweb.co.uk/?id=15
[…] Sure, most of you must have already upgraded; if not, and you haven’t heard the news yet, you should upgrade your WordPress 2.1.1 install right away. Don’t delay further, just download WordPress 2.1.2 and head over to the upgrade. Long story short: if you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately. […]
I just want to add that if you are on a cPanel server and use WP through Fantastico, they have updated to 2.1.2; however, their version of 2.1.1 was not compromised anyway.
[…] Last week I read on Problogger.net that there’s a severe security issue with the WordPress 2.1.1 installation. A hacker had altered the WP source code, so it was important to make this upgrade. Thanks to the WP crew, there’s a really good guide for upgrading to WP 2.1.2. I thought about writing the instructions here, but the guide is so good and rich in detail that there was no sense writing it all over again. But I wanted to share my thoughts on this upgrade and also add info about the tools that helped me. First, the time wasted on this upgrade must be massive. It took me 30-45 min to make the upgrade in addition to reading the upgrade guide, so in total it took roughly 1 hour. Now think about those millions of WP users who had to make this 1-hour effort… MILLIONS OF HOURS just because one individual had to show off his black hat skills. I hope you break your hand or something equally painful… I thank you for teaching me patience. […]
Thanks
[…] If you’re a WordPress user and are using version 2.1.1 it is crucial that you upgrade to the latest version (2.1.2) – particularly if you upgraded in the last 3-4 days. The reason is that there has been a hacker compromise that version and add/change code. March 11, 2007 · WordPress […]
[…] It is amazing the things you miss online after being gone a few weeks. 3 weeks in cyber world is like 3 months in real life. I missed the whole WordPress 2.1.1 hacking scare. Good thing I was only running 2.0.5. […]