Otto42 of OttoDestruct, a key WordPress developer and supporter, reports that there is an “attack” on older versions of WordPress right now. The number of sites hit by this is growing every hour. Protect your WordPress blog now: UPDATE NOW!!!
Update your WordPress blog before you continue reading this post. That’s how critical this issue is.
Things You Need to Know Now
Here is what you need to know right now, constantly updated with news as we get it.
UPDATE NOW! Reports are that this attack impacts ALL versions of WordPress up to 2.8.3 and 2.8.4, the most recent release.
Which Version of WordPress is Secure? I’ve just talked to Matt Mullenweg and have a better understanding of the version confusion. When this worm first hit the web, WordPress released 2.8.3 to deal with it. Since then, WordPress 2.8.4 was released, unrelated to the worm. Once the worm has infected your site, surface fixes do not remove the “back door” the worm injects into your database and system, as happened with Robert Scoble. Once infected, upgrading does not fix the issue, so those reporting they were infected after upgrading were in fact infected before upgrading. Versions after WordPress 2.8.3 are safe, but upgrade to 2.8.4 anyway as it includes other fixes.
What Version Am I Using? If you are using a WordPress version after 2.7, the nag screen on the WordPress Administration Panels will alert you to upgrade. If you are using an older version, upgrade now. Don’t know what version you are using? Without a nag screen to tell you to update, you’re using an old version. Checking the Administration Panels footer will help, but don’t waste time looking. Just update now!
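If you look after more than one blog, checking each footer by hand is slow. Added here as an example, not part of the original post: a POSIX shell check that reads the version string WordPress core keeps in wp-includes/version.php (the `$wp_version` line) for every install directory you pass it, and flags anything below 2.8.3, the release the post names as the fix. The install paths are whatever yours are; no other names are assumed.

```shell
#!/bin/sh
# Print the version string of the WordPress install rooted at $1.
# Fails (non-zero) when the file is missing or the line is not found,
# so an unreadable install is never mistaken for a safe one.
wp_version_of() {
    file="$1/wp-includes/version.php"
    [ -r "$file" ] || return 1
    v=$(awk -F"'" '/^[$]wp_version *=/ { print $2; exit }' "$file")
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Succeed when dot-separated version $1 is at least version $2.
# Compares component by component as numbers, so 2.10 > 2.8.3 and
# a missing trailing component counts as 0 (2.8 == 2.8.0).
version_at_least() {
    awk -v have="$1" -v want="$2" 'BEGIN {
        n = split(have, h, "."); m = split(want, w, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            hv = (i <= n) ? h[i] + 0 : 0
            wv = (i <= m) ? w[i] + 0 : 0
            if (hv > wv) exit 0
            if (hv < wv) exit 1
        }
        exit 0
    }'
}

# One tab-separated line per install: path, version, verdict.
# 2.8.3 is the fixed release named in the post; anything lower needs updating.
check_install() {
    v=$(wp_version_of "$1") || { printf '%s\tunknown\tCHECK MANUALLY\n' "$1"; return 2; }
    if version_at_least "$v" 2.8.3; then
        printf '%s\t%s\tok\n' "$1" "$v"
    else
        printf '%s\t%s\tUPGRADE NOW\n' "$1" "$v"
        return 1
    fi
}

# Usage: sh wpcheck.sh /var/www/blog /var/www/other-blog ...
for dir in "$@"; do check_install "$dir"; done
```

Remember that this only tells you the installed version; as the post says above, an install that was already infected before upgrading still carries the back door and needs cleaning, not just a newer version number.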
Use a WordPress Plugin for Protection: Do not rely upon a WordPress Plugin to protect you. There are many reports of Plugins that will “help” in the comments. While they might help in other ways, please upgrade now. That is the only solution if your site has not been impacted.
How Does This Worm Work? We’re awaiting details from security experts on how this worm works. Personally, I’m waiting for the name of this thing since that does make searching for details on this worm easier. Anyone got a name for it yet? Since it isn’t exclusive to WordPress, calling it the WordPress Worm would not be appropriate.
WordPress is Not Secure: WordPress is incredibly secure and monitored constantly by experts in web security. This attack was well anticipated and so far, WordPress 2.8.4 is holding. If necessary, WordPress will immediately release an update with further security improvements. WordPress is used by governments, huge corporations, and me, around the world. Millions of bloggers are using WordPress.com. Have faith they are working overtime to monitor this situation and protect your blog.
Fear of Upgrading: This attack is serious enough to overcome all your fears of updating. If older WordPress Plugins are holding you back, update them to the latest version or replace them with new ones. If your Theme might break, contact the Theme author and update or replace it. There are thousands of free Themes to choose from, probably some better than what you are using. If you are using a recent version of WordPress, updating is as easy as clicking a couple of buttons. If you are using an older version, download the most recent version and upgrade now.
Other Issues? Whatever your issue is that keeps you from updating WordPress, get over it and update now to protect your site.