If you use self-hosted WordPress for your blog and you’re not running the latest version, 2.8.4, you are at serious risk of having your site compromised and hacked.
So do these three things right now:
1. Log in to your WordPress admin dashboard and check which version of WordPress you have installed. If you’re running version 2.7 or later, you’ll see text like this in the ‘Right Now’ module at the top of your screen (if you don’t see that module, check your Screen Options settings):

2. Change all your passwords: the admin password, the password of every other user if you have multiple users, and your FTP password. Then check the list of users for any you don’t recognize. If you find some, remove them.
3. If the version text on your dashboard says anything other than “You are using WordPress 2.8.4,” you need to upgrade. You can do it from within your WordPress admin if you’re on a recent version (if you’re not, then you really are at risk). Or check whether your hosting service offers an easy upgrade method, e.g. 1-Click, the simple and secure method offered by DreamHost, my hosting service, or Fantastico, which many other hosts offer.
If you do have to upgrade, whatever method you use, please still follow the detailed how-to guide in the WordPress Codex, the documentation system for all things WordPress, paying special attention to the preparation you need to do before you execute the upgrade.
Or, check out my 6 tips for upgrading WordPress including the 10-minute audio guide.
It never ceases to surprise me how some bloggers don’t upgrade (I’ve been guilty, too). Yes, it can be inconvenient and a bit time consuming, especially if you rigorously do the prep, including disabling all plugins.
Yet the consequences of not doing it can be catastrophic. So it’s worth the time invested.
If you are interested in the details of exactly what this security issue is all about, including the tell-tale signs that suggest your site may have been compromised, read Lorelle VanFossen’s post with the alert about this issue. She also has links to some terrific resources on how to strengthen your blog security.
Stay secure!
Hi Neville, great first post here! I learned my lesson the hard way – I didn’t upgrade once and ended up with someone posting hidden spam on my blog. It took ages to get rid of – it’s well worth upgrading every time WordPress puts out even a minor update.
Yep, immediately upgraded all my blogs too. My passwords are all 64 random characters now. Hard to manage but at least it is safe.
And Neville; welcome to our blog!
It’s great that WordPress has taken action immediately on this.
Too bad that WP has so many security issues. They need to really address this in a robust way.
My other CMS of choice does not suffer from ANY security issues.
Hey guys, there is also a plugin called WordPress Automatic Upgrade (http://techie-buzz.com/wordpress-plugins/wordpress-automatic-upgrade-12-release.html) which automates the whole procedure of upgrading for you, plus making backups of the SQL database, tables, etc. before upgrading. Consider posting about it in a future post. ;)
Strange to see security issues like this in the WordPress platform.
Thanks for the welcome. Glad to be here :)
Agree, Martin – upgrade every time a new WP comes out, even if the hassle factor seems high. Apart from some new features or functionality, newest versions usually address any security vulnerabilities.
So, Wally, what suggestions do you have for the WordPress community?
Apostolos, I’ve heard that the auto-upgrade feature is ok although I’ve not used it myself (I prefer DreamHost’s 1-Click). You still need to do the prep beforehand, though, no matter what method you use to upgrade.
We’ve written an official post for people on this:
http://wordpress.org/development/2009/09/keep-wordpress-secure/
security issues
http://blog.live-point.net
http://www.live-point.net
Thanks Neville for sharing.
Thank you
I upgraded the Code
WordPress is great at catching this stuff early and fixing it fast.