If you use WordPress version 2.1.1, a dangerous security breach in that version has been discovered.
The announcement came late yesterday:
If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately.
[...] No downloads were altered except 2.1.1, so if you’ve downloaded any version of 2.0 you should be fine.
When a software alert includes the word “dangerous,” you know you need to take immediate action. Download version 2.1.2 and follow the excellent upgrade guide.
Please spread the word to anyone you know using WordPress version 2.1.1.
About Neville Hobson
I just popped on to see how your upgrade went. Aren’t you glad you didn’t dither much longer?
At least they seem to be on top of the ‘Dangerous WordPress’ thing. It smacks of shards of glass in your baby milk or flu-ridden Hungarian bootiful turkeys. It might even be an elaborate marketing ploy to get your average Joe to use the ‘safer’ wordpress.com.
I wouldn’t mind but 2.1.1 had just solved most of my problems.
Anyway, the tightening across my chest has started to subside with all the WordPress worry and I’ve even managed a move to a new host without anybody noticing a damn thing.
Things couldn’t be better, unless, of course, WordPress kills me in my sleep.
Hi Neville,
Please contribute to this list if you can! I am guessing you might know a few folks!
http://www.ventureblogalist.com/?p=266
The easiest way to suggest some folks is to use this —-
http://communityexperts.wetpaint.com/
I hope you find the list helpful too!
Best Regards,
Rob Finn
I haven’t yet upgraded this blog to the latest WordPress, Paul. I did upgrade last week to the security fix release 2.0.9 which is still the 2.0 branch of WordPress.
I have just upgraded my sandbox to 2.1.2, though. That was dead easy.
The theme’s the thing. Until I get clear in my mind what I’m going to do about that, I’ll not do the upgrade here. So basically, I’m still dithering…
Neville,
not that a seasoned, mature CMS couldn’t be hacked…it could. But…one of my arguments against blog platforms for public corporations is exactly this. Too easy.
It is a risk, Dee, I agree. Yet reading the accounts of what happened with this WordPress scare (a cracker had gained user-level access to one of the servers that powers wordpress.org, and had used that access to modify the download file) leads me to think that something like this could happen with any application – whether it’s a blog, a database or a CMS – where access to files is based on the trust established with and from every user, reflected by the access grants.
Having said that, something like this is still a massive problem. WordPress’ reputation is at stake. Even if the problem relates only to the version 2.1.1. download files in a specific time window, I’d want to re-download the latest version 2.1.2 and reinstall the whole platform no matter when I’d originally installed 2.1.1. I’ve even seen a couple of posts saying that 2.1.2 contains some bug fixes.
All in all, this is not a good situation.