WordPress 2.1.1 Dangerous, Upgrade Now!

written by John Chow on March 2, 2007

This just came in across the WordPress dashboard. Thanks to Nick Mercer for emailing me about it as well.

Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately.

Longer explanation: This morning we received a note to our security mailing address about unusual and highly exploitable code in WordPress. The issue was investigated, and it appeared that the 2.1.1 download had been modified from its original code. We took the website down immediately to investigate what happened.

It was determined that a cracker had gained user-level access to one of the servers that powers wordpress.org, and had used that access to modify the download file. We have locked down that server for further forensics, but at this time it appears that the 2.1.1 download was the only thing touched by the attack. They modified two files in WP to include code that would allow for remote PHP execution.

It is vital that you upgrade to WordPress 2.1.2 now. Don’t wait, just do it! Then again, if you upgraded to 2.1.1 before the cracker got in and tampered with the code, you should be OK, but why take the chance?
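The practical follow-up to an announcement like this is to check an installed copy against a clean extract of the same release and look for files that differ or that should not be there at all. The script below is an added example, not code from the post or from WordPress; the demo trees, file names and contents are constructed.

```python
"""Added example (not code from the post or from WordPress): compare an
installed WordPress tree against a clean reference extract of the same
release. Every regular file is hashed with SHA-256; files whose content
differs and files present only in the installed copy are the ones to
inspect before trusting it. The demo trees and file names are constructed."""
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map each file path (relative to root) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare_trees(reference_dir, installed_dir):
    """Return {'modified': [...], 'added': [...], 'missing': [...]}."""
    ref = hash_tree(reference_dir)
    inst = hash_tree(installed_dir)
    return {
        "modified": sorted(p for p in ref if p in inst and ref[p] != inst[p]),
        "added": sorted(p for p in inst if p not in ref),
        "missing": sorted(p for p in ref if p not in inst),
    }


def write(root, rel, data):
    """Create a text file (and parent directories) inside a demo tree."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(data)


def demo():
    """Build a clean tree and a tampered copy; return compare_trees() output."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "clean")
        tampered = os.path.join(tmp, "tampered")
        for root in (clean, tampered):
            write(root, "wp-config-sample.php", "<?php // constructed sample\n")
            write(root, "wp-includes/version.php", "<?php $wp_version = '2.1.1';\n")
        # Constructed tampering: one shipped file altered, one unexpected file added.
        write(tampered, "wp-includes/version.php", "<?php $wp_version = '2.1.1'; // x\n")
        write(tampered, "wp-content/uploads/x.php", "<?php // unexpected file\n")
        return compare_trees(clean, tampered)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Point `compare_trees()` at a freshly extracted release archive and the live install; a real run will also list wp-config.php, uploads and plugins as "added", so those need a separate review rather than being ignored.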

{ 102 comments }

derrich March 2, 2007 at 2:44 pm

Wow. Another one???

Saman Sadeghi March 2, 2007 at 3:28 pm

Do you mean “another version” of WordPress or another cracker?!

I only ask because I haven’t heard of cracked WordPress installs and was wondering if it’s happened before.

ilker March 2, 2007 at 3:36 pm

This was the reason why I chose Blogger over WP in response to a comment in my latest post. :???:

Jonix March 2, 2007 at 4:08 pm

I don’t like Blogger; for me it’s worse than WordPress.

lyndonmaxewell March 3, 2007 at 3:15 am

Well, WP may be open-source and vulnerable to attackers, yet it offers more flexibility and has more stuff to play around with. I left blogger for WP too.

Ashish Mohta March 3, 2007 at 7:20 pm

There is always a downside to everything. It matters what you want and what you don’t. Blogger is not easy to dig into because of the tough API. People will get WordPress easily any time, and with so many plugins it’s a heaven.

Jez March 5, 2007 at 12:05 am

Nah, WordPress is far more flexible IMO.

derrich March 2, 2007 at 5:10 pm

Yes…version. But obviously needed.

Bryce March 2, 2007 at 2:46 pm

See, I knew being slow with upgrades would come in handy :shock:

Eli March 2, 2007 at 5:29 pm

Lol! I’ve been sort of the same way, most of my sites are using versions from two updates ago… I’m going to upgrade hopefully all of them to the latest version now.

lyndonmaxewell March 3, 2007 at 3:17 am

Yeah, but I was misled into doing the upgrade in my case. When I came to the wp-admin page before I slept for the night, it prompted “Upgrade to 2.1.1” and I clicked it. Sigh... wish I had never done it.

Jez March 5, 2007 at 12:06 am

Being fast with upgrades is handier; you would overwrite this evil hack as a matter of course. I was reading about another blog which was hacked recently – the solution to the problem – upgrade....

Saman Sadeghi March 2, 2007 at 2:49 pm

Oh man! Thanks for the heads up John!

I’m backing up my database as we speak (or, as I type)!

ilker March 2, 2007 at 3:38 pm

Backing up?? The database?? :shock: :???:

Saman Sadeghi March 2, 2007 at 3:52 pm

Of course!

Don’t you make backups of your entire blog?!?!?

derrich March 2, 2007 at 5:11 pm

What’s a backup. (kidding, of course)

Jonix March 2, 2007 at 4:09 pm

Oh oh... ilker, backups are a daily task you always must do!

Saman Sadeghi March 2, 2007 at 5:05 pm

Agreed – although, I don’t do a daily backup. It’s more weekly for me.

I know my host does nightly backups – I wonder if I could get a copy of the database from them if there was a problem…

lyndonmaxewell March 3, 2007 at 3:18 am

Yeah. Depending on how often you write, it is a good idea to back up your entire database somewhat frequently. It does not take much time either.

In case of a server crash or a hack attempt, you go less far back when restoring your files to just before the things happened.

Saman Sadeghi March 3, 2007 at 10:20 am

The backup process is pretty quick!

And, if you have a local copy of your entire blog, then restoring your site wouldn’t take much effort on your part because you’ve already done a lot of the leg work!

Jez March 5, 2007 at 12:07 am

Do you do that with phpMyAdmin or just use the WordPress tool for a file backup? Being lazy, I only ever do the latter.

Das Brain March 2, 2007 at 2:53 pm

Good thing I checked your blog first, I was about to download WordPress 2.1.1 for setting up another blog.
Thanks for the heads up, I think I’ll wait a bit.

Das Brain
MoneyAccumulator.com

Saman Sadeghi March 2, 2007 at 3:24 pm

Well, you wouldn’t have been able to download the corrupted version of 2.1.1. The archived version would be the clean one!

Ashish Mohta March 3, 2007 at 7:22 pm

Yeah, I hope they are clear. But anyway, people will always doubt WP downloads now.

Tyler March 2, 2007 at 2:59 pm

Woo for Custom Blog Scripts!

Aniela March 2, 2007 at 3:03 pm

Phew..I was just about to update today. I didn’t have time and had a few plugins that I wasn’t sure would work in 2.1.1. I’m glad I waited now :)

ilker March 2, 2007 at 3:42 pm

Hmmm.. so plugins don’t work all the time, eh? :???:

Saman Sadeghi March 2, 2007 at 3:55 pm

No, they do work all the time.

Sometimes, when you upgrade to a newer version of WordPress, some plugins become unstable – but this is true of anything in the computer world, i.e. Vista and drivers.

Most plugin authors are quick to rewrite their code before an upgrade is released so there won’t be a compatibility problem – most, but not all.

Jez March 5, 2007 at 12:09 am

They sometimes conflict though. I’ve added the star rating only to find it kills threaded comments; I did modify some of the code myself tho :oops: :oops:

Jason March 2, 2007 at 3:08 pm

Boy … talk about a devious backdoor exploit! You’re a champ for posting this to your blog … imagine how many professional and amateur bloggers alike have vulnerable sites right now but don’t know it.

Scary indeed.

Saman Sadeghi March 2, 2007 at 3:26 pm

I have logged into WordPress a few times today but I don’t visit the Dashboard too often; I use direct links to write and edit!

ilker March 2, 2007 at 3:48 pm

I guess the cost of open source is vulnerabilities even for short time periods..

Saman Sadeghi March 2, 2007 at 3:56 pm

Um, vulnerabilities are there in every program, it just takes time to find them.

How many viruses and backdoors came out last year?

Jonix March 2, 2007 at 4:12 pm

Thousands of them! Even paid software has vulnerabilities and exploits. Like Windows for instance…

Ashish Mohta March 3, 2007 at 7:23 pm

Forget about viruses, you will have smart viruses this year. Just wait for the year to wind down.

Jez March 5, 2007 at 12:10 am

What do you mean by ‘smart viruses’?

BlueFur.com March 2, 2007 at 4:31 pm

lyndonmaxewell March 3, 2007 at 3:21 am

As we speak this very moment, there are still many vulnerable targets to be pondered on by the crackers. What an exploit by those people!

Saman Sadeghi March 3, 2007 at 10:24 am

They’re relentless: Hackers target Symantec

marlon March 2, 2007 at 3:20 pm

Thanks for the heads up. :smile:

Shawn Knight March 2, 2007 at 3:51 pm

Done… although I did so earlier today before you posted this blog, but thanks for the info. because I was unaware of the exploit!

Saman Sadeghi March 2, 2007 at 3:59 pm

:!: Did anyone else notice that Firefox’s spell check works in the rich text editor again?! :!:

Jonix March 2, 2007 at 4:05 pm

Always the hackers :cry: ! Thanks for the warning.

John Hok March 2, 2007 at 4:05 pm

One of the main reasons I don’t immediately upgrade to new versions of software. I usually allow things to go “mainstream” before performing upgrades because, no matter how much testing is done (well, in this case it wasn’t because of lack of testing) when software is released, people are bound to experience more problems, if they exist, once the software is streamlined to consumers.

Ryan March 2, 2007 at 4:17 pm

Maybe you didn’t read John’s post… but this is because someone modified the code a few days ago… not the original release!

Saman Sadeghi March 2, 2007 at 5:15 pm

Maybe you didn’t read the entire comment you’re replying to!

(well, in this case it wasn’t because of lack of testing)

Tyler March 3, 2007 at 12:20 am

Sounds to me like what I do for Windows releases. Like Vista! I had Ultimate for 15 mins and went back to WinXP. Think I’ll wait till SP1.

As for WordPress, that’s definitely no fun! I mean having to update with a security patch.

Saman Sadeghi March 3, 2007 at 10:25 am

Yeah, but it was an easy upgrade – and there were new features!

Tyler March 3, 2007 at 1:55 pm

Then why do people get scared to do updates with WordPress if you say it was an easy upgrade? Isn’t it usually just replacing a couple of files with new versions?

I guess it’s mainly the plugins people don’t like to mess around with.

Jez March 5, 2007 at 12:12 am

Very easy, full instructions on WP site, takes 5 – 10 mins

lyndonmaxewell March 3, 2007 at 3:24 am

Yeah, it was no mistake by the staff of WP. It was crackers that cracked up the script this time. Not much a matter of going along with the ‘mainstream’.

Ashish Mohta March 3, 2007 at 7:24 pm

That’s one good point. Even I prefer to upgrade when a stable version comes up, but then they ask to update with security patches. That sucks big time.

Ryan March 2, 2007 at 4:16 pm

Wow that’s not good.

I hope they included my JavaScript spacing fix with 2.1.2. :mrgreen:

derrich March 2, 2007 at 5:14 pm

Dream on. :roll: :mrgreen:

Ashish Mohta March 3, 2007 at 7:25 pm

Didn’t see any points on that. Good luck next time.

inspirationbit March 2, 2007 at 5:09 pm

I was just finishing my post on The Secret Truth About The Plugins Security when I found out about WordPress 2.1.1.
That’s why I never rush to upgrade to a new version as soon as it’s been released.

Eli March 2, 2007 at 5:32 pm

Thanks for posting this John, I check your RSS feed first :)

I did happen to upgrade one of my sites to 2.1.1 just a few nights ago… so I’m just going to upgrade all of them to 2.1.2 now.

skintube March 2, 2007 at 5:46 pm

Shit happens I suppose, but this is a major blow to the credibility of the folks at WordPress. :oops: :oops: Who’s to say that their servers are not further compromised or that the currently released version 2.1.2 isn’t in fact a release that was compromised along with the announcement asking users to upgrade? Put that in your pipe and smoke it.

I’m going back to notepad local…unplugging from my router. :mrgreen: :mrgreen:

Saman Sadeghi March 2, 2007 at 6:11 pm

“major blow to the credibility of the folks at WordPress”

How? They got hacked! It’s not like they put the malicious code in there.

skintube March 2, 2007 at 6:21 pm

Exactly, they got hacked and the download release for version 2.1.1 was compromised with malicious code added to it. Why do you think they are urging everyone to upgrade so urgently?

This is a WordPress ‘red alert’. It doesn’t get any more urgent than this. Any one of us running version 2.1.1 could very well be running the modified version and be wide open to whoever has the knowledge and the desire to mess up your site.

This begs the question, what was the nature of this malicious code and what does it allow this individual to do?

Also, even after we upgrade to 2.1.2, there is always the possibility that the evildoers have already messed up your WordPress db and added in some other malicious code. I haven’t seen any mention of this yet and the only way to be sure would be to go through your tables individually… yeah right.

Nick March 2, 2007 at 6:47 pm

Tomorrow it will come out with a new version and more bugs – thus the life of the internet.

lyndonmaxewell March 3, 2007 at 3:29 am

I agree that it is a little hard to believe which story is the real thing. Like what you suggest, the story to upgrade once again may have been put up by the hacker.

I believe, give WP some time and they may explain how it happened, what it does and the measures that they are taking to prevent it.

Besides the point, there will always be smarter people lurking around in the corners of the world, and it would be hard to beat all the crackers out there.

Saman Sadeghi March 3, 2007 at 10:27 am

“there is always the possibility that the evildoers have already messed up your WordPress db and added in some other malicious code”

While it’s a possibility, I’m sure the WordPress crew is checking their server logs and patching any holes!

Ashish Mohta March 3, 2007 at 7:27 pm

Yeah, they have a major blow there. I hope they come out with something good.

James Britton March 2, 2007 at 6:45 pm

I just spread the word on my blog. Thanks for the pointer.

skintube March 2, 2007 at 7:47 pm

May be prudent for folks to change passwords for their WordPress db (update wp-config.php accordingly, of course) and perhaps even existing WP user passwords.

lyndonmaxewell March 3, 2007 at 3:32 am

I agree. Treat your blog like one of your internet-banking accounts. Frequently change your passwords, and keep them secure. I had personally learned a lesson from that. Tough luck.

Ashish Mohta March 3, 2007 at 7:29 pm

They should add one feature that can email them telling them their password expires in 10 days. That will keep them on their toes.

Saman Sadeghi March 3, 2007 at 10:28 am

That’s a really great idea – one I had never thought of…

Thanks!

Jez March 5, 2007 at 12:13 am

Good point, have not done this yet

Jeff Kee March 2, 2007 at 9:47 pm

… NOT AGAIN… AAHHH

lyndonmaxewell March 3, 2007 at 3:13 am

Yeah, I got hacked last night. To be exact, it was 18 hours ago. Was spending the past hour trying to reinstall WP and restoring my blog entries. What a waste of time! Grr...

skintube March 3, 2007 at 8:06 am

You got hacked? Was your blog defaced or anything otherwise obvious? If not, how do you know you were ‘hacked’?

lyndonmaxewell March 3, 2007 at 9:26 am

Yes my site was defaced. I had it up showing on my blog as a warning to the rest of the other 2.1.1 to quickly do their upgrade. No kidding.

Nick March 3, 2007 at 9:30 am

That sucks – hey, at least you got it fixed and you’re good to go now.

Saman Sadeghi March 3, 2007 at 10:30 am

That does suck!! I’d love to see a screen cap though, just to see what it looked like.

Saman Sadeghi March 3, 2007 at 10:33 am

Oh, I see you have one on your site – sorry!

Ashish Mohta March 3, 2007 at 7:30 pm

Dang! That must have sucked big time. Do you take a backup every day? If not, start doing so.

Owen March 3, 2007 at 3:39 am

Wow. Good thing I never moved onto that version!

James Britton March 3, 2007 at 4:48 am

I didn’t have to worry about version 2.1.1, since I never got around to it this week, but I upgraded to 2.1.2 anyway. I was surprised that DreamHost got around to adding it to their one click installs so quickly. As an added bonus, their interface got a facelift in the past few days as well. Kudos to DreamHost, I highly recommend them!

Ashish Mohta March 3, 2007 at 7:32 pm

I heard about it too. But do they overwrite a complete folder, or do they dig down the folder and then replace? So in case I have a folder inside, it doesn’t get deleted.

Nick March 3, 2007 at 9:12 am

Most sites aren’t big enough that people are even going to worry about hacking them – it’s just a matter of how so many people try to ruin it for those who make their living off the internet.

lyndonmaxewell March 3, 2007 at 9:34 am

I agree. When there is a loophole in the process, what’s stopping those people from bullying, the weak or the strong?

Nick March 3, 2007 at 9:40 am

That’s the course of nature when it comes to the internet – constantly those trying to find loopholes and hacks – but for what reason? Just to be famous for 5 minutes and then fade away?

Saman Sadeghi March 3, 2007 at 10:36 am

I get that question all the time from laymen about hackers: “Why do they do it?”

It really does seem silly, we’ll forget their name in an hour – unless we were the one to get hacked…

Nick March 3, 2007 at 10:38 am

That’s exactly the point – infamous hackers go down in history. How many people don’t know who Kevin Mitnick is?

WordPress is huge – but a hack on WordPress will not make you go down in history; it will just make you be talked about for a day and then forgotten.

lyndonmaxewell March 3, 2007 at 10:43 am

Yeah, you are right. I am never gonna forget the ‘name’ of the one that did that to me... Well, for a while, that is.

Ashish Mohta March 3, 2007 at 7:34 pm

It’s not about being famous, it’s more about passion. Like you like to blog, they like to find hacks and they do it... maybe for money, but it’s a passion.

lyndonmaxewell March 3, 2007 at 10:45 am

You will never know what is on their minds or what they are thinking at the moment. Funny creatures, they are. Besides the point, there’s a television program entitled 5 mins of fame, for those people to indulge in a little fame.

Nick March 3, 2007 at 2:04 pm

5 Minutes of fame – I don’t understand why it’s so needed?

5 Minutes makes you nothing – having a long term knowledge of who you are is what matters. I guess people need to learn that before all this silly crap will stop happening.

Adam F March 3, 2007 at 12:29 pm

Thanks for letting me know

Stuart March 3, 2007 at 1:41 pm

thanks for the warning, I’ve got to update mine ASAP

Ajay March 3, 2007 at 7:23 pm

Hi, I’d just like to point you towards my article on Upgrading WordPress via Shell for those who have SSH access to their accounts.

Ashish Mohta March 3, 2007 at 7:35 pm

That one is really good, I read that. But still I would like to do it manually. I’d better know what I am doing.

Jez March 5, 2007 at 12:04 am

Really glad you posted this. I recently did an install for a friend with a download taken at this time; nasty stuff, easily upgraded fortunately.

ilker March 2, 2007 at 3:39 pm

LOL.. “the Root of All Evil himself” :lol:

Jonix March 2, 2007 at 4:10 pm

You cannot run any more from your new nickname, John :D “Root Of All Evil” AKA “ROAE” or “John, The ROAE”

BlueFur.com March 2, 2007 at 4:30 pm

I wonder if we can SEO those keywords to have johnchow.com come to a number one spot.

Saman Sadeghi March 2, 2007 at 5:10 pm

That would be a great Google Bomb!

derrich March 2, 2007 at 5:12 pm

I’m game for a Google bomb.

lyndonmaxewell March 3, 2007 at 3:19 am

I am game as well. So... who else is starting one? :grin:

Saman Sadeghi March 3, 2007 at 10:22 am

Well, if you wanted to start one, all you would have to do is make that the link: The Root Of All Evil