WordPress 2.1.1 Dangerous, Upgrade Now!

This just came in across the WordPress dashboard. Thanks to Nick Mercer for emailing me about it as well.

Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately.

Longer explanation: This morning we received a note to our security mailing address about unusual and highly exploitable code in WordPress. The issue was investigated, and it appeared that the 2.1.1 download had been modified from its original code. We took the website down immediately to investigate what happened.

It was determined that a cracker had gained user-level access to one of the servers that powers wordpress.org, and had used that access to modify the download file. We have locked down that server for further forensics, but at this time it appears that the 2.1.1 download was the only thing touched by the attack. They modified two files in WP to include code that would allow for remote PHP execution.

It is vital that you upgrade to WordPress 2.1.2 now. Don’t wait, just do it! Then again, if you upgraded to 2.1.1 before the cracker got in and hacked the code, you should be OK, but why take the chance?
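The announcement above says two files in the 2.1.1 download were modified. For anyone who installed during that window, the practical check is to compare the live install against a pristine copy of the same release, obtained fresh over a trusted channel, and list every core file that differs. The script below is an added example (not part of the original post and not WordPress's own tooling): it hashes both trees with SHA-256 and reports modified, added and missing files, skipping `wp-content/` and `wp-config.php`, which legitimately differ from the release archive. The two sample trees in `demo()` are constructed inline so it runs offline; the file names inside them are illustrative only.

```python
"""Diff a WordPress install against a pristine copy of the same release.

Added example, not from the original post or the WordPress project.
Assumes you have unpacked a known-good release archive somewhere
(reference_root) next to the live tree (installed_root).
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """SHA-256 of one file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare_trees(reference_root, installed_root,
                  ignore_prefixes=("wp-content/", "wp-config.php")):
    """Return core files that differ between the reference and the install.

    ignore_prefixes skips site-specific data (themes, plugins, uploads,
    the local config) that is expected to differ from the release archive.
    Anything left in 'modified' or 'added' deserves a manual look.
    """
    ref = {p: h for p, h in build_manifest(reference_root).items()
           if not p.startswith(ignore_prefixes)}
    inst = {p: h for p, h in build_manifest(installed_root).items()
            if not p.startswith(ignore_prefixes)}
    return {
        "modified": sorted(p for p in ref if p in inst and ref[p] != inst[p]),
        "added": sorted(p for p in inst if p not in ref),
        "missing": sorted(p for p in ref if p not in inst),
    }


def _write(root, rel, text):
    """Helper for the constructed sample trees below."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)


def demo():
    """Build two constructed sample trees (not real WordPress files) and diff them."""
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as live:
        for root in (ref, live):
            _write(root, "index.php", "<?php require './wp-blog-header.php';\n")
            _write(root, "wp-admin/admin.php", "<?php /* admin */\n")
        _write(ref, "wp-includes/example.php", "<?php function wp_example() {}\n")
        # The live copy of the same core file carries an extra, unexpected line.
        _write(live, "wp-includes/example.php",
               "<?php function wp_example() {}\n// unexpected addition\n")
        # A core file that is not in the release archive at all.
        _write(live, "wp-includes/extra.php", "<?php /* not in the release */\n")
        # Site-specific files that are ignored on purpose.
        _write(live, "wp-content/plugins/hello.php", "<?php /* site plugin */\n")
        _write(live, "wp-config.php", "<?php define('DB_PASSWORD', 'example');\n")
        return compare_trees(ref, live)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Against a real site, call `compare_trees("/path/to/pristine-2.1.2", "/var/www/blog")` with the pristine tree unpacked from an archive you fetched after the fix was announced; the value of the check comes entirely from the reference copy being trustworthy. Any modified or added file under `wp-includes/`, `wp-admin/` or the install root is the thing to inspect before deciding whether a simple file overwrite is enough, since the announcement only covers the download itself, not what an attacker may have done to an already-compromised site.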


111 thoughts on “WordPress 2.1.1 Dangerous, Upgrade Now!”

  1. derrich says:

    Wow. Another one???

    1. Do you mean “another version” of WordPress or another cracker?!

      I only ask because I haven’t heard of cracked WordPress installs and was wondering if it’s happened before.

      1. ilker says:

        This was the reason why I choose Blogger over WP in response to a comment in my latest post. 😕

        1. Jonix says:

          I don’t like Blogger, for me it’s worse than WordPress.

        2. Well, WP may be open-source and vulnerable to attackers, yet it offers more flexibility and has more stuff to play around with. I left blogger for WP too.

        3. Ashish Mohta says:

          There is always a downside to everything. It matters what you want and what you don’t. Blogger is not easy to dig into because of the tough API. People will get WordPress easily anytime, and with so many plugins it’s a heaven

        4. Jez says:

          Naa, WordPress is far more flexible IMO

      2. derrich says:

        Yes…version. But obviously needed.

  2. Bryce says:

    See, I knew being slow with upgrades would come in handy 😯

    1. Eli says:

      Lol! I’ve been sort of the same way, most of my sites are using versions from two updates ago… I’m going to upgrade hopefully all of them to the latest version now.

    2. Yea, but I was misled into doing the upgrade in my case. When I came to the wp-admin page before I slept for the night, it prompted an “Upgrade to 2.1.1” and I clicked it. Sigh.. wished I had never done it.

    3. Jez says:

      Being fast with upgrades is handier; you would overwrite this evil hack as a matter of course. I was reading about another blog which was hacked recently – the solution to the problem – upgrade….

  3. Oh man! Thanks for the heads up John!

    I’m backing up my database as we speak (or, as I type)!

    1. ilker says:

      Backing up?? The database?? 😯 😕

      1. Of course!

        Don’t you make backups of your entire blog?!?!?

        1. derrich says:

          What’s a backup. (kidding, of course)

      2. Jonix says:

        oh oh…ilker, backups are a daily task you always must do!

        1. Agreed – although, I don’t do a daily backup. It’s more weekly for me.

          I know my host does nightly backups – I wonder if I could get a copy of the database from them if there was a problem…

      3. Yea. Depending on how often you write, it is a good idea to back up your entire database somewhat frequently. It does not take much time either.

        In case of a server crash or hack attempt, you go less far back in restoring your files to just before the thing happened.

        1. The backup process is pretty quick!

          And, if you have a local copy of your entire blog, then restoring your site wouldn’t take much effort on your part because you’ve already done a lot of the leg work!

    2. Jez says:

      Do you do that with phpMyAdmin or just use the WordPress tool for a file backup? Being lazy, I only ever do the latter

  4. Das Brain says:

    Good thing I checked your blog first, I was about to download WordPress 2.1.1 for setting up another blog.
    Thanks for the heads up, I think I’ll wait a bit.

    Das Brain
    MoneyAccumulator.com

    1. Well, you wouldn’t have been able to download the corrupted version of 2.1.1. The archived version would be the clean one!

      1. Ashish Mohta says:

        Yeah, I hope they are clear. But anyway, people will always doubt WP downloads now

    1. ilker says:

      LOL.. “the Root of All Evil himself” 😆

      1. Jonix says:

        You cannot run no more from your new nickname john 😀 “Root Of All Evil” AKA “ROAE” or “John, The ROAE”

        1. BlueFur.com says:

          I wonder if we can SEO those keywords to have johnchow.com come to a number one spot.

          1. That would be a great Google Bomb!

          2. derrich says:

            I’m game for a Google bomb.

          3. I am game too. So.. who else is starting one? 😀

          4. well, if you wanted to start one, all you would have to do is make that the link: The Root Of All Evil

  5. Tyler says:

    Woo for Custom Blog Scripts!

  6. Aniela says:

    Phew..I was just about to update today. I didn’t have time and had a few plugins that I wasn’t sure would work in 2.1.1. I’m glad I waited now :)

    1. ilker says:

      Hmmm.. so plugins don’t work all the time, eh? 😕

      1. No, they do work all the time.

        Sometimes, when you upgrade to a newer version of WordPress some plugins become unstable – but this is true of anything in the computer world, i.e. Vista and drivers

        Most plugin authors are quick to rewrite their code before an upgrade is released so there won’t be a compatibility problem, most but not all.

        1. Jez says:

          They sometimes conflict though; I’ve added the star rating only to find it kills threaded comments. I did modify some of the code myself tho 😳 😳

  7. Jason says:

    Boy … talk about a devious backdoor exploit! You’re a champ for posting this to your blog … imagine how many professional and amateur bloggers alike have vulnerable sites right now but don’t know it.

    Scary indeed.

    1. I have logged into WordPress a few times today but I don’t visit the Dashboard too often, I use direct links to write and edit!

    2. ilker says:

      I guess the cost of open source is vulnerabilities even for short time periods..

      1. Um, vulnerabilities are there in every program, it just takes time to find them.

        How many viruses and backdoors came out last year?

        1. Jonix says:

          Thousands of them! Even paid software has vulnerabilities and exploits. Like Windows for instance…

        2. Ashish Mohta says:

          Forget about viruses, you will have smart viruses this year. Just wait for the year down

          1. Jez says:

            What do you mean by ‘smart viruses’?

    3. As we speak this very moment, there are still many vulnerable targets to be pondered on by the crackers. What an exploit by those people!

  8. marlon says:

    Thanks for the heads up. :smile:

  9. Shawn Knight says:

    Done… although I did so earlier today before you posted this blog, but thanks for the info, because I was unaware of the exploit!

  10. ❗ Did anyone else notice that Firefox’s spell check works in the rich text editor again?! ❗

  11. Jonix says:

    always the hackers 😥 ! thanks for the warning

  12. John Hok says:

    One of the main reasons I don’t immediately upgrade to new versions of software. I usually allow things to go “mainstream” before performing upgrades because no matter how much testing (well, in this case it wasn’t because of lack of testing) when software is released, people are bound to experience more problems if they exist once the software is streamlined to consumers.

    1. Ryan says:

      Maybe you didn’t read John’s post… but this is because someone modified the code a few days ago… not the original release!

      1. Maybe you didn’t read the entire comment you’re replying to!

        (well, in this case it wasn’t because of lack of testing)

    2. Tyler says:

      Sounds to me like what I do for Windows releases. Like Vista! I had Ultimate for 15 mins and went back to WinXP. Think I’ll wait till SP1

      As for WordPress that’s definitely no fun! I mean having to update with a security patch

      1. Yeah, but it was an easy upgrade – and there were new features!

        1. Tyler says:

          Then why do people get scared to do updates with WordPress if you say it was an easy upgrade. Isn’t it usually just replacing a couple of files with new versions?

          I guess it’s mainly the plugins people don’t like to mess around with.

      2. Jez says:

        Very easy, full instructions on WP site, takes 5 – 10 mins

    3. Yea, it was no mistake by the staff of WP. It was crackers that cracked up the script this time. Not much of a matter of going along with the ‘mainstream’.

    4. Ashish Mohta says:

      That’s one good point. Even I prefer to wait to upgrade till a stable version comes up, but then they ask to update with security patches. That sucks big time

  13. Ryan says:

    Wow that’s not good.

    I hope they included my JavaScript spacing fix with 2.1.2. :mrgreen:

    1. Ashish Mohta says:

      Didn’t see any points on that. Good luck next time

  14. I was just finishing my post on The Secret Truth About The Plugins Security when I found out about WordPress 2.1.1.
    That’s why I never rush to upgrade to a new version as soon as it’s been released.

  15. Eli says:

    Thanks for posting this John, I check your RSS feed first :)

    I did happen to upgrade one of my sites to 2.1.1 just a few nights ago… so I’m just going to upgrade all of them to 2.1.2 now.

  16. skintube says:

    Shit happens I suppose but this is a major blow to the credibility of the folks at WordPress. 😳 😳 Who’s to say that their servers are not further compromised or that the currently released version 2.1.2 isn’t in fact a release that was compromised along with the announcement asking users to upgrade? Put that in your pipe and smoke it.

    I’m going back to notepad local…unplugging from my router. :mrgreen: :mrgreen:

    1. “major blow to the credibility of the folks at WordPress”

      How? They got hacked! It’s not like they put the malicious code in there.

      1. skintube says:

        Exactly, they got hacked and the download release for version 2.1.1 was compromised with malicious code added to it. Why do you think they are urging everyone to upgrade so urgently?

        This is a WordPress ‘red-alert’. It doesn’t get any more urgent than this. Any one of us running version 2.1.1 could very well be running the modified version and be wide open to whoever has the knowledge and the desire to mess up your site.

        This begs the question, what was the nature of this malicious code and what does it allow this individual to do?

        Also, even after we upgrade to 2.1.2, there is always the possibility that the evildoers have already messed up your WordPress db and added in some other malicious code. I haven’t seen any mention of this yet and the only way to be sure would be to go through your tables individually….yeah right.

        1. Nick says:

          Tomorrow it will come out with a new version and more bugs – thus the life of the internet.

        2. I agree that it is a little hard to believe which story is the real thing. Like what you may suggest, the story to upgrade once again may be put up by the hacker.

          I believe, give WP some time and they may explain how it happened, what it does and the measures that they are taking to prevent it.

          Besides the point, there will always be smarter people lurking around in the corners of the world, and it would be hard to beat all the crackers out there.

        3. there is always the possibility that the evildoers have already messed up your wordpress db and added in some other malicious code

          While it’s a possibility, I’m sure the WordPress crew is checking their server logs and patching any holes!

    2. Ashish Mohta says:

      Yeah, they have a major blow there. I hope they come out with something good

  17. I just spread the word on my blog. Thanks for the pointer.

  18. skintube says:

    May be prudent for folks to change passwords for their WordPress db (update wp-config.php accordingly of course) and perhaps even existing WP user passwords.

    1. I agree. Treat your blog like one of your internet-banking accounts. Frequently change your passwords, and keep them secure. I had personally learned a lesson from that. Tough luck.

      1. Ashish Mohta says:

        They should add one feature that can email them telling them their password expires in 10 days. That will keep them on their toes

    2. That’s a really great idea – one I had never thought of…

      Thanks!

    3. Jez says:

      Good point, have not done this yet

  19. Jeff Kee says:

    … NOT AGAIN… AAHHH

  20. Yea, I got hacked last night. To be exact, it was 18 hours ago. Was spending the past hour trying to reinstall WP and restoring my blog entries. What a waste of time! grr..

    1. skintube says:

      You got hacked? Was your blog defaced or anything otherwise obvious? If not, how do you know you were ‘hacked’?

      1. Yes my site was defaced. I had it up showing on my blog as a warning to the rest of the other 2.1.1 to quickly do their upgrade. No kidding.

        1. Nick says:

          That sucks – hey, at least you got it fixed and you’re good to go now

          1. That does suck!! I’d love to see a screen cap though, just to see what it looked like.

          2. Oh, I see you have one on your site – sorry!

    2. Ashish Mohta says:

      Dang! That must have sucked big time. Do you take a backup every day? If not, start doing so

  21. Owen says:

    Wow. Good thing I never moved onto that version!

  22. I didn’t have to worry about version 2.1.1, since I never got around to it this week, but I upgraded to 2.1.2 anyway. I was surprised that DreamHost got around to adding it to their one click installs so quickly. As an added bonus, their interface got a facelift in the past few days as well. Kudos to DreamHost, I highly recommend them!

    1. Ashish Mohta says:

      I heard about it too. But do they overwrite a complete folder or do they dig down the folder and then replace? So in case I have a folder inside, it doesn’t get deleted

  23. Pingback: DropsTech.org
  24. Nick says:

    Most sites aren’t big enough that people are even going to worry about hacking them – it’s just a matter of how so many people try to ruin it for those who make their living off the internet.

    1. I agree. When there is a loophole in the process, what’s stopping those people from bullying, the weak or the strong?

      1. Nick says:

        That’s the course of nature when it comes to the internet – constantly those trying to find loopholes and hacks – but for what reason? Just to be famous for 5 minutes and then fade away?

        1. I get that question all the time from laymen about hackers: “Why do they do it?”

          It really does seem silly, we’ll forget their name in an hour – unless we were the one to get hacked…

          1. Nick says:

            That’s exactly the point – infamous hackers go down in history – How many people don’t know who Kevin Mitnick is?

            WordPress is huge – but a hack on wordpress will not make you go down in history, it will just make you be talked about for a day and then forgotten.

          2. Yea you are right. I am never gonna forget the ‘name’ of the one that did that to me.. Well, for a while, that is.

          3. Ashish Mohta says:

            It’s not about being famous, it’s more about passion. Like you like to blog, they like to find hacks and they do it.. maybe for money but it’s a passion

        2. You will never know what is on their minds or what they are thinking at the moment. Funny creatures, they are. Besides the point, there’s a television program entitled 5 mins of fame, for those people to indulge in a little fame.

          1. Nick says:

            5 Minutes of fame – I don’t understand why it’s so needed?

            5 Minutes makes you nothing – having a long term knowledge of who you are is what matters. I guess people need to learn that before all this silly crap will stop happening.

  25. Adam F says:

    Thanks for letting me know

  26. Stuart says:

    thanks for the warning, I’ve got to update mine ASAP

  27. Ajay says:

    Hi, I’d just like to point you towards my article on Upgrading WordPress via Shell for those who have SSH access to their accounts.

    1. Ashish Mohta says:

      That one is really good, I read that. But still I would like to do it manually. I better know what I am doing

  28. Jez says:

    Really glad you posted this, I recently did an install for a friend with a download taken at this time, nasty stuff, easily upgraded fortunately

Comments are closed.