WordPress 2.1.1 Dangerous, Upgrade Now!
written by John Chow
This just came in across the Wordpress dashboard. Thanks to Nick Mercer for emailing me about it as well.
Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately.
Longer explanation: This morning we received a note to our security mailing address about unusual and highly exploitable code in WordPress. The issue was investigated, and it appeared that the 2.1.1 download had been modified from its original code. We took the website down immediately to investigate what happened.
It was determined that a cracker had gained user-level access to one of the servers that powers wordpress.org, and had used that access to modify the download file. We have locked down that server for further forensics, but at this time it appears that the 2.1.1 download was the only thing touched by the attack. They modified two files in WP to include code that would allow for remote PHP execution.
It is vital that you upgrade to WordPress 2.1.2 now. Don’t wait, just do it! Then again, if you upgraded to 2.1.1 before the cracker got in and hacked the code, you should be OK, but why take the chance?
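The notice above says two shipped files were altered inside an otherwise legitimate download, which is exactly the case a file-integrity comparison catches. The following is an added example (not code from the post or from WordPress) that hashes every file under an installed tree and compares it with a manifest built from a known-clean copy of the same release, reporting modified, added and missing files. It assumes you have a pristine copy to build the manifest from, obtained out of band (for instance an archive fetched before the tampering window, or a published, signed checksum list); the two small trees below are constructed inline as stand-ins.

```python
"""File-integrity check of an installed tree against a known-clean manifest.

Added example, not part of the original post or of WordPress itself.
Assumes a trusted reference copy of the release exists; the constructed
sample trees below stand in for both the clean copy and the install.
"""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX form) to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def compare_trees(clean: dict, installed: dict) -> dict:
    """Classify install files as modified, added (not in the release) or missing.

    A tampered download shows up as 'modified' (shipped file altered) and/or
    'added' (a dropped-in file the clean release never contained).
    """
    return {
        "modified": sorted(p for p in clean if p in installed and clean[p] != installed[p]),
        "added": sorted(p for p in installed if p not in clean),
        "missing": sorted(p for p in clean if p not in installed),
    }


def demo() -> dict:
    """Construct a clean tree and a tampered copy of it, then diff the two."""
    # Constructed sample files; paths mimic a WordPress layout but contents are placeholders.
    files = {
        "wp-config-sample.php": "<?php define('DB_NAME', 'wordpress');\n",
        "wp-includes/functions.php": "<?php function wp_hello() { return 'hello'; }\n",
        "wp-admin/index.php": "<?php echo 'admin';\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        clean_root = Path(tmp) / "clean"
        installed_root = Path(tmp) / "installed"
        for root in (clean_root, installed_root):
            for rel, body in files.items():
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(body)
        # Simulate the incident: one shipped file altered, one unexpected file dropped in.
        (installed_root / "wp-includes/functions.php").write_text(
            files["wp-includes/functions.php"] + "// constructed extra line, not a real payload\n"
        )
        (installed_root / "wp-includes/extra.php").write_text("<?php // constructed unexpected file\n")
        return compare_trees(build_manifest(clean_root), build_manifest(installed_root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The manifest is only as trustworthy as the copy it was built from: build it from a reference you obtained independently of the server that may have been compromised, and treat any file in the "added" or "modified" lists under wp-includes or wp-admin as reason to reinstall from a verified release rather than patch by hand.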
Wow. Another one???
Do you mean “another version” of WordPress or another cracker?!
I only ask because I haven’t heard of cracked WordPress installs and was wondering if it’s happened before.
This was the reason why I choose Blogger over WP in response to a comment in my latest post.
I don’t like Blogger; for me it’s worse than WordPress.
Well, WP may be open-source and vulnerable to attackers, yet it offers more flexibility and has more stuff to play around with. I left blogger for WP too.
There is always a downside to everything. It matters what you want and what you don’t. Blogger is not easy to dig into because of the tough API. People will get WordPress easily anytime, and with so many plugins it’s a heaven.
Naa, WordPress is far more flexible IMO
Yes…version. But obviously needed.
See, I knew being slow with upgrades would come in handy
Lol! I’ve been sort of the same way, most of my sites are using versions from two updates ago… I’m going to upgrade hopefully all of them to the latest version now.
Yea. But I was misled to do the upgrade in my case. When I came to the wp-admin page before I slept for the night, it prompted an “Upgrade to 2.1.1” and I clicked it. Sigh… wish I had never done it.
Being fast with upgrades is handier; you would overwrite this evil hack as a matter of course. I was reading about another blog which was hacked recently - the solution to the problem: upgrade….
Oh man! Thanks for the heads up John!
I’m backing up may database as we speak (or, as I type)!
Backing up?? The database??

Of course!
Don’t you make backups of your entire blog?!?!?
What’s a backup. (kidding, of course)
oh oh… ilker, backups are a daily task you always must do!
Agreed - although, I don’t do a daily backup. It’s more weekly for me.
I know my host does nightly backups - I wonder if I could get a copy of the database from them if there was a problem…
Yea. Depending on how often you write, it is a good idea to back up your entire database somewhat frequently. It does not take much time either.
In case of a server crash or a hack attempt, you go less far back in restoring your files to just before it happened.
The backup process is pretty quick!
And, if you have a local copy of your entire blog, then restoring your site wouldn’t take much effort on your part because you’ve already done a lot of the leg work!
Do you do that with phpMyAdmin or just use the WordPress tool for a file backup? Being lazy, I only ever do the latter.
Good thing I checked your blog first, I was about to download WordPress 2.1.1 for setting up another blog.
Thanks for the heads up, I think I’ll wait a bit.
Das Brain
MoneyAccumulator.com
Well, you wouldn’t have been able to download the corrupted version of 2.1.1. The archived version would be the clean one!
Yeah, I hope they are clear. But anyway, people will always doubt WP downloads now.
[...] out that someone cracked the 2.1.1 files and modified the code to do evil things. Funny enough, the Root of All Evil himself told me about this. I was wondering if I should take the warning seriously until I read it [...]
LOL.. “the Root of All Evil himself”
You can’t run from your new nickname any more, John
“Root Of All Evil” AKA “ROAE” or “John, The ROAE”
I wonder if we can SEO those keywords to have johnchow.com come to a number one spot.
That would be a great Google Bomb!
I’m game for a Google bomb.
I am game too. So… who else is starting one?
well, if you wanted to start one, all you would have to do is make that the link: The Root Of All Evil
Woo for Custom Blog Scripts!
Phew..I was just about to update today. I didn’t have time and had a few plugins that I wasn’t sure would work in 2.1.1. I’m glad I waited now
Hmmm.. so plugins don’t work all the time, eh?
No, they do work all the time.
Sometimes, when you upgrade to a newer version of WordPress some plugins become unstable - but this is true of anything in the computer world, i.e. Vista and drivers
Most plugin authors are quick to rewrite their code before an upgrade is released so there won’t be a compatibility problem, most but not all.
They sometimes conflict though. I’ve added the star rating only to find it kills threaded comments, though I did modify some of the code myself

Boy … talk about a devious backdoor exploit! You’re a champ for posting this to your blog … imagine how many professional and amateur bloggers alike have vulnerable sites right now but don’t know it.
Scary indeed.
I have logged into WordPress a few times today, but I don’t visit the Dashboard too often; I use direct links to write and edit!
I guess the cost of open source is vulnerabilities even for short time periods..
Um, vulnerabilities are there in every program, it just takes time to find them.
How many viruses and backdoors came out last year?
Thousands of them! Even paid software have vulnerabilities and exploits. Like Windows for instance…
Forget about viruses, you will have smart viruses this year. Just wait for the year to wind down.
What do you mean by ’smart viruses’?
Blogger has been hacked too…
http://it.slashdot.org/article.pl?sid=02/10/25/1658229&mode=thread&tid=172
As we speak this very moment, there are still many vulnerable targets to be pondered on by the crackers. What an exploit by those people!
They’re relentless: Hackers target Symantec
Thanks for the heads up.
Done… although I did so earlier today before you posted this blog, but thanks for the info. because I was unaware of the exploit!
Always the hackers
Thanks for the warning
One of the main reasons I don’t immediately upgrade to new versions of software. I usually allow things to go “mainstream” before performing upgrades because no matter how much testing (well, in this case it wasn’t because of lack of testing) when software is released, people are bound to experience more problems if they exist once the software is streamlined to consumers.
Maybe you didn’t read John’s post… but this is because someone modified the code a few days ago… not the original release!
Maybe you didn’t read the entire comment you’re replying to!
“(well, in this case it wasn’t because of lack of testing)”
Sounds to me like what I do for Windows releases. Like Vista! I had Ultimate for 15 mins and went back to WinXP. Think I’ll wait till SP1
As for Wordpress that’s definitely no fun! I mean having to update with a security patch
Yeah, but it was an easy upgrade - and there were new features!
Then why do people get scared to do updates with Wordpress if you say it was an easy upgrade. Isn’t it usually just replacing a couple of files with new versions?
I guess it’s mainly the plugins people don’t like to mess around with.