Wordpress.org Warns of Active Worm Hacking Blogs

Erik writes "Wordpress, the popular open-source Content Management System (CMS) for many thousands of bloggers worldwide, is under attack from a 'clever' worm that automatically compromises unpatched versions of the Wordpress system. The particularly nasty bug crawls the web for vulnerable Wordpress installations, installing malware, deleting content, and generally wreaking havoc wherever it can. Today, Wordpress founder Matt Mullenweg eloquently implored Wordpress bloggers to update more frequently. Originally, updating the Wordpress system was a rather laborious process; however, newer versions offer fast and simple one-click upgrades. The two most recent versions of Wordpress (2.8.3 and 2.8.4) cannot be attacked by the worm discovered this week, and blogs hosted at Wordpress.com are also apparently immune."

Re:Hey Wordpress...

[zn0k]

As outlined in TFA (yes, I know, I know) that's snake oil. You can run response tests to determine a version.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Why people don't update

[phoebe]

There is also a interesting point regarding software repository support. I have a server running Ubuntu 8.04 LTS Server which is supposed to be supported till April 2011, however Wordpress is in the Universe repository and not updated since November 2008 and is vulnerable to a few attacks that delete content.

If these packages are not going to be updated should there not be at least a warning, or method to bar such packages from being installed after security issues have been raised?

Wordpress 2.3.3 [ubuntu.com] in 8.04 LTS Universe repository.

Re:Why people don't update

[choongiri]

*sigh* I don't think you understand how package management and security fixes in debian / ubuntu works. New releases of software almost invariably introduce new features, as well as bug fixes. For that reason, important fixes for security issues are backported, and the version number stays the same. (Introducing new features to a LTS / stable release wouldn't be acceptible.)

Now, what you said is technically true - if it's not being actively maintained for security fixes it *should* be removed - but the fact that Ubuntu's universe package of wordpress is still at 2.3.3 doesn't in and of itself mean that it hasn't been patched with the latest security fixes.

Thats why I use www.SimpleScripts.com

[Patheos]

I personally use www.SimpleScripts.com for this exact reason. I use a ton of open source software for my websites and it is hard to keep track of all the updates made to them. SimpleScripts emails me every time an update comes out and it provides me a one click upgrade to the latest version for Wordpress, phpBB and Drupal which are the 3 systems I use the most.

Re:Why people don't update

[palegray.net]

I've verified that the OP's assessment of the situation is valid with respect to WordPress (a fresh install from the repos exposes unpatched vulnerabilities long after patches are released to correct the situation).

I understand the Debian/Ubuntu package management and security release system quite well; I happen to work or a certain "Large Virtual Server Company" and I've been using Debian almost exclusively on my systems for almost ten years.

Re:maybe if they used their release notification l

[Zancarius]

What's the point of offering it if they don't use it? Also, their blog has such a terrible noise-to-quality ratio that it's absolutely useless in this regard. All I care about is whether a new version is available or not - I couldn't care less about what new "awesome" features they've added or are trying to add - I just want to update my blog when new versions are released and leave it at that.

The admin dashboard alerts you whenever a new version is available. You don't even need to register with/check their site.