

Wordpress.org Warns of Active Worm Hacking Blogs 103
Erik writes "Wordpress, the popular open-source Content Management System (CMS) for many thousands of bloggers worldwide, is under attack from a 'clever' worm that automatically compromises unpatched versions of the Wordpress system. The particularly nasty bug crawls the web for vulnerable Wordpress installations, installing malware, deleting content, and generally wreaking havoc wherever it can. Today, Wordpress founder Matt Mullenweg eloquently implored Wordpress bloggers to update more frequently. Originally, updating the Wordpress system was a rather laborious process; however, newer versions offer fast and simple one-click upgrades. The two most recent versions of Wordpress (2.8.3 and 2.8.4) cannot be attacked by the worm discovered this week, and blogs hosted at Wordpress.com are also apparently immune."
Re:Hey Wordpress... (Score:3, Informative)
As outlined in TFA (yes, I know, I know) that's snake oil. You can run response tests to determine a version.
Comment removed (Score:2, Informative)
Re:Why people don't update (Score:5, Informative)
There is also a interesting point regarding software repository support. I have a server running Ubuntu 8.04 LTS Server which is supposed to be supported till April 2011, however Wordpress is in the Universe repository and not updated since November 2008 and is vulnerable to a few attacks that delete content.
If these packages are not going to be updated should there not be at least a warning, or method to bar such packages from being installed after security issues have been raised?
Wordpress 2.3.3 [ubuntu.com] in 8.04 LTS Universe repository.
Re:Why people don't update (Score:5, Informative)
*sigh* I don't think you understand how package management and security fixes in debian / ubuntu works. New releases of software almost invariably introduce new features, as well as bug fixes. For that reason, important fixes for security issues are backported, and the version number stays the same. (Introducing new features to a LTS / stable release wouldn't be acceptible.)
Now, what you said is technically true - if it's not being actively maintained for security fixes it *should* be removed - but the fact that Ubuntu's universe package of wordpress is still at 2.3.3 doesn't in and of itself mean that it hasn't been patched with the latest security fixes.
Thats why I use www.SimpleScripts.com (Score:2, Informative)
Re:Why people don't update (Score:5, Informative)
I understand the Debian/Ubuntu package management and security release system quite well; I happen to work or a certain "Large Virtual Server Company" and I've been using Debian almost exclusively on my systems for almost ten years.
Re:maybe if they used their release notification l (Score:3, Informative)
The admin dashboard alerts you whenever a new version is available. You don't even need to register with/check their site.