Home » Defense in Depth

Lazy WordPress Bloggers Put Blogs At Risk

Posted 6 Sep 2009 | Comments Off on Lazy WordPress Bloggers Put Blogs At Risk | 7,950 views

WordPress bloggers that do not keep their sites up to date are putting their reputations at risk. According to a recent announcement on the WordPress blog, a worm is making its way around the internet. The worm is exploiting vulnerabilities in older versions of WordPress to insert content into older posts that site owners may not notice.

The worm takes advantage of an now-fixed vulnerability in the permalink functions. Blogs using older versions of WordPress may find an extra admin and tons of links to spam and malware in their old posts. The extra links are used to increase the search rankings of spam sites and drive users to malware sites.

At the time of this post, the latest WordPress version is 2.8.4. All WordPress users not at this version should consider upgrading as soon as possible. If an upgrade is not immediately possible due to a version depenancy, owners should consider some other mitigation technique such as using ModSecurity. Blogs hosted on WordPress.com are not affected by the worm.

The WordPress dashboard provides a quick link to update the blog to the latest version.  For most bloggers this will be sufficient method to get their blogs current. For others, they may need to upload the current version and use the upgrade page (/wp-admin/upgrade.php) to fix the site.

Comments are closed.