Mashable - The Social Media Guide: WordPress Responds to Attack: “Please Upgrade”

  • zedomax · 3 months ago
    Oh god, I had this problem a couple of weeks ago and contacted Wordpress; they said their software was completely secure as far as they were concerned. Now the truth comes out after I lost a bunch of money. I mean, all of my 20+ blogs were getting hacked like it was Sunday breakfast or something. Next time, please listen to the bloggers, Wordpress security team; I don't bs.
  • Matt · 3 months ago
    I'm not sure who you contacted or talked to, but the current version of WordPress is completely secure. If you're on the current version you should be fine.
  • zedomax · 3 months ago
    That is good to hear, Matt. I do, however, like that you are very honest and you did say the truth; that's why I keep using Wordpress, and of course I don't think there is any other blog software that's better.
  • Nikolay Kolev · 3 months ago
    "Upgrading" is not always an option. Especially when you have a more complicated installation (tens of plugins) - you can't simply upgrade without doing proper testing first, which may take weeks. There are some obsolete plugins, essential for your blog, that may not be compatible with the latest release of WordPress. Anyway, this proves that WordPress is not enterprise-ready as enterprises do not like to be forced to upgrade to the latest version. In fact, enterprises are never on the latest version of any product.
  • Carl Hancock · 3 months ago
    Don't use plugins that aren't actively supported by their developer. If your blog is relying on plugins that are effectively dead, you aren't exactly thinking ahead as far as the future of your site. ALL CMS and blog platforms are going to have security vulnerabilities. That's why new versions are released. WordPress is ready for the enterprise, otherwise organizations such as CNN, the New York Times and the NFL wouldn't be using it. Be smart about the plugins you use and you won't run into this problem.
  • Nikolay Kolev · 1 month ago
    Obviously you don't live in the Real World, and I'll give you an example with probably one of the most enterprisey plugins there is - HyperDB, which got updated last month from supporting "up to 2.6" to "up to 2.8" (yes, it skipped 2.7), which happened a few months after 2.8 got released. HyperDB is a plugin developed and used at WordPress.com by Automattic folks themselves, so if this is not a trustworthy plugin, then I'm really lost!
  • Robert Basil · 3 months ago
    This has got to be one of the dumbest comments I've ever read on Mashable.
  • Tatesjourney · 3 months ago
    My goodness, that is a brilliant point... and Pinky says... "n...o..t".
  • shortformblog · 3 months ago
    Wow, good thing I upgraded the other day; I had been holding off out of fear that some plugins would break – which would be fatal for my site, because it uses a lot of customizations.

    But this would be significantly worse.

    The problem with upgrading for security is that it ignores the fact that you're avoiding upgrading for functionality. When I upgraded to 2.8, More Fields completely broke. I need that plugin to update my site, so that really sucked initially. (Fortunately, other people were on the case.)

    Be careful out there guys.
  • Brad · 3 months ago
    That could be why k-disk.net went down.
  • WebStudio13 · 3 months ago
    You're probably right
  • Bradj47 · 3 months ago
    You've heard of it? It's only hosting like 70 accounts so I'd be surprised. But I know the owner and he always used Wordpress.
  • Earn Money Online · 3 months ago
    It is always good to upgrade to the latest version as soon as it is available for download. My personal wordpress blog was hacked too, and some script was injected into every .php page. This taught me a big lesson. I would suggest you kindly go through this article: How to Secure your wordpress blog @ http://annanta.com/security/how-to-secure-your-...
  • zedomax · 3 months ago
    The best way to avoid being attacked through this vulnerability is to disable user registrations, which most of you don't need anyway. According to Matt on the new worm:

    "it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts."

    I've already gotten this worm 2 months ago, it's been going on for awhile now, FYI.
  • Jack Yan · 3 months ago
    Thanks for that, Zedomax. While we’ve now upgraded (with extreme difficulty, because the upgrade process takes hours and not the minutes that Wordpress claims), I have disabled user registrations on one of our installations.

    Like you, I always have huge problems getting these software companies to believe me, then months down the line I get proved right.
  • zedomax · 3 months ago
    Sure, if you have disabled user registrations, that takes care of 99% of the worms out there. Of course, Wordpress is free software; that's why it's very vulnerable. There are not millions of dollars invested in it and it's not a huge team of developers. You can't blame them, but there are ways to protect it, by using encrypted passwords and disabling user registrations, which are pointless to visitors for most blogs anyway. I am not upgrading btw, I am already protected. :)
  • Iliyan Petrov · 3 months ago
    Windows has millions of dollars invested in it, and it's still the #1 target ;)
  • Matt · 3 months ago
    Yes if money could buy security Windows (and OS X) would never have any security updates.
  • Hesham · 3 months ago
    Oh! So I should be feeling not secure now?!!
    My setup is not complicated; I think it can handle the upgrade. I will go for it!
  • ananymous · 3 months ago
    My site was hacked about a month ago because of lack of upgrade. My site was unknowingly selling every kind of prescription drug known to man virtually overnight. Google de-listed me for vital keywords, I had to clean the site and re-submit, and I had to spend hundreds of dollars getting things fixed and now hundreds of dollars for ongoing maintenance protection because of fear of getting hit again. Lots of lost business too. I also was hesitant to upgrade, thinking it was no big deal. If I had to do it all over again, I would have upgraded! What a f(*+)+# nightmare.
  • mybrutegame · 3 months ago
    I recently updated my blog. I was worried about this. Ahead of the game! :)
  • AP · 3 months ago
    The most recent version is 2.8.4a. I've heard that upgrading to that version will lead to me losing the admin rights. Is that true? Did anyone have any problems after upgrading?
  • mercime · 2 months ago
    2.8.4a is the most recent version for WordPress Multi-User (WPMU), not regular WP. And no, I had no problem upgrading WPMU or WP to the latest versions. Just make sure you have regular backups of your databases.
  • Tawnya Sutherland · 3 months ago
    Is there any fix for those of us who were hacked with the old version???
  • milkfish · 3 months ago
    You can do an export and re-import to a new installation
    http://lorelle.wordpress.com/2009/09/04/old-wor...
  • Tawnya Sutherland · 3 months ago
    I was hacked and have upgraded. Also went into SQL and found the culprit Admin and deleted them as well plus fixed my permalinks. One thing I can't do however is delete this plugin http://guff.szub.net/2005/01/27/add-link-attrib... else it shuts down my whole blog. My guess is that this plugin is the backdoor in for this hack.
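The worm described in the quoted comment above hides its administrator account with JavaScript on the dashboard's users page, rewrites the permalink structure, and plants hidden spam in old posts; a later commenter found the rogue admin by going straight to the database. The following is an added example, not code from the Mashable thread or from WordPress: it queries the database tables directly (so the dashboard's JavaScript cannot hide anything) for the four symptoms the thread names. sqlite3 stands in for MySQL, the table rows are constructed samples, the `wp_` table prefix and the `KNOWN_ADMINS` set are assumptions, and the tampered permalink value is a stand-in that only illustrates "something that is not a permalink tag", not the real worm's payload.

```python
"""Added example: database-level triage for a compromised WordPress install.

sqlite3 stands in for MySQL; the schema mirrors the columns we need from
wp_users, wp_usermeta, wp_options and wp_posts. All rows are constructed."""
import re
import sqlite3

# Assumption: the site operator knows which admin logins are legitimate.
KNOWN_ADMINS = {"admin"}
PREFIX = "wp_"  # assumption: default $table_prefix; change if yours differs

SAMPLE_SQL = """
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_registered TEXT);
CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                          meta_key TEXT, meta_value TEXT);
CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT);
CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT, post_status TEXT);
INSERT INTO wp_users VALUES (1, 'admin',  '2008-03-01 10:00:00');
INSERT INTO wp_users VALUES (2, 'editor', '2008-06-12 09:30:00');
INSERT INTO wp_users VALUES (3, 'xxk9q',  '2009-09-04 03:12:41');  -- constructed rogue account
INSERT INTO wp_usermeta VALUES (1, 1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
INSERT INTO wp_usermeta VALUES (2, 2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}');
INSERT INTO wp_usermeta VALUES (3, 3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
INSERT INTO wp_options VALUES (1, 'users_can_register', '1');
-- constructed stand-in for a tampered value: contains characters no permalink tag uses
INSERT INTO wp_options VALUES (2, 'permalink_structure', '/%year%/%postname%/<?php echo 1; ?>');
INSERT INTO wp_posts VALUES (10, 'Hello world', '<p>Welcome.</p>', 'publish');
INSERT INTO wp_posts VALUES (11, 'Old post',
    '<p>Text</p><div style="display:none">buy cheap pills</div>', 'publish');
INSERT INTO wp_posts VALUES (12, 'Another',
    '<p>ok</p><iframe src="http://example.invalid/x"></iframe>', 'publish');
"""


def connect_sample():
    """In-memory database loaded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SQL)
    return conn


def rogue_admins(conn, known=KNOWN_ADMINS):
    """Every account holding the administrator capability that is not on the
    known-good list. Read from the tables, not the dashboard, so client-side
    JavaScript cannot hide a row."""
    rows = conn.execute(
        "SELECT u.ID, u.user_login, u.user_registered "
        "FROM " + PREFIX + "users u JOIN " + PREFIX + "usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = ? AND m.meta_value LIKE ?",
        (PREFIX + "capabilities", '%"administrator"%'))
    return [(uid, login, reg) for uid, login, reg in rows if login not in known]


# A clean permalink_structure is only slashes, %tag% tokens and plain path text.
PERMALINK_OK = re.compile(r"^(/|%[a-z_]+%|[A-Za-z0-9._-]+)*$")


def permalink_is_clean(value):
    return bool(PERMALINK_OK.match(value or ""))


def permalink_tampered(conn):
    """Returns the stored permalink_structure if it contains anything beyond
    legitimate permalink syntax, else None."""
    row = conn.execute("SELECT option_value FROM " + PREFIX + "options "
                       "WHERE option_name = 'permalink_structure'").fetchone()
    value = row[0] if row else ""
    return None if permalink_is_clean(value) else value


# Hidden-spam markers worth a human look; legitimate posts can trip this too.
HIDDEN_SPAM = re.compile(r"display\s*:\s*none|<iframe\b|<script\b", re.IGNORECASE)


def suspicious_posts(conn):
    """(ID, title) of posts whose content carries hidden or injected markup."""
    rows = conn.execute("SELECT ID, post_title, post_content FROM " + PREFIX + "posts")
    return [(pid, title) for pid, title, content in rows if HIDDEN_SPAM.search(content or "")]


def registration_open(conn):
    """True when 'Anyone can register' is switched on (users_can_register = 1)."""
    row = conn.execute("SELECT option_value FROM " + PREFIX + "options "
                       "WHERE option_name = 'users_can_register'").fetchone()
    return bool(row) and row[0] == "1"


def triage(conn):
    """One dict summarising all four checks, for a quick incident report."""
    return {
        "rogue_admins": rogue_admins(conn),
        "permalink_tampered": permalink_tampered(conn),
        "suspicious_posts": suspicious_posts(conn),
        "registration_open": registration_open(conn),
    }


if __name__ == "__main__":
    for key, value in triage(connect_sample()).items():
        print(key, "->", value)
```

Against a real install, point the same four queries at MySQL (the SQL is plain enough to paste into the mysql client) and treat the output as a worklist: remove any administrator you did not create, reset `permalink_structure` to a plain tag string, review the flagged posts by hand rather than bulk-deleting them, and set `users_can_register` to 0 if the site does not need sign-ups. None of this replaces the upgrade the article asks for; the checks only tell you whether the hole has already been used.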
  • Free Wii Points · 3 months ago
    Yes you must upgrade because there is an exploit using a specially crafted URL which will hack into your Admin Account!
  • Name · 2 months ago
    Do I have to do anything at all? All I wanted to do was go on Glenn Beck's site and respond to a comment. I don't have a WordPress site. Actually, I'm not familiar with any of this.
  • rui · 2 months ago
    Hello, just testing this way of commenting.