Since people are asking, this so-called alert on Security Focus appears to be completely false and has no information that an attacker or the WordPress developers could use. It is completely content-free, except for making claims that every version of WP since 2.0 is vulnerable.
Online, apparently, it’s fine for someone to run into a crowded theatre and yell “fire,” and the less basis there is in fact, the more people link to them. It’s not uncommon to see crying-wolf reports like the one above several times in a week, and a big part of what the WP security team does is sift through them to see what’s valid and what isn’t.
A valid security report looks like this: it usually includes sample code and a detailed description of the problem. The WP security team was notified of the KSES problem and it was fixed in 2.5. You can impress your friends by telling whether a security report is valid or not, so it’s a good critical faculty to pick up.
All that said, there is a wave of attacks going around targeting old WordPress blogs, particularly those on the 2.1 or 2.2 branch. They’re exploiting problems that have been fixed for a year or more. This typically manifests itself as hidden spam being put on your site, either in a post or in a directory, and people notice when they get dropped from Google. (Google will drop your site if it contains links they consider spammy; you’ll remember this is one of the main reasons I came out against sponsored themes.) Google has some guidelines as well on what to do if your site is hacked. If I were to suggest WordPress-specific ones, I would say:
- Upgrade your blog to the latest WP. This shouldn’t be hard. There are plugins for it; if you’re techy, use Subversion; there is the standard FTP method; and finally Media Temple, Dreamhost, and Bluehost (through SimpleScripts) have all been pretty good about having their one-click upgrade systems ready with new versions within a day or two of a release. If your host is chronically behind, vote with your wallet and switch.
- If you need someone to help you upgrade, consider hiring help on the wp-pro mailing list. (It has close to a thousand subscribers and consultants on it.) Or you could always ply a geeky friend with caffeine, libations, food, or gadgets. Just get them to set up a system like the above so you can do it yourself next time.
- Change your passwords, for yourself and any other users you have on the system. If the attacker grabbed your password when you were on an old version, they can still log in after you’ve upgraded if you don’t change it. There’s a new password strength meter in 2.5 that helps you pick a good password.
- Search through your posts for any that might have been modified, and comb through the directories on your web server looking for anything out of the ordinary. Your host may be able to help you with the latter.
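As an added example (not code from the original post), here is a small checker for the last step: it flags post content that hides links with CSS tricks, and flags PHP files that either sit inside wp-content/uploads (which should only ever hold media) or were modified recently. It assumes a standard WordPress directory layout; the hidden-spam patterns and the 30-day window are illustrative choices, and the sample posts and file list are constructed stand-ins for a `SELECT ID, post_content FROM wp_posts` query and a directory walk.

```python
"""Added example: look for hidden spam in posts and out-of-place PHP files.

Not part of the original post. Assumes a standard WordPress layout where
wp-content/uploads holds only media; the patterns below are illustrative.
"""
import os
import re
from typing import Iterable, List, Tuple

# CSS/markup tricks that injected link spam typically relies on to stay
# invisible to readers while remaining visible to search engines.
HIDDEN_PATTERNS = [
    re.compile(r"display\s*:\s*none", re.I),
    re.compile(r"visibility\s*:\s*hidden", re.I),
    re.compile(r"(?:left|top)\s*:\s*-\d{3,}px", re.I),          # pushed off-screen
    re.compile(r"<iframe[^>]*(?:width|height)\s*=\s*[\"']?0", re.I),  # zero-size frame
]

PHP_EXTENSIONS = (".php", ".phtml", ".php5")
UPLOADS_PREFIX = "wp-content/uploads/"


def find_hidden_spam(post_content: str) -> List[str]:
    """Return every fragment of post_content that matches a hiding trick."""
    hits = []
    for pattern in HIDDEN_PATTERNS:
        hits.extend(m.group(0) for m in pattern.finditer(post_content))
    return hits


def scan_posts(posts: Iterable[Tuple[int, str]]) -> List[int]:
    """Given (post_id, post_content) pairs, return the IDs worth a manual look."""
    return [post_id for post_id, content in posts if find_hidden_spam(content)]


def suspicious_files(entries: Iterable[Tuple[str, float]], now: float,
                     max_age_days: int = 30) -> List[Tuple[str, str]]:
    """entries are (path relative to the install root, mtime) pairs.

    Flags PHP under the uploads directory, and any PHP modified within
    max_age_days of `now` (a fresh upgrade will also trip this, so compare
    against your upgrade date).
    """
    cutoff = now - max_age_days * 86400
    flagged = []
    for path, mtime in entries:
        rel = path.replace("\\", "/")
        if not rel.lower().endswith(PHP_EXTENSIONS):
            continue
        if rel.startswith(UPLOADS_PREFIX):
            flagged.append((path, "php file inside uploads directory"))
        elif mtime >= cutoff:
            flagged.append((path, "php file modified in the last %d days" % max_age_days))
    return flagged


def walk_install(root: str) -> List[Tuple[str, float]]:
    """Turn a real install directory into the (relative_path, mtime) pairs above."""
    entries = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            entries.append((os.path.relpath(full, root), os.path.getmtime(full)))
    return entries


if __name__ == "__main__":
    # Constructed sample data standing in for a wp_posts query and a directory walk.
    NOW = 1_200_000_000.0  # constructed "current time"
    SAMPLE_POSTS = [
        (1, "<p>My trip to the beach.</p>"),
        (2, '<p>Nice.</p><div style="display:none"><a href="http://example.invalid/x">spam</a></div>'),
    ]
    SAMPLE_FILES = [
        ("wp-config.php", NOW - 400 * 86400),
        ("wp-content/uploads/2008/03/photo.jpg", NOW - 10 * 86400),
        ("wp-content/uploads/2008/03/image.php", NOW - 2 * 86400),
        ("wp-includes/kses.php", NOW - 1 * 86400),
    ]
    print("posts to inspect:", scan_posts(SAMPLE_POSTS))
    for path, reason in suspicious_files(SAMPLE_FILES, NOW):
        print("%s: %s" % (path, reason))
    # On a real install: suspicious_files(walk_install("/path/to/wordpress"), time.time())
```

The file check is deliberately noisy rather than clever: a legitimate upgrade touches many PHP files at once, so the useful signal is a PHP file changed on a day you did not upgrade, or any PHP at all under uploads. Anything it flags is a starting point for the host's log review mentioned below, not a verdict.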
If you’re on the latest version, you’ve changed all your passwords, and something still happens to your blog, don’t panic. It’s not your (or WP’s) fault; there is likely another account on the server which is malicious, and the server you’re on is set up in a way that lets your neighbors modify your files. The best thing to do here is to contact your host or sysadmin and have them check things out. They can look at the other accounts and log files in a forensic fashion to identify the source.
I follow or am involved with many, many WordPress blogs – from some that receive millions of pageviews a day, have pageranks of 8 or 9, and are huge targets, all the way to small personal blogs. Those that have followed the two basic tenets — keep up with upgrades and use good passwords — have never had a problem. Those that fall behind on upgrades, like Al Gore did, have.
If you’re tech-savvy, take a look through your blogroll and see if anyone is on an old version. If they are, consider contacting them to help out. Like a barn raising, if we all work together it’ll happen a lot faster.
I often hear reasons why people don’t want to upgrade; here are the most common, with my best response to each:
- I’m scared something will break, or I don’t know how. Ask a friend to help or hire a professional on the aforementioned wp-pro list. Long-term, try to use a plugin like WPAU or a host that will do upgrades for you.
- One of my plugins doesn’t work with the new version. This is getting rarer as we have a very public testing cycle for plugin authors to try their stuff with the latest version, but it is still common. I would suggest checking for an upgrade to the plugin on the author’s site, contacting the author about the incompatibility you found, maybe even donating some money, or finally searching for an alternative plugin that provides similar functionality but works with the latest and greatest version of WordPress. In the big picture, though, having a secure site is much more important than the functionality of a single plugin, so you should seriously consider turning off a plugin for a few days instead of putting off core upgrades.
- I don’t like the new version, they moved my cheese. We believe every new release is better, but sometimes people just aren’t comfortable with a change, which is fine. The good news is that we constantly improve things based on feedback, including interfaces, and, more importantly, that for almost everything you can imagine annoying you there is a plugin that changes it. For example, in 2.5 the page is fixed-width to allow for greater readability, but there’s a plugin to make it stretch to the full width of the window.
- I modified core files, so upgrades are hard. You should never ever modify core files in WP. If you find you have to, file a ticket for a new hook or filter so your modifications can be a plugin — it makes things so much easier.
- Upgrades are too frequent. If it takes you more than 5 minutes to upgrade your blog, you’re doing it wrong. Historically we do a major release about 3 times a year, and a minor release about once a month. Minor releases almost never break anything, so they are the easiest. (And often the most important.) WordPress is fast-evolving software, so this is a good problem to have.
- I don’t know when there’s an upgrade. No excuses here. Since 2.3 we include a big honking notice at the top of your dashboard when there’s a new release available. It’s also worth subscribing to our dev blog; it’s not like it’s going to flood your RSS reader.
Of course the millions of blogs on WordPress.com never worry about any of this, nor do the folks on good hosts that have one-click upgrades. The WP community takes security very seriously and has always done its best to respond diligently to any known problems, but all that work is for naught if you don’t upgrade. Hosting an application yourself is a responsibility. In the future we’re hoping to make this whole thing easier, for example with built-in functionality like WPAU. Until that day though, I hope the above helps. Feel free to copy, republish, or steal this post in whole or part for whatever you like.