OK It’s been a couple days now and this news is only spreading. If you haven’t heard already, there is an attack out there that allows the Admin PW to be compromised for any WordPress 2.1 and 2.0 blog. Only 2.2 and the yet unreleased version of 2.0 are safe and it will stay that way. The 2.1 is not a maintained version. So far, I’ve heard nothing about the plans to release a new 2.1. So at this point, for most people running 2.1, your only choice is to upgrade to 2.2.
I’ve stolen the admin PW of several 2.1 sites under my control and tested the sites of some of my friends to make sure they were safe even though they hadn’t upgraded.
There are two things that may make your 2.1 DB safe:
1. Your user named Admin is NOT user number 1.
2. Your database prefix is NOT wp_
If you want to upgrade safely and quickly, try my script. The latest post about it is always at: http://www.thecodecave.com/EasyWPUpdate
If you want to see how we handled this at b5media, read here:
Guide to Disaster: How The Tech Team Handled WordPress Security Flaw