A few words about the RISKS of WordPress 1.2, 1.5, 2.0 or anything less than 2.0.4
Summary
As the security risks in legacy versions of WordPress become more widely known, the hacking of sites that haven’t updated will become a more common event. Your site about pet rocks or the joys of train spotting may not be at the top of the attack lists, but you probably don’t want to lose everything you’ve ever written either.
Google searches can identify you as a vulnerable site, and as simple defacements become boring, the deletion of posts and comments will become an easy way to rack up points on the hacker bragging lists and punish those “stupid enough” not to upgrade.
The danger of having your name on the “Vulnerable Sites” list will only increase.
The general WordPress user may not get a sense of urgency from the release announcements. So, this article will attempt to describe the danger in continuing to rely on old software and trusting it to keep your website safe.
Conclusion
I know… I know!
The conclusion is supposed to come at the end of the article. Yeah, but this message is too important to be at the end!
Here it is: If you are not running WordPress 2.0.5: upgrade today! Based on exploits already published, available and used on the web, all of the work you’ve put into your blog could be lost.
Right now a large number of people have the knowledge to:
1. Erase any/all of your posts or comments.
2. Replace your admin password with one of their own choosing.
3. Replace files on your system including index.php.
4. Run commands against your database.
5. Grab any file with a known file name from your directory – even php files – even those with your database password.
In short, they have the ability to use your site to do whatever they want WITHOUT you having to click on anything. Now, most of these holes were closed with WordPress 2.0.3, but that still leaves some LARGE holes open even in 2.0.4. There is no reason not to upgrade to a more recent version right now.
If you’re convinced, great. Go out and download 2.0.5. If you’re not convinced, read on and these pages will hopefully scare the willies out of you and get you to upgrade!
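The one check every reader of this post should run is “which version am I actually on?” The script below is an added example (not part of the original post and not WordPress’s own code): it reads the `$wp_version` string out of `wp-includes/version.php` and compares it against the 2.0.5 floor the post gives. It assumes that file and that variable exist in your install (true for 2.0.x and 1.5; treat it as an assumption for 1.2). The embedded `SAMPLE_VERSION_PHP` is a constructed stand-in for a 2.0.4 install so the script runs with no WordPress directory at hand.

```python
import re
import sys
from pathlib import Path

# The version the post tells readers to run; anything older is treated as exposed.
MINIMUM_SAFE_VERSION = "2.0.5"


def parse_version(text):
    """Turn '2.0.4' or '1.5' into a comparable tuple of ints, padded to 3 parts.
    Any trailing label (e.g. '-RC1') is dropped; numeric comparison is enough here."""
    core = re.match(r"\d+(?:\.\d+)*", text.strip())
    if core is None:
        raise ValueError(f"not a version string: {text!r}")
    parts = [int(p) for p in core.group(0).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def extract_wp_version(version_php_source):
    """Pull the $wp_version assignment out of the contents of wp-includes/version.php."""
    m = re.search(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]""", version_php_source)
    if m is None:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


def needs_upgrade(installed, minimum=MINIMUM_SAFE_VERSION):
    """True when the installed version is below the minimum the post recommends."""
    return parse_version(installed) < parse_version(minimum)


def check_install(wp_root):
    """Read version.php under a WordPress root and report (version, needs_upgrade)."""
    path = Path(wp_root) / "wp-includes" / "version.php"
    source = path.read_text(encoding="utf-8", errors="replace")
    installed = extract_wp_version(source)
    return installed, needs_upgrade(installed)


# Constructed sample (not a real file): what version.php looks like on a 2.0.4 install.
SAMPLE_VERSION_PHP = """<?php
// This holds the version number in a separate file so we can bump it without cluttering the logs.
$wp_version = '2.0.4';
?>
"""


if __name__ == "__main__":
    # Usage: python wpcheck.py /path/to/wordpress   (or no argument to run on the sample)
    if len(sys.argv) > 1:
        version, outdated = check_install(sys.argv[1])
    else:
        version = extract_wp_version(SAMPLE_VERSION_PHP)
        outdated = needs_upgrade(version)
    verdict = "UPGRADE NOW" if outdated else f"at or above {MINIMUM_SAFE_VERSION}"
    print(f"WordPress {version}: {verdict}")
```

Run it against the root of each blog you host; a “2.0” or “1.5” result is exactly the situation the post is warning about. The padding in `parse_version` matters: without it a plain “2.0” would not compare correctly against “2.0.5”.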
I’m sorry — you’re really long-winded, and this isn’t new content OR news. And maybe it’s just me, but you seem a little “full of yourself”.
Finally, the “long post”. I’m glad you found time to finish it.
Another aspect to the “hackers seek fame” bit: Of course, defacing the site on “pet rocks” doesn’t bring you fame. But defacing 24.5 million (or even only 10.000) sites on pet rocks and other assorted special interests in a single batch surely brings you fame as well. Doing a Google search for your leet-speak-hackername and getting millions of results for sites you “hacked” makes you a semi-god.
OK, now get this post to Digg, Slashdot, Gadgetopia etc.
To Bleh: I do know what you mean. It is long-winded, and that’s why it stayed in the draft folder for so long. It was originally going to be a very technical article describing five attacks I’d picked out. But as I wrote, I kept on thinking about my target audience and had to step back a little further and include more of the foundational knowledge. I’m not targeting the tech people. I’m not targeting those who have already upgraded. Most techies have already upgraded.
So, yes, it’s old news to us, but I’m reaching out to those who have had one or two years. I’m hoping I’ve correctly targeted this article to them. I can follow up on it with more technical stuff in days to come. I’m still talking about attacks on version 1.5 and 2.0 sites, but at least it will be a little more… is geekalicious a word? No… I don’t think it is….