A few words about the RISKS of WordPress 1.2, 1.5, 2.0 or anything less than 2.0.4
How can you make a difference?
1. Upgrade your blog and explain why you did it.
This is the best way to protect WordPress from getting a bad name it doesn’t deserve. The WordPress developers have taken steps to make it a safe system, but only you can upgrade your site.
2. Write an article on your blog.
I’ve made this post as long as it is so that people can have enough material to write their own posts quickly and easily. URGE YOUR READERS TO UPDATE THEIR OWN BLOGS.
3. Use Google to find blogs that haven’t updated and ask them to upgrade to a safe version.
Here are the searches for the most vulnerable sites:
Version 1.2
Version 1.5
Version 2.0-2.0.2
Make a comment or send the admin an email telling them to upgrade. Link to your article or mine, I don’t care. Here’s some sample text, you can replace the link to this article with a link to your own:
Hi! I see you are running an older version of WordPress. Did you know that just about anyone can get into your site and delete your posts? PLEASE update to a version of WordPress that was written in the last year. We don’t want WordPress to get a bad name in the security world just because a few people don’t update. Here’s an article explaining the risks:
<a href="http://www.thecodecave.com/article249" title="You really should upgrade">A few words about the RISKS of WordPress 1.2, 1.5, 2.0 or anything less than 2.0.4</a>. If I can find your site and tell you to update, so can the hackers who will want to destroy your site.
Those are three easy tasks. You have a choice. Do you help your fellow blogger by saving them the heartache of a lost site, or do you ignore the issue? I couldn’t ignore the issue. I hope you can’t either.
Post script
This post was started a long time ago and has gone through many revisions, and I debated where I fell on the Obscure/Announce debate. I’d originally planned to briefly explain how to do each of the first six attacks I mentioned. However, I’ve backed off on that. I think I’ve given sufficient detail; actual code would help make things clearer, but this post is long enough as it is, and it is important enough that I don’t want to delay any longer. Giving more detail will only cause fewer people to reach the end of the article. If you can think of other ways to improve the impact of this article, please let me know. I’m sure there will be spelling mistakes, grammar mistakes and more. Just leave a comment on the page with the problem, and I’ll clean it up. Thanks! - B
I’m sorry — you’re really long-winded, and this isn’t new content OR news. And maybe it’s just me, but you seem a little “full of yourself”.
Finally, the “long post”. I’m glad you found time to finish it.
Another aspect to the “hackers seek fame” bit: Of course, defacing the site on “pet rocks” doesn’t bring you fame. But defacing 24.5 million (or even only 10,000) sites on pet rocks and other assorted special interests in a single batch surely brings you fame as well. Doing a Google search for your leet-speak hacker name and getting millions of results for sites you “hacked” makes you a semi-god.
OK, now get this post to Digg, Slashdot, Gadgetopia etc.
To Bleh: I do know what you mean. It is long-winded, and that’s why it stayed in the draft folder for so long. It was originally going to be a very technical article describing five attacks I’d picked out. But as I wrote, I kept on thinking about my target audience and had to step back a little further and include more of the foundational knowledge. I’m not targeting the tech people. I’m not targeting those who have already upgraded. Most techies have already upgraded.
So, yes, it’s old news to us, but I’m reaching out to those who have had one or two years. I’m hoping I’ve correctly targeted this article to them. I can follow up on it with more technical stuff in days to come. I’m still talking about attacks on version 1.5 and 2.0 sites, but at least it will be a little more… is geekalicious a word? No… I don’t think it is….