Upgrade to WordPress 2.2 or have your Admin PW stolen
OK It’s been a couple days now and this news is only spreading. If you haven’t heard already, there is an attack out there that allows the Admin PW to be compromised for any WordPress 2.1 and 2.0 blog. Only 2.2 and the yet unreleased version of 2.0 are safe and it will stay that way. The 2.1 is not a maintained version. So far, I’ve heard nothing about the plans to release a new 2.1. So at this point, for most people running 2.1, your only choice is to upgrade to 2.2.
I’ve stolen the admin PW of several 2.1 sites under my control and tested the sites of some of my friends to make sure they were safe even though they hadn’t upgraded.
There are two things that may make your 2.1 DB safe:
1. Your user named Admin is NOT user number 1.
2. Your database prefix is NOT wp_
If you want to upgrade safely and quickly, try my script. The latest post about it is always at: http://www.thecodecave.com/EasyWPUpdate
If you want to see how we handled this at b5media, read here:
Guide to Disaster: How The Tech Team Handled WordPress Security Flaw
Another good day
EasyWPUpdate ver 2.0 RC 1 – Just in time for WordPress 2.0.7
WP-Contract-Form 0.3 released
About Author
Justified text is considered harmful 😉
Any quick fix tutorials for changing your database prefix and admin user numbers?
Along with the bug fixes, WordPress 2.2 brings new bugs to the table: wp_mail removes the Content-Type, you can’t remove widgets in Firefox and all widgets are used by default… etc. You can check the bug list at trac.wordpress.org
The official install guide is quite hard to understand so i decided to write a tutorial with pictures about how to upgrade to wordpress 2.2 and i allso describe the compatibility issues on widgets.
I haven’t tried your script but sounds really good. Keep up the good work!