Xavier Media
The Antivirus blog How to protect yourself from viruses, malware and scumware
Archive for the ‘Wordpress’ Category

Security fix for Wordpress

Saturday, April 26th, 2008

Most of us have only just upgraded to Wordpress 2.5, and it’s already time for another upgrade. This one is more urgent, since it includes a security fix and about 70 bug fixes:

We recommend everyone update immediately, particularly if your blog has open registration. The vulnerability is not public but it will be shortly.

My guess is that this security fix is related to this post, but that’s just my guess.

Read more in the Wordpress blog or go directly to the download page to get the latest version.


Wordpress 2.5 is out, upgrade today!

Monday, March 31st, 2008

The latest version of Wordpress was only a few days old when I noticed this urgent post in the TrendLabs blog regarding the old version of Wordpress (version 2.3.3 that is). It’s always important to upgrade your software, and this time it can really hurt your visitors and subscribers if you don’t :(

This JavaScript injection creates a directory called 1 in your wp-content directory. So to find out if your blog has been hijacked, you should search for a directory with that name. This directory will be full of infected files containing links to other infected files :( so you need to remove them all if your blog has been infected.

If your blog gets infected, all your blog pages will be filled with links to other infected pages.
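
One way to run this check across every blog on a server, as an added example that is not part of the original post. The script name and the `/var/www` path in the usage comment are assumptions, and the sample tree is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post). Read-only check for the
# directory called "1" inside wp-content, across every WordPress install
# found below a base directory. It reports; it deletes nothing.

# Report on one wp-content directory: SUSPECT if it contains a
# subdirectory named "1", ok otherwise. Always returns 0.
check_wp_content() {
    if [ -d "$1/1" ]; then
        n=$(find "$1/1" -type f | wc -l | tr -d ' ')
        printf 'SUSPECT %s (%s files inside)\n' "$1/1" "$n"
    else
        printf 'ok      %s\n' "$1"
    fi
}

# Find each wp-content directory below base directory $1 and check it.
# -prune stops find from descending into wp-content itself.
scan_base() {
    find "$1" -type d -name wp-content -prune 2>/dev/null |
    while IFS= read -r dir; do
        check_wp_content "$dir"
    done
}

# Print the number of suspect installs below $1.
count_suspect() {
    scan_base "$1" | grep -c '^SUSPECT' || true
}

# Constructed sample tree: blog-a is clean, blog-b has the "1" directory.
# Prints the path of the temporary base directory.
make_demo_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/blog-a/wp-content/themes" "$base/blog-b/wp-content/1"
    : > "$base/blog-b/wp-content/1/page1.html"
    : > "$base/blog-b/wp-content/1/page2.html"
    printf '%s\n' "$base"
}

# Usage: sh check_wp.sh /var/www   (script name and path are examples)
if [ "$#" -gt 0 ]; then
    scan_base "$1"
fi
```

A SUSPECT line only tells you where to look; check the files listed there before removing anything.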

TrendLabs is giving this advice to blog owners:

As of this writing, a fix for this vulnerability has yet to be issued by WordPress. (You may, however, find this and this sites useful.) As a workaround, users may want to close their registration feature. Also, be wary of third-party plug-ins you install in your blog sites.


Check your Wordpress installation

Friday, March 21st, 2008

If you’re using Wordpress you should make sure that you’re using the latest version (at the moment 2.3.3) and that you’ve removed all the old files so no one can take advantage of a security leak in the old files. Shoemoney.com is reporting that people claim to have hidden links (or even iframes) injected into their latest installations of Wordpress.

Shoemoney.com says:

First I want to say I have never seen any evidence of a fresh 2.3.3 install of Wordpress.

The issue most likely comes from either a previous exploitable file still existing in your Wordpress install directory or from someone who has already hijacked your admin cookie. You see there were some wicked exploits in earlier versions that allowed people to hijack your admin cookie which authenticates you (keep me logged in).

So the advice is to always keep your installations up to date, change passwords regularly and remove old files left over from previous versions of your installation. This is true not only for Wordpress, but for everything installed on your server, for example phpBB.

It’s also a good idea to keep a backup of your database at some location other than your current server. Wordpress has a few good plugins that can email your database to you on a daily basis, or, if you can, you should set up your web server to send a backup of your entire site to a remote FTP account.
