Most of the blog sites I’ve set up for my clients run on WordPress. Late last night, I spent a couple of hours checking and upgrading sites to Version 2.8.4 ASAP because there’s a nasty worm making the rounds this weekend:
- WordPress blog: How to Keep WordPress Secure
- Lorelle: Old WordPress Versions Under Attack
- Mashable Social Media Guide: WordPress Attack Underway: WordPress Users Must Upgrade
I wrote to my favorite web host, Tiger Technologies in California, asking them if they knew about it the worm and whether they could tell if any sites had been compromised. The owner, Robert Mathews, wrote me back within a few minutes:
We were actually the ones who detected this new worm about three weeks ago, notified the WordPress people about it, and urged them to make a public announcement:
(See the "In addition to that, we’ve discovered something else interesting…" section.) Would have been nice if they’d given us some credit, but oh well.
Anyway, all our customer sites have been protected against this attack since August 12, because we saw exactly how it worked and added server-wide rules against it. Your sites won’t have been compromised (by this, anyway).
That said, the general tone of those posts is correct. You should always upgrade WordPress (or any software you use) the day a new version becomes available.
From painful experience of watching how thousands of customers manage their sites over the years, we can categorically say that if you do that with all software on your site, you will almost certainly never be compromised; if you don’t, you will almost certainly be compromised one day. 🙁
But we hope that helps set your mind at rest about the possibility of having been infected by this particular new worm.
Please let us know if there is anything else we can do. Thank you again!
— Robert Mathews, Tiger Technologies