Wordpress 2.5 and Security

I’ve learned my lesson the hard way. I’ve been running this blog on an older version of Wordpress, and one day it got hacked: hidden spam links were inserted into the blog entries. I must say that was brilliant, nobody could see the spam links, but the search engines were indexing them. Luckily, the problem was at least visible in the RSS aggregator. So I started digging to figure out what was going on, and to my horror it turned out that these kinds of hacks are very common, especially against outdated versions of Wordpress:

  1. Detailed Post-Mortem of a Website Hack Through WordPress
  2. Support » Weird and Dangerous
  3. Justaddwater.dk hacked
  4. Another Day, Another WordPress Hack

I checked with Wordpress folks on the #wordpress IRC channel, and was advised to purge the compromised install and redo it from scratch, and I did…

And the main lesson here is to pay attention to new Wordpress releases and upgrade as soon as a new security update is out. This entry sums it up nicely. On top of that, I decided to use the BARE MINIMUM of external plugins to minimize the risk.

Just in time, a new version of Wordpress, v2.5, has been released, so I took the opportunity to upgrade, since quite a few of the changes specifically improve the security situation. I also decided to change the theme for the blog. Using the default one was getting pretty old; too damn many blogs use it!

And so far, I like the new version; the admin interface is much cleaner and more usable. But I’m not really sure that some of the “usability” improvements are useful, things like one-click plugin updates. After the security breach, I’m paranoid about this issue, and I’d like to minimize what can be done via the web interface. Yes, doing manual updates via the command line is not as much fun, but I’d prefer it to stay that way.

P.S. If you’d like to make sure your blog is not hacked, just take a look at the HTML source of your latest blog entry and make sure there are no hundreds of links at the end of it. :)
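The P.S. check can be automated. The script below is an added example, not code from the original post or from Wordpress: it parses one entry's rendered HTML with Python's standard library, counts every link, and flags anchors nested inside an element whose inline style hides it from readers (the trick that made the injected links invisible on the page but not to search engines). The sample post, the HIDDEN_MARKERS list and the MAX_LINKS threshold are constructed assumptions for the demo.

```python
from html.parser import HTMLParser

# Inline-style fragments that hide a container from readers but not from crawlers (assumed list).
HIDDEN_MARKERS = ("display:none", "visibility:hidden", "font-size:0", "left:-")
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}  # tags that never get an end tag
MAX_LINKS = 50  # constructed threshold: a single post rarely carries more links than this


class HiddenLinkScanner(HTMLParser):
    """Counts <a href> tags and records those nested inside a hidden element."""

    def __init__(self):
        super().__init__()
        self.open_hidden = []   # one bool per open tag: did that tag start a hidden region?
        self.hidden_depth = 0   # > 0 while inside at least one hidden region
        self.total_links = 0
        self.hidden_hrefs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = any(marker in style for marker in HIDDEN_MARKERS)
        if tag not in VOID_TAGS:
            self.open_hidden.append(hidden)
            if hidden:
                self.hidden_depth += 1
        if tag == "a" and a.get("href"):
            self.total_links += 1
            if self.hidden_depth:
                self.hidden_hrefs.append(a["href"])

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.open_hidden and self.open_hidden.pop():
            self.hidden_depth -= 1


def scan_post(html):
    """Return link counts and a verdict for one post's rendered HTML."""
    scanner = HiddenLinkScanner()
    scanner.feed(html)
    scanner.close()
    return {
        "total_links": scanner.total_links,
        "hidden_links": len(scanner.hidden_hrefs),
        "hidden_hrefs": scanner.hidden_hrefs,
        "suspicious": bool(scanner.hidden_hrefs) or scanner.total_links > MAX_LINKS,
    }


# Constructed sample: a normal post followed by an injected block that readers never see.
CLEAN_POST = '<p>Upgraded to <a href="http://wordpress.org/">WordPress</a> 2.5 today.</p>'
SPAM_BLOCK = '<div style="display: none">' + "".join(
    '<a href="http://example.invalid/spam%d">spam</a>' % i for i in range(5)) + "</div>"
SAMPLE_POST = CLEAN_POST + '<p>See the <a href="http://example.invalid/changelog">changelog</a>.</p>' + SPAM_BLOCK

if __name__ == "__main__":
    print(scan_post(SAMPLE_POST))
```

Run it against the HTML of your newest entry (for example, the body of the RSS item, where the links were visible in this case) rather than the admin editor view, since the injected markup lives in the stored content.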
