Secure your WordPress Blog. Upgrade Now!
September 5, 2009 by Emily
Around the Web
There is a worm that has been making its way around since yesterday, attacking WordPress blogs that run older versions. If you haven’t upgraded to the current version, please do so right now. Otherwise there is a very high chance your blog will be compromised, and it’s much harder to clean up a hacked blog than to upgrade it and keep it secure in the first place.
I’ve noticed some confusion among users at other sites, so I want to make this clear. If you have the current version of WP, which is 2.8.4, you are safe: your blog is immune to this worm. If you have an older version, especially a much older one, you need to upgrade ASAP. Also, this only applies to self-hosted WP blogs. Blogs on wordpress.com aren’t affected because they are always kept current.
Matt goes into specifics about this worm and the importance of upgrading over on the dev blog and I encourage you to go read it.
If you have version 2.7 or above you should be able to upgrade automatically. It’s extremely simple. In your WP admin, just click on Tools > Upgrade and click on the button that says “Upgrade Automatically”. It takes about 10 seconds and you’re done. I’ve upgraded hundreds of blogs this way and have never had any problems. (Note: this doesn’t mean you shouldn’t make a backup beforehand; you should be making regular backups of your blog anyway!)
The only thing that might be an issue with automatic upgrades is if you are using either of the default WP themes: those WILL get overwritten. The best way to guard against this is to rename your theme. You can follow the simple instructions here. As long as you aren’t using the default theme, though, your theme will NEVER be touched in an automatic upgrade.
If you have an older version of WP that doesn’t have automatic upgrades or your host doesn’t support that feature or you’d just feel safer doing it yourself, it’s still very easy to upgrade WordPress. I wrote a tutorial about upgrading WP a few years ago and the instructions still apply today.
Whether you spend the 10 seconds upgrading your blog automatically or the 5 minutes to upgrade manually, it’s extremely important that you always upgrade when a new version comes out. The new version is always the best, most secure version to have. And if the developers at WP find a new problem they will keep putting out new versions until that problem has been fixed (this is especially true since automatic upgrades were introduced). If you don’t upgrade, you are opening yourself up to being taken advantage of by people who want to exploit the very problems the developers work so hard to fix.
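For a host or admin looking after several self-hosted installs, the quickest way to find the ones that still need the upgrade is to check the version each install records on disk. The script below is an added example, not code from this post or from WordPress: it reads `$wp_version` from `wp-includes/version.php` (a file every install ships) and assumes the installs all live under one directory; the three sample sites it builds for the demo are constructed.

```python
# Added example, not from the post: flag self-hosted WordPress installs older
# than 2.8.4 (the release the post calls safe) by reading $wp_version from
# wp-includes/version.php. Directory layout and sample sites are assumed.
import os
import re
import tempfile
from pathlib import Path
SAFE_VERSION = "2.8.4"  # current release per the post
# Matches the line WordPress ships in version.php:  $wp_version = '2.8.4';
_VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""")

def parse_wp_version(php_source):
    """Return the version string from version.php source, or None if absent."""
    m = _VERSION_RE.search(php_source)
    return m.group(1) if m else None

def version_tuple(version):
    """'2.8.4' -> (2, 8, 4, 0); a pre-release tag ('2.8.4-beta1') becomes -1
    so it sorts below the final release and is never reported as safe."""
    nums = []
    for part in re.split(r"[.\-]", version):
        if not part.isdigit():
            nums.append(-1)
            break
        nums.append(int(part))
    return tuple((nums + [0, 0, 0, 0])[:4])

def needs_upgrade(version, safe=SAFE_VERSION):
    return version_tuple(version) < version_tuple(safe)

def scan_installs(root):
    """Walk root; return (install_dir, version, needs_upgrade) per WordPress
    install. An unparseable version.php is reported as needing attention."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == "wp-includes" and "version.php" in filenames:
            with open(os.path.join(dirpath, "version.php"), errors="replace") as fh:
                ver = parse_wp_version(fh.read())
            findings.append((os.path.dirname(dirpath), ver, ver is None or needs_upgrade(ver)))
            dirnames[:] = []  # nothing below wp-includes is another install
    return findings

def demo_scan():
    """Constructed sample of three installs; returns {site: (version, needs_upgrade)}."""
    with tempfile.TemporaryDirectory() as root:
        for site, ver in (("blog-a", "2.8.4"), ("blog-b", "2.7.1"), ("blog-c", "2.3")):
            inc = Path(root) / site / "wp-includes"
            inc.mkdir(parents=True)
            (inc / "version.php").write_text(f"<?php\n$wp_version = '{ver}';\n")
        return {os.path.basename(i): (v, n) for i, v, n in scan_installs(root)}
```

Point `scan_installs` at the directory that holds your customers' sites and anything flagged `True` is a blog that should be upgraded today.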
So what do you do if you’ve already been hacked? Here are several helpful posts with instructions to fix it:
I also wrote several posts about how to clean up a hacked WP blog and prevent it from happening again:
- Fix a hacked site and prevent it from happening again – Part 1
- Web 101: Fix a hacked site and prevent it from happening again – Part 2
And if your blog is just totally, irrevocably screwed up (which has not been my experience with this particular hack, I’ve fixed 3 blogs already just using the first link above), here’s a good tutorial for getting a copy of your content and starting fresh:
And just a reminder to Swank Web Hosting customers: Upgrades are free! I encourage you to use the automatic upgrade feature, but if you have a really old version of WP or you aren’t sure about upgrading yourself, please contact us and we’ll get you set up with the current version of WP.