Check Your WordPress Security
April 14th, 2008

Matt Mullenweg from the WordPress team has posted a message about the security of WordPress, which MarsEdit users who run WordPress should take a look at. It’s particularly timely because there are a number of attacks going around that impact older WordPress blogs that haven’t been updated to the most recent version.
In my customer support for MarsEdit, I have been seeing these security problems pop up quite a bit lately. The so-called “spam injection” attacks insert spam links into the blog with no regard for how those links break the XMLRPC interface that blog clients such as MarsEdit use to interact with your blog. It’s gotten to the point where error messages from the blog such as “Parse error. Not well formed.” are almost certain to be symptoms of such a spam injection attack: the injected content ends up in the response the client expects to be clean XML. Updating to the latest WordPress almost always fixes the problem immediately.
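To make the symptom concrete, here is an added example (not code from the original post, MarsEdit, or WordPress) that checks whether an XML-RPC response body from a blog is well-formed and reports any stray text outside the `methodResponse` element. It assumes the injected spam shows up as extra output around the XML body, such as hidden HTML emitted before the XML prolog, which is one way a strict parser in a blog client ends up reporting “not well formed”; the sample responses are constructed for the example.

```python
"""Diagnose an XML-RPC response body that a blog client failed to parse."""
import xml.etree.ElementTree as ET

# Constructed sample: a healthy XML-RPC reply to a simple string-returning call.
CLEAN_RESPONSE = (
    '<?xml version="1.0"?>\n'
    "<methodResponse><params><param><value><string>Hello</string>"
    "</value></param></params></methodResponse>\n"
)

# Constructed sample: the same reply with hypothetical hidden spam HTML
# prepended, the kind of extra output that breaks an XML parser.
TAMPERED_RESPONSE = (
    '<div style="display:none"><a href="http://spam.example/">buy</a></div>\n'
    + CLEAN_RESPONSE
)

END_TAG = "</methodResponse>"


def diagnose_xmlrpc_body(body: str) -> dict:
    """Return a report: whether the body parses, plus text found outside the XML."""
    report = {"well_formed": False, "leading_junk": "", "trailing_junk": ""}
    start = body.find("<?xml")
    end = body.rfind(END_TAG)
    # Anything before the XML declaration or after the closing tag is not
    # part of a legitimate XML-RPC response and is worth showing to the admin.
    if start > 0:
        report["leading_junk"] = body[:start].strip()
    if end != -1:
        report["trailing_junk"] = body[end + len(END_TAG):].strip()
    try:
        root = ET.fromstring(body)
        report["well_formed"] = root.tag == "methodResponse"
    except ET.ParseError as exc:
        report["error"] = str(exc)
    return report


def looks_injected(body: str) -> bool:
    """True when the body fails to parse and stray text surrounds the XML."""
    report = diagnose_xmlrpc_body(body)
    return not report["well_formed"] and bool(
        report["leading_junk"] or report["trailing_junk"]
    )


if __name__ == "__main__":
    for label, body in (("clean", CLEAN_RESPONSE), ("tampered", TAMPERED_RESPONSE)):
        print(label, diagnose_xmlrpc_body(body), "injected:", looks_injected(body))
```

A parse failure with no stray text around the XML points at a different problem (for example a plugin producing bad markup), so the report keeps the two cases distinct.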
Matt’s advice is pretty basic: update to the latest WordPress, and check your posts for signs of tampering. But it’s nice to have advice “from the top,” so to speak. I will be glad to see this wave of blog attacks pass us by as more and more users get updated to the latest release of WordPress.
I commented on the post, suggesting that what WordPress would really benefit from is some kind of automated updater, so that users can easily update without having to worry about whether they’re doing it right or whether they’ll mess up their blog. The great news is that Matt replied, saying that they are in fact working on such a feature for 2.6.
Looking forward to a built-in automatic updater for WordPress! But in the meantime, be sure to stay current so you avoid the nasty attacks that are going around.
April 14th, 2008 at 3:38 pm
Incidentally, the injection that I had happened with WordPress 2.3.3, which, at the time, was the latest version. Staying up-to-date didn’t help me there.
That’s not to say that it’s a bad idea; just that it’s not foolproof. A real security solution involves multiple defenses: up-to-date code, a strong password (both on your blog and on your hosting account), etc.
April 14th, 2008 at 3:57 pm
The thought of posts being modified is scary! Anyone thinking of a PGP signing capability to lock down posts? Would be really nice to have that level of protection.
April 23rd, 2008 at 8:37 am
Your defense is only as strong as the weakest link? How well protected is the entry point for the files which will be updated automatically? Against an insider?