I don’t believe in updating every time some software developer comes out with a new version, but I do think now is the time to upgrade your WordPress. If you are on an earlier version of WordPress (current version is 2.8.4) then I think you should upgrade – fast!
There is a nasty worm going around preying on older versions of WordPress. Not all of them will be infected, but if you have an older version of WordPress then you are vulnerable. The worm works like this:
- A hacker registers as a Subscriber to your WordPress blog
- Once in, a bot changes the Subscriber status to Admin
- Malicious code is inserted on the index.php page of your blog
- You can delete the code, but it will come back, and every time it does it also inserts itself on another page of your blog
- It won’t take long before the malicious code has infected several pages of your blog
As far as I know, the only way to combat this worm once infected is to delete all your Subscriber accounts. You could hunt for the one culprit and delete that account, but it’s a chore. It’s much easier to delete all Subscriber accounts and most of them are likely set up by spammers anyway.
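One way to do that cleanup in an orderly way is to audit the accounts first. The script below is an added example, not code from the post or from WordPress: it assumes you have exported each user's login together with their PHP-serialized wp_capabilities value from wp_users/wp_usermeta (the rows here are constructed), and it reports any account holding the Administrator role that is not on your list of known admins, plus the Subscriber accounts you would delete.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample rows: (user_id, user_login, wp_capabilities value).
# The third field is the PHP-serialized role array WordPress stores in wp_usermeta.
SAMPLE_ROWS: List[Tuple[int, str, str]] = [
    (1, "editor_jane", 'a:1:{s:13:"administrator";b:1;}'),
    (7, "reader42", 'a:1:{s:10:"subscriber";b:1;}'),
    (9, "spamm3r", 'a:1:{s:13:"administrator";b:1;}'),   # registered as Subscriber, now Admin
    (12, "commenter_bob", 'a:1:{s:10:"subscriber";b:1;}'),
]

# Each role inside the serialized array looks like  s:<len>:"<role>";b:1;
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_of(serialized: str) -> List[str]:
    """Return the role names enabled in a PHP-serialized wp_capabilities value."""
    return ROLE_RE.findall(serialized)


def audit_users(rows, known_admins) -> Dict[str, List[str]]:
    """Flag administrators you did not create, and collect Subscribers for removal.

    known_admins is the set of logins you recognise as legitimate administrators
    (hypothetical input; maintain it yourself).
    """
    unexpected_admins: List[str] = []
    subscribers: List[str] = []
    for _user_id, login, caps in rows:
        roles = roles_of(caps)
        if "administrator" in roles and login not in known_admins:
            unexpected_admins.append(login)   # a Subscriber silently promoted to Admin
        elif roles == ["subscriber"]:
            subscribers.append(login)         # candidate for the bulk deletion
    return {"unexpected_admins": unexpected_admins, "subscribers": subscribers}


if __name__ == "__main__":
    report = audit_users(SAMPLE_ROWS, known_admins={"editor_jane"})
    print("Investigate these admins:", report["unexpected_admins"])
    print("Subscriber accounts to delete:", report["subscribers"])
```

Removing the unexpected admin account and the Subscriber accounts only stops the re-infection loop; the injected code already sitting in index.php and the other affected pages still has to be cleaned out separately.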
The problem with doing this is that some of your Subscribers are actually legitimate commentators on your blog, not spammers. But they should understand if you explain your situation to them. We’ve recently had to do this on the Small Business Mavericks blog. If you have comments on the blog, they are still published, but your Subscriber account has been deleted. We hope you’ll sign up for another account if you wish to continue commenting. You’ll also need to sign in to your account every time you want to comment. I know it’s a hassle, but it’s a necessary security measure. These WordPress worms are getting nastier.
Now how about that upgrade?