Posts Tagged ‘Security’

Is your WordPress blog under attack?

Saturday, September 5th, 2009

A few weeks ago, I warned students about the necessity of keeping their WordPress blog updated. If your blog is hosted on wordpress.com, it is updated. This warning is for self-hosted blogs. The latest version, WordPress 2.8.4, closes a hole in previous versions that allowed hackers to create a backdoor administrator account on your blog.

Unfortunately, a lot of WordPress bloggers did NOT heed the warning to update that appeared at the top of their blog administration panel. A serious attack has been launched this weekend and hundreds of blogs have already been affected. Mashable is doing its part to spread the word about this attack and the need to upgrade immediately to WordPress 2.8.4.

How serious is this threat? Lorelle VanFossen tells her readers to stop reading her post until they are sure that their blog is updated. Don’t worry about finding out if your blog is affected first. She instructs WordPress bloggers to do the update first, then take a look to see if the blog was compromised. Lorelle offers two clues to look for:

There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.”

The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution.
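Both clues can be checked mechanically. The sketch below is an added example, not code from the original post, from Lorelle's article or from WordPress. It assumes you have copied your permalink structure setting and a list of user logins with their roles out of the admin screens by hand; the function names and the sample users are hypothetical.

```python
import re
from urllib.parse import unquote

# The two keywords the post names as the sign of a tampered permalink.
SUSPICIOUS = re.compile(r"\b(eval|base64_decode)\s*\(", re.IGNORECASE)

def suspicious_permalink(value, max_layers=5):
    """Return the flagged keywords found in a permalink or URL.

    The raw value and every percent-decoded layer are scanned, because
    decoding can both reveal a keyword (%2528 -> %28 -> "(") and mangle
    one ("%ba" in "%base64_decode" is a valid hex escape).
    """
    hits = set()
    for _ in range(max_layers + 1):
        hits.update(m.group(1).lower() for m in SUSPICIOUS.finditer(value))
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return sorted(hits)

def unexpected_admins(users, expected_admins):
    """Return administrator logins that are not on the list you recognise."""
    expected = {name.lower() for name in expected_admins}
    return [u["login"] for u in users
            if u["role"] == "administrator" and u["login"].lower() not in expected]

# The permalink quoted in the post, plus a clean structure for comparison.
SAMPLE_PERMALINK = ("example.com/category/post-title/%&(%7B$%7Beval(base64_decode"
                    "($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/")
CLEAN_PERMALINK = "/%year%/%monthnum%/%postname%/"

# Constructed user list for illustration; "wp_sys" is a made-up login.
SAMPLE_USERS = [
    {"login": "alice", "role": "administrator"},
    {"login": "bob", "role": "author"},
    {"login": "wp_sys", "role": "administrator"},
]

if __name__ == "__main__":
    for link in (SAMPLE_PERMALINK, CLEAN_PERMALINK):
        print(link, "->", suspicious_permalink(link) or "clean")
    print("unrecognised admins:", unexpected_admins(SAMPLE_USERS, ["alice"]))
```

A clean result from either check does not prove the blog is untouched; update first, as the post says, and treat any hit as a reason to follow the repair steps.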

What to do if your blog is affected?

These hacks are digging down deep into WordPress installations; even the database may be affected. The severity of the attack will determine how much work you have to do to eradicate it. Lorelle’s post details options and instructions on how to repair the damage. In addition, prevention is always the best route, and Lorelle reviews some of the best measures to secure your blog. Even if your blog is not affected, it is well worth your time to review her advice on securing your blog.

Please note: I have seen a number of bogus registration attempts on blogs this past week. Even if your blog is up to date, you can help secure your blog by turning off the Anyone can register option. Go to Settings > Membership options to turn off this feature.


What version of WordPress are YOU running?

Tuesday, August 18th, 2009

If you aren’t running WordPress 2.8.4, you could be in trouble.
Since WordPress 2.8 was released last spring, WordPress has released four bug/security fixes. Each of these fixes is important. One of the drawbacks of being a popular open source platform is that you catch people’s attention, even hackers’. One of the ways that WordPress helps keep your blog secure is by staying on top of potential security holes and repairing them as soon as possible.

One of the best ways that YOU can secure your blog is to make sure that you update your blog whenever a security update is available. On your dashboard, WordPress will tell you when and what kind of update is available. If it is a security update, you will want to update your blog as soon as possible.

  1. Back up your files
  2. Update any of your plug-ins that are flagged
  3. Click the Update button on your Dashboard
  4. Sit back and relax knowing that your blog is now more secure