WordPress versions 2.8.0 through 2.8.3 have a major security issue which allows anyone (not just hackers, but literally anyone) to change the admin password on your blog in a matter of minutes. Full info can be found here.
Version 2.8.4 was released to remedy this, and I hope most of you have already upgraded.
Many people will not click the upgrade link right away, and even more will not bother to read the explanation on the development blog about the latest patch.
My feeling is that in a situation like this, where security is severely compromised, WordPress should have another mechanism: display a big red warning advising the user to upgrade immediately, or even perform the upgrade by itself.
21 Comments
Now I've a website which I can't log in to anymore, because I didn't have time to upgrade, so somebody kissed my blog.
What can I do now? Is there any way to recover?
Upgrading the WordPress installation files may help you in your case. Try restoring a DB backup (you keep those, right?).
hi Vladimir,
My blog is running an older version of WordPress since I hate upgrading. It sounds like the security threat applies to older versions of 2.9 but not 2.7 and below. Is this true? I saw that you recommended above to someone running a 2.7 version to upgrade, but you didn't say why. So just to be clear, the threat is to previous 2.8 versions only, right? (I'd like any excuse to keep putting off upgrading... :) )
Steve, if I may be forgiven, your policies are beyond stupid. This is especially true in light of how easy it is to upgrade WP these days. I bet you don't do Windows or Suse updates either. You deserve to get hacked, with absolutely no sympathies from the rest of us.
Steve,
There are different security threats to WP 2.7 series blogs and yet other security issues with other earlier versions. That's why we have ... upgrades. :)
Honestly, you should upgrade. Example: I just finished cleaning up a newspaper that was running 2.7.1 and got hacked. 30,000+ pages to inspect. 27 hours later - and a big bill - it was cleaned up. Or, they could have kept it upgraded and paid... zero.
There is a legal concept called "due diligence" that more hosting companies are using. This means that _you_, the end user, are responsible for your software upgrades, be they Windows, WordPress or whatever. A new client called me recently. She was running WP 2.1.2 at a hosting company. They suspended her blog, saying that it was a danger to others on her shared hosting. They gave her a day to upgrade it and get it current, and that's where I came into the picture. Somehow, amazingly, she wasn't hacked yet.
Google has also grown impatient with hacked stuff. You can get your blog or website delisted at Google if it's hacked. Not good.
In other words, there are many, many reasons to upgrade and no reason not to. The math is easy. :)
I installed 2.8.4 and when I go to the widget section, only the left sidebar will display a widget list. I cannot open to edit any. The right widget list will not open. Does anyone have a solution?
WordPress has major issues with older versions. It was not secure, as per security reasons. So you need to upgrade your version. I totally agree with this post. Really a nice post. Thanks
p.s. I should also mention that I did not get any response e-mails, even though I subscribed when I first commented. Is this just me, or does anyone else suffer this? (yes, I have checked my spam folder, nothing there).
Did you get this reply?
It is a new plugin I am using, that should send notifications only to the person you are replying to (instead of everyone..)
However, maybe it doesn't work if a third person started a thread, like Ozh did in that case.
Hi Vladimir
Sorry, no. I noticed your comment because I've kept the tab open... Does not work for me :-(
Darn, I thought this plugin was brilliant :)
I thank you for taking the initiative and agree that WordPress should have done more. I have been on their site ALL day looking for the best current SEO-optimized free theme page, and this is the first time I have come across this information... Thank you.
Some of my blogs are still running on the latest 2.7 version.
Is 2.7.1 still considered safe?
Thanks
I recommend using the latest version if you are able to.
It's not really a "major security issue", it's more an annoyance because it's just a pain in the ass to get a password changed. The malicious hacker cannot get it anyway, they just can annoy you.
But a hacker can do this in (short) regular intervals to lock the admin, or any other user, practically out of the blog. The hacker didn't get into the blog, but neither can you. The problem is that most people will not know what is happening, and that, in combination with a very easy way to do it, is why I called it 'major'.
I tried this on several of my 2.8.3 WordPress blogs. I even tried it on a version 2.7 I've got sitting around, and in every case it simply returned "Invalid key". It never reset my admin password.
But the password is not actually reset until the admin clicks the link in the e-mail. I had quite a few of those on some of my blogs before 2.8.4 was released.
I call it a major pain in the bum, but the hacker can not actually lock the admin out using this method.
I agree with your sentiment btw, I wrote about it a while back: http://mywordpress.com/changelog-wordpress-updates/
The admin does not have to click the link in the email. You need to call:
http://yoursite.com/wp-login.php?action=rp&key=
and the password is reset on any WP site using 2.8.0 - 2.8.3
Do that in a script every 5 seconds and the admin is effectively locked out. Now that might be an annoyance for you or me, who will dig up the issue, but for 99% of WP users that is a security problem.
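A defender-side check for the pattern described in this comment, added here as an example (not code from the original post or from WordPress): it scans constructed access-log lines for wp-login.php?action=rp requests whose key is missing, blank or not an opaque token, and reports source IPs that repeat them. The combined log format, the token pattern and the threshold of three are assumptions.

```python
"""Scan an access log for repeated bogus password-reset requests
(wp-login.php?action=rp with an empty or malformed key).  All input is constructed."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Combined/common log format: ip ident user [time] "METHOD path HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption: a genuine reset link always carries an opaque alphanumeric token.
VALID_KEY = re.compile(r'^[A-Za-z0-9]{10,}$')


def is_bogus_reset(request_path):
    """True for a wp-login.php?action=rp request whose key is missing, blank or not a token."""
    parts = urlsplit(request_path)
    if not parts.path.endswith('/wp-login.php'):
        return False
    query = parse_qs(parts.query, keep_blank_values=True)
    if query.get('action') != ['rp']:
        return False
    keys = query.get('key', [])
    return not (len(keys) == 1 and VALID_KEY.match(keys[0]))


def scan(lines, threshold=3):
    """Return {ip: count} for source IPs with at least `threshold` bogus resets."""
    hits = defaultdict(int)
    for line in lines:
        match = LOG_RE.match(line)
        if match and is_bogus_reset(match['path']):
            hits[match['ip']] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


# Constructed sample: one source hammering the reset URL, one legitimate reset.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2009:10:00:01 +0000] "GET /wp-login.php?action=rp&key= HTTP/1.1" 200 1532
203.0.113.7 - - [12/Aug/2009:10:00:06 +0000] "GET /wp-login.php?action=rp&key= HTTP/1.1" 200 1532
203.0.113.7 - - [12/Aug/2009:10:00:11 +0000] "GET /wp-login.php?action=rp&key= HTTP/1.1" 200 1532
198.51.100.4 - - [12/Aug/2009:10:02:30 +0000] "GET /wp-login.php?action=rp&key=Q1w2E3r4T5y6U7i8 HTTP/1.1" 200 1532
198.51.100.4 - - [12/Aug/2009:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1201
""".splitlines()

if __name__ == '__main__':
    for ip, count in scan(SAMPLE_LOG).items():
        print(f'{ip}: {count} bogus reset requests; block it and confirm the admin can still log in')
```

A hit means the blog should be upgraded to 2.8.4 and the admin login verified, since each request may already have reset the password.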
I stand corrected. I was reading the bug as merely e-mailing the admin the password reset e-mail, yet not actually resetting it. Anyway, I have already upgraded, but I expect many still wait.
It is well known in both Linux and Windows circles that you have to constantly upgrade to keep ahead of the crackers. The main reason for most of the upgrade patches is to plug security flaws. Those who wait will eventually get cracked. I would say that they deserve the rewards for their stupidity, but on the other hand, the scumbag cracker shouldn't be given a free win either.
We need to start stuffing crackers, like McKinnon, behind bars for multiple decades each.