Why you need to upgrade to WordPress 2.8.4 immediately (if you haven’t already done so)

WordPress versions 2.8.0 through 2.8.3 have a major security issue that lets anyone (not just hackers, literally anyone) reset the admin password on your blog in a matter of minutes. Full info can be found here.

Version 2.8.4 was released to remedy that, and I hope most of you have already upgraded.

Many people will not click the upgrade link right away, and even more will not bother to read the explanation of the latest patch on the development blog.

My feeling is that in a situation like this, where security is severely compromised, WordPress should have another mechanism: a big red warning advising the user to upgrade immediately, or even performing the upgrade by itself.
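If you cannot upgrade this minute, you can at least see whether someone is already hammering the reset endpoint. The script below is an added example, not code from the original post or from WordPress: it scans web server access logs in the Apache/nginx "combined" format for the reset URL quoted in the comments below (wp-login.php?action=rp&key=) and flags any source address that repeatedly sends a key that cannot be a genuine activation key: absent, blank, non-alphanumeric, or array-valued (key[]=, which PHP turns into an array rather than a string, something a string-only check never expects). The log lines, the threshold of two hits, and the function names are all my own assumptions for the example.

```python
"""Flag repeated bogus password-reset requests against wp-login.php.

Added example for log review; not part of WordPress or of the original post.
Assumes Apache/nginx "combined" access-log lines and a WordPress install whose
login script lives at .../wp-login.php.
"""
import re
import sys
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log (not a real capture): one host scripts the reset URL
# every five seconds, another follows a genuine reset link and then logs in.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Aug/2009:20:40:01 +0000] "GET /wp-login.php?action=rp&key= HTTP/1.1" 200 1432 "-" "curl/7.19.5"
203.0.113.5 - - [24/Aug/2009:20:40:06 +0000] "GET /wp-login.php?action=rp&key[]= HTTP/1.1" 200 1432 "-" "curl/7.19.5"
203.0.113.5 - - [24/Aug/2009:20:40:11 +0000] "GET /wp-login.php?action=rp&key= HTTP/1.1" 200 1432 "-" "curl/7.19.5"
198.51.100.7 - - [24/Aug/2009:20:41:30 +0000] "GET /wp-login.php?action=rp&key=a1b2c3d4e5f6a7b8c9d0 HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Aug/2009:20:42:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
"""

# Combined log format; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (client ip, timestamp, request target) for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("ts"), m.group("target")


def is_suspect_reset(target):
    """True when the request is wp-login.php?action=rp with a key that cannot be
    a real activation key: missing, blank, array-valued (key[]=...), or made of
    characters other than [a-zA-Z0-9]."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-login.php"):
        return False
    params = parse_qsl(parts.query, keep_blank_values=True)
    if ("action", "rp") not in params:
        return False
    keys = [(n, v) for n, v in params if n == "key" or n.startswith("key[")]
    if not keys:
        return True  # action=rp with no key parameter at all
    for name, value in keys:
        if name != "key":
            return True  # key[]=... arrives as a PHP array, never a valid key
        if not re.fullmatch(r"[a-zA-Z0-9]+", value):
            return True  # blank or non-alphanumeric key
    return False


def find_reset_abuse(log_text, threshold=2):
    """Count suspect reset requests per client and return those at or above
    threshold. A single hit may be a user with a mangled e-mail link; a stream
    of them from one address is someone scripting the reset to keep the admin
    locked out."""
    hits = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, _ts, target = parsed
        if is_suspect_reset(target):
            hits[ip] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    # Usage: python3 wp_rp_detect.py [access.log]; without a path the sample runs.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, n in sorted(find_reset_abuse(text).items()):
        print(f"{ip}: {n} suspect password-reset requests")
```

Run it against the sample and only 203.0.113.5 is reported, with three hits; the host that followed a proper twenty-character key is ignored. Blocking a flagged address at the web server buys time, but it does not fix the underlying check, so the upgrade still has to happen.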


Posted in: WordPress

21 Comments

  1. seqizz
    Oct 18th, 2009 2:30 PM

    Now I have a website which I can't log in to anymore, because I didn't have time to upgrade, so somebody kissed my blog.
    What can I do now? Is there any way to recover?

    • Oct 19th, 2009 10:14 AM

      Upgrading the WordPress installation files may help you in your case. Try restoring a DB backup (you keep those, right?).

  2. Sep 2nd, 2009 11:04 PM

    Hi Vladimir,
    My blog is running an older version of WordPress since I hate upgrading. It sounds like the security threat applies to older versions of 2.9 but not 2.7 and below. Is this true? I saw that you recommended above to someone running a 2.7 version to upgrade, but you didn't say why. So just to be clear, the threat is to previous 2.8 versions only, right? (I'd like any excuse to keep putting off upgrading... :) )

    • Sep 10th, 2009 1:57 PM

      Steve, if I may be forgiven, your policies are beyond stupid. This is especially true in light of how easy it is to upgrade WP these days. I bet you don't do Windows or SUSE updates either. You deserve to get hacked, with absolutely no sympathy from the rest of us.

    • Sep 12th, 2009 7:25 PM

      Steve,

      There are different security threats to WP 2.7 series blogs and yet other security issues with other earlier versions. That's why we have ... upgrades. :)

      Honestly, you should upgrade. Example: I just finished cleaning up a newspaper that was running 2.7.1 and got hacked. 30,000+ pages to inspect. 27 hours later - and a big bill - it was cleaned up. Or, they could have kept it upgraded and paid... zero.

      There is a legal concept called "due diligence" that more hosting companies are using. This means that _you_, the end user, are responsible for your software upgrades, be they Windows, WordPress or whatever. A new client called me recently. She was running WP 2.1.2 at a hosting company. They suspended her blog, saying that it was a danger to others on her shared hosting. They gave her a day to upgrade it and get it current, and that's where I came into the picture. Somehow, amazingly, she wasn't hacked yet.

      Google has also grown impatient with hacked stuff. You can get your blog or website delisted at Google if it's hacked. Not good.

      In other words, there are many, many reasons to upgrade and no reason not to. The math is easy. :)

  3. Aug 30th, 2009 12:48 PM

    I installed 2.8.4 and when I go to the widget section, only the left sidebar will display a widget list. I cannot open to edit any. The right widget list will not open. Does anyone have a solution?

  4. Aug 26th, 2009 9:36 AM

    WordPress has major issues with older versions. They were not secure, for security reasons. So you need to upgrade your version. I totally agree with this post. Really a nice post. Thanks.

  5. Aug 25th, 2009 12:58 AM

    p.s. I should also mention that I did not get any response e-mails, even though I subscribed when I first commented. Is this just me, or does anyone else suffer this? (yes, I have checked my spam folder, nothing there).

    • Aug 25th, 2009 7:57 AM

      Did you get this reply?

      It is a new plugin I am using, which should send notifications only to the person you are replying to (instead of everyone).

      However maybe it doesn't work if a third person started a thread like Ozh did in that case.

      • Aug 25th, 2009 8:18 AM

        Hi Vladimir

        Sorry, no. I noticed your comment because I've kept the tab open... Does not work for me :-(

        • Aug 26th, 2009 9:40 AM

          Darn, I thought this plugin was brilliant :)

  6. mae
    Aug 24th, 2009 11:07 PM

    I thank you for taking the initiative & agree that WordPress should have done more. I have been on their site ALL day looking for the best Current Seo optimized free theme page & this is the First time I have come across this information..... Thank You

  7. Aug 23rd, 2009 3:25 PM

    Some of my blogs are still running on the latest 2.7 version.

    Is 2.7.1 still considered safe?

    thanks

    • Aug 24th, 2009 8:49 PM

      I recommend using the latest version if you are able to.

  8. Aug 22nd, 2009 6:13 PM

    It's not really a "major security issue", it's more an annoyance because it's just a pain in the ass to get a password changed. The malicious hacker cannot get it anyway, they just can annoy you.

    • Aug 22nd, 2009 6:19 PM

      But a hacker can do this at (short) regular intervals to lock the admin, or any other user, out of the blog. The hacker didn't get into the blog, but then neither can you. The problem is that most people will not know what is happening, and that, in combination with how easy it is to do, is why I called it 'major'.

      • greg
        Aug 23rd, 2009 12:10 AM

        I tried this on several of my 2.8.3 WordPress blogs. I even tried it on a version 2.7 I've got sitting around and in every case it simply returned "Invalid key". It never reset my admin password.

      • Aug 24th, 2009 1:20 PM

        But, the password is not actually reset until the admin clicks the link in the e-mail. I had quite a few of those on some of my blogs before the 2.8.4 was released.

        I call it a major pain in the bum, but the hacker can not actually lock the admin out using this method.

        I agree with your sentiment btw, I wrote about it a while back: http://mywordpress.com/changelog-wordpress-updates/

        • Aug 24th, 2009 8:40 PM

          The admin does not have to click the link in the email. You need to call:

          http://yoursite.com/wp-login.php?action=rp&key=

          and the password is reset on any WP site using 2.8.0 - 2.8.3

          Do that in a script every 5 seconds and the admin is effectively locked out. Now that might be an annoyance for you or me, who will dig up the issue, but for 99% of WP users that is a security problem.

          • Aug 25th, 2009 12:56 AM

            I stand corrected. I was reading the bug as merely e-mailing the admin the password reset e-mail, yet not actually resetting it. Anyway, I have already upgraded, but I expect many still wait.

            • Oct 19th, 2009 9:21 AM

              It is well known in both Linux and Windows circles that you have to constantly upgrade to keep ahead of the crackers. That's the main reason for most of the upgrade patches: to plug security flaws. Those who wait will eventually get cracked. I would say that they deserve the rewards for their stupidity, but on the other hand, the scumbag cracker shouldn't be given a free win either.

              We need to start stuffing crackers, like McKinnon, behind bars for multiple decades each.
