Alternate Title: “Dr Wormpress: Or How I Learned to Stop Worrying and Love the Worm”.
Late last week I started getting emails from some old (read: not upgraded) Wordpress installations I have out there on the web. The emails were telling me that new users were registering. No good.
Not long afterward I started hearing reports of others having similar experiences followed by some problems with their Wordpress blogs. Immediately I notified everybody on this Wordpress newsletter to hopefully save them some trouble.
I’m not going to go into exactly what the worm did. Suffice it to say that it wasn’t too terrible, but it wasn’t pleasant either. (If you want to know more about the worm or are still having problems with it, then check out the resources at the bottom of this page.)
What made this worm remarkable is that it was so widespread. There have always been worms going around Wordpress, but none have been as widespread as this one.
What was also remarkable is that this worm affected only non-upgraded Wordpress blogs. If you were running 2.8.4, then you were safe.
Why did this worm only affect older versions of Wordpress?
Well, the brains behind Wordpress spotted the vulnerability a while back and released a security patch. So if you had upgraded, you were sitting pretty. The rest of us were very much vulnerable.
I’m not a hacker myself. Nor do I write or ever plan to write malicious code. But the people out there who do tend to be smart. Smart people like them could easily watch the developer community of Wordpress to see when new versions come out.
And when new versions of Wordpress come out, it is openly stated why, and what vulnerabilities they are fixing. Any smart hacker could then build a script that takes advantage of that security hole in outdated versions. To make this a bit simpler, it’s a bit like Wordpress saying “We had to make a new version because it turns out that anyone can break into the house by crawling through the attic. This new version locks the attic.” Now the hackers can go and climb through the attic of all the blogs that aren’t upgraded. See what I mean?
In other words, if you aren’t running the latest version of Wordpress, then your blog’s weaknesses and dirty laundry are hanging out there for everyone to see. And the bad guys know just where to look.
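The practical defender’s question this raises is which of your own installs are still below the fixed release. The following is an added example (not code from the original post or from Wordpress) that reads each install’s `wp-includes/version.php`, which sets `$wp_version`, and flags anything older than 2.8.4, the fixed version named above; an install whose version cannot be read is flagged rather than assumed safe. The sample installs it builds are constructed fixtures.

```python
# Added example (not from the original post): an inventory check that flags
# WordPress installs still below the fixed release named above, 2.8.4. It
# assumes the standard wp-includes/version.php layout: $wp_version = 'x.y.z';
import os
import re
import tempfile

FIXED_VERSION = "2.8.4"
_VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]\s*;")

def parse_version(text):
    """'2.8.4-beta1' -> (2, 8, 4); tuples avoid the '2.8.10' < '2.8.4' string trap."""
    core = text.split("-", 1)[0]
    return tuple(int(p) for p in core.split("."))

def installed_version(install_dir):
    """Read $wp_version from wp-includes/version.php; None if unreadable."""
    path = os.path.join(install_dir, "wp-includes", "version.php")
    try:
        with open(path, encoding="utf-8") as fh:
            match = _VERSION_RE.search(fh.read())
    except OSError:
        return None
    return match.group(1) if match else None

def outdated_installs(install_dirs, minimum=FIXED_VERSION):
    """{dir: version} for installs below minimum; unreadable ones flagged as None."""
    flagged = {}
    for d in install_dirs:
        ver = installed_version(d)
        if ver is None or parse_version(ver) < parse_version(minimum):
            flagged[d] = ver
    return flagged

def make_fake_install(root, version):
    """Constructed fixture: an install tree holding only version.php."""
    inc = os.path.join(root, "wp-includes")
    os.makedirs(inc, exist_ok=True)
    with open(os.path.join(inc, "version.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\n$wp_version = '%s';\n" % version)
    return root

def demo():
    """Constructed installs in a temp dir; returns flagged ones by short name."""
    base = tempfile.mkdtemp()
    cases = (("old", "2.7.1"), ("patched", "2.8.4"), ("newer", "2.8.10"))
    dirs = [make_fake_install(os.path.join(base, n), v) for n, v in cases]
    flagged = outdated_installs(dirs + [os.path.join(base, "missing")])
    return {os.path.basename(d): v for d, v in flagged.items()}
```

Point it at your real install directories in place of the constructed ones; the same check works for any later fixed release by changing `FIXED_VERSION`.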
What’s the Moral?
Simply: Upgrade when you see the alert on your Wordpress dashboard.
As Matt (the Wordpress Pope) says, upgrading consistently is the only way to ensure you stay ahead of the bad guys. So do it. It’s easy.
That’s it? No insights? Geez.
Well since you asked…
I’ve come away with a few different thoughts. I’m not sure how to string them together, so I’ll be lazy and put them in a list.
- The Web Is Insecure: Yup, it is. Get over it. You protect your Windows computer with antivirus software, so why would you assume Wordpress is any different? Give them a break. If you have a blog that has to be safe, you need to hire someone to lock it down (see the bottom of the page).
- Wordpress will die someday: As much as I hate to think of it and say it, this makes it clear that Wordpress will some day go by the wayside. I hope it’s a long time from now. As WP gets more popular, it will become a bigger target. This by no means should make ANYONE avoid using Wordpress… I’m talking extremely long-term here.
- DiveIntoMark is an awesome blog: I’ve thought this for a while, but this post about blog security reminded me why Mark is the man.
Wordpress Worm Resources
If you are still being haunted by the Wordpress Worm or have some sort of sick fascination with it, here are some fun resources:
