With WordCamp 2009, it’s interesting that there’s been a slew of attacks and exploits being arrayed against WordPress. The first one is the Remote Admin Reset Vulnerability documented by Laurent Gaffié here and here. I’ve asked the question in StackOverflow and of course the intuitive answer would be:
“As I understand it, the patch closes that particular hole. However, another basic security measure I take on every WP site I administrate is to delete the “admin” user, and ideally never have any users’ usernames be the same as their display names. That doubles the security in that bad guys have to guess the usernames, as well as figure out a way to hack the passwords.
There are strange additions to the pretty permalinks, such as
example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.”
The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution.”
“I’m talking about this not to scare you, but to highlight that this is something that has happened before, and that will more than likely happen again.
A stitch in time saves nine. Upgrading is a known quantity of work, and one that the WordPress community has tried its darndest to make as easy as possible with one-click upgrades. Fixing a hacked blog, on the other hand, is quite hard. Upgrading is taking your vitamins; fixing a hack is open heart surgery. (This is true of cost, as well.)
2.8.4, the current version of WordPress, is immune to this worm. (So was the release before this one.) If you’ve been thinking about upgrading but haven’t gotten around to it yet, now would be a really good time. If you’ve already upgraded your blogs, maybe check out the blogs of your friends or that you read and see if they need any help. A stitch in time saves nine.
Whenever a worm makes the rounds, everyone becomes a security expert and peddles one of three types of advice: snake oil, Club solutions, or real solutions. Snake oil you’ll be able to spot right away because it’s easy. Hide the WordPress version, they say, and you’ll be fine. Uh, duh, the worm writers thought of that. Where their 1.0 might have checked for version numbers, 2.0 just tests capabilities, version number be damned.”
So there, that’s straight from Matt himself and if you have any doubts, you can always ask him personally at WordCamp Philippines 2009 (incidentally, registration just closed)!