Technorati has stopped indexing blogs that run WordPress versions prior to 2.3.3. They cite the numerous security issues as the reason. It reflects poorly on Technorati if a user clicks through to a blog through them and that blog infects the user’s computer with a virus.
Google does something similar with their “This web site may harm your computer” warnings, although Google only does so once a web site has actually been infected. Technorati assumes that old WP blogs will be infected, it’s just a matter of time, so why not block them right away…
So if you haven’t yet upgraded to 2.3.3 (latest version in the 2.3 branch) or the brand spanking new 2.5, then your blog will no longer be updated in Technorati.
Although Technorati is no longer a “must-have” for bloggers, they still send some traffic.
The latest and greatest version of WordPress was released this weekend.
I’ve been running the release candidates of 2.5 on another smaller blog for a while, and the code has become significantly more stable during that time. But as usual you should expect a 2.5.1 bug fix release within a few weeks (after the developers have had some time to catch up on their sleep).
The focus for this release is on the admin side of WordPress. The new admin interface takes some time to get used to, but now I like it. It has a lot of new features which simplify the life of a blogger.
You can read the official announcement and a description of all the new features here.
After almost six months of development WordPress version 2.5 is slated to be released today. (Version 2.4 was supposed to be released just after the Christmas holidays, but it was skipped.)
Here are some of the major new features:
- The admin pages have been extensively overhauled. They have a new, more “web 2.0” look.
- Avatars are supported in comments. By default Gravatar, recently purchased by Automattic (the company behind much of the WP development), is supported.
Not Another Upgrade…
I know it wasn’t long since you upgraded to 2.3.3 (I hope you did!). There are always bugs that slip into major releases and they are fixed in the next point version. Here’s a look at the history of major WordPress releases:
| Major Release | Release Date | First Bug Fix | Bug Fix Released |
| --- | --- | --- | --- |
| 2.0 | Dec 31, 2005 | 2.0.1 | 31 days later |
| 2.1 | Jan 22, 2007 | 2.1.1 | 30 days later |
| 2.2 | May 16, 2007 | 2.2.1 | 36 days later |
| 2.3 | Sep 24, 2007 | 2.3.1 | 32 days later |
As you can see from the history there is a new major release every 5-6 months, and a bug fix coming about 30 days later.
I want to focus on blogging. Do I have to upgrade?
If you’re not worried about keeping up with the Joneses in terms of sporting the latest and greatest WordPress software and plugins, then by all means stay on version 2.3.3. (If you’re on a version prior to 2.3.3 you should upgrade immediately due to security issues in all prior WordPress versions.)
The WordPress developers typically maintain the two latest major branches. That means 2.3.x code will be kept up to date with the latest security fixes as long as 2.5.x is the most current release. Once 2.6 is released (planned for July 7, 2008) the 2.3 branch will probably be orphaned and you would be highly advised to upgrade.
I want to be on the bleeding edge
Ok, come along for the ride…
- Do a complete backup of your blog. See my video tutorial.
- There are not many theme related changes in 2.5 so most themes should continue to work. But there are some extensive changes to the plugin API, so some plugins are going to break. Check your theme and plugins against the known working/not working lists: Theme Compatibility and Plugin Compatibility. If your theme/plugin is on the not working list, then you should change your theme and delete the incompatible plugins. If your theme/plugin is not listed as not working, then that’s not a guarantee that it will work. You may be the guinea pig for testing and reporting any issues.
- I recommend that you don’t start with upgrading your live blog; you are bound to get some unhappy readers while you’re upgrading and fixing any issues that come up. Instead restore your backup to a new location, e.g. yourdomain.com/backupblog, and also restore the database to a different instance, e.g. wpbackup. Use this backup instance of your blog to upgrade and test things out first. Once you’re happy with how everything is working, then upgrade your live blog. I’ll have a video tutorial on this soon.
- Disable all plugins.
- Upload the new 2.5 WordPress files.
- Run the upgrade script: /wp-admin/upgrade.php
- Test your blog and enable plugins one by one.
- Write a post telling the world that you are running the latest and greatest WordPress software.
Lorelle has another good checklist of things to do before upgrading to 2.5.
What am I going to do?
I will upgrade one or two of my test blogs to make sure that the products I’m developing related to WordPress still work with 2.5. I will wait to upgrade this blog until 2.5.1 comes out. By then most of the initial bugs should be fixed and the plugins I can’t live without should also be upgraded to work with 2.5.
What are you going to do?
This file is a QuickTime movie. If you don’t have the free player you can download it here.
Previously I’ve used Camtasia Studio to make video tutorials. I’ve now moved to the Mac and this is the first time I’m using Mac tools to create a video tutorial. Please leave a comment on this post not just about the content of the video, but also the quality. I’d really appreciate it.
There are several exploits targeting WordPress blogs that insert HTML into old posts or into the page template itself. Here are a few procedures that you should follow regularly to check on the health of your blog.
Search existing posts
- Go to Manage Posts in the WordPress admin section.
- In the “Search terms…” field enter one of the following keywords: iframe, script or href.
- Click “Filter”
This will show any posts that contain the above HTML keywords. Unless you’re writing about HTML your posts will probably not contain these keywords. If they do show up in a post and it’s something that you wrote, don’t worry about it. The presence of these keywords is an indicator that someone else may have injected something into your posts. But if you wrote it, then you’re fine.
The reason I search for these particular keywords is that an attacker usually wants to gain something from your blog: a way to install badware on your visitors’ computers (iframe), a blanket way to manipulate your blog output (script), or a simple link (href).
Search existing comments
Repeat the above procedure for comments on the Comments admin page.
Visit your blog and view the HTML source. Search for the same iframe, script and href keywords on a couple of different types of pages:
- Home page
- An individual post
- Your about page
There will be a lot of matches on the href keyword, but the links should all go to your own blog or other places that you know you have linked to. If you find links to web sites that hawk various body enlargement pills, then you have probably been compromised.
Iframes are sometimes legitimately used by affiliate promotions, for example Amazon product links. Again, if you trust the vendor you’re fine. Earlier in the week I wrote about a current exploit which adds an iframe pointing at the wp-stats-php.info site. If you see any such iframes, that’s really bad.
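As an added example (not code from the original post), here is a small Python script that does the same iframe/script/href search over a saved page source or a post body, and then flags any target host that is not on a list of hosts you know you link to, which is exactly the “links should all go to your own blog or places you know” judgement made by hand above. The TRUSTED_HOSTS allowlist and the sample HTML are constructed; wp-stats-php.info appears only because the post names it.

```python
"""Added example (not code from the original post): scan page source or a post body
for the three markers the post says to search for (iframe, script, href) and flag
any whose target host is not one you know you link to. TRUSTED_HOSTS and the sample
HTML are constructed for this demo; wp-stats-php.info is the domain named in the post."""
import re
from urllib.parse import urlparse

# Hosts you link to on purpose, plus vendors whose iframes you trust (constructed).
TRUSTED_HOSTS = {"example-blog.com", "www.example-blog.com", "rcm.amazon.com"}

# <iframe src=...>, <script src=...> and <a href=...>, quoted or not.
TAG_RE = re.compile(r"""<(iframe|script|a)\b[^>]*?\b(src|href)\s*=\s*['"]?([^'" >]+)""", re.I)

# Constructed page: two legitimate links, an affiliate iframe, a hidden 1x1 iframe
# pointing at the domain from the post, and an injected script.
SAMPLE_PAGE = """<html><body>
<p>See <a href="http://www.example-blog.com/about/">my about page</a> and
<a href="/2008/03/upgrading-to-2-5/">an older post</a>.</p>
<iframe src="http://rcm.amazon.com/e/cm?t=constructed" width="120" height="240"></iframe>
<p style="display:none"><iframe src="http://wp-stats-php.info/" width="1" height="1"></iframe></p>
<script src="http://badware.example/inject.js"></script>
</body></html>"""

def count_markers(html):
    """How many iframe/script tags and href attributes the text contains (the admin
    search step from the post, done offline)."""
    low = html.lower()
    return {"iframe": len(re.findall(r"<iframe\b", low)),
            "script": len(re.findall(r"<script\b", low)),
            "href": len(re.findall(r"\bhref\s*=", low))}

def host_of(url):
    """Hostname of an absolute URL, '' for relative links (those stay on your own site)."""
    return (urlparse(url).hostname or "").lower()

def find_suspicious(html, trusted=TRUSTED_HOSTS):
    """(tag, url) pairs whose host is external and not on the trusted list."""
    hits = []
    for m in TAG_RE.finditer(html):
        tag, url = m.group(1).lower(), m.group(3)
        host = host_of(url)
        if host and host not in trusted:
            hits.append((tag, url))
    return hits

if __name__ == "__main__":
    print(count_markers(SAMPLE_PAGE))
    for tag, url in find_suspicious(SAMPLE_PAGE):
        print(f"suspicious <{tag}> pointing at {url}")
```

Save a page with View Source (or paste in a post body) and run find_suspicious() over it; anything it returns that you did not put there yourself deserves a closer look.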
Google Webmaster Tools
Google supposedly marks pages that have been banned from their index due to malware in their Webmaster Tools. You should definitely have a Google Webmaster Tools account to get information on how Googlebot sees your web site and lots of useful search statistics. The banned page indication is an extra bonus.
You should repeat all the above procedures on a regular basis. I know that’s a pain! But dealing with a compromised blog is much worse. Compared to the countless hours you spend on writing great blog posts and engaging in conversations with your readers, it doesn’t take that much time to keep your blog safe.
Imagine a customer searching Google for one of your top keywords and, instead of finding your blog, being greeted with this:
Over the past couple of weeks this is what has happened to many WordPress blog owners. Forums are filled with desperate and bewildered bloggers who don’t know what happened or how to fix the problem.
The root cause of these problems is a bug in a WordPress file called xmlrpc.php. This is not the first, nor the last, WordPress security issue. But in this case the bad guys are systematically exploiting the bug.
Automated scripts scan the Internet for vulnerable WordPress blogs. When they find one, a small snippet of HTML is added to an old blog post. This HTML snippet is an IFRAME that retrieves data from a server with the innocent looking name wp-stats-php.info. At first glance this may look like some server collecting WordPress stats. It isn’t. This web site, seemingly based in China, is part of the growing underground economy of badware. Their role in the ecosystem is to install IFRAMES on as many web sites as possible. They will then most likely sell their “iframe service” to another company that wants to install a small piece of bad software on as many computers as possible. Currently it looks like the payload they are distributing is a virus. But it could easily be changed to a trojan keylogger or a program that turns your computer into a node in a botnet. Pretty bad stuff; so Google is right in warning users against visiting hacked sites.
But what does that mean to you as a WordPress blogger?
With the millions of WordPress blogs out there, these criminals have found fertile ground for their exploits. Unless you have updated your WordPress blog to the latest version – 2.3.3 – you are exposed to this threat.
I know that I may sound like yet another security expert crying wolf again. In this case the threat is very real. Just ask one of the many bloggers who have been affected. In the very linked blogosphere it’s just a matter of time before the bad guys follow the links to your blog.
Here are some recent horror stories, should you need more convincing:
Even if the current outfit behind wp-stats-php.info is shut down, there are others who are gearing up their operations.
What should you do?
- Backup your WordPress files and database
- Upgrade to WordPress 2.3.3
- Check your blog to make sure you haven’t already been infected
If you have done many customizations to your blog (theme and/or plugins) and you’re afraid something will break with the upgrade to 2.3.x, then at least install the latest version of the xmlrpc.php file. You can download it here and just FTP it over the existing file in your root WordPress directory.
More to come on this topic…
Unfortunately the details on what exactly happened with Fortin’s and Gore’s blogs are scant. But here are some general guidelines for keeping your WordPress blog safe.
Update to the latest secure version
No software is free from bugs and security holes. Make sure that you are running the latest secure version. For WordPress – as of this writing – that means versions 2.3.1, 2.2.3 or 2.0.11.
Since WordPress gives plug-ins and themes full access to your blog, you also need to keep your plug-ins up-to-date. With the latest 2.3 series of WordPress you are notified in the admin screen when new versions of the plug-ins you have installed are released.
Only download and install trusted code
Just like you shouldn’t click on email attachments coming from people you don’t trust, you shouldn’t install software on your blog from untrusted sources. Only download code from the authors’ web site.
Since WordPress and most themes and plug-ins are released as open source, anyone can modify the code with malicious intent and put up the badware for download to unsuspecting web surfers.
Don’t be the guinea pig for the latest plug-ins. Take a cautious approach and wait until you see a plug-in being used by many other trusted bloggers.
Ad networks also pose another problem if you don’t have control over who is allowed to advertise on your network. Google applies the guilt by association principle: If you are advertising for a site that has badware on it, your site may be blacklisted too.
Write-protect your themes directory
There appears to be an exploit going around that modifies installed WordPress themes to add spam links or malicious iframes. One way to make this exploit more difficult is to modify the file permissions of your WordPress themes directory to 755. The drawback is that you will now have to ftp modified files to your web server each time you want to make changes to your theme.
Unfortunately you cannot apply the same write protection to the plug-ins directory since many plug-ins write data to the directory where they’re installed.
Use strong passwords
This is an obvious good security practice, but too often forgotten. Make sure all your passwords are strong: your admin account, the ftp account and any other WordPress accounts that have any edit privileges.
There are numerous articles online about selecting good passwords so I won’t repeat that information here. Just make sure that you follow the advice in these articles and don’t copy the actual passwords they list.
View the HTML source of your site often
Should you abandon WordPress?
I love the WordPress platform because it’s so powerful, flexible and extensible. The downside to all these extensions is that it only takes one weak link to compromise your blog. Even though the core WordPress developers mostly follow good security practices for the code they write, that cannot be extended to all the thousands of WordPress theme and plug-in developers.
Since WordPress is the most popular blog platform, they suffer the same problem as Microsoft does with their products: they’re also the most popular target for security exploits. Therefore we are going to have to live with constant security vigilance. If you are not willing to at least follow the six steps in this article, then WordPress is probably not the best blogging platform for you.
Are you practicing safe blogging?
I still haven’t been able to track down the exact exploit used to compromise all these WordPress blogs. All the compromised blogs that I’ve examined run older versions of WordPress (<= 2.0.6). There are several older vulnerabilities that allow an attacker to assume admin privileges.
With admin privileges the attacker can use the Theme Editor to add their spam links to the footer template. Using the Theme Editor gets around the problem of knowing which file to edit since each theme is installed in a separate directory. If the attacker only had access to the file system (e.g. via ftp), then there is no easy way to know which is the active WordPress theme.
On a most likely unrelated note, GigaOM has a post about security issues in WordPress Themes. It turns out that some bad guys are taking free WordPress themes and modifying them slightly so that they can run arbitrary code on each web server running that WordPress theme. This is a huge security risk!
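Both the write-protection advice in the earlier post (themes directory set to 755) and the Theme Editor tampering described above come down to two questions: can anything other than your own account write to the theme files, and have they changed since you last looked? The following Python, an added example and not code from the original posts, answers both with a permission audit and a SHA-256 baseline; the paths are assumed, and demo() works in a throwaway temp directory.

```python
"""Added example (not code from the original posts): lock_down() applies the write
protection the earlier post recommends (dirs 755, files 644), audit_writable() lists
what is still group/other writable, snapshot()/changed_since() keep a SHA-256 baseline
so an edited footer template shows up. Paths are assumed; demo() uses a temp dir."""
import hashlib
import os
import tempfile

def lock_down(themes_dir):
    """Directories 755, files 644, as the post recommends for wp-content/themes."""
    for root, _dirs, files in os.walk(themes_dir):
        os.chmod(root, 0o755)
        for name in files:
            os.chmod(os.path.join(root, name), 0o644)

def audit_writable(themes_dir):
    """Relative paths under themes_dir that group or others can write to."""
    bad = []
    for root, _dirs, files in os.walk(themes_dir):
        for path in [root] + [os.path.join(root, f) for f in files]:
            if os.stat(path).st_mode & 0o022:
                bad.append(os.path.relpath(path, themes_dir))
    return sorted(bad)

def snapshot(themes_dir):
    """Map relative file path -> SHA-256 digest; take it right after a clean install."""
    digests = {}
    for root, _dirs, files in os.walk(themes_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, themes_dir)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def changed_since(baseline, current):
    """(added, removed, modified) relative paths between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, modified

def demo():
    """Constructed scenario: a world-writable footer.php later gets a spam link appended."""
    themes = os.path.join(tempfile.mkdtemp(), "themes")
    footer = os.path.join(themes, "default", "footer.php")
    os.makedirs(os.path.dirname(footer))
    with open(footer, "w") as fh:
        fh.write("<p>Powered by WordPress</p>\n")
    os.chmod(footer, 0o666)          # the weak setting: anyone on the box can edit it
    before = audit_writable(themes)
    lock_down(themes)
    baseline = snapshot(themes)      # record hashes while the theme is known clean
    with open(footer, "a") as fh:    # what Theme Editor tampering looks like on disk
        fh.write('<a href="http://pills.example/">buy pills</a>\n')
    return before, audit_writable(themes), changed_since(baseline, snapshot(themes))
```

Store the baseline snapshot somewhere the web server cannot write (not under the blog’s document root) and re-run changed_since() on the same schedule as the HTML source checks.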
Follow the basic security rule: Don’t download files from untrusted sources. Just because someone is advertising their free WordPress template site on AdWords doesn’t mean that the site is legitimate.
The reason I say that the two security issues are unrelated is because the compromised blogs do not share a common WordPress theme.
If anyone who has been compromised would be willing to share their web access logs, I would be very interested in examining them.
After closer examination I realized that all compromised sites had the exact same AdSense code:
getme('http://pagead2.googlesyndication.com/pagead/show_ads.js? 636D6071685F676C255D5A68385E565D545C612E64334D100E4D5 45652090A0E5252564840083D414A4641354C0FF83E3E3C32F306');
Someone at Google should be able to find out who is benefiting financially from that AdSense code. Money always leaves a trail.
A story has been making the news today about Al Gore’s web site being hacked. (Original story broken by Stuart @ Earners Blog.) Actually it was a blog on climatecrisis.net that appears to have been forgotten – the last post is from September 2006. Nevertheless the blog has a PageRank of 5 which is an attractive target for link hackers.
The site has been cleaned up now, but you can view a cached version of the compromised page courtesy of Yahoo. (In IE you need to view source to see the links. In my Firefox they show up as grey text links at the bottom of the page.)
The attack has at least three steps:
- A blog at westmont.edu was compromised and several pages were added promoting Viagra and other related pills.
- Several other blogs were compromised and links to the first site were added at the bottom of each page. The latter is what happened to climatecrisis.net/blog. Al Gore’s site is probably the best known of the compromised sites, but there are many more: The Cynical Traveller, Mickipedia, Astroport Le chant du pain, The Next New Networks, Librarian Activist. Just to list a few. Hopefully the site owners will see these backlinks and be able to clean up their blogs.
- In order to not leave a trail to their own doorstep there appear to be no outbound links on the westmont.edu blog that go to any web site where you can actually order the drugs. Instead there are links to google.ru with queries like “Purchase Prilosec”. Presumably the perpetrator of this attack is among the first search results for these queries. By using the indirect link through Google it becomes very hard to find and prosecute the guilty party. Using Google to cover your tracks is getting increasingly popular.
All the compromised sites are blogs that use WordPress 1.5 – 2.0.6. If you are running these very old versions of WordPress be sure to upgrade to the latest secure release. And regardless which software you’re using for your web site you should regularly view the HTML source of your site to make sure that you’re not serving up spam links.