Wednesday April 09, 2008

WordPress Pandemic Chronicles - 2008-04-09

I've been acting on the assumption that WordPress 2.3.3 was a "safe" release. I certainly hadn't spotted any hacked blogs using 2.3.3 but poking around, I find these reports of compromised 2.3.3 blogs:

• New Wordpress 2.3.3 Exploit/Vulnerability - Adds Spam Directory /wp-content/1/
• Hacked 2.3.3

WTF? I'm going to continue assuming that 2.3.3 is secure and there was something else going on in those cases -- I'm expecting the WordPress developers to weigh in with a definitive statement on this (hello, anybody home?). Now, according to Blog Herald, the safe versions are 2.5, 2.3.3, 2.1.3, and 2.0.11 -- if that's the case, I'll incorporate that into another update to Technorati's crawler (though to date, 2.1.3 and 2.0.11 have so far been statistically insignificant).

Folks need to keep getting the word out: friends don't let friends run vulnerable installations of WordPress. In the meantime, here's latest snapshot of the trailing 90 days of WordPress updates handled by Technorati:

Version	Count (in thousands)	Change
2.3.3	238	-2
2.3.1	152	-1
2.3.2	144	+2
2.5	93	+7
2.2.2	76	+1
2.2.3	70	+3
2.0.1	59	0
2.1.2	36	-1
2.2.1	35	0
2.2	30	-2

It's encouraging to see the numbers for 2.5 going up strongly: 7000 more WordPress 2.5 blogs updated since yesterday's trailing 90 days. Seems like the small flaps for the other versions are a wash.

wordpress   blogging   security   technorati   spam  

( Apr 09 2008, 11:40:45 PM PDT ) Permalink