WordPress Bloggers Fall Prey to ‘Clever’ Worm

A new worm capable of posting malware and spam as well as altering or deleting posts on WordPress blogs has the company imploring users to update immediately to the latest version of its popular open source blogging software.

The attack serves as just the latest example of how hackers are targeting social networking and user-generated content sites as unwitting hosts for their malicious spamming and malware endeavors.

Matt Mullenweg, the founding developer of WordPress, said the vulnerability allowing the attack was first unearthed Aug. 11 and was resolved in the two latest versions of the blogging software released in the past month.

But in order for WordPress bloggers to avoid having porn sites and other spam links harbored on their blogs — and potentially having their site yanked from Google’s much-coveted index as a result — Mullenweg said users need to upgrade to WordPress version 2.8.4 immediately.

“Upgrading is a known quantity of work, and one that the WordPress community has tried its damnedest to make as easy as possible with one-click upgrades,” he wrote in a blog posting. “Fixing a hacked blog, on the other hand, is quite hard. Upgrading is taking your vitamins; fixing a hack is open-heart surgery.”

Users of the company’s hosted WordPress.com service are automatically updated to the latest version of the software and shouldn’t be vulnerable.

WordPress officials have yet to say just how many users’ blogs have been compromised by the worm. WordPress.org, founded in 2003, says that more than 3.8 million users downloaded the blogging software in 2007, the most recent figure provided on the company’s site.

Mullenweg said the worm infects a site by registering a user, and then uses a security bug existing in earlier editions of the software to execute code through the blog’s permalink structure.

It then “makes itself an admin and uses JavaScript to hide itself when you look at [a] users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts,” he wrote.

“This particular worm, like many before it, is clever,” he added.
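The indicators Mullenweg lists, a rogue administrator account hidden from the Users screen and hidden spam or script injected into old posts, can be checked directly against the database rather than through the admin UI the worm tampers with. The following Python script is an added example, not code from the article, from WordPress or from Automattic; the user and post rows are constructed, and the regexes for hidden content are my assumptions about what such injections look like, not the worm’s actual payload. On a real site the rows would come from wp_users joined to wp_usermeta (meta_key 'wp_capabilities') and from wp_posts.

```python
import re
from typing import Dict, List, Set

# Constructed sample rows standing in for a JOIN of wp_users and wp_usermeta
# (meta_key = 'wp_capabilities'); none of this comes from a real site. The
# capabilities value is the PHP-serialized array WordPress stores.
SAMPLE_USERS = [
    {"ID": 1, "user_login": "editor_jane", "capabilities": 'a:1:{s:13:"administrator";b:1;}'},
    {"ID": 2, "user_login": "guest_writer", "capabilities": 'a:1:{s:6:"author";b:1;}'},
    {"ID": 3, "user_login": "wp_system", "capabilities": 'a:1:{s:13:"administrator";b:1;}'},
]

# Constructed post_content samples (post ID -> HTML); the last three carry the
# kinds of hidden injection the article describes.
SAMPLE_POSTS = {
    101: "<p>Notes from the conference.</p>",
    102: '<p>Old post.</p><div style="display:none"><a href="http://example.invalid/x">cheap pills</a></div>',
    103: '<p>Archive page.</p><iframe src="http://example.invalid/y" width="0" height="0"></iframe>',
    104: "<p>Another.</p><script>eval(unescape('%3c%69%66%72%61%6d%65'))</script>",
}

# Indicators of content hidden from a reader but still served to crawlers.
# These regexes are assumptions for illustration, not the worm's real payload.
HIDDEN_PATTERNS = {
    "css_hidden": re.compile(
        r'style\s*=\s*["\'][^"\']*(?:display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px)',
        re.I),
    "zero_iframe": re.compile(r'<iframe\b[^>]*\b(?:width|height)\s*=\s*["\']?[01]\b', re.I),
    "obfuscated_script": re.compile(
        r'<script\b[^>]*>[^<]*\b(?:eval|unescape|String\.fromCharCode)\s*\(', re.I),
}

ADMIN_MARKER = '"administrator";b:1'  # serialized form of ['administrator' => true]


def unexpected_admins(users: List[Dict], allowlist: Set[str]) -> List[str]:
    """Return logins holding the administrator capability that are not on the allowlist.

    The worm hides its account with JavaScript on the Users screen, so this
    check must run against the database rows, never against the admin UI.
    """
    return [u["user_login"] for u in users
            if ADMIN_MARKER in u["capabilities"] and u["user_login"] not in allowlist]


def hidden_injections(html: str) -> List[str]:
    """Name every hidden-content indicator found in one post body."""
    return [name for name, pat in HIDDEN_PATTERNS.items() if pat.search(html)]


def scan_posts(posts: Dict[int, str]) -> Dict[int, List[str]]:
    """Return only the posts that show at least one indicator, with the indicator names."""
    findings = {}
    for post_id, html in posts.items():
        hits = hidden_injections(html)
        if hits:
            findings[post_id] = hits
    return findings


if __name__ == "__main__":
    print("rogue admins:", unexpected_admins(SAMPLE_USERS, {"editor_jane"}))
    for post_id, hits in scan_posts(SAMPLE_POSTS).items():
        print(f"post {post_id}: {', '.join(hits)}")
```

Run against the sample rows, the script reports wp_system as an administrator nobody approved and flags posts 102, 103 and 104. Every hit still needs a human to look at the post; a legitimate theme can use display:none, so the output is a work list for cleanup, not proof of compromise, and a clean result says nothing about the vulnerability itself, which only the upgrade removes.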

Robert Scoble, author of the popular Scobleizer technology blog, learned firsthand just how traumatizing this particular worm can be to WordPress users who have yet to update their software.

“A few weeks ago some hackers broke into my blog here (this was before 2.8.4 was released),” he wrote in a blog post on Saturday. “At first I thought they just left some porn sites in a couple of blog entries. So we upgraded WordPress (I was on 2.7x back then). Deleted a fake admin account. Deleted the porn sites. And thought we had solved the problem. We didn’t.”

Scoble went on to say that someone managed to break into his blog again, deleting about two months’ worth of blog entries and planting some malicious code on his archive pages. He said Google soon thereafter sent an e-mail telling him that it had removed his site from its index.

“We’ve done some other things now to make it harder for them to break in (for instance, my admin account has been deleted and a new one doesn’t use the name ‘admin’), but the damage is done and I feel the same way as when our childhood home was broken into,” he wrote. “I don’t feel safe here, which might explain why I’ve been posting more over on a new Posterous blog I’ve set up.”

WordPress users who are running outdated versions of the software, including those who have yet to notice missing entries, parasitic links or erroneous posts on their blogs, can find upgrade information on the WordPress site.

“There is only one real solution,” Mullenweg writes. “The only thing that I can promise will keep your blog secure today and in the future is upgrading.”
