WordPress release manipulated via server hack
Users who have downloaded and installed the WordPress 2.1.1. package since the end of February should update their installation to version 2.1.2., sharpish. As described by the WordPress developers on their homepage, attackers hacked a project server and replaced the 2.1.1. download package with a version loaded with backdoors for infiltrating PHP code.
The developers do not give details of the vulnerability used by the attackers to penetrate the server. The analysis carried out by the WordPress team, for which the WordPress server was taken offline, has apparently revealed that only the WordPress 2.1.1. package was affected. No manipulation to the SVN revision control system or other code took place.
The WordPress development team has now labelled version 2.1.1. as insecure and recommend that all WordPress users update to the new version 2.1.2. According to WordPress, the update also fixes a number of bugs, of which no further details are given. Providers who offer their users WordPress as a service and are not yet able to update the software should block access to the theme.php and feed.php files and filter out queries containing the strings ix= or iz=.
- Wordpress 2.1.1 dangerous, upgrade to 2.1.2, security bulletin from the WordPress developers
- Download the latest version of WordPress