In association with heise online

04 March 2007, 10:43

WordPress release manipulated via server hack

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Users who have downloaded and installed the WordPress 2.1.1. package since the end of February should update their installation to version 2.1.2., sharpish. As described by the WordPress developers on their homepage, attackers hacked a project server and replaced the 2.1.1. download package with a version loaded with backdoors for infiltrating PHP code.

The developers do not give details of the vulnerability used by the attackers to penetrate the server. The analysis carried out by the WordPress team, for which the WordPress server was taken offline, has apparently revealed that only the WordPress 2.1.1. package was affected. No manipulation to the SVN revision control system or other code took place.

The WordPress development team has now labelled version 2.1.1. as insecure and recommend that all WordPress users update to the new version 2.1.2. According to WordPress, the update also fixes a number of bugs, of which no further details are given. Providers who offer their users WordPress as a service and are not yet able to update the software should block access to the theme.php and feed.php files and filter out queries containing the strings ix= or iz=.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit