Lorelle on wordpress

Old WordPress Versions Under Attack

Otto42 of OttoDestruct, a key WordPress developer and supporter, reports that there is an “attack” on older versions of WordPress right now. The number of sites hit by this is growing every hour. Protect your WordPress blog now: UPDATE NOW!!!

Update your WordPress blog before you continue reading this post. That’s how critical this issue is.

Things You Need to Know Now

Here is what you need to know right now, constantly updated with news as we get it.

  1. UPDATE NOW! Reports are that this attack impacts ALL versions of WordPress up to 2.8.3 and 2.8.4, the most recent release.
  2. Report from WordPress on Attack: How to Keep WordPress Secure. Information on the most recent update of WordPress that prevented this attack on updated WordPress sites: WordPress 2.8.4: Security Release.
  3. Which Version of WordPress is Secure? I’ve just talked to Matt Mullenweg and have a better understanding of the version confusion. When this worm first hit the web, WordPress released 2.8.3 to deal with it. Since then, WordPress 2.8.4 was released, unrelated to the worm. Once the worm has infected your site, surface fixes do not remove the “back door” the worm injects into your database and system, as happened with Robert Scoble. Once infected, upgrading does not fix the issue, so those reporting they were infected after upgrading were in fact infected before upgrading. Versions after WordPress 2.8.3 are safe, but upgrade to 2.8.4 anyway as it includes other fixes.
  4. What Version Am I Using? If you are using a WordPress version after 2.7, the nag screen on the WordPress Administration Panels will alert you to upgrade. If you are using an older version, upgrade now. Don’t know what version you are using? Without a nag screen to tell you to update, you’re using an old version. Checking the Administration Panels footer will help, but don’t waste time looking. Just update now!
  5. Use a WordPress Plugin for Protection: Do not rely upon a WordPress Plugin to protect you. There are many reports of Plugins that will “help” in the comments. While they might help in other ways, please upgrade now. That is the only solution if your site has not been impacted.
  6. How Does This Worm Work? We’re awaiting details from security experts on how this worm works. Personally, I’m waiting for the name of this thing since that does make searching for details on this worm easier. Anyone got a name for it yet? Since it isn’t exclusive to WordPress, calling it the WordPress Worm would not be appropriate. :D
  7. WordPress is Not Secure: WordPress is incredibly secure and monitored constantly by experts in web security. This attack was well anticipated and so far, WordPress 2.8.4 is holding. If necessary, WordPress will immediately release an update with further security improvements. WordPress is used by governments, huge corporations, and me, around the world. Millions of bloggers are using WordPress.com. Have faith they are working overtime to monitor this situation and protect your blog.
  8. Fear of Upgrading: This attack is serious enough to overcome all your fears of updating. If older WordPress Plugins are holding you back, update them to the latest version or replace them with new ones. If your Theme might break, contact the Theme author and update or replace it. There are thousands of free Themes to choose from, probably some better than what you are using. If you are using a recent version of WordPress, updating is as easy as clicking a couple of buttons. If you are using an older version, download the most recent version and upgrade now.
  9. Other Issues? Whatever issue keeps you from updating WordPress, get over it and update now to protect your site.

When we have updated news, we’ll add them to this post and/or post a new article.

How Do I Know If My Site Has Already Been Attacked?

There are two clues that your WordPress site has been attacked.

The first clue is strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords to look for are “eval” and “base64_decode.”

The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution.
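As an added illustration (not code from the original post or from the WordPress project), the following Python script applies both clues above to constructed sample data: it scans web server access-log lines for the eval/base64_decode marker after URL-decoding the request path (the marker arrives percent-encoded, so a plain text search for “eval(” on the raw line can miss it), and it lists accounts holding the administrator role that are not on an allowlist of administrators you expect. The log lines, the user rows and the account names lorelle, brent and admin2 are all constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format) for this example.
# The second line carries the percent-encoded marker quoted in the post above.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Sep/2009:10:12:01 -0700] "GET /category/post-title/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Sep/2009:10:12:09 -0700] "GET /category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Sep/2009:10:13:44 -0700] "GET /wp-login.php HTTP/1.1" 200 1450 "-" "Mozilla/5.0"
"""

# Constructed rows shaped like wp_users joined with the wp_capabilities meta
# value (WordPress stores roles as a PHP-serialized array in wp_usermeta).
# The "Administrator (2)" display name mirrors the clue in the post.
SAMPLE_USERS = [
    {"ID": 1, "user_login": "lorelle", "display_name": "Lorelle",
     "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
    {"ID": 2, "user_login": "brent", "display_name": "Brent",
     "wp_capabilities": 'a:1:{s:6:"editor";b:1;}'},
    {"ID": 7, "user_login": "admin2", "display_name": "Administrator (2)",
     "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
]

# Accounts the site owner knows should hold the administrator role (assumed).
KNOWN_ADMINS = {"lorelle"}

# Keywords the post names as the tell-tale signs in tampered permalinks.
INDICATORS = ("eval(", "base64_decode")

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def fully_decode(value, max_rounds=5):
    """URL-decode until the string stops changing, so the keywords are
    compared in plain text rather than in their %7B/%5B-encoded form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_indicators(line):
    """Return the indicator keywords present in one log line's request path."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    path = fully_decode(match.group(1)).lower()
    return [word for word in INDICATORS if word in path]


def scan_log(text):
    """Return (line number, keywords found, client IP) for every suspicious line."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        found = find_indicators(line)
        if found:
            hits.append((number, found, line.split()[0]))
    return hits


def unexpected_admins(rows, known_admins):
    """Return logins holding the administrator role that are not on the allowlist."""
    return [row["user_login"] for row in rows
            if '"administrator"' in row["wp_capabilities"]
            and row["user_login"] not in known_admins]


if __name__ == "__main__":
    for number, found, ip in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(found)} in request from {ip}")
    for login in unexpected_admins(SAMPLE_USERS, KNOWN_ADMINS):
        print(f"unexpected administrator account: {login}")
```

To use this on a real site, feed scan_log the contents of your web server’s access log, and build the user rows from wp_users joined to wp_usermeta on the meta_key wp_capabilities (the prefix changes if your tables use a non-default prefix). A hit in either check is a reason to treat the site as compromised and follow the recovery steps below rather than to simply delete the offending account.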

WordPress.com blogs are not impacted as they are up-to-date. Only versions prior to WordPress 2.8.4 are impacted.

To Prevent Your WordPress Blog from Attack

To prevent this form of attack, update your WordPress site IMMEDIATELY to the latest version. Change ALL passwords to a strong password immediately, including WordPress blog access for all users, database, FTP, control panels, everything.

See the articles below for more helpful information on how to harden and protect your WordPress blog.

If Your WordPress Blog Has Been Attacked

If your site has already been attacked, it appears that the hack goes deep into the database. You can find help in the WordPress Codex article on how to deal with a hacked WordPress site.

We’re looking for specific solutions, but the easiest appears to be to export all your content with the built-in XML WordPress export (for pre-2.1 versions, try the WordPress-to-WordPress Import WordPress Plugin) and completely remove your WordPress installation (save images and general files). DO NOT EXPORT YOUR DATABASE! Install the latest version of WordPress, add the “clean” backup of your WordPress Theme, then import the XML export. The export will contain your posts, Pages, and comments, and hopefully no other hacked code.

“How To Completely Clean Your Hacked WordPress Installation” by Smackdown is a good article on how to reinstall WordPress after being hacked, but take care to keep your export limited to the post content and comments (and Pages), not the entire database, as the hack goes into the database.

How to Respond to a WordPress Attack

WordPress has been asking users to update as soon as an update is released for several years. They also now have an excellent team to track down this issue and quickly protect WordPress with any necessary updates.

Please blog and Twitter about the attacks. It’s important that we spread the information throughout the WordPress Community as fast as possible, encouraging everyone to update WordPress. Take care not to promote rumors, just the facts, until we know more.

If you have pertinent information that will help the WordPress team track down and stop this attack, please report it to security@wordpress.org.

Check the WordPress Support Forums for more information and support. Also check for news and announcements on security issues and updates on the WordPress Development Blog and in your WordPress blog Dashboard Panel.

Please, keep your WordPress site constantly updated. You are now informed of updates directly through the Administration Panels. Act upon it.

Here are some other articles and information that may prove useful.



Copyright Lorelle VanFossen, member of the 9Rules Network, and author of Blogging Tips, What Bloggers Won't Tell You About Blogging.

Posted in WordPress News


Summer Blog-b-que for Bloggers

It’s time to celebrate blogging and summer in the Portland, Oregon, area. If you are a blogger, come join the summer Blog-b-que!

We’re hosting the first ever Blog-b-que at the home of Lorelle and Brent VanFossen in North Plains, Oregon, on Sunday, August 30, 2009, and you are welcome to join us.

We’re inviting WordPress, WordPress.com, and all bloggers (and web and social media fans) to a picnic party on Sunday, August 30, starting about noon! The theme of the party is “Summer Food” and you are invited to bring food that reminds you of summer.

In addition to summer food and drinks, bring something to sit on, sunscreen, sunglasses, and binoculars as this will be the final day of the famous Oregon International Airshow in Hillsboro. We have a view of the skies and areas west in the valley the planes will be flying through. We have a hot tub, so bring suits (and we have some to borrow).

We are limited to 75 attendees. Sign up on the Upcoming Announcement where you will find directions and more information. You can also contact us with questions via the comments below, @lorelleonwp or via our Contact page. We live about 35 minutes from downtown Portland off Highway 26. Coming back from the beach that weekend? Stop in and rest before heading back to the city!

We will help you arrange carpools from downtown Portland, and will do one or two pickups at the Hillsboro Trimet Blue Line (Hillsboro · City Center · Gresham), the last stop on the Blue Line. If you are interested in taking the train out, let us know so we can arrange pickup times.

The Oregon International Air Show will feature some great airplanes and air performances on Sunday including the U.S. Air Force Thunderbirds, U.S. Army Golden Knights Parachute Jump Team, high performance aerobatic airplanes, the Robosaurus car-crushing, fire-breathing, metal giant of a dinosaur plane, comedy air performances, vertigo air shows, hammerhead aerobatics, antique airplanes, experimental aircraft, and plenty more.

We will feature music, laughter, stories, and a ton of food! Who’s bringing the keg?





Come meet fellow WordPress and other blogging fans and join the summer fun.

We have trails through the woods and down to the creek at the bottom of the property, plenty for kids (adult kids, too) to run around and explore. Elk, deer, rabbits, frogs, coyotes, and birds are around much of the year. We have a few indoor and outdoor games, but bring your own.

This is a no smoking event!

Note: Thank you to everyone who has been so helpful and supportive during my long health recovery. I will be back in action very soon and look forward to seeing everyone at this fun Blog-b-que!



Posted in Blog Babble, WordPress Events, WordPress News


How to Report Abuse to WordPress.com


My name is Jonathan Bailey and I usually blog at Plagiarism Today, where I write about content theft, plagiarism and copyright issues on the Web. Lorelle has asked me to fill in while she’s away with a few posts to keep things a little bit more active. So please pardon the change in voice and fret not as Lorelle will return soon.

The good news is that WordPress.com is a relatively spam and garbage-free site. The bad news is that, even on the best blogging sites, with the most vigilant admins, sometimes spammers, scrapers and other bad guys do manage to set up shop.

It’s easy to see why spammers would want to get on WordPress.com: with a PageRank of 9, great SEO and a built-in community, it could be a haven for junk content. Many do try, but the admins have been surprisingly effective, for the most part, at keeping them at bay.

This isn’t to say that they are perfect. They can’t pre-screen everything that is posted to the site and some do get through. The site depends on users to report spam, copyright infringements and other forms of unwanted content so it can be cleaned up.

However, there is a correct way to file such complaints. As great as Lorelle is, she is not an official representative of Automattic, the maintainers of WordPress.com, and Matt Mullenweg, though the founder and CEO, is not the person directly responsible.

If you want a quick resolution to a WordPress.com abuse complaint, all you have to do is follow the instructions on this page. However, if you want more details or advice, read below.

Copyright Complaints

As someone who has filed hundreds of copyright complaints over the years, I can say without a doubt that Automattic has been very responsive to copyright complaints. However, there is a very strict protocol that one needs to follow in order to have their complaint acted upon.

Automattic is a U.S.-based company and its servers are located within the country. As such, it is bound by U.S. law, most notably the Digital Millennium Copyright Act (DMCA). This law provides a safe harbor to Web hosts, such as Automattic, to prevent them from being held liable for copyright infringement perpetrated by their users without their knowledge.

The caveat is that hosts are required to “expeditiously” remove or disable access to infringing content once they receive proper notification. The law itself lays down strict requirements for what constitutes a proper DMCA notice.

As such, though Automattic does comply with the DMCA and remove content very quickly when properly notified, it is filing the proper notification that is tricky.

If you find that a blog on WordPress.com is infringing YOUR copyright, you can file a DMCA takedown notice by using the email address at this page and using the stock DMCA notice to hosts available on my site.

If you properly fill out and send in a DMCA notice, most likely the content will be removed in 1-2 business days.

Spam, Spam, Spam

If you find a spam blog operating on WordPress.com that isn’t infringing on your copyright, whether it is posting excerpts, gibberish or someone else’s content, you can still report it to Automattic and get the blog removed if it is a violation of their terms of service.

The Spam blog reporting tool is extremely simple to use. All you have to provide is the URL of the blog, ensuring that it is a WordPress.com blog, and stating the reason that you think it is a spam blog.

If it’s scraping content from another site, link to the original site. If it is posting junk content, say so. Provide any evidence you can that the site is a spam blog and try to make it easy for the person processing the complaint to understand what the issue is. A few sentences of clarification can help speed up the process greatly.

Other Content

WordPress.com has a strict policy about protecting user freedom of speech. Though Automattic may remove defamatory content, Section 230 of the Communications Decency Act does not require them to do so.

WordPress.com also allows mature content on the site, so long as it is properly flagged and removed from public searches.

In short, unless the content is illegal or threatening, Automattic will be very hesitant to take any action. Still, if you wish to report something that you feel is a violation of the site’s terms of service, you can file your report by emailing the support@ address.

Caveat

It is important to remember that this only applies to sites that are hosted on the WordPress.com servers. Just because a site uses WordPress as the blogging platform does not mean that it is on the WordPress.com servers.

Millions of blogs use WordPress as the platform but are hosted on other servers and are beyond Automattic’s control. In those cases, Automattic merely produces the software that is used to make the blog work; it does not run the blog or the servers it is on. It would be like blaming Microsoft for unwanted content generated using Word.

Before filing a complaint with Automattic, make sure that WordPress.com is in the URL of the site. You can also double check the host of the site by using Who Is Hosting This?.

Though the confusion is understandable, it is important to make sure that it is a WordPress.com site, not a WordPress.org (meaning self-hosted) site, before reporting to Automattic.

Bottom Line

When it comes to matters of copyright and spam, Automattic does a great job in removing the garbage when properly notified.

The difference in the time it takes to file a complaint the right way and simply shouting to the first person who will listen is negligible. However, it can be the difference between getting a swift response or no answer at all.

Any time you report abuse to a site, you should take a moment to familiarize yourself with that site’s policies and act accordingly. A few minutes of preparation and planning can literally save days in response time.

Posted in Blogging Tips, WordPress News, WordPress Tips, WordPressdotcom


WordCamp Videos Published from WordCamps Dallas and San Francisco

John Pozadzides of One Man’s Blog has been putting together the final videos from WordCamp San Francisco 2009 and WordCamp Dallas. So far he’s released:

There were a lot of tremendous speakers at these two events, with more videos anticipated over the next couple weeks.

If you haven’t caught them, check out the many speaker videos from WordPress.tv in the WordCamp category, such as these recent videos from WordCamps around the world:



Posted in Blogging Tips
