NEWS
A worm is circulating that can post malware and spam to some WordPress blogs using outdated versions of the blogging software, according to a post by Matt Mullenweg, founding developer of WordPress.
Read this
A-Z of security
- A is for Antivirus
- B is for Botnets
- C is for CMA
- D is for DDoS
- E is for Extradition
- F is for Federated identity
- G is for Google
- H is for Hackers
- I is for IM
- J is for Jaschan(Sven)
- K is for Kids
- L is for Love Bug
- M is for Mircosoft
- N is for Neologisms
- O is for Orange
- P is for Passwords
- Q is for Questions
- R is for Rootkits
- S is for Spyware
- T is for Two-factor authentication
- U is for USB sticks/devices
- V is for Virus variants
- W is for wi-fi
- X is for OS X
- Y is for You
- Z is for Zero-day
The worm can be tough to catch, as Mullenweg explains: "It registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at user's page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts."
The vulnerability allowing the attack was discovered on 11 August, at which point WordPress encouraged users to upgrade to version 2.8.4. However, many people have yet to upgrade, and reports online indicate the worm is making dubious progress by the hour.
The worm does not affect the current version 2.8.4 and the one prior to it. And it only affects people who host their own WordPress blog. Blogs hosted on WordPress.com are unaffected.
WordPress has also posted an FAQ for people who think their blog has been hacked.
