Malware, Patch/Configuration Management, Vulnerability Management

WordPress attacks hit unpatched blog platforms

Blogs built on older WordPress software platforms are being targeted by hackers.

During the weekend, the attacks were fomented by an extremely stealthy worm, according to a post on the WordPress blog. The latest version of the popular blogging portal (2.8.4), however, is not affected.

“Right now there is a worm making its way around old, unpatched versions of WordPress,” Matt Mullenweg, WordPress founder, explained in the post Saturday.

He described how an attack works: “This particular worm, like many before it, is clever. It registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at (the) user's page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.”

Blogs hosted on are not vulnerable. The only blogs affected are those on third-party or self-hosted sites.

“To prevent this form of attack, update your WordPress site immediately to the latest version,” said Lorelle VanFossen, author of the book "Blogging Tips," in a post on her blog. “Change all passwords to a strong password immediately, including WordPress blog access for all users, database, FTP, control panels, everything.”

The malware attacks typically leave comment spam and links to malware-contaminated sites.

“The tactics are new, but the strategy is not,” Mullenweg wrote. “Where this particular worm messes up is in the ‘clean up' phase: It doesn't hide itself well and the blogger notices that all his links are broken, which causes him to dig deeper and notice the extent of the damage.”

He added: “Where worms of old would do childish things like defacing your site, the new ones are silent and invisible, so you only notice them when they screw up (as this one did) or your site gets removed from Google for having spam and malware on it."

The advice to update is well-founded. In 2007, David Kierznowski, an information security consultant based in the U.K., did a survey of 1,000 blogs that found 49 out of 50 WordPress blogs ran exploitable versions of the software.

Attempts to reach WordPress for comment Tuesday were unsuccessful.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.