Over the weekend, reports surfaced of a seemingly widespread attack targeting older versions of the popular blogging software WordPress. The attack leaves WordPress installations severely compromised and appears to be part of a campaign to spread spam and malicious code.

Numerous bloggers found themselves victims. One of those bloggers was popular tech personality Robert Scoble. He claims that two months of his blog's content was lost and that his site was booted from Google's index because of malicious code that had been inserted (ouch).

Although Scoble has since cleaned up and taken action to defend against future attacks, he writes:

...the damage is done and I feel the same way when our childhood home was broken into. I don’t feel safe here, which might explain why I’ve been posting more over on a new Posterous blog I’ve set up.

It's easy to sympathize. But let's be clear: compromised WordPress blogs weren't exactly broken into. If these blogs are to be considered houses, their doors were left wide open for all to see. Scoble's blog, for instance, was compromised because he was running a 2.7.x version of WordPress for which there are known security vulnerabilities.

Scoble had refused to upgrade WordPress despite the fact that the latest WordPress release (2.8.4) was advertised as an important security release. Making matters worse, Scoble didn't have any homeowner's insurance. That's right: he didn't have any backups.

Unfortunately, Scoble's blog was hardly the only one with the doors unlocked. A post on TechCrunch, for instance, repeated the warning that WordPress users should upgrade to the latest version. Yet as I write this, TechCrunch appears to be using an out-of-date version of WordPress MU. I'm not the first, of course, to point out the irony in popular tech blogs that are running on outdated software with known security vulnerabilities writing about outdated software with known security vulnerabilities.

Yet that hasn't stopped some, including Scoble, from insinuating that WordPress is partly to blame. WordPress head honcho Matt Mullenweg responded to the situation:

A stitch in time saves nine. Upgrading is a known quantity of work, and one that the WordPress community has tried its darndest to make as easy as possible with one-click upgrades. Fixing a hacked blog, on the other hand, is quite hard. Upgrading is taking your vitamins; fixing a hack is open heart surgery. (This is true of cost, as well.)

He noted that the latest two versions of WordPress were not vulnerable to this attack. He concluded by imploring WordPress users to upgrade:

We’ve already made upgrading core and plugins a one-click procedure. If we find something broken, we’ll release a fix. Please upgrade, it’s the only way we can help each other.

Before I go any further, I'll make my bias clear: I think WordPress is a great product and have a good dozen-plus websites running on it.

That said, no software is free from bugs and vulnerabilities. For all of its flaws and limitations, however, of which there are more than a few, WordPress is extremely popular because it does well what it was designed to do, is intuitive to use, is easy to extend, has a great developer community and doesn't cost a cent to license.

When it comes to security, unfortunately, the ease with which WordPress can be successfully installed, managed and used is a double-edged sword. It makes WordPress accessible to users who don't have the level of tech savvy (or competence) that one might reasonably expect of someone self-hosting third-party software. And it can deceive users into believing that they can operate on cruise control. After all, WordPress works so well and is so pretty that it's hard to believe that serious vulnerabilities could be lurking under the surface.

The end result of this is a hacker's dream: widely-installed software often used by individuals who are either incapable of properly managing it or who never think anything bad could happen.

So what's anyone to do? If you're going to run third party software you had better:

Give up on the idea that inherently 'secure' software exists. While I'm sure there are interesting discussions to be had about WordPress and security, the bottom line is that nine times out of ten, hackers and scammers are much smarter and more dedicated than you. No matter what piece of software you're running, someone sufficiently motivated to hack it is probably going to.

Choose software wisely. It's easier to deal with security issues when you've thoroughly evaluated a piece of software and know what you're getting into. Does it have a history of security issues? What is the release cycle like? How complicated is the upgrade process?

Pay attention to new releases. When a new release becomes available, be sure to read the changelog to see if an upgrade is necessary or warranted. While it's generally a good idea not to fall too far behind, it's often okay to skip minor releases. When releases are prominently advertised as security releases, however, skip them at your own peril.

Look at security holistically. It's important to note that security doesn't start and end at the application level. In fact, some of the reports about the WordPress attack seem to hint that servers may have been compromised. Bottom line: no matter what software you're running, you should disable services/modules you're not using, double check file system permissions, use SFTP instead of FTP, employ a software-based firewall (at a minimum) and consider using non-standard port numbers for common services, amongst other things.

Back up. Doing everything right is no guarantee that you won't be hacked. After all, zero-day exploits are increasingly common. So back up data regularly in case the worst happens.

Have a reliable techie on your side. Even if you're capable of installing and/or managing a software product on a day-to-day basis, you should have access to somebody who can help if you run into bigger technical challenges. In Scoble's case, for instance, he cited a fear of his WordPress plugins breaking as the reason he wasn't upgrading on a regular basis. But with some competent development support, resolving any plugin-related upgrade issues would certainly have been far less demanding than getting someone to clean up a hacked installation.
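The three checks above that can actually be scripted, whether the core is behind the release advertised as the security fix, whether anything on disk is world-writable, and whether a recent backup exists, as an added example that is not part of the article and not WordPress's own tooling. It assumes a POSIX shell with sed, find and tar, reads the version from wp-includes/version.php (where WordPress records it), takes the reference version (2.8.4 in the article) and the backup directory from the caller, and the demo tree with its 2.7.1 version string is constructed for illustration; a database dump is a separate step it does not perform.

```shell
#!/bin/sh
# Added example (not from the article): audit a self-hosted WordPress tree for
# an out-of-date core, world-writable files, and a missing recent backup.

# Print the installed core version, e.g. "2.7.1", from wp-includes/version.php.
wp_version() {
  sed -n "s/^[\$]wp_version *= *'\([^']*\)'.*/\1/p" "$1/wp-includes/version.php"
}

# Compare two dotted versions numerically; prints lt, eq or gt for $1 vs $2.
# A missing component counts as 0, so "2.8" sorts below "2.8.4".
vercmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    if [ "${x:-0}" -gt "${y:-0}" ]; then echo gt; return 0; fi
    if [ "${x:-0}" -lt "${y:-0}" ]; then echo lt; return 0; fi
  done
  echo eq
}

# True when the install ($1) is older than the release named as the security fix ($2).
needs_upgrade() {
  [ "$(vercmp "$(wp_version "$1")" "$2")" = lt ]
}

# List files and directories any local user could modify (other-write bit set).
# On a shared host this is the permission mistake that lets another account's
# process rewrite your PHP.
world_writable() {
  find "$1" -perm -0002 -print
}

# Archive the whole tree ($1) into a timestamped tarball under $2; prints its path.
# Files only: the database needs its own dump (e.g. mysqldump), not shown here.
make_backup() {
  mkdir -p "$2" || return 1
  out=$2/wp-files-$(date +%Y%m%d%H%M%S).tar.gz
  tar -czf "$out" -C "$1" . || return 1
  echo "$out"
}

# True when no *.tar.gz in $1 was written within the last $2 days.
backup_is_stale() {
  [ -z "$(find "$1" -name '*.tar.gz' -mtime "-$2" -print 2>/dev/null | head -n 1)" ]
}

# Run every check and print one line per finding (nothing printed means clean).
audit() {
  root=$1; fixed=$2; backups=$3
  if needs_upgrade "$root" "$fixed"; then
    echo "UPGRADE: running $(wp_version "$root"), security release is $fixed"
  fi
  world_writable "$root" | sed 's/^/WORLD-WRITABLE: /'
  if backup_is_stale "$backups" 7; then
    echo "BACKUP: nothing newer than 7 days in $backups"
  fi
}

# Constructed demo tree: a fake 2.7.1 install with one world-writable upload
# and no backups at all, so all three checks fire.
demo() {
  d=$(mktemp -d) || return 1
  mkdir -p "$d/site/wp-includes" "$d/site/wp-content/uploads"
  printf '<?php\n$wp_version = %s;\n' "'2.7.1'" > "$d/site/wp-includes/version.php"
  echo '<?php /* placeholder config */' > "$d/site/wp-config.php"
  : > "$d/site/wp-content/uploads/photo.jpg"
  chmod 755 "$d/site" "$d/site/wp-includes" "$d/site/wp-content" "$d/site/wp-content/uploads"
  chmod 644 "$d/site/wp-includes/version.php" "$d/site/wp-config.php"
  chmod 666 "$d/site/wp-content/uploads/photo.jpg"
  audit "$d/site" 2.8.4 "$d/backups"
  rm -rf "$d"
}

# With no arguments run the demo; otherwise: audit.sh <wp-root> [fixed-version] [backup-dir]
if [ $# -eq 0 ]; then demo; else audit "$1" "${2:-2.8.4}" "${3:-$1/../backups}"; fi
```

Run it against a real install as `sh audit.sh /var/www/blog 2.8.4 /var/backups/blog` from cron and you get the "UPGRADE" line the moment a new security release number is dropped into the second argument, which is the nudge the article says too many self-hosters never give themselves.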

Today's internet isn't a safe place and you can't be naive or lazy when it comes to protecting yourself. Those who don't heed security best practices will eventually learn this the hard way regardless of which software they're using.

Patricio Robles

Published 7 September, 2009 by Patricio Robles

Patricio Robles is a tech reporter at Econsultancy. Follow him on Twitter.


Comments (6)


Richard Arblaster

I always keep my WordPress up to date, mainly due to the fact that I find it extremely difficult to ignore those messages telling me to update.

Which is of course the whole point of those messages. If you do have a self-hosted WordPress blog, the auto-update feature is brilliant; depending on the speed of your internet connection, it can take a matter of minutes to update the core files. No messing around with downloading files and then uploading them to your server.

Touch wood, the auto-update feature hasn't failed on me yet.

almost 9 years ago



I, like you, was also surprised and dismayed at both Scoble's and TechCrunch's "response" to the security vulnerabilities. WordPress 2.8.4 has been out there for weeks now and the "holes" were well documented at the time of the security release. If it were anyone else besides those two high-profilers I would scream "Linkbait", but it is surely not necessary for them to write such articles.

Shame on "tech" bloggers not updating and not taking minimal precautions.

almost 9 years ago



Each of your points is excellent, thank you for injecting some rationality into the discussion.

almost 9 years ago


Dave Doyle

I get that the WordPress crew likes you to upgrade ASAP.


I just spent the last 4 months skinning, tweaking, writing plugins for and modifying WordPress for a corporate blog. When I started, 2.8 hadn't come out. When I deploy, it has to go through two other teams before it hits the live webserver. It's tested, prodded, punched, poked by at least a dozen people. I simply can't "upgrade" on a whim. It has to go into our version control. It has to go through all these people. WordPress 2.8 came out early June. But from July 9 to Aug 12, FOUR minor point releases came out. FOUR. I can't push those through at all in that timespan.

I recognize that that's a pain in the butt. I recognize that it's stupid to have to do things this way. I don't want to. However, it is a corporate reality for a lot of us.

Why is there no maintenance at all for previous releases? I can't expect it, I get that. But to drop support for a version of the software so quickly... seems crazy to me.

There are some changes from 2.7 to 2.8. None so huge that it won't require but a little work. It looks like there are bigger changes that will affect me from 2.8 to 2.9. I can't just roll out as soon as they come out.

I would beg the WordPress team and Matt to consider backporting some of the security fixes. Because the release schedule that has been set since the 2.0 release means a new major point version every 3 to 4 months and having old releases completely unsupported, I can't help but think I'll fight harder to not use WordPress in future at work.

almost 9 years ago


Robert Nelson

I feel that web hosts, at least in some cases, could and should do more to provide firewall-like security to bloggers. I had an up-to-date stable version of WordPress and was still hacked.

I am no longer with that web host. WordPress should take this opportunity to harden security.

almost 9 years ago
