WordPress is urging anyone who has a self-hosted WordPress blog to update as soon as possible. (Your blog is self-hosted if you have it installed on your own domain. If your blog url is something like yourblog.wordpress.com.)

Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.

The tactics are new, but the strategy is not. Where this particular worm messes up is in the “clean up” phase: it doesn’t hide itself well and the blogger notices that all his links are broken, which causes him to dig deeper and notice the extent of the damage. Where worms of old would do childish things like defacing your site, the new ones are silent and invisible, so you only notice them when they screw up (as this one did) or your site gets removed from Google for having spam and malware on it.

For more information, see the WordPress blog.

[tags]Wordpress, blogging[/tags]

JOIN MY NEWSLETTER
I agree to have my personal information transfered to ConvertKit ( more information )


Get my newsletter for social media & live video tips to help you build your business.
I hate spam! Your email address will not be sold or shared with anyone.