Category Archives: Critical!
There is currently a large scale spam attack on WordPress sites that is ongoing and affects primarily WordPress versions 2.1.x and 2.2.x (it’s not clear if 2.3.x or 2.0.x are affected, but it seems likely they aren’t). The attack results in a large number of spam listings injected into either posts or theme files which are then set to be hidden through CSS. You will typically find that you’ve been affected when Google contacts you to say you are being de-listed due to a high number of spam links on your site. It is also typical for the attackers to delete all of your pages from your site for some reason, so if you load your site and all of your pages are gone you may have been hacked.
It’s not entirely clear what method the hackers are using to get admin access to the affected sites, but from my observation it may be a privilege escalation attack using the comment system. In some cases a random user account was created right before the attack. It was also noted that the comments.php theme file was altered to add in a console access applet which allowed for low level server access. If you get hacked, check every theme file to make sure no malicious code was added–or better yet, reload your theme files from a backed up or fresh copy, and delete any suspect user registrations.
WordPress 2.5 is apparently not affected by this problem, so an upgrade should help. I have upgraded my sites to 2.5 and have managed to mostly get things working (though my archive page on this site is currently non-functional). It looks like this is the unfortunate little push that will force most people to upgrade, though I strongly suggest making sure first that there are updated plugins that work with 2.5.
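As an added example (not code from the original post), a small Python script that checks for the two symptoms described above: blocks of links hidden with inline CSS in post content, and theme files that differ from a backed-up or fresh copy. The sample post body is constructed, and the theme path and reference hashes are assumptions you would supply from your own backup.

```python
import hashlib
import re
from pathlib import Path

# Constructed sample post body: a CSS-hidden block stuffed with links (the injection
# pattern described above) next to ordinary content with one visible link.
SAMPLE_POST = """<p>Welcome to my blog.</p>
<div style="display:none"><a href="http://spam.example/a">pills</a>
<a href="http://spam.example/b">buy now</a><a href="http://spam.example/c">casino</a></div>
<p>Regular content with <a href="http://example.org">one normal link</a>.</p>"""

# Block-level elements hidden with inline CSS. The regex is deliberately loose because
# injected markup is rarely well-formed; treat hits as leads to inspect, not proof.
HIDDEN_BLOCK = re.compile(
    r'<(div|span|p)\b[^>]*style="[^"]*(?:display\s*:\s*none|visibility\s*:\s*hidden)'
    r'[^"]*"[^>]*>(.*?)</\1>', re.I | re.S)
LINK = re.compile(r'<a\s[^>]*href=', re.I)


def find_hidden_links(html, min_links=1):
    """Return (link_count, snippet) for every CSS-hidden block that contains links."""
    hits = []
    for m in HIDDEN_BLOCK.finditer(html):
        n = len(LINK.findall(m.group(2)))
        if n >= min_links:
            hits.append((n, m.group(0)[:60]))
    return hits


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def read_theme_dir(theme_dir):
    """Map relative path -> file bytes for every file under a theme directory
    (e.g. the assumed path wp-content/themes/mytheme)."""
    root = Path(theme_dir)
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in root.rglob("*") if p.is_file()}


def theme_drift(live_files, reference_hashes):
    """Compare live theme files against {relative_path: sha256} recorded from a fresh
    or backed-up copy. Returns (modified, unexpected, missing) file lists."""
    modified = sorted(f for f, b in live_files.items()
                      if f in reference_hashes and reference_hashes[f] != sha256_hex(b))
    unexpected = sorted(f for f in live_files if f not in reference_hashes)
    missing = sorted(f for f in reference_hashes if f not in live_files)
    return modified, unexpected, missing
```

Run `find_hidden_links` over post content pulled from the database and `theme_drift(read_theme_dir(path), reference)` over the live theme; a modified comments.php or an unexpected new .php file is exactly the kind of change the post describes.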
I have just released new versions of the AWSOM Pixgallery (4.5.3), AWSOM News Announcement (1.4.2), and AWSOM Uninstaller (1.0.2) plugins for WordPress that have been made specifically compatible with the upcoming WordPress 2.5 release (the AWSOM Archive plugin was already fully 2.5 compatible with version 1.4.0). This means that they will install properly and work as they currently do. AWSOM plugin versions previous to these new releases will NOT install properly on WordPress 2.5 due to a major change in their plugin protocol (though I believe that already installed plugins will not stop working, I can’t guarantee that–especially if you deactivate/reactivate them during the WordPress upgrade process).
I will probably come out with another minor release of the plugins after WordPress 2.5 is officially released that does some cosmetic changes to my admin pages for the plugins, but this will have to wait until they finalize the CSS they are using for their admin pages (right now they all look fine, but don’t really match the new look of the admin area in 2.5). For the moment though everything will work properly, so you at least have one less worry if you plan on upgrading to WordPress 2.5 :)
AWSOM Pixgallery version 4.5.2 has been released. This version of the image gallery plugin for WordPress fixes a problematic bug related to the EXIF function, and finishes the Individual Comment system by displaying pre-existing comments on the main gallery level (as opposed to not showing them at all :) ). It also adds in a new debug mode for admins that will allow them to see extra information about their gallery set up to help fix display issues–it also displays the sort order number attached to an image or gallery in the thumbnail view to help in using the numerical sort option.
It is strongly suggested that all AWSOM Pixgallery users upgrade to this new version.
AWSOM Pixgallery version 4.5.1 has been released and is now available for download from the AWSOM.org website. This version was released a bit early due to the discovery of a serious bug with the image caption edit function which prevented updating of numerical sort data. As a bonus you now have the ability to display EXIF data for your images.
While it is always more convenient to place as many functions into one centralized site as possible, it is also generally more insecure and prone to problems. Case in point: forum plugins for WordPress. While I know the desire to have one centralized administration area for a forum and your blog site might seem like a good idea, it is not always in your best interest to have this as your set up. Apparently there is a bug in the current version of the WP-Forum plugin that allows malicious users to access your database information. Whenever you have a situation where you allow users to add content to your site, you create a potentially vulnerable area for someone to exploit. In the case of a forum, this can be especially difficult to program in a manner that eliminates this risk (note how often most forums issue security updates; it’s a lot). So you end up with a case where you now have 2 different site concepts taken out by the most vulnerable element. I almost exclusively suggest that people simply run 2 different sites with 2 different databases and match them using a common looking theme. It’s simply more secure to do things that way.