Wordpress Security Advisory

[JPC-Katrina]

We are currently seeing a high number of Wordpress installations being hacked due to out of date scripts, plugins, and themes. The folks at Wordpress are very good about releasing fixes whenever they hear about a new exploit. Please take some time to check your installations and update everything noted in your WP admin panel under Updates including anything installed such as a theme or plugin that is not currently being used. Consider removing unused items for better security.

Wordpress 3.3 was just released as well as updates for their 2 default themes.

Now is also a good time to harden the security of your blogs. There are lots of things you can do to protect your blogs from hacking. WPsecure has tips and info on recent exploits. See also Hardening WordPress « WordPress Codex . Many more tips are available by using search engines to search for "securing wordpress". A little time spent now on this can prevent huge headaches and downtime in the future.

There are numerous security plugins you can install such as Login Lockdown, WP Security Scan, and Mute Screamer. I highly recommend them.

Before making any changes, be sure to make a full backup of your account in your control panel under Backups. Wordpress users should also be doing routine database backups either with a cron job or a plugin named WordPress Database Backup. The database is the heart and soul of any blog. Scripts can easily be reinstalled but not lost data without current backups.

[JPC-Katrina]

The latest hacking of Wordpress is being done through the TwentyTen theme which is installed by default in new Wordpress installations. We are seeing a huge amount of sites being hacked because of it. If you are not using the default themes for your blogs or any of your other installed themes, please remove them and only keep the theme(s) you are using. Please be sure to update any remaining themes as the updates become available. There is a recent update to the TwentyTen theme available via your Admin Dashboard under Updates.

[JPC-Sabrina]

Many Wordpress users may also find considerable value in some of the information recently posted by Jason, a long time member here on the JaguarPC forums. Jason outlines some excellent additional measures you can take to tighten up your wordpress security. Minimize your vulnerabilities in Wordpress and potentially save yourself from the headaches of unexpected hack attacks.