Category Archives: Security

Beware Upgrading to a Fake WordPress 2.6.4

The Register mentions an attack on WordPress blogs that tells users to upgrade to a bogus 2.6.4 version of WordPress. This attack seems to be taking advantage of the security vulnerability that necessitated WordPress 2.6.3, whereby if an attacker could get control of an RSS feed that you publish on your blog (for example using […]

TechCrunch: Do as We Say, Not as We Do with WordPress Upgrades

A recent TechCrunch post makes it sound as if WordPress security releases are desperately following close on the heels of widespread attacks. The author, Nik Cubrilovic, then seems to suggest that open source applications are particularly at risk: Hackers are taking advantage of the open-source nature of the software to analyze the source code and […]

Zero-Day WordPress Exploit? Probably Not

The blogosphere has been all a-Twitter about a WordPress security vulnerability. Known as the “” hack, it redirects blog hits with Google as the referrer to one of several spam sites. According to Donncha O Caoimh of Automattic, this exploit took advantage of a vulnerability that has been fixed in the latest stable version of […]

Backporting WordPress Security Fixes

Alex Schleber so dislikes WordPress 2.5 that he’s worked out how to patch version 2.3.3 with 2.5’s security patches instead of upgrading. It’s an approach I would recommend against. For one thing, there’s a good chance that one won’t recognize all of the patches via changelogs, if for no other reason than that sometimes new […]

WordPress Attacks Mapped

Franklin Veaux has diagrammed a network of compromised sites–including the Boston Public Library’s blog–that are geared towards installing viruses. He notes that there has been a surge of attacks recently against compromised WordPress sites, so the lesson is to be sure that you keep your WordPress version up-to-date. Veaux does link to some of these […]

CSRF Attack on WordPress

Someone named Ferruh has a proof-of-concept cross-site request forgery (CSRF) attack against WordPress (HT: DK at BlogSecurity). I’ve tried it out successfully on my own version of WordPress 2.3.3. The scenario is like this: you go to leave a comment on someone’s site, and surreptitiously that (evil) site tricks you into changing your WordPress admin […]

Protecting WordPress from SQL Injection Attacks

David Kierznowski at BlogSecurity suggests that WordPress is “insecure by design.” What he means is that in general WordPress does not sanitize MySQL queries. He recommends that WordPress provide “a proper set of SQL safe functions (i.e. $wpdb->escape_int and $wpdb->escape_str” and “use mysql_real_escape_string(), and have clearly defined coding standards and security policies” like Drupal does. […]