Upgrade to WordPress 2.2 or have your Admin PW stolen
OK, it’s been a couple of days now and this news is only spreading. If you haven’t heard already, there is an attack out there that allows the Admin PW to be compromised for any WordPress 2.1 and 2.0 blog. Only 2.2 and the as-yet-unreleased 2.0.x are safe, and that is how it will stay. The 2.1 branch is not maintained. So far, I’ve heard nothing about plans to release a new 2.1. So at this point, for most people running 2.1, your only choice is to upgrade to 2.2.
I’ve stolen the admin PW of several 2.1 sites under my control and tested the sites of some of my friends to make sure they were safe even though they hadn’t upgraded.
There are two things that may make your 2.1 DB safe:
1. Your user named Admin is NOT user number 1.
2. Your database prefix is NOT wp_.
If you want to upgrade safely and quickly, try my script. The latest post about it is always at: http://www.thecodecave.com/EasyWPUpdate
If you want to see how we handled this at b5media, read here:
Guide to Disaster: How The Tech Team Handled WordPress Security Flaw
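As an added example (not part of the original post and not the EasyWPUpdate script), here is a small Python audit that checks the three things the post names for a 2.x blog: the WordPress branch from wp-includes/version.php, the $table_prefix from wp-config.php, and whether the user named admin has ID 1 in the users table. The file contents and user rows below are constructed samples; in practice you would read the two files from the blog's document root and fetch the rows with a query like SELECT ID, user_login FROM <prefix>users.

```python
import re

# Branches the post names as affected. The post says 2.2 is safe and that a
# not-yet-released 2.0.x will be safe, so any 2.0.x or 2.1.x actually deployed
# is treated as affected here.
AFFECTED_BRANCHES = ("2.0", "2.1")
DEFAULT_PREFIX = "wp_"

# Constructed sample inputs (not taken from any real site).
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '2.1.3';\n"
SAMPLE_WP_CONFIG = "<?php\ndefine('DB_NAME', 'example_db');\n$table_prefix = 'wp_';\n"
SAMPLE_USERS = [(1, "admin"), (2, "editor")]  # rows as SELECT ID, user_login returns them


def parse_wp_version(version_php: str):
    """Return the $wp_version string from wp-includes/version.php, or None."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", version_php)
    return m.group(1) if m else None


def parse_table_prefix(wp_config_php: str):
    """Return the $table_prefix string from wp-config.php, or None."""
    m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", wp_config_php)
    return m.group(1) if m else None


def version_is_affected(version):
    """True for any 2.0.x / 2.1.x version; an unparseable version is treated as affected."""
    if not version:
        return True
    major_minor = ".".join(version.split(".")[:2])
    return major_minor in AFFECTED_BRANCHES


def admin_is_user_one(users):
    """True if a user whose login is 'admin' has ID 1 (the post's first risk condition)."""
    return any(uid == 1 and login.lower() == "admin" for uid, login in users)


def audit(version_php, wp_config_php, users):
    """Combine the three checks into one report dict with a list of findings."""
    version = parse_wp_version(version_php)
    prefix = parse_table_prefix(wp_config_php)
    report = {
        "version": version,
        "prefix": prefix,
        "affected_version": version_is_affected(version),
        "default_prefix": prefix == DEFAULT_PREFIX,
        "admin_is_id_1": admin_is_user_one(users),
        "findings": [],
    }
    if report["affected_version"]:
        report["findings"].append(
            f"WordPress {version} is in an affected branch; upgrade to 2.2")
    if report["default_prefix"]:
        report["findings"].append("table prefix is the default wp_")
    if report["admin_is_id_1"]:
        report["findings"].append("user 'admin' has ID 1")
    return report


if __name__ == "__main__":
    for line in audit(SAMPLE_VERSION_PHP, SAMPLE_WP_CONFIG, SAMPLE_USERS)["findings"]:
        print("FINDING:", line)
```

The two database conditions are only the post's "may make you safe" heuristics; the version finding is the one that matters, and the post's advice stands regardless of the other two: upgrade to 2.2.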
[...] There is no announcement on the official site yet, but Upgrade to WordPress 2.2 or have your Admin PW stolen (WordPress 2.2 [...]
Pingback by Risk of administrator passwords being stolen in WordPress — May 25, 2007 @ 1:02 am
[...] if the two posts by Aaron Brazell and Brian Layman are to be believed, stating that attacks are underway to compromise the admin passwords of [...]
Pingback by rodtempleton.net » Upgrading to WordPress 2.2 should be mandatory — May 25, 2007 @ 11:21 am
Justified text is considered harmful
Comment by Lloyd Budd — May 25, 2007 @ 11:40 pm
Any quick fix tutorials for changing your database prefix and admin user numbers?
Comment by William Lehman — May 26, 2007 @ 2:48 pm
[...] But upgrade scripts exist that will allow you to perform this upgrade while backing up your site. [...]
Pingback by One Reason To Upgrade To Wordpress 2.2 at Sonnie’s Porch — May 27, 2007 @ 5:08 am
Along with the bug fixes, WordPress 2.2 brings new bugs to the table: wp_mail removes the Content-Type, you can’t remove widgets in Firefox and all widgets are used by default… etc. You can check the bug list at trac.wordpress.org
The official install guide is quite hard to understand, so I decided to write a tutorial with pictures about how to upgrade to WordPress 2.2, and I also describe the compatibility issues with widgets.
I haven’t tried your script, but it sounds really good. Keep up the good work!
Comment by Pufone — May 28, 2007 @ 2:30 am
[...] For all the nervousness I felt while doing it, the upgrade went through surprisingly easily. I found out afterwards that there is apparently a possibility of the administrator password being stolen on WordPress 2.0 and 2.1, so I’m glad I upgraded. I don’t get much traffic, so there isn’t much to panic about, but having your password stolen is still an unpleasant thought. 2.1.x in particular apparently isn’t maintained anymore, so if you are using ella, do it soon. [...]
Pingback by Upgraded to WordPress 2.2 — June 10, 2007 @ 8:04 am