[wp-hackers] Security

Hal Burgiss hal at burgiss.net
Sun Sep 6 14:19:10 UTC 2009


This probably is not the right list for this question, but it's the best place
I can find to ask it at the moment.

I see on Slashdot today an announcement of a new worm affecting most previous
versions of Wordpress. I maintain many Wordpress sites, most of which will be
potentially impacted. Most of these will not be easy upgrade candidates for a
variety of reasons. I am left to attempt to secure them without an easy
upgrade path. 

Now I just spent maybe 45 minutes trying to find out the technical details of
how this worm worms its way into WP so I can find an alternative solution
(hopefully). Well, I still don't know how it does what it does. I haven't a
clue. The only thing I find on wordpress.org describes the situation in a
general way, and the only provided solution is to upgrade. 

Most of the sites I manage have strict .htaccess rules protecting wp-login and
wp-admin. Am I safe in these situations, I wonder? Maybe. Maybe not.

So I look to the wp.org security blog in hopes of details. I find 9 total
posts over a 4 year period. Not particularly inspiring. Obviously, the level
of detail I am looking for does not exist on wordpress.org. Or does it? Is
there a better place, a mailing list somewhere? RSS feed? Another blog? 

I love a lot of things about Wordpress, but an easy/fast way to get detailed
security information, at least more than "upgrade now", seems overly
difficult. Thx.

