[Security] Outdated WordPress installs to be disabled


Thursday, September 18th, 2008 - Security

We still have about 82 percent of the WordPress installs that were written to a couple of weeks ago that have not been updated to 2.6.1 or later. I am going to have to begin disabling these installs because these older versions do not need to stay active indefinitely.

I will only be disabling WordPress installs that are older than 2.5.1. If you are using WordPress 2.5.1 or later, then you won’t have your install disabled. You really still need to upgrade to WordPress 2.6.2, but at this time I am not going to make any changes as long as you are running WordPress 2.5.1 or later.

If you insist on continuing to run a WordPress install that is older than 2.5.1, then I implore you to please contact the WordPress developers or visit their support community at:

http://wordpress.org/support

Running anything less than 2.5.1 (really anything less than 2.6.2) is unsafe. You can discuss your options with the community at this address.

I will likely begin disabling these scripts early next week. So if you have not yet updated, now is the time to be doing so.

Scott


[Security] WordPress 2.6.2 Released


Tuesday, September 9th, 2008 - Security

Hot on the heels of a new exploit found in WordPress 2.6.1, the WordPress developers have released an update to WordPress, version 2.6.2. This release fixes an annoying security issue where a new user can register and have the password of an existing WordPress user changed to a random password.

From the WordPress release:

Stefan Esser recently warned developers of the dangers of SQL Column Truncation and the weakness of mt_rand(). With his help we worked around these problems and are now releasing WordPress 2.6.2. If you allow open registration on your blog, you should definitely upgrade. With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password. The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit. However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password. Stefan Esser will release details of the complete attack shortly. The attack is difficult to accomplish, but its mere possibility means we recommend upgrading to 2.6.2.

I would recommend that all users, even those that are using WordPress 2.6.1, update to WordPress 2.6.2 as soon as possible.

Scott
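The release note quoted above names SQL column truncation as the root of the username trick. The following is an added illustration of that general weakness, not WordPress's code and not the specific WordPress attack chain (which the post says Stefan Esser had not yet published). It emulates two MySQL behaviours in plain Python: in the default non-strict mode an over-long value is silently cut to the column width, and under a PAD SPACE collation trailing spaces are ignored when strings are compared. The `VARCHAR(60)` width for the login column, the table class and the `admin` user are assumptions made for the demo.

```python
from typing import Dict, List

# Assumption for the demo: the login column is a VARCHAR(60) (the width of
# wp_users.user_login in WordPress 2.x). The width only affects how the crafted name is built.
LOGIN_WIDTH = 60


def mysql_store(value: str, width: int = LOGIN_WIDTH) -> str:
    """Emulate MySQL in non-strict mode: an over-long value is silently truncated on INSERT."""
    return value[:width]


def mysql_equal(a: str, b: str) -> bool:
    """Emulate a PAD SPACE collation: trailing spaces do not take part in the comparison."""
    return a.rstrip(" ") == b.rstrip(" ")


class UserTable:
    """Tiny stand-in for a users table (constructed for the demo), keyed by login name."""

    def __init__(self, width: int = LOGIN_WIDTH) -> None:
        self.width = width
        self.logins: List[str] = []

    def insert(self, login: str) -> None:
        self.logins.append(mysql_store(login, self.width))

    def find(self, login: str) -> List[str]:
        """Equivalent of `WHERE user_login = ?` with collation semantics applied."""
        return [row for row in self.logins if mysql_equal(row, login)]


def craft_collision(target: str, width: int = LOGIN_WIDTH) -> str:
    """A login that differs from `target` before truncation but is equal to it afterwards:
    pad with spaces up to the column width, then add one extra character past the edge."""
    return target + " " * (width - len(target)) + "x"


def register_vulnerable(table: UserTable, login: str) -> None:
    """Check-then-insert with no length validation. The existence check compares the full
    61-character string (no match), but the INSERT stores only the first 60 characters."""
    if table.find(login):
        raise ValueError("username already exists")
    table.insert(login)


def register_hardened(table: UserTable, login: str) -> None:
    """Normalise and validate the length before the uniqueness check, so nothing can be
    truncated on the way into the table."""
    login = login.strip()
    if not login or len(login) > table.width:
        raise ValueError("username empty or too long")
    if table.find(login):
        raise ValueError("username already exists")
    table.insert(login)


def demo_truncation() -> Dict[str, object]:
    """Run both registration paths against a table that already holds 'admin'."""
    crafted = craft_collision("admin")

    vulnerable = UserTable()
    vulnerable.insert("admin")
    register_vulnerable(vulnerable, crafted)  # accepted: 'admin   ...x' != 'admin'
    # After the truncated INSERT a lookup for 'admin' now matches two rows, so any code path
    # that fetches "the" user by login (a password reset, say) can act on the wrong account.

    hardened = UserTable()
    hardened.insert("admin")
    try:
        register_hardened(hardened, crafted)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "vulnerable_matches_for_admin": len(vulnerable.find("admin")),
        "hardened_rejected_crafted_name": rejected,
        "hardened_matches_for_admin": len(hardened.find("admin")),
    }


if __name__ == "__main__":
    for key, value in demo_truncation().items():
        print(f"{key}: {value}")
```

The application-side length check is the portable fix; on the database side, running MySQL with `STRICT_TRANS_TABLES` in `sql_mode` turns the silent truncation into an error, which is worth enabling regardless of what the application validates.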


[Security] WordPress Update Compliance


Tuesday, September 9th, 2008 - Security

I have checked on the servers and I am seeing about 15 percent compliance with the WordPress update. This means that 15 percent of the WordPress installs that were outdated last week have either been updated or removed.

Our WordPress updater program is still available to those that want to try it to upgrade their WordPress installs. We have updated a couple of WordPress 2.5.1 installs to WordPress 2.6.1 and did not encounter any problems. I am not sure if the updater will work on anything less than WordPress 2.5.1.

We have also received a few complaints and concerns from users who do not believe that they have to update their blogs. Please understand that we do not make the rules on the Internet. It is just a fact that if you run outdated software on an account then you are more likely to be hacked into. If your account is hacked into, then this can have adverse effects throughout the entire server. This is why we are pushing to get these installs updated. We are trying to raise awareness that you have to keep these installs up-to-date.

If you have concerns about the new WordPress interface or something about the new version of WordPress then you need to contact WordPress about this. You can reach the WordPress forums at:

http://wordpress.org/support

I know some users have written in saying that they are using WordPress 2.5.1 and that WordPress 2.6.1 does not contain any new security fixes. It is true that 2.6.1 does not fix any major security flaws in WordPress. While I still believe that you should upgrade WordPress 2.5.1 installs to the latest version, I am less concerned with those installs that are version 2.5.1. The main issue is with the installs that are from the 2.3 release tree. WordPress 2.3 had a lot of security issues and these issues also affected versions prior to 2.3. These installs need to be updated. If you won’t take my word for it, then ask around on the WordPress forum and see if anyone still believes you should be running WordPress 2.3.

We are just trying to be proactive in regards to this. In order to make sure the servers stay secure we have to ensure that the servers are secure. Any server administrator that knows that there are accounts on their servers that are running an old and outdated version of a script or application and does nothing about it is not doing a very good job administering the server. We are just trying to keep you informed and trying to keep your data safe.

Scott


[Security] Outdated WordPress Notice


Tuesday, September 2nd, 2008 - Security

We have sent out notices to all of the accounts that we show as having outdated WordPress installs. You should have received one of these notices if you have an outdated WordPress script on your hosting account and if your contact information is up-to-date in our billing database. If you did not receive a notice and you think you might have an outdated install you can always submit a support request and have our technicians take a look at your account.

We have posted instructions for upgrading WordPress installs. You can follow these instructions if you want to upgrade your WordPress install to the latest version. The latest version at the time of this posting is 2.6.1. If you installed WordPress through Fantastico then you need to log into your control panel and use the Fantastico link and interface to update your WordPress to the latest version. If you installed WordPress through Fantastico and you try to update it through some other means then this could have potentially adverse effects on your hosting account and WordPress install.

I have also developed an experimental WordPress updater that I can run on your account to upgrade a given WordPress install. At this time the software is just experimental, but I am willing to try the software on your account if you want me to and if you are aware of the risks. The updater may cause your WordPress install to stop working, but I need to run the updater on some installs to figure out if there are any bugs or any ways to improve the system. If you want me to run the updater on your WordPress install just submit a support request ticket with your valid username and password information and a note containing what WordPress install to update and a note that you understand the risks involved. I will have to have the correct username and password of your account in order to validate that you are the true owner of the account before I can run the update. I also may have to turn away update requests through the WordPress updater if problems are encountered.

If you are not using the WordPress installs that are listed and you want them removed, you can submit a support ticket instructing us to remove the script. Again we need to know specifically what WordPress install to remove and the valid username and password for the account. Please Note, if you tell us to remove a WordPress script from your account then that script will be deleted and cannot be brought back. So if you tell us to remove a WordPress script from your account, you need to be sure that this is really the action you want to take.

Some of you may be running reasonably up-to-date WordPress scripts on your account and you may be safe from any major security exploit. However I still recommend that you upgrade to the latest version of WordPress, version 2.6.1. You just never know when a minor flaw may escalate to a major threat. One thing is for certain, if you are always running the most up-to-date version of any actively developed script then you know that you have done the most that you can do to keep your script and website secure.

Scott


[Security] Outdated WordPress Installs


Saturday, August 30th, 2008 - Security

This past week I conducted a preliminary check on all of the servers for outdated WordPress installations. I found quite a few that were old and outdated. Keeping any script on your account that is outdated is a security risk. Most of the time developers release a new version of a script or application to address a known security risk. This is not always the case and in most cases the security issue is very minor, but a minor security issue is still a security issue and should be dealt with. If you are not keeping your scripts up-to-date, then you could be open to some type of vulnerability which can lead to problems such as website defacement or information compromise where someone steals information you have stored on your website.

I think one thing that is forgotten when users install a script or application on their website is that the management of that script or application is just starting. On the Internet software has to be maintained and kept up-to-date because it is continually accessible by the outside world. If you have Microsoft Office installed on your home computer and a new exploit for Microsoft Office is discovered, you can always just turn off your home computer and it will be impossible for that exploit to do damage on your home computer. On the Internet, it's not easy to turn off a server. If the web server is turned off, then your website won't work at all. This is why the only real option on the Internet is to continually check and make sure that all of your scripts and applications are up-to-date.

I have singled out WordPress in this particular security check. It will be impossible for me to check each and every account for up-to-date script software. This is because every piece of software is different and finding out what version is installed on each account can be difficult. There could also be thousands of different scripts and applications installed on all of our hosting servers. Each script and application would require their own system-wide version checker. WordPress is just a very popular blogging script and with it being so popular it is important to keep it up-to-date.
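As an added example of what a system-wide version check for one script looks like (this is not Scott's checker or updater, which the posts do not show), the script below walks a directory tree for `wp-includes/version.php`, which is where WordPress 2.x records its version as `$wp_version = '...';`, and flags every install older than a minimum. The 2.5.1 cut-off is taken from the September 18th notice; the home-directory layout and the three sample installs are constructed for the demo.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Cut-off from the notices: anything older than 2.5.1 gets disabled.
MIN_SAFE_VERSION = (2, 5, 1)

# WordPress 2.x writes its version into wp-includes/version.php, e.g.  $wp_version = '2.6.2';
VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]""")


def parse_wp_version(source: str) -> Optional[str]:
    """Return the version string found in the text of a version.php file, or None."""
    match = VERSION_RE.search(source)
    return match.group(1) if match else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '2.6.2' (or '2.7-beta1') into a tuple of ints so comparisons are numeric,
    not lexical: '2.10' must sort after '2.9'."""
    core = re.match(r"\d+(?:\.\d+)*", version)
    if core is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in core.group(0).split("."))


def is_outdated(version: str, minimum: Tuple[int, ...] = MIN_SAFE_VERSION) -> bool:
    """True when `version` is strictly older than `minimum`."""
    return version_tuple(version) < minimum


def scan_tree(root: Path, minimum: Tuple[int, ...] = MIN_SAFE_VERSION) -> List[Tuple[str, str, bool]]:
    """Walk `root` and report (install directory, version, outdated?) for every WordPress
    install found. An unparseable version.php is reported as outdated: we cannot prove it safe."""
    results: List[Tuple[str, str, bool]] = []
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == "wp-includes" and "version.php" in filenames:
            text = Path(dirpath, "version.php").read_text(errors="replace")
            version = parse_wp_version(text)
            install_dir = os.path.dirname(dirpath)
            if version is None:
                results.append((install_dir, "unknown", True))
            else:
                results.append((install_dir, version, is_outdated(version, minimum)))
            dirnames[:] = []  # nothing of interest below wp-includes itself
    return sorted(results)


def demo_scan() -> List[Tuple[str, str, bool]]:
    """Build a constructed home-directory tree holding three installs and scan it."""
    samples = {
        "user1/public_html/blog": "2.3.3",   # 2.3 tree: must be updated
        "user2/public_html": "2.5.1",        # at the cut-off: tolerated
        "user3/www/wp": "2.6.2",             # current
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, ver in samples.items():
            includes = root / rel / "wp-includes"
            includes.mkdir(parents=True)
            (includes / "version.php").write_text(
                f"<?php\n$wp_version = '{ver}';\n$wp_db_version = 8201;\n"
            )
        found = scan_tree(root)
    return [(Path(d).relative_to(root).as_posix(), v, old) for d, v, old in found]


if __name__ == "__main__":
    for install, version, outdated in demo_scan():
        print(f"{'OUTDATED' if outdated else 'ok      '}  {version:8}  {install}")
```

Pointing `scan_tree` at `/home` on a shared host gives the list the notices were built from; the same regex-and-compare pattern, with a different file and variable, is what each other popular script would need its own checker for.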

I am working on getting a full list of the accounts that have outdated WordPress installs. I am hoping to send out a notice to those accounts that have outdated WordPress installs sometime next week. However if you know that you have WordPress installed on your account and you have not updated it, you should consider updating the install. To download the latest version of WordPress you can visit their website. The latest version of WordPress is version 2.6.1. In the mean time you should make sure that your contact information is up-to-date with us. You can update your contact information by visiting our Account Management page and clicking the Update your Contact Information link.

I am also working on an update guide for updating WordPress. I will need to complete this before I will send out notices about the outdated installations. I am also working on an experimental WordPress updater which I can run on the server to update your WordPress installation.

So if you have a WordPress installation and you have not updated and you feel comfortable updating the installation on your own, you should consider doing this as soon as possible. Otherwise, you can wait for our official notice concerning outdated WordPress installs and our guide for upgrading.

Scott