WordPress Combats Hack Attack With Blog Software Update

The fix comes after a hacker gained access to one of the WordPress servers and installed a Trojan horse in the code for a security update to the blog publishing software.
WordPress has released a new version of its blog publishing software to combat a hacker attack that resulted in users downloading a Trojan horse onto their systems with a security upgrade that was released a few days ago.

Whoever broke into the WordPress network gained user-level access to one of the servers that powers, according to a blog by WordPress Founder Matt Mullenweg. The intruder then used that access to modify the download file, according to an advisory on the WordPress Web site. The hacker added malicious code to the source code for the 2.1.1 update, adding a Trojan that would allow for remote PHP execution. PHP is an embedded scripting language that creates dynamic content on Web pages.

WordPress did not disclose how many users downloaded the infected version.

"This is the kind of thing you pray never happens, but it did and now we're dealing with it as best we can," says Mullenweg in his blog. "Although not all downloads of 2.1.1 were affected, we're declaring the entire version dangerous and have released a new version 2.1.2 that includes minor updates and entirely verified files. We are also taking lots of measures to ensure something like this can't happen again, not the least of which is minutely external verification of the download package so we'll know immediately if something goes wrong for any reason."

The new software release can be found at the WordPress download site. The company has also set up this e-mail address to field related questions: [email protected]

The U.S.-CERT is advising people to upgrade immediately.

Masaki Suenaga, a security response engineer at Symantec, wrote in a blog that while a Web server may be running the hacked version of the software, a user who visits a Web page on a server containing the hacked WordPress software is not at risk, so long as the server has not been compromised by other malicious threats downloaded by the back door.
