Worm attacking WordPress is an example of why patching is important

Worm attacking WordPress. (IMG: WordPress.org)

If you followed the news over the Labor Day weekend, you likely know that there is a Worm targeting WordPress installations. On Saturday, Matt Mullenweg wrote a great blog post on WordPress security. Considering WordPress is arguably the most popular blogging software on the planet, the subject is worth discussing.

Mullenweg’s post started by warning everyone that the news and rumor about a WordPress Worm circulating online was legit. There is a Worm, and it moves silently, taking advantage of one critical flaw on WordPress-driven sites. The critical flaw is not the WordPress code itself. The flaw is the site operator who has either abandoned the domain and left the blog dormant, or the site operator who never updates the installation.

The Worm is an automated attack that hunts down outdated WordPress installations and targets various aspects of the software. For the RSS side of the installation, the attacker will hit WordPress’ XMLRPC script, the Permalink and trackback functions, and other items. If the attack is successful, then you can expect to see a newly created admin user account that is hidden, as well as a slew of Spam on older posts. This new admin account and Spam are just the start, as the Worm will also use your older posts to serve Malware to anyone who visits your site.

The Worm is a little lax when it comes to covering its tracks, which is how it was discovered in the first place. Site administrators who noticed the attacks all had a common clue: EVAL code discovered in the permalinks and RSS feeds (“eval(base64_decode”). A decent overview of the attack is here if you want the gory details.
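The clue administrators reported can be checked for mechanically. The Python sketch below is an added example, not code from the original article or from WordPress: it pulls the permalinks out of an RSS feed, undoes HTML-entity and percent-encoding, and flags any link that contains the “eval(base64_decode” marker. The feed, the blog.example URLs and the PLACEHOLDER value are constructed for illustration.

```python
import html
import re
from urllib.parse import unquote

# The clue named in the article: "eval(base64_decode" (case and spacing may vary).
MARKER = re.compile(r"eval\s*\(\s*base64_decode", re.IGNORECASE)
# Permalinks appear in <link> and <guid> elements of an RSS feed.
LINK = re.compile(r"<(link|guid)[^>]*>(.*?)</\1>", re.IGNORECASE | re.DOTALL)

# Constructed sample feed: one clean permalink, one carrying the marker.
SAMPLE_FEED = """<rss version="2.0"><channel>
<title>Example blog</title>
<link>http://blog.example/</link>
<item><title>Clean post</title>
<link>http://blog.example/2009/08/clean-post/</link></item>
<item><title>Old post</title>
<link>http://blog.example/2009/01/old-post/eval%28base64_decode%28PLACEHOLDER%29%29/</link></item>
</channel></rss>"""


def normalize(value, max_rounds=3):
    """Undo HTML entities and percent-encoding, repeating for nested encoding."""
    for _ in range(max_rounds):
        decoded = unquote(html.unescape(value))
        if decoded == value:
            break
        value = decoded
    return value


def has_marker(value):
    """True if the decoded value contains the eval(base64_decode marker."""
    return bool(MARKER.search(normalize(value)))


def scan_feed(feed_text):
    """Return the permalinks in an RSS feed that carry the marker."""
    return [url.strip() for _tag, url in LINK.findall(feed_text)
            if has_marker(url)]


if __name__ == "__main__":
    for url in scan_feed(SAMPLE_FEED):
        print("suspicious permalink:", url)
```

Only the link and guid elements are inspected, so a post that merely discusses the Worm in its body text is not flagged.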

“The tactics are new, but the strategy is not,” Mullenweg wrote. “Where worms of old would do childish things like defacing your site, the new ones are silent and invisible, so you only notice them when they screw up (as this one did) or your site gets removed from Google for having Spam and Malware on it.”

A story like this can easily spin itself out of control. All the elements of headline-grabbing news are there. It would not be surprising to see news items warning that a Worm attacking WordPress means millions of potential victims and the Internet is sure to crumble. Sometimes the news can be easily sensationalized. At the same time, some interesting information springs to mind when we consider the impact and resolution to the WordPress Worm issue.


Earlier this year, The New York Times reported on a 2008 survey by Technorati (a blog search engine and index), which said that only 7.4 million of the 133 million blogs online that Technorati tracks showed activity within a 120-day timeframe. The Times added that those figures amount to about 95-percent of blogs simply sitting dormant online.

Richard Jalichandra, the chief executive of Technorati, told the Times that while 7 to 10 million blogs are active on the Internet, only 500,000 of them generate the most page views.

This is an interesting line of thought, because if the media knows those numbers, then the criminals do too. Assume for a moment that not only are the criminals aware of abandoned blogs, they count on them. If the blog is online, left dormant, and uses outdated code, then the criminals can use it to jump ahead in search rankings and serve Malware. That is exactly what they are doing now, so the idea of a WordPress Worm hits a little closer to home.

Is it a lack of information or too much information?

Most bloggers are expressive people. They share whatever it is they feel like talking about at the present, and many of them have no reservations about the subject matter. However, most of them are not technical, nor do they have a desire to be technical and understand how things online operate.

When attacks like the WordPress Worm appear, some bloggers instantly dole out advice that for the most part is useless. Hiding the WordPress version, for example, is one tidbit of advice given. Mullenweg called this “snake-oil” advice, and he is correct. Considering the scope of the Worm itself attacking WordPress installations, version number alterations are a moot point.

However, at the same time there is bound to be solid press coverage on the WordPress Worm, so the only advice that matters is that the installations need to be patched. If you use version 2.8.2 or lower, and your site is targeted, it will fall victim to the Worm attacks. The newest WordPress version is 2.8.4, and can be installed with a single click inside the admin dashboard.

“If you’ve been thinking about upgrading but haven’t gotten around to it yet, now would be a really good time. If you’ve already upgraded your blogs, maybe check out the blogs of your friends or that you read and see if they need any help. A stitch in time saves nine,” Mullenweg wrote.

Don't be a statistic

In the most recent Security Statistics Report from WhiteHat Security, 82-percent of websites have had a critical security problem in the past, and 63-percent currently have a critical security issue. The WhiteHat report, released for the Spring of 2009, says that the average number of problems per website is 17.

The WordPress issue is a single vulnerability that can target millions of blogs. Yet, like the issues discovered by WhiteHat, the WordPress problem can be fixed with some code auditing and updates. The team who develops WordPress has done all of the auditing, but it will be up to the webmasters who use WordPress to see that the last step is completed.

“WordPress is a community of hundreds of people that read the code every day, audit it, update it, and care enough about keeping your blog safe that we do things like release updates weeks apart from each other even though it makes us look bad, because updating is going to keep your blog safe from the bad guys… Please upgrade, it’s the only way we can help each other,” Mullenweg concluded.

The update process is painless; as mentioned, it is a single click. Log in to your WordPress administration area, and if there is a highlighted notice, follow the instructions to update.

If your blog has been attacked, this WordPress FAQ has some tips to resolve the issue.
