Worm attacking WordPress. (IMG: WordPress.org)
If you followed the news over the Labor Day weekend, you likely know that there is a Worm targeting WordPress installations. On Saturday, Matt Mullenweg wrote a great blog post on WordPress security. Considering WordPress is arguably the most popular blogging software on the planet, the subject is worth discussing.
Mullenweg’s post started by warning everyone that the news and rumor about a WordPress Worm circulating online was legit. There is a Worm, and it moves silently taking advantage of one critical flaw on WordPress driven sites. The critical flaw is not the WordPress code itself. The flaw is the site operator who has either abandoned the domain and left the blog dormant, or the site operator who never updates the installation.
The Worm is an automated attack that hunts down outdated WordPress installations and targets various aspects of the software. For the RSS side of the installation, the attacker will hit WordPress’ XMLRPC script, the Permalink and trackback functions, and other items. If the attack is successful, then you can expect to see a newly created admin user account that is hidden, as well as a slew of Spam on older posts. This new admin account and Spam are just the start, as the Worm will also use your older posts to serve Malware to anyone who visits your site.
The Worm is a little lax when it comes to covering its tracks, which is how it was discovered in the first place. Site administrators who noticed the attacks all had a common clue, EVAL code discovered in the permalinks and RSS feeds (“eval(base64_decode”). A decent overview of the attack is here if you want the gory details.
“The tactics are new, but the strategy is not,” Mullenweg wrote. “Where worms of old would do childish things like defacing your site, the new ones are silent and invisible, so you only notice them when they screw up (as this one did) or your site gets removed from Google for having Spam and Malware on it.”
A story like this can easily spin itself out of control. All the elements of headline grabbing news are there. It would not be surprising to see of news items warning that a Worm attacking WordPress means millions of potential victims and the Internet is sure to crumble. Sometimes the news can be easily sensationalized. At the same time, some interesting information springs to mind when we consider the impact and resolution to the WordPress Worm issue.
Earlier this year, The New York Times reported on a 2008 survey by Technorati ( a blog search engine and index), which said that only 7.4 million of the 133 million blogs online that Technorati tracks showed activity within a 120-day timeframe. The Times added that those figures amount to about 95-percent of blogs simply sitting dormant online.
Richard Jalichandra, the chief executive of Technorati told the Times that while 7 to 10 million blogs are active on the Internet, only 500,000 of them generate the most page views.
This is an interesting line of thought, because if the media knows those numbers, then the criminals do to. Assume for a moment that not only are the criminals aware of abandoned blogs, they count on them. If the blog is online, left dormant, and uses outdated code, then the criminals can use it to jump ahead in search rankings and serve Malware. Exactly what they are doing now, so the idea of a WordPress Worm hits a little closer to home.
Is it a lack of information or too much information?
Most bloggers are expressive people. They share whatever it is they feel like talking about at the present, and many of them have no reservations about the subject matter. However, most of them are not technical, nor do they have a desire to be technical and understand how things online operate.
When attacks like the WordPress Worm appear, some bloggers instantly dole out advice that for the most part is useless. Hiding the WordPress version for example is one tidbit of advice given, Mullenweg called this “snake-oil” advice and he is correct. Considering the scope of the Worm itself attacking WordPress installations, version number alterations are a moot point.
However, at the same time there is bound to be solid press coverage on the WordPress Worm, so the only advice that matters is that the installations need to be patched. If you use version 2.8.2 or lower, and your site is targeted, it will fall victim to the Worm attacks. The newest WordPress version is 2.8.4, and can be installed with a single click inside the admin dashboard.
“If you’ve been thinking about upgrading but haven’t gotten around to it yet, now would be a really good time. If you’ve already upgraded your blogs, maybe check out the blogs of your friends or that you read and see if they need any help. A stitch in time saves nine,” Mullenweg wrote.
Don't be a statistic
In the most recent Security Statistics Report from WhiteHat security, 82-percent have had a critical security problem in the past, and 63-percent currently have a critical security issue. The WhiteHat report, released for the Spring of 2009, says that the average number of problems per website is 17.
The WordPress issue is a single vulnerability that can target millions of blogs. Yet, like the issues discovered by WhiteHat, the WordPress problem can be fixed with some code auditing and updates. The team who develops WordPress has done all of the auditing, but it will be up to the webmasters who use WordPress to see that the last step is completed.
“WordPress is a community of hundreds of people that read the code every day, audit it, update it, and care enough about keeping your blog safe that we do things like release updates weeks apart from each other even though it makes us look bad, because updating is going to keep your blog safe from the bad guys… Please upgrade, it’s the only way we can help each other,” Mullenweg concluded.
The update process is painless, as mentioned it is a single click. Login into your WordPress administration area, and if there is a highlighted notice, follow the instructions to update.
If your blog has been attacked, this WordPress FAQ has some tips to resolve the issue.