WordPress Under Attack! Upgrade Now or Forever Live in Fear

“Upgrading is taking your vitamins; fixing a hack is open-heart surgery,” admonishes founding WordPress developer Matt Mullenweg in a blog post concerning the platform’s recent security breach.

The particularly nasty worm has been quietly making its way into old versions of WordPress and wreaking tons of havoc. In fact, the bug is so bad that the only way to get rid of it is by exporting *all* of your content and totally removing your WordPress installation.

Users with versions older than 2.8.3 are susceptible, meaning today’s a good day to stop poking fun at WordPress’ frequent releases and actually take the time to update.

A Wormy Little Worm

Mullenweg explains that this particular worm starts out very stealthily. After registering a user, it exploits an old bug that allows evaluated code to be executed through the permalink structure, makes itself an admin and uses JavaScript to hide.

Thankfully, it’s not totally incognito. It leaves a ton of broken links behind, like breadcrumbs to a disaster (the disaster being Google removing your site for being full of spam).

“A stitch in time saves nine”

Mullenweg makes use of this expression several times in his post, presumably partially because WordPress tends to catch a lot of flak for kicking out updates that are mere weeks apart. And, OK, we admit we’ve contributed to the jeering a time or two, but it’s always out of love. Honest.

The current version of WordPress, as well as the version just before it, is immune to this worm. If you’ve been thinking about upgrading but haven’t gotten around to it yet, now would be an awesome time to do so. After all, WordPress updates only require a handful of clicks to execute.

Open Heart Surgery

Check for a ton of broken links, strange additions to your permalinks (like "eval" or "base64_decode"), or an administrative account you don't recognize. If you've got one or any combination of these problems, it's likely that you've been bit by the bug already. Thankfully there are several detailed resources for you poor unfortunate souls.
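The permalink and admin-account checks above can be run against rows exported from the database instead of by eye. The sketch below is an added example, not code from Mullenweg's post or from WordPress; it assumes the default `wp_` table prefix, rows pulled from `wp_options`, `wp_users` and `wp_usermeta`, and hypothetical function names and sample data.

```python
import re

# Strings the article names as signs of a tampered permalink structure.
SUSPICIOUS_TOKENS = ("eval", "base64_decode")

# WordPress keeps each user's roles in wp_usermeta under "<prefix>capabilities"
# as a PHP-serialized array, e.g. a:1:{s:13:"administrator";b:1;}
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def permalink_findings(structure):
    """Return the suspicious tokens present in a permalink_structure value."""
    lowered = structure.lower()
    return [tok for tok in SUSPICIOUS_TOKENS if tok in lowered]


def unknown_admins(users, usermeta, known_admins, prefix="wp_"):
    """Return logins holding the administrator role that are not expected."""
    flagged = []
    for user_id, meta_key, meta_value in usermeta:
        if meta_key != prefix + "capabilities":
            continue
        login = users.get(user_id, "<no user row for id %d>" % user_id)
        if "administrator" in ROLE_RE.findall(meta_value) and login not in known_admins:
            flagged.append(login)
    return sorted(flagged)


def audit(options, users, usermeta, known_admins):
    """Run both checks over rows exported from the WordPress database."""
    return {
        "permalink": permalink_findings(options.get("permalink_structure", "")),
        "unknown_admins": unknown_admins(users, usermeta, known_admins),
    }


# Constructed sample rows (not taken from a real site or from the article).
SAMPLE_OPTIONS = {"permalink_structure": "/%year%/%postname%/eval(base64_decode(PLACEHOLDER))/"}
SAMPLE_USERS = {1: "editor_in_chief", 2: "reader", 3: "newuser123"}
SAMPLE_USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (3, "nickname", "newuser123"),
]

if __name__ == "__main__":
    print(audit(SAMPLE_OPTIONS, SAMPLE_USERS, SAMPLE_USERMETA, {"editor_in_chief"}))
```

Pass the set of administrator logins you actually created as `known_admins`; any other login the audit returns is an account to investigate.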

Web writer Lorelle VanFossen posted an extremely detailed article on the worm complete with a list of helpful links for recovery and, of course, you can read Mullenweg's thoughts on the issue here.

If you're lucky enough to've avoided disaster, do the smart thing and upgrade.