There has recently been an attempt to distribute a trojaned version of WordPress via a phishing scam. The attack appears to have relied on exploiting an old installation of WordPress which had not been upgraded, and changing one of its dashboard feeds to point at a different site. That site then offered a trojaned install of "WordPress 2.6.4", a version which does not exist. The site has now been shut down, so it is no longer possible to get hold of this trojaned version, but the incident highlights the importance of upgrading when a security release is made.
As I said in my response in the article on The Register:
We recommend that people upgrade as soon as possible when we release a security release, so as to ensure they are not vulnerable to issues which will likely have exploits in the wild. Also, in the upcoming 2.7 release of WordPress we are including a built-in upgrade mechanism within WordPress which will allow people to upgrade automatically with ease.
I would, however, stress the need with any piece of software to check that an upgrade is real by visiting the software provider's website manually, rather than relying on a link you have been given, and to check that the version on offer is one the provider actually lists; a "2.6.4" that wordpress.org does not list is a fake. Otherwise, as with bank phishing scams, there is the potential for someone to trick you into doing something you did not want to do.
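As an added example (not code from the original post or from the WordPress project), here are the two manual checks described above written out in Python: confirm that a download link's host really is wordpress.org rather than a look-alike, and confirm that the version offered is one the official site actually lists, with the archive's checksum matching the published one. The official host list, the release list and the checksum are assumptions constructed for the example, not the real published values, and the example assumes the release page lists a checksum for each archive.

```python
"""Added example, not from the original post or the WordPress project.

Two checks an administrator can make by hand before installing an
"upgrade" that arrived via a dashboard feed or an e-mailed link:

1. Is the download link actually hosted on wordpress.org, or on a
   look-alike host?
2. Is the version one that wordpress.org actually lists, and does the
   archive's checksum match the published one?

The host list, release list and checksum below are constructed sample
data (assumptions), not the real published values.
"""
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumed set of hosts that legitimately serve WordPress downloads.
# Anything else, including "wordpress.org.example.com", is untrusted.
OFFICIAL_HOSTS = {"wordpress.org", "downloads.wordpress.org"}

# Constructed stand-in for the release list you would read off the
# official releases page: version -> SHA-1 of the zip archive.
# In the incident described in the post, "2.6.4" was offered but never
# released, so it is deliberately absent here.
KNOWN_RELEASES = {
    "2.6.3": hashlib.sha1(b"constructed wordpress-2.6.3.zip contents").hexdigest(),
}


def is_official_download_url(url: str) -> bool:
    """True only if the URL's hostname is exactly one of the official hosts.

    A substring test ('wordpress.org' in url) would accept phishing hosts
    such as wordpress.org.evil.test, or the userinfo trick
    http://wordpress.org@evil.test/, so compare the parsed hostname exactly.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()
    return host in OFFICIAL_HOSTS


def is_known_version(version: str) -> bool:
    """True if the version appears in the published release list."""
    return version in KNOWN_RELEASES


def sha1_of_bytes(data: bytes) -> str:
    """SHA-1 hex digest of an archive's contents."""
    return hashlib.sha1(data).hexdigest()


def verify_download(version: str, archive: bytes) -> bool:
    """Reject versions the release list does not know about outright;
    otherwise compare the archive's SHA-1 with the published one in
    constant time."""
    expected = KNOWN_RELEASES.get(version)
    if expected is None:
        return False
    return hmac.compare_digest(sha1_of_bytes(archive), expected)


if __name__ == "__main__":
    # Constructed sample links: the lure in the post looked like a normal
    # dashboard link but pointed at a third-party host.
    for url in (
        "http://wordpress.org/download/",
        "http://downloads.wordpress.org/release/wordpress-2.6.3.zip",
        "http://wordpress.org.evil.test/wordpress-2.6.4.zip",   # look-alike host
        "http://wordpress.org@evil.test/wordpress-2.6.4.zip",   # userinfo trick
    ):
        verdict = "official" if is_official_download_url(url) else "UNTRUSTED"
        print(f"{url}: {verdict}")

    good = b"constructed wordpress-2.6.3.zip contents"
    print("2.6.3 genuine archive:", verify_download("2.6.3", good))
    print("2.6.3 tampered archive:", verify_download("2.6.3", good + b"backdoor"))
    print("2.6.4 (never released):", verify_download("2.6.4", good))
```

The version check is the one that would have caught this particular lure: whatever the archive looked like, no release list contained a 2.6.4, so the upgrade should have been refused before any checksum was computed.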
Thanks for the heads up Peter.
I’m worried that there could be a day when any site has to have Extended Validation on it for laymen to trust it. The scammers, phishers and black hats are potentially doing more harm to the internets than those who want to dump net-neutrality.
It’s a war, really 😦
Upgrading to the most recent version is always recommended. I have a post on my blog on WordPress security; these steps might help you secure your blog.
http://coolwebdeveloper.com/2008/10/wordpress-blog-security-tips-hacks-and-plugins/
But why could something like this not happen with the automatic upgrade?
I prefer to get it manually from the wordpress.org site.
@behe: Yes, this kind of attack could take advantage of the core upgrade stuff that is coming in 2.7.
That is why I would always recommend that you check on WordPress.org for the existence of the update before you click update in your admin panel.