Cracker Modifies 2.1.1 Download Files on Wordpress Servers

If you downloaded Wordpress 2.1.1 in the last few days as part of your Wordpress upgrade, its time to upgrade again to Wordpress 2.1.2. A cracker gained user-level access to one of the servers that powers wordpress.org, and modifed the wordpress download files. Although not all downloads of 2.1.1 were affected, they declared the entire version dangerous and have released a new version 2.1.2 that includes minor updates too.

The official word from wordpress is

“If your blog is running 2.1.1, please upgrade immediately and do a full overwrite of your old files, especially those in wp-includes. Check out your friends blogs and if any of them are running 2.1.1 drop them a note and, if you can, pitch in and help them with the upgrade.

If you are a web host or network administrator, block access to “theme.php” and “feed.php”, and any query string with “ix=” or “iz=” in it. If you’re a customer at a web host, you may want to send them a note to let them know about this release and the above information.”

My first reaction was since the problem occured for last 3-4 days and I downloaded it on the day of launch, maybe I could skip the upgrade. Then I read Mark’s post which says it is a mandatory security upgrade for all users of 2.1 or 2.1.1.

“It doesn’t matter if you installed 2.1.1 on the first day it came out, well before the cracker modified the file on wordpress.org. It doesn’t matter if you upgraded to 2.1.1 using SVN. WordPress 2.1.2 has a security fix that 2.1.1 doesn’t have. And it has several fixes that 2.1 doesn’t have. So please, upgrade to 2.1.2 now.”

Since everyone knows your wordpress version, protect you blog and Download Wordpress 2.1.2 today.