You didn't hear? Upgrade now!

On the off chance that you haven’t heard the news yet: you should upgrade your WordPress install straight away. Don’t hesitate, do it now. Don’t pause to grab a cup of coffee. If you’re just waking up then rub the sleep from your eyes and jump to the download page and grab WordPress 2.1.2.

Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately.

Users running from svn code aren’t affected, but then you probably knew that already, didn’t you? You should be subscribed to the Hackers and Testers lists.

Don’t worry if you’re running a WordPress MU site. That isn’t affected, although you should upgrade to the latest 1.1.1 release as that fixes a number of problems with 1.0 as well as merging in some security fixes from WordPress core. users have nothing to worry about.

By Donncha

Donncha Ó Caoimh is a software developer at Automattic and WordPress plugin developer. He posts photos at In Photos and can also be found on Twitter.

20 replies on “You didn't hear? Upgrade now!”

Cracked, Exploit in 2.1.1 Release…

As pointed out on the WordPress development blog, a cracker gained access to the servers and replaced the 2.1.1 download with a modified exploitable version. The exploitable download may have been on the site for three or four days!
It ma…

InsiderOuter – Because of Microsoft management. Microsoft is in a completely different field and dealing with way more people than WordPress, and management thinks as long as the majority of the people are satisfied, it is ok to take things slow to be on the safe side. 🙂

Hi Donncha, maybe a stupid question but I’ll ask anyway: I upgraded to 2.1, but have not gone up to 2.1.1 yet. Am I still in the shit? I haven’t got access to broadband or a decent connection for another 2 weeks, downside of being on a ship. What could happen?
Cheers Tim (a worried sailor blogger)

Michael – sometimes bad things happen in the world. It would be infinitely worse if we sat on it, released a new version and didn’t make a huge fuss about it. Aren’t disclosure and open source great?

Tim – the malicious code inserted into the hacked version of the zip file won’t be on your system but there were other bug fixes that made 2.1.1 a necessary upgrade.
If you can find the time, upgrade your host just in case. Can you ssh, or will you be ftping files up from your slow location? If you can ssh into your host you can wget the file from there, so it won’t matter how slow your connection is!

I had updated a while ago, so wasn’t affected, but it was a good excuse to update anyway 😉

I wonder who HASN’T heard so far…although I’ve seen some very old WP installs out there, I’m talking v1.xx

Important: Upgrade to WordPress 2.1.2…

The official WordPress site strongly recommends updating to version 2.1.2.
For those using the 2.0.x line of versions, the update is not required; it is required…

Upgrading WordPress 2.1…


mysql 4.1.21 upgraded to 5.0.27
php 4.4.4 upgraded to 5.2.0
apache 2.0.59 upgraded to 2.2.4
activeperl 5.8.7 upgraded to 5.8.8 (this is not required by WordPress)

WordPress upgraded from 1.5.2…

This only concerns the users who downloaded 2.1.1 from the website in the past few days. The code was inserted about 4-5 days ago so if you downloaded it before that you should not be affected. Anyhow better safe than sorry so you should download and install asap.
