There's never been a better time to upgrade WordPress

When is the best time to upgrade your blog software?

  1. After the latest release has been out for a few weeks?
  2. When a release is so new it’s burning a hole in the ftp servers?
  3. When there have been a couple of releases because idonthavethetimetoupdateeverysingletime?
  4. Now?

The best time is right now. Spammers are taking advantage of exploits in old versions of WordPress and inserting hidden spam links in posts and using WordPress powered blogs to distribute viruses and malicious software. They’re also using these exploits to run their own code on your server.

This morning I spotted an Irish blog in my feedreader that had hidden links added to it. I contacted the blog owner and she’s going to upgrade her blog soon.

The best way of stopping them is by downloading the latest version of WordPress which at the moment is 2.3.3 2.5 and if you use use WordPress MU you should download version 1.3.3 of that. Once you’ve upgraded change the passwords of all your users. On WordPress MU sites, it’s probably enough to ask any user with site_admin access to change their password. To make your life easier, try the WordPress Automatic Upgrade plugin. I haven’t used it yet but it works for a lot of people.

If you suspect that your blog has been compromised and you have already upgraded then please change your passwords and overwrite your current install with the files from a newly downloaded copy of WordPress. It’s worth checking that no extra php files have been added too.

Running your own blog is about more than just writing and contributing to the blogosphere conversation. You also have an important responsibility to be a good ‘net citizen by keeping your software up to date.

If you absolutely cannot upgrade straight away then adding a .htaccess file in your wp-admin/ directory and adding another username and password level of authentication might help. This page describes how to do that, but it is no substitute for upgrading to WordPress 2.3.3 2.5. You should delete you xmlrpc.php too, thus depriving yourself of pingbacks and desktop blog posting abilities.

Go on, upgrade. After you do it once it doesn’t seem so scary.

Update! To find any posts with hidden links search your posts for any of the following:

  1. display:none;
  2. height:0

You can use the Search box on the posts edit page, or phpMyAdmin.
Open up phpMyAdmin, go to wp_posts, click Search and in the box next to post_content type %string% where string is one of the two options above.
That may return posts that don’t have any hidden links but it’s better to be safe than sorry.

StumbleUpon's brief dalliance with CAPTCHAs

I was shocked to see a CAPTCHA this morning when I stumbled a post not yet in the SU database. StumbleUpon to me was and is the one social network where I hadn’t come across reams of spam or annoying behaviour. The overall experience there has been so smooth and enjoyable that I wondered just how they managed to keep the spammers at bay. Obviously they’re attracting the wrong attention now because this morning I was presented with a CAPTCHA twice when I discovered new content.

Illegible caption on StumbleUpon
Illegible StumbleUpon CAPTCHA

A slightly more readable StumbleUpon CAPTCHA

Those CAPTCHAs look like the one on Matt Haughey’s post. I guess StumbleUpon were using ReCAPTCHA too? Thankfully they stopped and the last post I stumbled (Matt’s post above) had a big empty space where the CAPTCHA had been. Please SU, don’t bring the CAPTCHA back!

Thanks Mark for the link to Matt’s post.