The IT Kitchen was recently hacked, and because of that, Shelley has found a critical bug in both WP 1.2.x and 1.3a. She provides the full details on what is wrong and how to fix it. There is also a thread in the forums that details the bug and the fix for it.
This was actually an already known bug, but unfortunately the WordPress forums don’t really explain what to fix to prevent it from happening in that post, and there hasn’t been much of a public push to fix the code. Until now.
If you’re running WordPress, please visit Shelley’s site and fix the code to prevent this from happening to you.
I repeat … DANGER. DANGER. IF YOU ARE RUNNING WORDPRESS, FIX THE CRITICAL BUG NOW.
(Do you think that will get people’s attention?)
18 replies on “WP Security Bug…”
[…] I have so many blogs to update. Anyway, if you haven’t heard the buzz, check it out here and you can get the skinny.
RSS fee […]
[…] y Bug (posted to Site Stuff TrackBack Tech at 8:23 am – permalink) Thanks to Big Pink Cookie for pointing out a WP security problem and Climb to the Stars f […]
[…] make a site inaccessible. And anyone criticising that position was “freaking out”. [BigPinkCookie], [ Shelley] Dana Blankenhorn just dared criticise the lack […]
What? I understand that I need to do something but code? You want me to touch code?
thank you!!!!
Syd, it’s ok. You can do it. You can touch code.
Or you can hook me up with your login info and I’ll touch code for you. Whatever works for you. 🙂
THANK YOU!!!
Thank you for the 411 on this.
Thanks for scaring people with the CRITICAL BUG. A critical issue would be if someone could break into the machine and take total control of it. This is an annoyance at best. If you scare people like that with this, then they will stop listening soon enough, and when there is a real critical fix, blamo.
I’m behind on the WP updating… I’m still on 1.2. So I think I’m still safe… for now.
I’m behind on the WP updating as I’m thinking about changing CMS. For once I’m glad I’m only using 1.2 :).
Thanks for this. I think I’m okay for right now, but I will look into it. 🙂 Have a good Monday Christine!
Michael, while I appreciate your opinion that it shouldn’t be called a critical bug, I wonder what else you would call it? Someone being able to hack your site isn’t critical to you? Well, it is to me…
This is a bug, but there are several ways it can get worse. No one can change your posts, take control so you can’t get access, delete your website, impersonate you, get your personal financial information, steal passwords and countless other things I haven’t thought about. This is a bug that lets people break your website. There are lots of other things that will break programs. That’s the normal state of affairs.
A CRITICAL BUG would be one that would allow someone to take control of your site in a way to impersonate you and prevent you from having the access to it to prevent or correct the situation.
Michael, a critical bug is a bug that causes what people perceive to be a critical failure of the software. I think a hole in the software that allows a key piece of information to be changed just by typing a URL into a browser, a change which then renders the site unreadable, not to mention making it impossible to log into administration, is a ‘critical’ bug; especially if you’re not a coder and have no idea what is going on. Heck, even if you’re a coder, and still have no idea what is going on.
As for deleting a website — that’s not critical, our hosts can usually recover it. Change your posts? Ditto. Get your financial information? How the heck would that happen with WordPress?
Every software has ‘worst cases’ of bugs associated with the type of software, and making a weblog unreadable would be within the range of ‘worst case’ for a weblogging tool.
Breaking a site that badly is not the ‘normal’ state of affairs, not if you want your product to have any credibility.
I appreciate Christine spreading the word on this. I just wish that the WordPress developers would stop telling people this is a ‘minor’ problem, being reported by people ‘freaking out’. Well, they can continue — but all they’re doing is hurting the software.
I thought I was the only one. Thanks for the info!!
That did get my attention and I’m off to check it out. Thank you for linking all of this, it’s a very informative post!
Problem solved, I think
y.o was afflicted by the wordpress “disrupt your CSS and no comments please” code, thanks for the solution!…