Article by Jerry Low
Geek dad, SEO data junkie, investor, and founder of Web Hosting Secret Revealed. Jerry has been building Internet assets and making money online since 2004. He loves mindless doodling and trying new food.
Recently there has been an attempt to distribute a “trojaned” version of WordPress (the so-called WordPress 2.6.4) via a phishing scam.
Outdated WordPress installations are the target: their users are pointed to an “update” to 2.6.4 (a version that does not exist) hosted on the phishing site ‘WordPresz.org’ (note the one-letter difference from WordPress.org).
The topic heated up when one of the victims posted this on the WordPress forum:
I think that my WordPress has been hacked. I’m not a technical guy so looking at the PHP etc. is not an option. In my dashboard the second box down on the left – the one that tells me all the recent news – changed; it tells me to Update WordPress 2.6.4 immediately! Then it points me to a site called wordpresz dot org where a suspicious download of WordPress 2.6.4 is waiting for me. Is my site compromised? What can I do? What other damage should I expect?
A check with the WordPress developers confirmed that this is an attack on outdated WordPress installations. Peter Westwood, one of the WordPress lead developers, responded:
“It looks like sites which have not upgraded to 2.6.3 are being exploited in an interesting way whereby a hacker, probably using an automated script, is hacking into sites with the vulnerability and changing the settings of one of the dashboard modules to point to a different feed thereby encouraging people to go to a different site which is offering a dodgy upgrade.
“We recommend that people upgrade as soon as possible when we release a security release so as to ensure they are not vulnerable to issues which will likely have exploits in the wild.”
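The attack Westwood describes works by rewriting the URL of a dashboard news feed, so a quick check for an affected site is to pull the dashboard-related rows out of wp_options and flag any feed URL whose host is not the expected one, including look-alike hosts only one or two characters away from it (wordpresz.org versus wordpress.org). The script below is an added example, not code from this article or from WordPress itself. It assumes the dashboard feed settings live in options whose names start with `dashboard`; the `dashboard_widget_options` row, the other rows and the allowlist of expected hosts are constructed samples, not real data.

```python
import re
from urllib.parse import urlparse

# Hosts the dashboard news feeds are expected to come from (assumption:
# the genuine feeds lived on wordpress.org; adjust for your installation).
EXPECTED_HOSTS = {"wordpress.org", "www.wordpress.org", "planet.wordpress.org"}

# Any http(s) URL up to whitespace, a quote or a semicolon; enough to pull
# URLs out of both plain option values and PHP-serialized arrays without
# parsing the serialization format.
URL_RE = re.compile(r"https?://[^\s\"';]+")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_host(host: str) -> str:
    """'trusted' if on the allowlist, 'lookalike' if within two edits of an
    allowlisted host (a typosquat such as wordpresz.org), else 'unknown'."""
    host = host.lower().rstrip(".")
    if host in EXPECTED_HOSTS:
        return "trusted"
    if any(levenshtein(host, good) <= 2 for good in EXPECTED_HOSTS):
        return "lookalike"
    return "unknown"


def audit_options(rows):
    """rows: iterable of (option_name, option_value) as exported from wp_options.
    Returns (option_name, url, verdict) for every dashboard-related URL that is
    not on the allowlist. Assumption: dashboard module settings are stored in
    options whose name starts with 'dashboard'."""
    findings = []
    for name, value in rows:
        if not name.startswith("dashboard"):
            continue
        for url in URL_RE.findall(value):
            host = urlparse(url).hostname
            verdict = classify_host(host) if host else "unknown"
            if verdict != "trusted":
                findings.append((name, url, verdict))
    return findings


# Constructed sample rows (not real data): the primary feed URL has been
# swapped for the look-alike domain, the secondary feed is untouched, and a
# made-up third option points somewhere unrelated.
SAMPLE_ROWS = [
    ("siteurl", "http://blog.example.com"),
    ("dashboard_widget_options",
     'a:2:{s:17:"dashboard_primary";a:2:{s:4:"link";s:33:"http://wordpress.org/development/";'
     's:3:"url";s:38:"http://wordpresz.org/development/feed/";}'
     's:19:"dashboard_secondary";a:1:{s:3:"url";s:33:"http://planet.wordpress.org/feed/";}}'),
    ("dashboard_extra_feed", "http://updates.example.net/feed"),  # constructed option name
]

if __name__ == "__main__":
    for name, url, verdict in audit_options(SAMPLE_ROWS):
        print(f"{verdict:9} {name}: {url}")
```

Feed the function the output of `SELECT option_name, option_value FROM wp_options` from the affected database. A `lookalike` verdict is the signature of this particular attack; an `unknown` host is worth a look too, since the attacker could just as well point the feed at an unrelated domain. Because the site had to be broken into for the setting to change, a hit here means the installation is compromised and needs more than the feed URL restored.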
Fortunately, the website (WordPresz.org) has now been shut down, so it is no longer possible to get hold of this “trojaned” version. For those who do not upgrade their web apps regularly, mark this as an important lesson: upgrade your WordPress (or any other web app) as soon as a security release is made. Note that in this attack the unpatched installation itself was the entry point and the fake update notice was only the payload, so a site that displayed the notice had already been broken into and should be checked for other changes, not just have the feed setting restored.
WordPress is also working to prevent this in future. According to Westwood, the next version of WordPress will include a built-in upgrade mechanism so that upgrades are done automatically.