Some thoughts on WordPress security and the recent shared hosting attacks

After being a guest on the ExplicitWeb podcast, recorded this afternoon, I noticed that I had been asked on Twitter to talk about what my thoughts were on the current hacks on WordPress and other PHP sites. We didn’t dive into security, instead talking about WordPress 3.0, the development process, and how to contribute, but I wanted to address this very valid question, and in more than 140 characters.

As of this writing, there are no known exploits of WordPress 2.9.2. The viruses going around on various shared hosts appear to be indiscriminately targeting any and all PHP files, and there is no indication that the payload is being delivered through WordPress. Indeed, there are some accounts that are not running WordPress but their PHP files are still being infected.

WordPress is incredibly secure, and we also take security very seriously. E-mail security@wordpress.org if you believe you have discovered a vulnerability. All indications are that these are server and hosting configuration issues. Network Solutions admitted the hacks infecting their users were their fault, while GoDaddy is demonstrating arrogant cluelessness.

WordPress is incredibly popular and used by millions, and thus is an obvious and very public target. But I wish to emphasize that there is a huge difference between a hack exploiting WordPress and a hack targeting WordPress. Many bloggers are grouping both types of attacks as “WordPress hacks,” even though none of them exploit WordPress directly and other PHP applications are being infected as well — WordPress just happens to be the most widely used.

The difference is significant. A hacker can infiltrate a server and target WordPress files or the database without exploiting WordPress itself. This is quite common because WordPress is so commonly used. A hacker exploiting WordPress means that they are using a bug or vulnerability in WordPress as the attack vector. This is quite rare, especially in more recent versions of WordPress. When a vulnerability is discovered, it is fixed quickly and an update is released. Keep up to date and always ensure you are using the latest and greatest version of WordPress, currently 2.9.2.
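Because the infections described above rewrite PHP files on the server rather than going through WordPress, the practical check is file integrity: hash every PHP file once from a known-good install, then re-hash later and report anything added, removed or changed. The script below is an added example, not code from this post or from the WordPress project; the root path and the sample manifests are constructed for illustration.

```python
import hashlib
from pathlib import Path


def build_manifest(root, suffixes=(".php",)):
    """Map each PHP file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifest(baseline, current):
    """Report files added, removed or modified since the baseline was taken.

    An indiscriminate PHP infection shows up here as many 'modified' entries
    across unrelated directories, plus any dropped files as 'added'.
    """
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in shared if baseline[p] != current[p]),
    }


if __name__ == "__main__":
    # Constructed demo: a tiny fake install, then one file altered and one dropped in.
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        site = Path(root)
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
        baseline = build_manifest(site)          # taken from the known-good state
        (site / "index.php").write_text("<?php /* altered */ require 'x.php';\n")
        (site / "wp-content" / "uploads" / "unexpected.php").write_text("<?php\n")
        for kind, files in diff_manifest(baseline, build_manifest(site)).items():
            print(f"{kind}: {files}")
```

Keep the baseline manifest off the web root (or off the host entirely), since a process that can rewrite every PHP file can rewrite a manifest stored beside them.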