I don’t normally like doing “timely” posts, but there seems to be some confusion regarding the reason behind the release of WordPress 2.8.6 among some in the online business arena, so I thought I’d take a few moments to explain.
According to Dawid Golunski, the basic problem is that anybody with the right to upload files when creating a blog post can simply tack an extra extension onto a PHP script, e.g. file.php.jpg. If I understand this correctly (and Dawid’s post is a bit technical), WordPress will see the .jpg extension and allow the upload. Apache (and apparently only Apache) will see that it’s actually a PHP file and will happily execute the script if it is accessed via a web browser.
Ouch.
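To make the double-extension problem concrete, here is an added example (my own illustration, not WordPress code and not from Dawid’s post) that puts a naive upload-name check, which only inspects the final suffix, next to a hardened one that examines every dotted segment, refuses script extensions anywhere in the name, and stores the file under a name with a single extension. The extension lists, function names and sample file names are assumptions constructed for the demonstration.

```php
<?php
// Added example, not WordPress code: a naive upload-name check next to a hardened one.
// The naive check has the shape of the weakness described above: it looks only at the
// final suffix, so "shell.php.jpg" is accepted, while Apache's mod_mime (with an
// AddHandler/AddType for .php) still treats the embedded ".php" as an extension.

const ALLOWED_IMAGE_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif'];   // assumed policy
const SCRIPT_EXTENSIONS        = ['php', 'php3', 'php4', 'php5', 'phtml', 'phar'];

// Naive check: only the last extension is inspected.
function naive_is_allowed(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_IMAGE_EXTENSIONS, true);
}

// Hardened check: returns a safe name to store the file under, or null to reject.
// Every dotted segment is examined, script extensions are refused anywhere in the
// name, and the stored name keeps exactly one extension.
function hardened_upload_name(string $filename): ?string
{
    $parts = explode('.', basename($filename));   // basename(): drop any directory part
    if (count($parts) < 2) {
        return null;                               // no extension at all
    }
    $ext = strtolower(array_pop($parts));
    if (!in_array($ext, ALLOWED_IMAGE_EXTENSIONS, true)) {
        return null;
    }
    foreach ($parts as $segment) {
        if (in_array(strtolower($segment), SCRIPT_EXTENSIONS, true)) {
            return null;                           // "shell.php.jpg" is rejected here
        }
    }
    // Inner dots become underscores so the stored name has a single extension:
    // "holiday.2009.jpg" -> "holiday_2009.jpg".
    $stem = preg_replace('/[^A-Za-z0-9_-]/', '_', implode('_', $parts));
    if ($stem === '') {
        $stem = 'upload';
    }
    return $stem . '.' . $ext;
}

// Content check: the bytes must actually decode as an image of the claimed kind.
// getimagesize() returns the IMAGETYPE_* constant in element 2.
function looks_like_image(string $path, string $ext): bool
{
    $info = @getimagesize($path);
    if ($info === false) {
        return false;
    }
    $expected = ['jpg' => IMAGETYPE_JPEG, 'jpeg' => IMAGETYPE_JPEG,
                 'png' => IMAGETYPE_PNG,  'gif'  => IMAGETYPE_GIF];
    return isset($expected[$ext]) && $info[2] === $expected[$ext];
}

// Demonstration with constructed file names (no real uploads are involved).
$samples = ['holiday.jpg', 'shell.php.jpg', 'holiday.2009.jpg', '../notes.PHP', 'report.pdf'];
foreach ($samples as $name) {
    printf("%-20s naive: %-5s hardened: %s\n",
        $name,
        naive_is_allowed($name) ? 'allow' : 'deny',
        hardened_upload_name($name) ?? 'deny');
}
```

Running it shows the difference on the second sample: the naive check allows shell.php.jpg because its last extension is .jpg, while the hardened check denies it and, for an innocent name like holiday.2009.jpg, stores holiday_2009.jpg so that only one extension is ever left for mod_mime to interpret. Name checks are only half of the defence; the other half is making sure nothing in the uploads directory can execute at all, for example with php_flag engine off in a .htaccess for mod_php, or a FilesMatch block on the .php-style extensions with Require all denied on Apache 2.4.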
Keep in mind that many criminals are quite adept at getting WordPress passwords (there are many ways to do it, which I won’t go into here), so just because you only have one account in your WordPress admin area and you’ve never given anybody the password doesn’t mean that nobody has it. This kind of thinking is called “sticking your head in the sand” (i.e. ignoring a threat) and does nothing to protect your business.
I recommend that you upgrade now to the latest version of WordPress. In fact, if you read this post 10 years from now and the latest version of WordPress is 374.1.56, I STILL recommend that you upgrade to the latest version.
As a reminder, have you also installed the wp-db-backup plugin and configured it to automatically email you a backup every day? If not, just log in to your WordPress admin area (AFTER you upgrade to the latest version), click on the “Plugins” link, and search for the plugin name. It takes two minutes to configure it, and if you email your backups to a Gmail account, you’ll be able to store lots of backups before running out of space. If you don’t want to have to worry about deleting a bunch of ancient backups, you can always set up a filter to send the backups to Trash, where they will be automatically deleted after 30 days; just type “in:trash” in the Gmail web interface to access your Gmail trash folder if you don’t see the link.
Stay as safe as you can. Please. Stay on top of those patches and upgrades.
A special thanks to Dawid Golunski (or maybe “dziekuje”?) for discovering and reporting this, and my apologies if I twisted something in the explanation. Even if I messed something up, you still need to upgrade!