WordPress Security Issue
Dr. Dave, the dude behind Spam Karma, has issued a warning to all WordPress users. A message popped up on my Spam Karma 2 dashboard warning of a potential security vulnerability in WordPress. Here’s part of the warning:
If you are running WordPress as your blogging platform and if you have been trusting enough to leave User registration enabled for guests, DISABLE IT IMMEDIATELY (in wp-admin >> options: make sure “Anyone can register” is not checked).
Additionally, delete or disable ANY guest account already created by people you are not sure about.
Leaving it open and letting people sign up for guest accounts on your WordPress blog could lead to incredibly nasty stuff happening if anybody so desired. And trust me I am not exaggerating this. So don’t wait a second to disable this option and please relay the message.
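For anyone who would rather check and change this directly in the database (for example on a blog whose admin pages are slow or locked down), here is the same two-step procedure as SQL. This is an added example, not part of Dr. Dave’s warning or of WordPress itself; it assumes the default “wp_” table prefix and the WordPress 2.0 schema, including the user_id column on wp_comments.

```sql
-- Added example, not from the original post. Assumes the default "wp_" table
-- prefix and the WordPress 2.0 schema (wp_options, wp_users, wp_usermeta,
-- wp_comments with a user_id column). Run against the blog's MySQL database.

-- 1. Check the current setting: '1' means "Anyone can register" is on.
SELECT option_name, option_value
  FROM wp_options
 WHERE option_name = 'users_can_register';

-- 2. Turn registration off (same effect as unchecking the box in
--    wp-admin >> Options).
UPDATE wp_options
   SET option_value = '0'
 WHERE option_name = 'users_can_register';

-- 3. Audit guest accounts: subscribers (the role self-registered users get)
--    that have never left a comment, newest first. Roles are stored in
--    wp_usermeta as a serialized PHP array, hence the LIKE on the string.
SELECT u.ID, u.user_login, u.user_email, u.user_registered
  FROM wp_users u
  JOIN wp_usermeta m
    ON m.user_id = u.ID
   AND m.meta_key = 'wp_capabilities'
  LEFT JOIN wp_comments c
    ON c.user_id = u.ID
 WHERE m.meta_value LIKE '%"subscriber"%'
 GROUP BY u.ID, u.user_login, u.user_email, u.user_registered
HAVING COUNT(c.comment_ID) = 0
 ORDER BY u.user_registered DESC;
```

The third query only produces a list to review; it does not delete anything. Go through the accounts it returns and remove the ones you do not recognise from wp-admin >> Users, which also lets you reassign any posts they own.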
Now, the WordPress development team was apparently notified a “while back”. They supposedly haven’t done anything yet to rectify this problem. Dr. Dave has received a lot of questions due to his initial post. In turn, he’s made another post in which he addresses some of those questions.
Hopefully we’ll see WordPress 2.0.4 out within a few days.
UPDATE: WordPress 2.0.4 Beta is out. It should be safe to open user registrations under WordPress 2.0.4. I’d expect to see the final 2.0.4 release next week.
[via Ryan Boren]