Over the US Labor Day weekend, older (pre 2.8.4) versions of WordPress were reportedly attacked by a worm which inserts hidden spam and malware into your old posts.
Here’s what the New Tricks Team recommends:
- From the WordPress dashboard, select ‘Tools; Backup’. If you don’t already have the WP Database Backup plugin, then install it from ‘Plugins; Add New’.
- Backup a copy of your WordPress site. You can download the backup to your local machine, send the backup to your email address or store it on your server.
- For double protection, go ahead and create an xml export of your content (‘Tools; Export’).
- Disable your plugins (from the WordPress Dashboard, select ‘Plugins’. Then, select all of your Plugins by checking the box at the top. Choose, ‘ Deactivate’ from the Bulk Actions Dropdown then ‘Apply’).
- Upgrade to WordPress 2.8.4 (Either follow the prompt at the top of your Dashboard or select ‘Tools;Upgrade’).
- Reactivate your plugins. We recommend reactivating them one by one in case one doesn’t work with the latest WordPress release.
Here is some additional info on the attack:
- How to Keep WordPress Secure by Matt at Automattic
- Old WordPress Versions Under Attack – by Lorelle – More info about the attack and how to backup and protect
Please note that the threat is just for WordPress.org users – if you have a WordPress.com blog, then there is no need to lose sleep.