Don't Panic! WordPress Is Secure


There is news of a worm which uses a vulnerability in the PHPXMLRPC libraries to spread a computer virus. Some articles are pointing to out-of-date information claiming that WordPress 1.5 is vulnerable. That is incorrect. WordPress 1.5 or higher is safe. Since the release of version 1.5, WordPress has used a completely different XML-RPC library, called IXR.

Older WP versions (1.2.x and earlier) are vulnerable, however. If for some reason you are still running a pre-1.5 version of WordPress, you should upgrade immediately to the latest version, WordPress 1.5.2 “Strayhorn”. If upgrading poses a problem for some reason, and if you don’t need pingbacks or blog client API functionality, simply delete the class-xmlrpc.php and class-xmlrpcs.php files from your installation’s wp-includes directory (but you really should upgrade).
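For anyone responsible for more than one installation, the following added example (not part of the original post and not WordPress project code) lists every copy of the two files named above under a directory tree, without deleting anything. The function name audit_tree and the path in the usage comment are assumptions; only the two file names and the wp-includes directory come from the post.

```shell
#!/bin/sh
# Added example, not WordPress code. Only the two file names and the
# wp-includes directory come from the post; audit_tree is a hypothetical name.
# Read-only: it reports files and never deletes them.

# audit_tree BASE
#   Prints one line per legacy XML-RPC library file found in any
#   wp-includes directory under BASE.
#   Returns 1 if at least one file was found, 0 if the tree is clean.
#   Paths containing spaces are handled; paths containing newlines are not.
audit_tree() {
    hits=$(find "$1" -type f \
        \( -path '*/wp-includes/class-xmlrpc.php' \
        -o -path '*/wp-includes/class-xmlrpcs.php' \) \
        2>/dev/null | LC_ALL=C sort)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Stand-alone use: sh audit.sh /path/to/webroots  (path is an assumption)
if [ "$#" -gt 0 ]; then
    audit_tree "$1"
fi
```

A non-zero exit status means at least one installation still carries the old library and should be upgraded, or have the two files removed as described above if pingbacks and the blog client API are not needed.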

Also, if you ever come across something you feel might be a security problem in WordPress, please send a note to the special address we’ve set up for security purposes and we will address it as quickly as possible.

