Don't Panic! WordPress Is Secure

Posted November 8, 2005 by Dougal Campbell. Filed under Security.

There is news of a worm that exploits a remote code execution vulnerability in the PHPXMLRPC library to spread from server to server. Some articles are pointing to out-of-date information claiming that WordPress 1.5 is vulnerable. That is incorrect: WordPress 1.5 and higher are not affected. Since the release of version 1.5, WordPress has shipped a completely different XML-RPC library, IXR, and no longer includes PHPXMLRPC at all.

Older WordPress versions (1.2.x and earlier) do bundle PHPXMLRPC and are vulnerable. If for some reason you are still running a pre-1.5 version of WordPress, you should upgrade immediately to the latest release, WordPress 1.5.2 “Strayhorn”. If upgrading is not possible right away, and you do not need pingbacks or the blog client (XML-RPC posting) API, you can remove the attack surface by deleting the class-xmlrpc.php and class-xmlrpcs.php files from your installation’s wp-includes directory. That is a stop-gap only; you really should upgrade.
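As an added illustration (this script is not part of the original post or of WordPress itself), the following POSIX shell functions turn the two facts above into a check and a stop-gap: an install whose wp-includes directory still contains class-xmlrpc.php or class-xmlrpcs.php is on the pre-1.5 PHPXMLRPC code, and deleting those files is the interim mitigation described. The install root is taken as the first argument; the sample directory trees built by `demo` are constructed here for illustration and are not real installs, and the class-IXR.php filename used to mark a 1.5-style tree is an assumption, not something the post states.

```shell
#!/bin/sh
# Added example, not wordpress.org code. Checks a WordPress install for the
# pre-1.5 PHPXMLRPC files named in the post and can apply the stop-gap
# removal. Assumes the install root is $1 and wp-includes/ sits under it.

# Files shipped by WordPress 1.2.x and earlier that embed PHPXMLRPC.
PHPXMLRPC_FILES="class-xmlrpc.php class-xmlrpcs.php"

# wp_phpxmlrpc_files DIR
# Prints the full path of each PHPXMLRPC file present under DIR/wp-includes.
wp_phpxmlrpc_files() {
    dir=$1
    for f in $PHPXMLRPC_FILES; do
        [ -f "$dir/wp-includes/$f" ] && printf '%s\n' "$dir/wp-includes/$f"
    done
    return 0
}

# wp_xmlrpc_status DIR
# Exit status: 0 = no PHPXMLRPC files (1.5+ layout), 1 = PHPXMLRPC files
# present (pre-1.5, vulnerable), 2 = DIR does not look like a WordPress install.
wp_xmlrpc_status() {
    dir=$1
    [ -d "$dir/wp-includes" ] || return 2
    found=$(wp_phpxmlrpc_files "$dir")
    [ -z "$found" ]
}

# wp_xmlrpc_disable DIR
# The stop-gap from the post: delete the PHPXMLRPC files. Pingbacks and the
# blog-client API stop working afterwards; upgrading remains the real fix.
# Exit status is that of wp_xmlrpc_status after the removal (0 on success).
wp_xmlrpc_disable() {
    dir=$1
    wp_phpxmlrpc_files "$dir" | while IFS= read -r f; do
        rm -f -- "$f"
    done
    wp_xmlrpc_status "$dir"
}

# Constructed sample trees (not real installs) to exercise the checks.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/old/wp-includes" "$tmp/new/wp-includes"
    touch "$tmp/old/wp-includes/class-xmlrpc.php" \
          "$tmp/old/wp-includes/class-xmlrpcs.php"
    touch "$tmp/new/wp-includes/class-IXR.php"   # 1.5+ layout (assumed filename)
    for d in "$tmp/old" "$tmp/new"; do
        if wp_xmlrpc_status "$d"; then
            echo "$d: no PHPXMLRPC files, not affected"
        else
            echo "$d: PHPXMLRPC files present, upgrade or remove them"
        fi
    done
    wp_xmlrpc_disable "$tmp/old" && echo "$tmp/old: PHPXMLRPC files removed"
    rm -rf "$tmp"
}

demo
```

Run it against a real install with `wp_xmlrpc_status /var/www/blog` after sourcing the file; a status of 1 is the signal to upgrade. The disable function only removes the two files the post names, so a site that has copied PHPXMLRPC elsewhere (as the moblog script in the comments below does) is not covered by it.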

Also, if you ever come across something you think might be a security problem in WordPress, please send a note to the special address we’ve set up for security reports, and we will address it as quickly as possible.


  1. […] I have read some articles and news that a new worm that spreads viruses uses “PHPXMLRPC”. Previous versions of WordPress used “PHPXMLRPC”, but the latest versions 1.5.x are safe and secure since they are not using “PHPXMLRPC” anymore. Current versions are using a different XML-RPC library, called IXR. WordPress is advising users of old versions to upgrade immediately to 1.5.2. […]

    Pingback from In and Around SEO Industry :) » Blog Archive » Word Press 1.5 and above is Secure on November 11, 2005

  2. WordPress is secure from recent “blog worm” attacks

    “Dougal”, a WordPress developer, in a post named “Don’t Panic! WordPress Is Secure” reports that WordPress 1.5 is safe from the recent blog worms.
    I have seen this worm trying to attack me in my Apache logs, if you have a …

    Trackback from Jonathan's Blog on November 11, 2005

  3. […] I use Dr. Dave’s wp-keitai-mail script for my moblog postings which works great; however, it depends on some older XMLRPC files from WordPress 1.2 which unfortunately are vulnerable to remote code execution that has recently been exploited by a worm making its way around the Internet. It looks like Dr. Dave has lost interest in updating it and trying to rewrite it to use the new WP 1.5 XMLRPC libraries is non-trivial. […]

    Pingback from JonCellini.com » Blog Archive » wp-keitai-mail and the PHPXMLRPC vulnerability on November 12, 2005

  4. […] This blog is ok (for now… maybe )/   […]

    Pingback from Rodney Fletcher’s Blog » Hacked on November 15, 2005

  5. […] This was prompted not only because of the pretty new interface (isn’t it nice!) but most importantly by a security vulnerability. […]

    Pingback from Scott’s JO’S!!! Blog » Blog Archive » Slow news day. on November 18, 2005

  6. Blog Strangeness…

    I went to jimthompson.org this afternoon to follow a link I had stored there, and instead of the usual WordPress page, I got the following error:
    Warning: main(./wp-blog-header.php): failed to open stream:
    Permission denied in /…/wp/index.php o…

    Trackback from jimthompson.org on November 27, 2005

  7. […] Recently an exploit was announced affecting PHP’s xmlrpc interface. WordPress (the makers of this site’s CMS system) announced their users were not affected […]

    Pingback from Develop-Mental on November 28, 2005

  8. […] My Dashboard tells me Don’t Panic! WordPress Is Secure (24 Days ago). This is talking about BugTraq 14088 29-Jun-2005 which only affected version 1.5.1 and earlier. There have of course been others and will be in the future (no software is immune) but there was a new one a few days ago that is a false alarm. The problem arises because of the confusion of names (a familiar story). The alert is BugTraq 15582 which refers to phpWordPress. This is a commercial publishing management system and they clearly state at the bottom of their home page that they are not affiliated with the open-source program WordPress in any way. Perhaps wordpress.org needs a similar disclaimer. […]

    Pingback from Order of the Bath » Blog Archive » WordPress is secure? on December 2, 2005

  9. […] With this move it showed what WordPress is worth, at least as far as security goes! Note link | Category: WordPress | Author: Morteza Alvani […]

    Pingback from Alvanweb » Yahoo and WordPress on December 4, 2005

  10. […] blog software is secure from this attack Read the McAfee report here. More coverage is here and […]

    Pingback from Linux worm targets PHP based application on December 2, 2007

  11. […] if you use WordPress, the development team assures that the virus does not affect users of that platform. And the others? At the moment there are no […]

    Pingback from XML-RPC Worm - Simone Carletti’s Blog on January 11, 2009
