WordPress 2.1.1 dangerous, Upgrade to 2.1.2

Posted March 2, 2007 by Matt Mullenweg. Filed under Releases.

Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately.

Longer explanation: This morning we received a note to our security mailing address about unusual and highly exploitable code in WordPress. The issue was investigated, and it appeared that the 2.1.1 download had been modified from its original code. We took the website down immediately to investigate what happened.

It was determined that a cracker had gained user-level access to one of the servers that powers wordpress.org, and had used that access to modify the download file. We have locked down that server for further forensics, but at this time it appears that the 2.1.1 download was the only thing touched by the attack. They modified two files in WP to include code that would allow for remote PHP execution.

This is the kind of thing you pray never happens, but it did and now we’re dealing with it as best we can. Although not all downloads of 2.1.1 were affected, we’re declaring the entire version dangerous and have released a new version, 2.1.2, that includes minor updates and entirely verified files. We are also taking lots of measures to ensure something like this can’t happen again, not the least of which is minutely external verification of the download package, so we’ll know immediately if something goes wrong for any reason.
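The external verification mentioned above, applied to an installed copy rather than the download archive, as an added example (this is not WordPress.org's own tooling): every file under a tree is hashed with SHA-256 and compared against a manifest produced from a verified release, so an edited shipped file or a file dropped next to the real ones shows up at once. The manifest format, the `build_manifest`/`verify_tree`/`demo` function names and the sample files are constructed for this illustration.

```python
"""Integrity check of an unpacked release tree against a known-good manifest.

Added illustration, not WordPress.org's own code: the announcement says the
project moved to external verification of the download package. The same idea
applied to an installed copy: every shipped file is hashed and compared with a
manifest taken from the verified release. The manifest format and the sample
files built in demo() are constructed for this example.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hex SHA-256 of one file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Hash every regular file under root; keys are POSIX-style relative paths."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_tree(root, manifest):
    """Compare the tree at root with a trusted manifest.

    Returns a dict with three sorted lists: 'modified' (hash differs),
    'missing' (in manifest, not on disk) and 'unexpected' (on disk, not in
    manifest). A tampered release shows up as 'modified' (an edited shipped
    file) or 'unexpected' (a new file placed beside the real ones).
    """
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    unexpected = sorted(p for p in current if p not in manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo():
    """Build a tiny constructed tree, take its manifest, tamper with it, verify."""
    with tempfile.TemporaryDirectory() as root:
        inc = os.path.join(root, "wp-includes")
        os.makedirs(inc)
        files = {  # constructed stand-ins, not real WordPress sources
            "wp-includes/theme.php": b"<?php // original theme helpers\n",
            "wp-includes/feed.php": b"<?php // original feed helpers\n",
            "wp-settings.php": b"<?php // bootstrap\n",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        manifest = build_manifest(root)  # taken from the verified copy
        # Simulated tampering: one shipped file edited, one extra file dropped.
        with open(os.path.join(inc, "theme.php"), "ab") as f:
            f.write(b"// bytes that were not in the release\n")
        with open(os.path.join(inc, "extra.php"), "wb") as f:
            f.write(b"<?php // file absent from the manifest\n")
        return verify_tree(root, manifest)


if __name__ == "__main__":
    for status, paths in demo().items():
        print(status, paths)
```

The manifest must come from a copy obtained out of band (a fresh archive whose published digest was checked), never from the installation being examined, otherwise a tampered file simply verifies against itself. Run on a schedule, this is the installed-site counterpart of the periodic check the post describes for the download package.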

Finally, we reset passwords for a number of users with SVN and other access, so you may need to reset your password on the forums before you can log in again.

What You Can Do to Help

If your blog is running 2.1.1, please upgrade immediately and do a full overwrite of your old files, especially those in wp-includes. Check out your friends’ blogs and if any of them are running 2.1.1 drop them a note and, if you can, pitch in and help them with the upgrade.

If you are a web host or network administrator, block access to “theme.php” and “feed.php”, and any query string with “ix=” or “iz=” in it. If you’re a customer at a web host, you may want to send them a note to let them know about this release and the above information.
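For a host or administrator, an added example (not code from WordPress.org) of applying the two indicators above as detection rules over web server access logs, so requests that matched them can be found in logs from before a block was put in place. The combined-log regular expression, the `classify`/`scan` function names and the lines in `SAMPLE_LOG` are constructed for this illustration; the addresses are from the RFC 5737 documentation ranges.

```python
"""Scan web server access logs for the indicators named in the announcement.

Added illustration, not code from WordPress.org: the post asks hosts to block
access to theme.php and feed.php and any query string carrying ix= or iz=.
This scanner applies those conditions to combined-format access log lines
(the Apache/nginx default) so a host can see which requests matched. The
lines in SAMPLE_LOG are constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format:
#   host ident user [time] "method target proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Indicators taken from the announcement text.
BLOCKED_SCRIPTS = {"theme.php", "feed.php"}
BLOCKED_PARAMS = {"ix", "iz"}


def classify(target):
    """Return the list of indicator matches for one request target, empty if none."""
    parts = urlsplit(target)
    reasons = []
    script = parts.path.rsplit("/", 1)[-1]  # last path component
    if script in BLOCKED_SCRIPTS:
        reasons.append("script:" + script)
    # keep_blank_values so a bare 'ix=' with no value is still seen
    params = parse_qs(parts.query, keep_blank_values=True)
    for name in sorted(BLOCKED_PARAMS & set(params)):
        reasons.append("param:" + name)
    return reasons


def scan(lines):
    """Return (host, time, target, reasons) for every parseable line that matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:  # unparseable line: skip it rather than abort the scan
            continue
        reasons = classify(m.group("target"))
        if reasons:
            hits.append((m.group("host"), m.group("time"), m.group("target"), reasons))
    return hits


# Constructed sample lines (documentation addresses, placeholder parameter values).
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Mar/2007:08:14:03 +0000] "GET /wp-includes/theme.php?ix=value HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Mar/2007:08:15:41 +0000] "GET /blog/?p=12 HTTP/1.1" 200 8421 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Mar/2007:08:16:02 +0000] "GET /wp-includes/feed.php HTTP/1.1" 200 301 "-" "curl/7.15"',
    '192.0.2.9 - - [02/Mar/2007:08:17:55 +0000] "GET /index.php?iz= HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [02/Mar/2007:08:18:10 +0000] "GET /wp-admin/themes.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
    'not a log line at all',
]

if __name__ == "__main__":
    for host, when, target, reasons in scan(SAMPLE_LOG):
        print(host, when, target, ", ".join(reasons))
```

The post phrases its rule as any query string containing the substring `ix=` or `iz=`; this scanner matches the parameter name exactly, so a parameter such as `mix=` is not flagged. A plain substring test is broader and noisier, and which one to use is a false-positive trade-off for the host. Note also that `wp-admin/themes.php` (plural) is a normal admin page and is deliberately not matched; the files named in the announcement are library files under `wp-includes` that a normal install does not request directly.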

Thanks to Ryan, Barry, Donncha, Mark, Michael, and Dougal for working through the night to figure out and address this problem, and thanks to Ivan Fratric for reporting it in the first place.

Questions and Answers

Because of the highly unusual nature of this event and release, we’ve set up an email address 21securityfaq@wordpress.org that you can email questions to, and we’ll be updating this entry with more information throughout the day.

Is version 2.0 affected?

No downloads were altered except 2.1.1, so if you’ve downloaded any version of 2.0 you should be fine.

What if we update from SVN?

Nothing in the Subversion repository was touched, so if you upgrade and maintain your blog via SVN there is no chance you downloaded the corrupted release file.

837 Pings

  1. […] WordPress 2.1.1 dangerous, Upgrade to 2.1.2. WordPress.org (2 March 2007). Retrieved on […]

    Pingback from WordPress » Blog Archive » what is WordPress on April 19, 2008

  2. […] secure, it seems that WordPress has been having more than its fair share of issues. There was the “highly exploitable code” in May 2007. Then there was the December 2007 update to version 2.3.2, “an urgent security […]

    Pingback from Time to Leave WordPress? | Mind Muse on April 26, 2008

  3. […] It’s wise not to upgrade to 2.1.1 so hurry. V2.1.1 was hacked by a “cracker”. […]

    Pingback from Lukewarm » Blog Archive » Upgrade to 2.1.2 on April 26, 2008

  4. […] WordPress Announced Exploited 2.1.1 […]

    Pingback from WordPress 2.1.1 Vulnerabilities, Masih banyak Korban | DJAROT STUDIO'S on April 30, 2008

  5. […] WordPress 2.1.1 Dangerous, Upgrade […]

    Pingback from WordPress 2.1.1 有安全漏洞 | 大砲開講 on May 4, 2008

  6. […] After nearly three weeks of downtime, the site is back up. The move from my own little blogging tool to WordPress has been relatively painless… There was a small performance issue with 2.1 (which was rather drastic on my 64 meg VM), but the latest patch to 2.1.2 seems to have addressed this, as well as a security exploit. […]

    Pingback from gregs » Blog Archive » Back!! on May 12, 2008

  7. […] using WordPress version 2.1.1, and then this morning I saw in the WordPress news feed that version 2.1.2 is already out. The news requires every user of version 2.1.1 to update to that latest version. […]

    Pingback from Sudah Harus Update Lagi | MicoKelana Daily Share on May 15, 2008

  8. […] has already seen an official archive hacked […]

    Pingback from WordPress Mu pour gérer son réseau de blogs on May 19, 2008

  9. […] an update to the systems issue we had last month, we have taken dozens of additional precautions with the servers and systems that run WordPress.org […]

    Pingback from zlotkus.lt » Blog Archive » Security releases: WordPress 2.1.3 and 2.0.10 on May 26, 2008

  11. […] release.  Apparently, there was a security concern about WordPress2.1.1 that I thought was solid, until further investigation. This is nothing against WordPress. I’m the webmaster of my site, and I should know to keep […]

    Pingback from The Creative Component Re-Design » Blog Archive » is there life after google? on June 6, 2008

  12. […] after less than two months had passed since the release of WordPress 2.1, they were forced to put out version 2.1.2, since a cracker introduced malicious code into the development SVN. Meanwhile the WordPress 2.0 branch carried on with version […]

    Pingback from La historia de WordPress hasta el día de hoy | aNieto2K on July 14, 2008

  13. […] If you’re running Word Press version 2.1.1, you need to upgrade right away! Word Press has declared the entire version dangerous. […]

    Pingback from The Big Word Press Upgrade » Daily Twaddle on July 21, 2008

  14. […] Unauthorized access occurred on one of the WordPress.org servers and the WordPress installation files were compromised. To avoid needless risks […]

    Pingback from rbnet.it » Archivio blog » Aggiornate subito a WordPress 2.1.2! on August 9, 2008

  15. […] exactly when the code was modified so you could be at risk! If you’re curious read the announcement here” from the Official WordPress Development […]

    Pingback from Habari Testbed :: WordPress 2.1.2 on August 13, 2008

  16. […] more reasons to switch to mogblotori? More on the subject -> wordpress.org […]

    Pingback from WP 2.1.1 hakkeroitiin at Kill the Radio on August 22, 2008

  17. […] If you use WordPress and have upgraded to version 2.1.1 in the last week or so, you really should read this. […]

    Pingback from Political Penguin » Something for all WordPress users on September 1, 2008

  18. […] A fellow blogger’s wordpress site was recently hacked. Please take note of how to secure your wordpress blogs. It involves a bit of technical know-how, so some of you might need to ask help from an IT expert. I have a strong suspicion that Tess’ website was hit by the latest security vulnerability. […]

    Pingback from How To Secure Your WordPress Blog | *Jozzua on September 20, 2008

  19. […] Backdoored Version (more) […]

    Pingback from WordPress BlogWatch : Secure FreeBSD | Home on September 20, 2008

  20. […] Read more at the WordPress site. If you’re running anything older than v2 you might want to consider upgrading too. Read More […]

    Pingback from Paul Henman - find me at henman.ca » Blog Archive » WordPress 2.1.1 dangerous, Upgrade to 2.1.2 on September 28, 2008

  21. […] was detected. In response, WordPress.org made the necessary changes and released version 2.1.2. If you downloaded and installed the latest English version from WordPress.org within the last 3-4 days […]

    Pingback from TamBlog.Gen.Tr » WordPress 2.1.2 TR on October 18, 2008

  22. […] have known vulnerabilities. Right now the checks are limited to WordPress 2.1.1, which has some serious security issues, but if this is a success the service will be expanded to include checks for other software. You […]

    Pingback from Google notifying webmasters of security vulnerabilities - Security and the Net on October 23, 2008

  23. […] take the time out to look at it, and yet it may contain an XSS or DOM injection, or it may contain malware if the download is corrupted, or a fake version comes […]

    Pingback from Decoding wp-admin/js/revisions-js.php easter egg at cat slave diary on November 26, 2008

  24. […] out of date WordPress installs. Due to the large number of WordPress installs on my server, and a reluctance to run bleeding edge software, I’d been a little remiss updating WordPress. While none of my installs were more than a […]

    Pingback from Hummingbird Mentality : WordPress Hack Attack on January 11, 2009

  25. […] Official statement: WordPress 2.1.1 dangerous, Upgrade to 2.1.2 […]

    Pingback from WordPress 2.1.2 Release « roid in TW on February 3, 2009

  26. […] has been a security breach and you need to upgrade again immediately. All of the details are at WordPress.org but here’s a quick snippet:Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 […]

    Pingback from WordPress Security Breach - Clueless Wonder on February 28, 2009

  27. […] are doing. According to the new report issued by WordPress, WordPress’s so far […]

    Pingback from वर्डप्रेस 2.1.1 “खतरनाक” है at इधर उधर की on March 20, 2009

  28. […] WordPress 2.1.1 exploit – The curious case of hacking a Web application to hack another Web app! […]

    Pingback from Web application security guidelines and checklist - Jayson Online - Articles & Projects on March 26, 2009

  29. […] is precisely so widespread. Not a bad word about wordpress, even though they have been unlucky at times with fake updates and the […]

    Pingback from CMSKonsultent.dk » WordPress hacking er mere udbredt end du tror… on March 27, 2009

  30. […] And afterwards I thought I’d glance at the latest news on the start page. The most recent item that came up was WordPress 2.1.1 dangerous, Upgrade to 2.1.2. Frankly, it had only just been published, and 2 hours had passed since the news. […]

    Pingback from Demo page » Blog arşivi » WordPress 2.1.2 Çıktı on April 21, 2009

  31. […] localized German-language variant, available here, is not affected: it hit the original version of the download on a wordpress.org server. Nevertheless version 2.1.1 was declared dangerous and […]

    Pingback from Auch das ist OpenSource — Amys Welt on August 5, 2009

  32. […] was not surprising to see items such as WordPress 2.1.1 Dangerous, Upgrade beginning to appear early in 2007. Nor was it difficult to believe that Matt Cutts WordPress Blog […]

    Pingback from WordPress Blog Hacked | BPWrap on August 20, 2009

  33. […] this hack news from June 2008 or March 2007 But this news .. news .. news .. news […]

    Pingback from VeryTAS | Reality Is » Hackage, Snackage, Package on September 6, 2009

  34. […] has been a security breach and you need to upgrade again immediately. All of the details are at WordPress.org but here’s a quick snippet: Long story short: If you downloaded WordPress 2.1.1 within the […]

    Pingback from Clueless Wonder » Blog Archive » WordPress Security Breach on September 20, 2009

  35. […] WordPress […]

    Pingback from WordPress 2.1.1 Hacked, Upgrade Immediately « Geekmass on September 26, 2009

  36. […] "WordPress 2.1.1 dangerous, Upgrade to 2.1.2". WordPress.org. 2 March […]

    Pingback from Vulnerabilităţi WodPress | Sit web on October 7, 2009

  37. […] An unknown intruder has compromised a WordPress server and added a remote control tool to downloadable versions of the widely used blogging software. The breach happened last week and was discovered on Friday, WordPress creator Matt Mullenweg wrote on the WordPress Web site. […]

    Pingback from ReleaseTest » Intruder adds back door to WordPress blog software! on October 12, 2009
