Today’s announcement of an insecurity in WordPress 2.3.2 may have spooked a few people:
WordPress 2.3.3 is an urgent security release. A flaw was found in our XML-RPC implementation such that a specially crafted request would allow any valid user to edit posts of any other user on that blog. … If you are interested only in the security fix, download the fixed version of xmlrpc.php and copy it over your existing xmlrpc.php.
I have already applied the patch the blog, to ease my mind. To apply the patch, I’d recommend the following five steps:
- Step 1: Download the patch directly from WordPress.org.
- Step 2: FTP to your account and login.
- Step 3: Find the xmlrpc.php file in the /yourblog.com folder and rename it as xmlrpc.old.
- Step 4: Upload the new file to the same folder.
- Step 5: Once everything’s working, move the file to the root of your FTP User account out of harm’s way.
- (If things go wrong: rename the new file you just uploaded as xmlrpc.new. Then rename the xmlrpc.old as xmlrpc.php until you can fix the problem. Of course, this is a good technique but the patch is a SECURITY patch, so you really OUGHT to upgrade the xmlrpc.php to the latest one.
If you’re ever upgrading plugins or even themes, renaming a current file or directory as *.old is a good way to give you a Plan B, just in case things go wrong when you install the new theme or plugin or file. You can simply revert to the old versions, provided you haven’t updated the database. CAUTION in upgrading is ALWAYS advised.
And, just in case you think hacking can’t happen to you, read several postings on MattCutts blog about his true but less severe hacking. There’s also a post on John Cow’s blog that got me thinking about this issue.
If you know any other great posts about blog security, do add them in the comments!