WordPress Exploits and Patches

Fire escapes

I’m a big fan of WordPress, except for tonight when I’ve finally decided to conquer the random blog spam that has been happening to some blogs I administer. “WordPress Cookie Authentication Vulernability.” It’s an invisible kind of CSS appended to the bottom of a post, as a form no less. The realization is that the security in WordPress is not too hot. Something about a stored double MD5 hash, and hackers compromising the cookie of the stored passwords, and not even having to resolve the MD5 hash but simply repost it as a cookie on their system and re-access the administrative site, where they can manage a lot of things.

Anyways, the patch I want to apply is not for the version we have installed- do I go with an unstable beta version (2.4b) or do I stick with 2.3.1 and manually change files line by line instead of applying the patch, or, do I wait until 2.4 is officially released? Oh the conundrums of open source.


  1. Comment by Matt

    Posted on December 15, 2007 at 7:28 pm

    If there is spammy HTML in the footer.php of a theme, it’s unlikely that it has anything to do with the cookie thing, it’s more likely file permissions and/or an old XML-RPC problem. The cookie thing only applies to you if they’ve already read your database directly, which is not possible if you’re on a secure version, and changing your password protects you if they have. I wouldn’t attempt to apply the phpass patch by hand.

  2. Comment by banane

    Posted on December 15, 2007 at 10:04 pm

    Oh- thanks Matt! It’s not in the footer, but at the end of a post, the individual post content, which users can’t see, you can only see if you “view code” in the interface. I will change the db password, seems like the best idea.

Leave a comment

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>