So, OK, I’ve updated the blog (after lots of procrastination and hesitation, after checking it would work on a local copy of the latest WordPress – thanks, MySQL+Apache+PHP on the Powerbook).
Why? Because there are rip-roaring security holes in older versions of WordPress. And because the spam (and other) hackers are getting really busy.
For instance, after updating, I came across a posting by Matt Mullenweg, linked from the WordPress dashboard (which is a panel on your blog which shows you what’s going on in your blog, and has select bits of news from blogs relevant to WP).
Basically, he’d noticed people’s blogs had been invisibly hacked, so that the text wouldn’t show up when you looked at the site, but through the magic of CSS, would to Google. And of course to your newsreader: the hacked invisibly spam-laden text would, to your web server, be “updated”, and so would refresh in your newsreader. When that happens, it’s a good sign that the blog you’re looking at has been hacked.
And that’s not the end of it. As my web admin pointed out, there are people out there who’d like to get control of the whole shebang. So they attack the comments section using SQL injection, trying to post stuff like .. some stuff I’ve just deleted so I can post this.
Here’s what the code exploit would have done. First it turns off or deletes the server’s history file (so the exploit won’t show); moves to the temp directory; makes a directory in it; moves to that newly-created directory; then tries to download PhPMyAdmin, which lets you control databases remotely; then makes that executable by the web server.
In other words, via a comment posting, take over your web server, and install and change anything that they want. (The attempt came from 188.8.131.52, which is operated by some bunch of jokers called Serverbeach in Texas – though presumably it’s a bot there.) Happily, my webhost’s security was more than equal to the task of spotting it, but having holes of any sort is something you don’t really want.
Which is why I risked breaking the blog. Have you?