New WordPress worm
This is a bummer, man. WordPress is being targeted by a nasty worm, and it’s gaining momentum, apparently. Versions 2.8.3 and earlier are currently vulnerable. Matt Mullenweg, today, addressing the exploit:
Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.
It should be noted that version 2.8.4—the latest stable and secure version—is only 24 days old, so if you haven’t upgraded recently your blog is vulnerable. Apparently it’s more difficult to recover from this one than previous WordPress attacks because the worm makes changes to the database. Immediately upgrading to version 2.8.4 and making sure you have a strong password is the recommended preventive medicine. And I would add: institute a good backup routine, if you haven’t already.† If you can get into the habit of upgrading within a week of a new release you should be able to stay ahead of these kinds of exploits.
† For example, I run a copy of my weblog on localhost using MAMP. When backing up I export the database from the remote host and import it to the local instance, check that it is displaying as it should, and confirm that I can login. I also synchronise the WordPress files using Transmit over SFTP. At least once a week—that’s my estimate of how much I could afford to lose and not start smashing things.