The site was hacked and defaced last night at around 4:45pm due to my laziness in not installing a simple one line fix to the WordPress software outlined on the WordPress Development Blog. After exploiting the SQL injection vulnerability that the fix closed, the person was able to log in to WordPress, create a new user, promote themselves to admin level and replace the index page. I found out about it this morning when I hit the site when I woke up.
This should be a lesson to you. Keep an eye on security updates for your software, and apply them as soon as they become available. The WordPress team posted this update 26 days ago (according to the blog entry, 40 minutes after hearing about the exploit) and I blew it off, thinking that this site was too insignificant to actually hit.
I was wrong. It’s insignificant, but apparently not so much so that someone won’t take the small amount of time it takes to use a Perl script to compromise a known hole when they found it by doing a Google search on the term “powered by WordPress 1.5”.
I’m usually pretty good about installing security updates … not sure what I was thinking when I blew this off.
For the record, the WordPress Team has performed a security audit of the code for similar vulnerabilities and found none. Thanks guys. I’ll pay more attention next time around.