98% of WordPress Blogs Vulnerable

Did that headline get your attention? It should because it’s true. It may or may not actually be 98% but it is high! Do me a favor and if you use WordPress, go check what version you are running. You can find it at the bottom of your WordPress admin screen. Now that you’ve done that, answer these two questions:

  1. Is it WordPress 2.2?
  2. Is it WordPress 2.0.10?

If you answered no to both of these questions, you’re vulnerable. Go upgrade now, please. I’ll wait.

BlogSecurity surveyed 50 WordPress blogs and found that in 49 out of 50 cases, the WordPress blog is not one of the currently maintained branches of the software – WordPress 2.0.10, the latest in the 2.0 branch which will be maintained until 2010, or WordPress 2.2.

Feeling violated?

I didn’t believe the number so I did an informal survey myself. Guess what? Nine of the ten blogs I looked at also were not up to date.

The reality is that most people don’t want to take the time to keep their blog up to date or worse yet, they wait for their host to do it for them. At my last job, we had a saying: Cover your ass because no one else will cover it for you. If you are not able to handle this, hire someone (like me) to take care of it for you for a fee. The investment is worth it if you value your blog.

For the record, WordPress 2.1 and all it’s subsequent releases in that branch are security hazards. WordPress 1.5? Please don’t get me started.

BlogSecurity’s survey results, for whatever they are worth are as follows:

WordPress Ver Blogs
1.2 2
1.2-beta 2
1.2.1 3
1.2.2 4
1.5 7
1.5-gamma 1
1.5.1.1 1
1.5.1.2 1
1.5.2 1
2.0 4
2.0.1 3
2.0.2 1
2.0.3 1
2.0.4 6
2.0.5 3
2.0.6 2
2.1 2
2.1.2 2
2.1.3 3
2.2 1
Total 50

Crazy, eh? Who’s running WordPress 1.5-gamma?

Published by

Aaron Brazell

Aaron Brazell is a Baltimore, MD-based WordPress developer, a co-founder at WP Engine, WordPress core contributor and author. He wrote the book WordPress Bible and has been publishing on the web since 2000. You can follow him on Twitter, on his personal blog and view his photography at The Aperture Filter.

20 thoughts on “98% of WordPress Blogs Vulnerable”

  1. Running 2.2 on primary blogs, I have been slacking on a few niche ones and “marketing platforms”

    At least I beat your statistics, but most don’t

  2. 2.2 only came out 10 days ago. People running 2.1.3 are reasonably with-it.

    It would be interesting if you check the same sites in a couple weeks to see how they change.

    Ciao!

  3. this might be something that should be broadcast from the dashboard. i doubt that any of the people whose blogs are insecure are reading slashdot, or your blog, or the hackers list.

    it’s the people who spend more time actually blogging, than reading about blogging. and it’s the reason that it’s so important that “easy upgrading” gets finished before any more versions of wordpress ship.

  4. So you’re saying you’d like me to demonstrate on your blog how 2.1.3 is vulnerable? Trust me when I say that I can gain admin access to your blog in 5 minutes.

  5. just for clarity-
    if 2.1.3 is that eminently hackable, why is there no 2.0.11? was the vulnerability only in the 2.1 branch?

  6. Adam is on target…

    If WordPress x.x.x has a vulnerability WordPress the organization should be more active in communicating that to folks running the software. The only reason I knew 2.1.13 had a problem is because I read it here. My Dashboard says 2.2 is available, but it doesn’t say I should upgrade ASAP because there’s a security flaw. Security through obscurity?

    Also upgrading can be stressful and a PITA for the less tech savvy. Again without learning abut upgrade scripts here, I’d still be putting it off.

  7. The thing is, you never know if the new version will work with all the plug-ins. And to backup the DB and files before every update is kind of a pain…

    I update… but I tend to be one version behind…:)

  8. Why does the wordpress default theme include the version number in the header and order us to ‘leave this for stats’? I know security by obscurity is no substitute for keeping up to date, but, realistically, not everyone is going to upgrade on a monthly basis and broadcasting your vulnerability in metatags doesn’t seem the smartest move. Theme designers really need to start thinking about the code they’re using and quit blindly copy-pasting from Kubrick.

  9. I’m waiting for FANTASTICO to let me upgrade. I fear the possibility of screwing up my site. At least this way, it’s backed up from head to toe and I can easily reinstall it.

  10. I know, I know…I should upgrade both blogs. Honestly when I read the instructions my eyes go all googly and I get a piercing pain in my head.

    Sigh. I’m a bad, bad blogger.

  11. Lol that was funny, 1.5 o boy. But your right. people are so happy with what is running so smooth they never want to take a chance. In the era where taking backup is so easy and to get back to previous state is easier than that…I wonder why ppl don’t upgrade.

  12. So how did you detect the version of the blog in your survey? The header in the template? Oooh… or the css href on wp-admin works, too…

    I’m not very happy that the software and version is broadcast in wordpress. It’s not so much security by obscurity than hiding from the fricking spammers. When I took out the header, my comment spam decreased over the next 3-4 weeks.

    Ciao!

Comments are closed.