98% of WordPress Blogs Vulnerable


Did that headline get your attention? It should because it’s true. It may or may not actually be 98% but it is high! Do me a favor and if you use WordPress, go check what version you are running. You can find it at the bottom of your WordPress admin screen. Now that you’ve done that, answer these two questions:

  1. Is it WordPress 2.2?
  2. Is it WordPress 2.0.10?

If you answered no to both of these questions, you’re vulnerable. Go upgrade now, please. I’ll wait.
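The version check above can be automated for a list of blogs you administer. The following is an added example, not code from the original post: it reads the version from the generator meta tag that the default theme prints in the page header (the one marked "leave this for stats", as the comments below note), and sorts the result into the categories the post describes (2.0.10 and 2.2 current, older 2.0.x outdated, the 2.1 branch a hazard, 1.x unsupported). The sample HTML and the hostname are constructed; the classification rules are the post's own.

```python
import re

# Versions the post names as the currently maintained releases.
MAINTAINED = {(2, 0, 10), (2, 2)}

# Constructed sample page: the default theme's header.php emits the
# generator meta tag with the running version.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 2.1.3" /> <!-- leave this for stats -->
<link rel="stylesheet" href="http://blog.example.invalid/wp-content/themes/default/style.css" />
</head><body></body></html>"""

GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([^"\']+)["\']',
    re.IGNORECASE,
)


def extract_version(html):
    """Return the version string from the generator meta tag, or None if the tag is absent."""
    m = GENERATOR_RE.search(html)
    return m.group(1).strip() if m else None


def parse_version(text):
    """Turn '2.0.10' into (2, 0, 10) so versions compare numerically.

    A plain string compare gets this wrong ('2.0.10' < '2.0.9').
    Pre-release suffixes such as '1.5-gamma' keep only the numeric part.
    """
    head = text.split("-", 1)[0]
    return tuple(int(p) for p in head.split(".") if p.isdigit())


def classify(version):
    """Map a version string onto the post's upgrade advice."""
    v = parse_version(version)
    if v in MAINTAINED:
        return "current"
    if v[:2] == (2, 0):
        return "outdated 2.0.x: upgrade to 2.0.10"
    if v[:2] == (2, 1):
        return "2.1 branch: security hazard, upgrade to 2.2"
    if v and v[0] < 2:
        return "1.x: unsupported, upgrade to 2.2"
    return "unknown: check the WordPress release notes"


def check_page(html):
    """Combine extraction and classification for one fetched page."""
    version = extract_version(html)
    if version is None:
        return None, "no generator tag: check the admin footer instead"
    return version, classify(version)


if __name__ == "__main__":
    print(check_page(SAMPLE_HTML))
```

Point this at the HTML of each blog you are responsible for (any HTTP client will do) and act on anything that is not "current"; a missing tag is not a pass, it only means you have to look at the admin footer instead.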

BlogSecurity surveyed 50 WordPress blogs and found that in 49 out of 50 cases the blog was not running one of the currently maintained branches of the software: WordPress 2.0.10, the latest in the 2.0 branch (which will be maintained until 2010), or WordPress 2.2.

Feeling violated?

I didn’t believe the number so I did an informal survey myself. Guess what? Nine of the ten blogs I looked at also were not up to date.

The reality is that most people don’t want to take the time to keep their blog up to date or worse yet, they wait for their host to do it for them. At my last job, we had a saying: Cover your ass because no one else will cover it for you. If you are not able to handle this, hire someone (like me) to take care of it for you for a fee. The investment is worth it if you value your blog.

For the record, WordPress 2.1 and all its subsequent releases in that branch are security hazards. WordPress 1.5? Please don’t get me started.

BlogSecurity’s survey results, for whatever they are worth, are as follows:

WordPress Version     Blogs
1.2                   2
1.2-beta              2
1.2.1                 3
1.2.2                 4
1.5                   7
1.5-gamma             1
(version unreadable)  1
(version unreadable)  1
1.5.2                 1
2.0                   4
2.0.1                 3
2.0.2                 1
2.0.3                 1
2.0.4                 6
2.0.5                 3
2.0.6                 2
2.1                   2
2.1.2                 2
2.1.3                 3
2.2                   1
Total                 50

Crazy, eh? Who’s running WordPress 1.5-gamma?

  • http://www.homelandstupidity.us/ Michael Hampton

    Odd, that. Nine out of 10 of my blogs are up to date. The tenth is getting upgraded in a few minutes.

  • http://andybeard.eu/ Andy Beard

    Running 2.2 on primary blogs, I have been slacking on a few niche ones and “marketing platforms”

    At least I beat your statistics, but most don’t

  • http://docwhat.gerf.org/ docwhat

    2.2 only came out 10 days ago. People running 2.1.3 are reasonably with-it.

    It would be interesting if you check the same sites in a couple weeks to see how they change.


  • http://archgfx.net/ adam

    this might be something that should be broadcast from the dashboard. i doubt that any of the people whose blogs are insecure are reading slashdot, or your blog, or the hackers list.

    it’s the people who spend more time actually blogging, than reading about blogging. and it’s the reason that it’s so important that “easy upgrading” gets finished before any more versions of wordpress ship.

  • http://www.technosailor.com/the-technosailor/ Aaron Brazell

    So you’re saying you’d like me to demonstrate on your blog how 2.1.3 is vulnerable? Trust me when I say that I can gain admin access to your blog in 5 minutes.

  • http://www.technosailor.com/the-technosailor/ Aaron Brazell

    adam: It’s on Digg now – and yes, you can feel free to Digg it. On the other hand, Digg’s got a big bullhorn so that’s another way to make lots of people hear about it.

    Your point about ongoing notifications though is well received.

  • http://archgfx.net/ adam

    just for clarity-
    if 2.1.3 is that eminently hackable, why is there no 2.0.11? was the vulnerability only in the 2.1 branch?

  • http://www.emomsathome.com/blog/ Wendy Piersall

    Aaron, you can take partial credit for the fact that I am running 2.2 thanks to your post a couple of weeks ago. :)

  • http://www.zatznotfunny.com Dave Zatz

    Adam is on target…

    If WordPress x.x.x has a vulnerability WordPress the organization should be more active in communicating that to folks running the software. The only reason I knew 2.1.13 had a problem is because I read it here. My Dashboard says 2.2 is available, but it doesn’t say I should upgrade ASAP because there’s a security flaw. Security through obscurity?

    Also upgrading can be stressful and a PITA for the less tech savvy. Again, without learning about upgrade scripts here, I’d still be putting it off.

  • http://technosailor.com Aaron Brazell

    Well all the devs blogs have it. In addition, you should subscribe to this or setup a google alert.

  • http://martinbreton.com brem

    The thing is, you never know if the new version will work with all the plug-ins. And to backup the DB and files before every update is kind of a pain…

    I update… but I tend to be one version behind…:)

  • http://wank.wordpress.com that girl again

    Why does the wordpress default theme include the version number in the header and order us to ‘leave this for stats’? I know security by obscurity is no substitute for keeping up to date, but, realistically, not everyone is going to upgrade on a monthly basis and broadcasting your vulnerability in metatags doesn’t seem the smartest move. Theme designers really need to start thinking about the code they’re using and quit blindly copy-pasting from Kubrick.

  • http://thesocalledme.net Jenny

    I’m waiting for FANTASTICO to let me upgrade. I fear the possibility of screwing up my site. At least this way, it’s backed up from head to toe and I can easily reinstall it.

  • Carol

    I know, I know…I should upgrade both blogs. Honestly when I read the instructions my eyes go all googly and I get a piercing pain in my head.

    Sigh. I’m a bad, bad blogger.

  • http://www.technospot.net/blogs/ Ashish Mohta

    Lol that was funny, 1.5 o boy. But you’re right. People are so happy with what is running so smooth they never want to take a chance. In the era where taking a backup is so easy and getting back to the previous state is easier than that…I wonder why ppl don’t upgrade.

  • http://docwhat.gerf.org/ docwhat

    So how did you detect the version of the blog in your survey? The header in the template? Oooh… or the css href on wp-admin works, too…

    I’m not very happy that the software and version is broadcast in wordpress. It’s not so much security by obscurity than hiding from the fricking spammers. When I took out the header, my comment spam decreased over the next 3-4 weeks.


  • http://germworks.net Jermayn Parker

    yeah I must upgrade, thanks for the timely reminder..

    Only surveying 50 is not much though

  • http://www.zatznotfunny.com Dave Zatz

    2.2 broke my Respond to Comments plugin. Wonder if B5’s new talent knows anything about that. ;)

  • http://www.zatznotfunny.com Dave Zatz

    Er make that “Subscribe” to Comments. I need my coffee.

  • http://spamcatch.net Ness

    It crashed when I tried to update from an earlier version to latest one. Didn’t work.