New WordPress version 2.5.1 includes security fix

by on April 25, 2008


Read about WordPress 2.5.1 and download the new version here. It includes a security fix, so you’re going to want to upgrade. It’s well-known that older versions of WordPress get attacked by malicious bad guys, so I absolutely recommend upgrading as soon as you can to be safe.

By the way, if you subscribed to the WordPress development blog like I suggested, you’d already know about this security update. :)


Michael D April 25, 2008 at 1:47 pm

I’ve noticed a considerable amount of posts regarding blogs (not necessarily WordPress) being hacked which resulted in hundreds of bad neighborhood links being injected into blog pages.

From what I’ve been reading it appears the hacked blogs lost their positions in Google. I was wondering if there was any damage assessment a blog owner should be performing *after* they’ve discovered their blog has been hacked.

Should they just repair, upgrade, and go about business as usual or are there other additional steps to be addressed?


Harith April 25, 2008 at 2:36 pm

Matt,

Do you think WordPress 2.5.1 would allow you to reply to an unanswered question back in March :-)

What’s the difference between “reshuffling” and “tweaking” that might happen at the data centers?


Matt Cutts April 25, 2008 at 3:26 pm

Michael D, if we see a site that has been hacked, we’ll often drop you a message in our Message Center. Just register your site at google.com/webmasters/ and you can see these messages. If you’ve fixed the hacked page, then I’d do a reconsideration request (also in the webmaster portal) and Google can check it out.


Matt Cutts April 25, 2008 at 3:28 pm

Harith, there is a difference between e.g. data pushes vs. algorithm updates, but really there’s not a difference between shuffling vs. tweaking. To me, shuffling would imply more the normal fluctuation of automated processes, while tweaking implies a little more direct intervention.


Chip April 25, 2008 at 7:46 pm

Forgive what might have an obvious answer, but who gets penalized with these hacked blogs that links get embedded in? The blog or the site it links to? Is it an offensive attack by a competitor to try and discredit you with a bunch of spammy links from blogs, or is it the blog that gets penalized for having these links “associated” with it?

The reason I ask is, a few weeks ago, I was checking out my backlinks in the webmaster central, and I saw a backlink from a site very much in our sector; however, when I went to their page, now link was visible. It wasn’t until I went digging through the source code that I saw that the link and text were there, but for whatever reason visible: hidden was in the div around the link. If this is something that’s going to affect our site, then that would be good to know, as emails to them have gone unanswered as to why they were doing that.

Anyway, just curious,

Thanks,

Chip-


Chip April 25, 2008 at 7:47 pm

that should be “NO link was visible”, not “NOW link was visible”.


Harith April 25, 2008 at 11:24 pm

Thanks for the reply, Matt. Highly appreciated.


Siddharth April 26, 2008 at 6:17 am

I think WP 2.3.3 is the best stable update till now. We can get another fix like 2.5.2 in the next 2 months from WordPress. So we should also see how many times we are OK with updating our entire database. :-(


macewan April 26, 2008 at 1:09 pm

@Siddharth, I’ve been updating each new release lately and haven’t run into problems with the database. As always, back up your data before proceeding. The Zeldafication of the admin section is kinda fun looking.
:-)


Dave (original) April 27, 2008 at 12:11 am

Chip, you ONLY have to worry who YOU link TO. SEs know Webmasters cannot control who links TO them and as such you have nothing to worry about.

The big problem is as soon as a brand becomes popular, the never-ending cycle between security and hackers starts. Go for a little-known brand and prepare for the worst and only hope for the best.


Michael VanDeMar April 27, 2008 at 5:28 pm

@Siddharth – there were security holes in 2.3.3 as well; WP just decided to release 2.5 instead of a fix for it. They announced that 2.5 had security fixes in it when it was released… I just never saw what they specifically were (probably somewhere in the release notes I never read). As far as I can tell, there has never been a WordPress release that did not have security issues.

My issue is that regardless of whether I completely replace all of the files or if I use Automatic Upgrade, it’s still insisting that I am using v2.5, and that I need to upgrade to 2.5.1. Very frustrating.


Maurice April 27, 2008 at 6:18 pm

oh gawd another one :-)

just did a plan for updating some 30 plus WP blogs


Matt SEO UK April 28, 2008 at 6:28 am

Tell me about it, I seem to spend half my life updating software! So glad that WordPress have addressed the situation, it’s good to know you’re up to date and as safe as you can be when using such a popular piece of software. Should be safe for at least a week or two :)


Jim In Summit NJ April 28, 2008 at 4:30 pm

Thanks for the info. Wasn’t it mainly just one version of WP that was mainly vulnerable to hacking?


Matt Cutts April 29, 2008 at 8:21 am

Siddharth, I would definitely not use an older version of WordPress because there are security issues. I would update to the most recent version.


Bruce April 30, 2008 at 4:03 pm

Just how difficult is the upgrade for those who may be tech challenged? :)


Mickey April 30, 2008 at 5:53 pm

Are there any database scheme changes? Or just the .php files?


shuron May 1, 2008 at 10:50 am

How good that I waited. It was clear that there are several security vulnerabilities after so many changes. The WP developers can’t do it other way. :(


IT Certification Training May 1, 2008 at 12:22 pm

The newer version of WordPress (2.5+) is much easier to keep updated. The plugins can be updated from within the console, as opposed to having to download the install, upload via FTP and reactivate. Within the plugin console is a link to automatically upgrade the plugin (if necessary), and you can choose to upgrade over SSL.

Additionally, the Automatic WordPress Upgrade plugin makes upgrading a snap, with basically one click functionality. You can choose an automated version, or step through it step by step. It also creates backups of your databases you download prior to updating.

You can find the plugin here:
http://wordpress.org/extend/plugins/wordpress-automatic-upgrade/


Chetan May 4, 2008 at 5:33 am

Man, it still gives me errors when I am using the media box to upload images or videos! What was this tiny upgrade for then???


Colin Puttick May 5, 2008 at 1:19 pm

@ IT Certification Training

I’m worried about installing that automatic WordPress update plugin. If WordPress can be hacked with apparent ease, how secure would a plugin that has that kind of power be?


Geiger May 27, 2008 at 9:27 am

Hey Matt, if you know of any Blog Beginners that don’t realize how to make a WordPress blog post, I just created a video for them.

http://www.youtube.com/watch?v=NsrGvRoFrI4
