Vulnerable WordPress Blogs Not Being Indexed: Technorati has decided not to index vulnerable and exploited WordPress blogs. This comes after the recent spate of hacks that were discovered on various high profile blogs and websites. What was even more interesting was the fact that some of these hacks and exploitations might have come from covert and encrypted code hidden in various themes available for free over the web. The moral of this story is that you need to upgrade your WordPress blog now to WordPress 2.5.
Just so that everyone is aware, WordPress 2.5 is the latest stable version and it is the version everyone should upgrade to. Any older version leaves you vulnerable. [EDIT] As mentioned on the legacy 2.0 page, WordPress 2.0.11 is the latest stable download with all the latest security fixes for the 2.0 branch. However, WordPress 2.5 is still the latest and the greatest and should be everyone’s upgrade target.
As for themes, if you feel that the theme you are using might be hiding something strange, just disable it and get something else. I suggest you download themes from the original author’s website/blog and stay away from any theme that has an encrypted footer (though that would be hard to determine without looking at the code). At weblogtoolscollection.com we try our darnedest to link directly to theme authors for the download.
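One way to make that check without reading every theme file by hand, as an added example that is not part of the original post: a small Python script that flags the obfuscation calls (eval, base64_decode, gzinflate and the like) and the long base64-like string literals that hidden footer code typically relies on. The pattern list and the two sample footers are constructed for the example; a hit is a prompt to open the file and read it, since some legitimate themes also embed base64 data.

```python
"""Heuristic scan of WordPress theme PHP files for obfuscated ("encrypted footer") code.
Added example, not from the original post; the patterns are assumptions, not an exhaustive list."""
import re
from pathlib import Path

# PHP calls that ordinary theme markup rarely needs but hidden payloads almost always use.
SUSPICIOUS = [
    (r"\beval\s*\(", "eval()"),
    (r"\bbase64_decode\s*\(", "base64_decode()"),
    (r"\bgzinflate\s*\(", "gzinflate()"),
    (r"\bgzuncompress\s*\(", "gzuncompress()"),
    (r"\bstr_rot13\s*\(", "str_rot13()"),
    (r"\bcreate_function\s*\(", "create_function()"),
    (r"\bpreg_replace\s*\(\s*['\"].*?/[a-zA-Z]*e[a-zA-Z]*['\"]", "preg_replace with /e modifier"),
]
# A long run of base64 alphabet inside a string literal is the usual shape of an encoded payload.
LONG_BLOB = re.compile(r"['\"][A-Za-z0-9+/=]{120,}['\"]")


def scan_source(src: str) -> list[tuple[int, str]]:
    """Return (line number, finding) pairs for one PHP source text."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for pattern, label in SUSPICIOUS:
            if re.search(pattern, line):
                findings.append((lineno, label))
        if LONG_BLOB.search(line):
            findings.append((lineno, "long base64-like string literal"))
    return findings


def scan_theme(theme_dir: str) -> dict[str, list[tuple[int, str]]]:
    """Walk a theme directory and report every PHP file with at least one finding."""
    report = {}
    for path in sorted(Path(theme_dir).rglob("*.php")):
        hits = scan_source(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


# Constructed samples: a plain footer and one carrying an encoded payload behind eval().
CLEAN_FOOTER = "<?php wp_footer(); ?>\n<p>Theme by Example Designer</p>\n</body></html>\n"
OBFUSCATED_FOOTER = '<?php eval(base64_decode("' + "QUJD" * 40 + '")); ?>\n<?php wp_footer(); ?>\n'

if __name__ == "__main__":
    for name, src in (("clean footer.php", CLEAN_FOOTER), ("suspect footer.php", OBFUSCATED_FOOTER)):
        print(name, scan_source(src) or "no findings")
```

Run `scan_theme("/path/to/wp-content/themes/your-theme")` to get a per-file report; the constructed obfuscated footer reports eval(), base64_decode() and the long literal on line 1.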
Technorati is just the beginning. If your blog has spammy links, has covert hidden pages or links, is used for nefarious purposes, even without your knowledge, you are being penalized by the search engines. We are going to put together a post on how to figure out if your blog is hacked/exploited, clean up your blog if it is hacked, get your blog back to order, find spammy pages if they do exist and how to get your blog re-indexed. In the meantime, if you know of a good resource, please let us know and we will add it to the post.
Today is a good day to upgrade to WordPress 2.5.
I always look at a theme closely for anything suspicious. If it’s an encrypted footer, I’ll take it and decompile it and remove anything that isn’t wanted. I’ve found a nice handful of themes online that had some very shifty pop-under scripts and such. Found a few that had a few SQL injections in them and a few that tried to download spyware/adware to the viewer’s computer whenever they log on to the site.
All in all – if you don’t know how to decrypt something, don’t use it and go with places you can trust, like this fine site.
Here’s one potentially useful plugin, named WP Anti-Wares. It supposedly checks themes for malicious code. I always download themes from the original designer, so I can’t attest to its functionality. Also, I’m not too sure if the plugin is still under active development.
Okay, now I’m confused. Is this page no longer correct and 2.0.11 is no longer considered secure?
Tim, I stand corrected. Fixed post.
As 2.5 is quite a big step I was hoping they would provide a legacy branch for 2.3 should any serious issues arise. Is this not the case?
Another handy one is WP Security Scan, which is compatible with 2.5. I think I first heard about it here on WLTC.
Oh good! And how can I know if some blogs are vulnerable and exploited?
What happens if these blogs link to me?
Such news would cause a lot less trouble if it was actually easy to upgrade to newer versions of WP. And I don’t mean the actual upgrade procedure, but the total instability of APIs and database schemas (often advertised very late during the development process), which causes breakage in plugins.
WP should learn from other FOSS projects and try to manage breaking changes better.
Technorati is so b0rked as to be effectively insane. I get a different authority when I’m signed in than when I’m signed out. I dropped 13000 places yesterday and got them back twelve hours later. I’ve given up pandering to Technorati and I recommend everyone does the same. Google will end up owning everything anyway, so make nice with Google Blogsearch now; save time later when our Googelian Overlords make it official.
Luca: 2.5 does not introduce any breaking changes except for those plugins that use the admin interface. Even there the breakage should be in the management and not in the plugin itself.
Maybe WP 2.5 is stable, but it doesn’t work for so many users.
And to say “do an update and you are safe” is false.
It can help, but most of the time it doesn’t, because so many users don’t know that the hacker is in their database and in their account — because the server is unsafe.
WP 2.5 is no magic wand 😉
Monika
Mark: the change in password hashing broke some plugins that link to other applications (such as WPG, which one of my blogs uses). Others broke (temporarily, like Simple Tags) because there were some changes in the internals of WP.
Unlike the 2.2 > 2.3 transition, most of these problems are minor, but I still think that with proper decision-making when the release cycle starts (e.g. “for version XXXX we’ll break the YYY and ZZZ APIs”) the effect can be lessened. Other, larger FOSS projects have employed this approach successfully.
Big blogs like Techcrunch are still using 2.3.3.
The Technorati announcement got me moving on my upgrade, and it turned out to be painless. All my plugins, once upgraded to latest versions, worked without problems and no weirdness so far.
I have to admit I was all Technorati-fevered for a while. Then all of a sudden they went weird on me. Updating my site three times (sometimes listing the same post multiple times) or not updating my site for literally two weeks … then re-adding every post as if it was new.
I’ve given up trying to figure out Technorati. The only reason I cared originally was because of some Blog Judge website that gave me a crap review. Technorati is just another site that’s trying to force people to one standard … well, that’s what I think.
Though I’ve already updated my WordPress, the only plugin that gives me issues is All in One SEO, which breaks my RSS for some reason.
Version 2.3.3 is not safe? I don’t like 2.5.
Roosh: 2.3.3 is safe for now but it will not receive any security updates. So when new vulnerabilities are discovered, fixes will only go into the 2.5 (and 2.0.11x) branch. So it is better to upgrade.
I very much look forward to this upcoming article from you all:
I like 2.5
http://www.labnol.org/internet.....s-changed/
When I went to open the tar.gz I got 3 error messages. Did anyone else experience this? I guess this is the weekend to upgrade. Now I wonder why I make so many different blogs. Thanks for all the interesting comments.
Oh, what a sad blog post! If WordPress is not indexed by Technorati anymore, we all will get less traffic, I guess.
I’d love to update, but I’m waiting for my host to update fantastico, cause I’m lame and don’t understand how to set up the database stuff.
@Syd you’re not lame! Loads of folks rely on Fantastico. You don’t have to do any database stuff; WP takes care of that for you automatically after the new files are uploaded (you have to log in to the admin to have it happen, but that’s it).
Thanks for the great info! Link posted on my blog in appreciation.
it’s not database stuff — you just
1. create a database
2. copy and paste database name, user and pass into WP config
3. run install script
done
I am using WordPress 2.5.1 so I don’t think vulnerability has anything to do with my blog not being indexable. I can’t claim it with Technorati. I feel this is weird. Can someone help PLEASE? Thanks
I’m afraid I can’t agree with you. I don’t see any logic. If you upgrade your WordPress installation and keep on using that “bad theme”, it won’t solve your problems – because that “covert and encrypted” will still be present in the theme.
The solution here is to patch the theme in question (or don’t use it at all).
Hi,
I’m running WordPress 2.6.1 on two blogs, one of which is absolutely updated instantly on Technorati, and the other is not indexed at all. Additionally, my blogspot blog has stopped being indexed two days ago.
I have written about it here: http://nerdinprogress.blogspot.....-mess.html
I don’t think this is completely a wordpress thing.
Vidyut