Unpatched WordPress installations rife with malware

WordPress logoYesterday the WordPress team gifted writers with the release of version 3.2 of the open source blogging platform. While their focus was rightly on all of the cool new features and enhancements their community will enjoy, I naturally wanted to focus on the changes that may have an impact on security.

The biggest announcement was the new minimum version requirement for PHP and MySQL: WordPress 3.2 will only run on web servers using version 5.2.4 or greater of PHP and version 5.0.15 or greater of MySQL.

This is no doubt good news from a security perspective. PHP 4 hasn’t received security updates since 2007 and MySQL 4 hasn’t been updated since 2008. If your host doesn’t meet WordPress’s new requirements, it is time to ask some serious questions about their security procedures to ensure your site remains secure.

As big a step forward as this is, however, it doesn’t bring web hosts nearly close enough to versions of PHP and MySQL that could be considered safe to use. And clearly, this doesn’t change anything for those users and hosts who aren’t in the habit of updating their WordPress to begin with.

I was curious to see if WordPress users whose blogs have been hacked to distribute malware show a consistent pattern of mistakes.

SophosLabsI sampled about the last thirty URLs that SophosLabs detected as hosting infections through compromised WordPress blogs. I then surveyed which versions of PHP and WordPress these users had installed.

Of those, I narrowed down ten sites for which I was able to extract both pieces of data.

For anonymity’s sake, I have simply numbered the sites. The first value is the site’s PHP version and the second is its version of WordPress:
PHP 5.2.17 not supported

  1. PHP 5.2.16/WordPress 3.1.1
  2. PHP 5.2.11/WordPress 3.0
  3. PHP 5.1.6 /WordPress 2.8.6
  4. PHP 5.2.17/WordPress 2.3
  5. PHP 5.1.6 /WordPress 3.1
  6. PHP 5.2.17/WordPress 3.1.2
  7. PHP 5.2.17/WordPress 2.8.4
  8. PHP 5.2.14/WordPress 3.0.1
  9. PHP 4.4.3 /WordPress 2.9.2
  10. PHP 5.2.9 /WordPress 3.0

Not a single one of these web servers or WordPress installations, nor any I sampled, is up to date. PHP 5.2.17 is the most recent release (January 2011) in the 5.2 series, but this is no longer supported. The current version, including security fixes, is 5.3.6.

Not only are the WordPress versions old, some are VERY old, with dozens of known vulnerabilities. The only current patched version, aside from the new 3.2, is 3.1.4. There have been over two dozen security improvements since the release of 3.1.2, the most recent version in my test.

Not patching our computers, servers and devices leaves the barn door wide open for criminal squatters.

Run your own WordPress installation? Be sure to update your web server, PHP and WordPress installations. I recommend signing up for security notifications from each vendor so you are aware of new versions that plug security holes.

Outsource your blog hosting? Review the policies of your service provider to understand whose responsibility it is to patch the underlying software and WordPress itself.

If all of that is too much hassle, just consider using WordPress.com and let others worry about these pesky version numbers.