Security Reminder: Upgrading Your WordPress Blogs
While I was away over the weekend, it appears that a large number of bloggers who use WordPress have been hacked and a lot of damage has been done. It seems this problem has shown up for a large number of people, including some very high profile bloggers. Among them was Robert Scoble, whose blog was among those websites which were hacked. Damages on Scoble’s site included porn information being placed in old posts, 2 entire months of content being deleted, and more. Of course the porn then led to his blog being completely banned from Google! Scoble is not the only one having these problems, however, and even lesser known bloggers have been attacked. You can read more in this WordPress support forum thread.
If you are wondering what the one thing all of these WordPress sites have in common, the problem is they were all using old versions of WordPress. As someone who owns and operates well over 100 WordPress installations, I certainly understand the pain it can be to upgrade to the latest version of WordPress every time a new release happens, but I hope this goes to show why it is so important to take the time to upgrade all of your WordPress installations so they are running the most recent version of WordPress.
Security Update: WordPress 2.8.3 Released
After the success we’ve had with new branch releases of the past few WordPress branches (2.6 and 2.7 both come to mind), it is a little surprising to see that we already have yet another security patch, this time being WordPress 2.8.3. Because this is a security update, it is highly recommended that everyone take a moment to upgrade their WordPress installation.
Here is what the WordPress team had to say about the WordPress 2.8.3 security update:
Unfortunately, I missed some places when fixing the privilege escalation issues for 2.8.1. Luckily, the entire WordPress community has our backs. Several folks in the community dug deeper and discovered areas that were overlooked. With their help, the remaining issues are fixed in 2.8.3. Since this is a security release, upgrading is highly recommended. Download 2.8.3, or upgrade automatically from your admin.
The ribbon reminder in your dashboard just showed up, so you can now do your automatic upgrade, or manually download WordPress 2.8.3 from here.
WordPress 2.6.3 Released!
Despite the upcoming release of WordPress 2.7 (hopefully next month), the WordPress team still honors its commitment to keeping the WordPress 2.6 branch safe. Today they released WordPress 2.6.3. In this update, a vulnerability is fixed in the Snoopy library, which is used for the dashboard feeds.
According to the WordPress team, this is a minor vulnerability and the only change in this update, so in order to upgrade all you need to do is upgrade the following two files:
You can also do a normal upgrade to 2.3 as well.
Tip: Use Caution When Shopping for a WordPress Theme
Whether you are in the market for a new custom WordPress theme, premium WordPress theme, or a free WordPress theme, there is one often forgotten factor that you should be considering when shopping for a new WordPress theme. That factor is the reputation of the theme author.
Why is author reputation so important? In addition to things like quality, theme support, etc., you’ve also got to worry about potential problems such as unknown links (these are usually hidden and could get your blog banned from search engines if discovered) and things like malicious code being run via your WordPress theme.
Recently Viper007Bond wrote about a theme that was discovered with hidden links (not the same thing as sponsored links):
What I found inside the theme’s footer.php file though was tons of malicious code. The entire contents of the file was heavily encoded (it was encoded with gzinflate(), str_rot13(), and base64_decode() around 150 times) and a ton of eval()’s. Since I was curious what it was doing, I wrote some PHP to decode it without using the nasty (and unsafe) eval()’s and I finally ended up with the HTML for the footer file (I assume to stop people from removing the code) and some more crazy eval() PHP code to display links to websites.
Luckily the code was just there to insert links (although using such a theme is a good way to get banned from Google), but the PHP could just as easily have stolen passwords and other things. Remember, themes are exactly like plugins — they can execute code. You wouldn’t download a random program off the Internet and run it on your PC, so why would you do it with a plugin or theme?
So please, only download themes and plugins from reputable sites such as WordPress.org. If in doubt, don’t use it.
The author cites QualityWordPress.com as the source of this theme, so I would recommend avoiding this site if you are looking for a new theme.
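As an added example (not code from this post or from Viper007Bond), here is the kind of Python script an analyst would write to statically peel the eval(gzinflate(str_rot13(base64_decode('...')))) layering the quote describes, so the theme's PHP is never executed; the footer text and the 150-layer sample it unwraps are constructed here, not the real theme's contents.

```python
# Added example: statically peel nested eval(gzinflate(str_rot13(base64_decode(...))))
# layers without running any PHP. Sample payload below is constructed, not real.
import base64
import codecs
import re
import zlib

DECODERS = ("base64_decode", "str_rot13", "gzinflate")
# One layer: optional <?php, eval( f1( f2( ... 'literal' ) ) ) ; optional ?>
LAYER_RE = re.compile(
    r"""^\s*(?:<\?php\s*)?eval\s*\(\s*((?:(?:%s)\s*\(\s*)+)(['"])(.*?)\2\s*(?:\)\s*)+;?\s*(?:\?>)?\s*$"""
    % "|".join(DECODERS), re.S)
FUNC_RE = re.compile("|".join(DECODERS))

def rot13(data: bytes) -> bytes:
    # PHP str_rot13 shifts only ASCII letters; latin-1 round-trips every other byte
    return codecs.encode(data.decode("latin-1"), "rot_13").encode("latin-1")

def apply_decoder(func: str, data: bytes) -> bytes:
    """Return what the named PHP decoder would return for these bytes."""
    if func == "base64_decode":
        return base64.b64decode(data)
    if func == "str_rot13":
        return rot13(data)
    # PHP gzinflate() is raw DEFLATE (no zlib/gzip header): negative window bits
    return zlib.decompress(data, -zlib.MAX_WBITS)

def unwrap(source: str, max_layers: int = 1000):
    """Peel eval() layers until plain code remains; returns (plaintext, layers_removed)."""
    layers = 0
    while (m := LAYER_RE.match(source)) is not None:
        funcs = FUNC_RE.findall(m.group(1))  # listed outermost first
        if source[m.end(3):].count(")") != len(funcs) + 1:
            raise ValueError("unbalanced call chain; refusing to guess")
        data = m.group(3).encode("latin-1")
        for func in reversed(funcs):  # innermost decoder runs first
            data = apply_decoder(func, data)
        source, layers = data.decode("latin-1"), layers + 1
        if layers > max_layers:
            raise RuntimeError("gave up after %d layers" % max_layers)
    return source, layers

def build_sample(plain: str, layers: int) -> str:
    """Constructed fixture: wrap `plain` the way the post describes, `layers` times."""
    for _ in range(layers):
        comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
        raw = comp.compress(plain.encode("latin-1")) + comp.flush()
        literal = base64.b64encode(rot13(raw)).decode()
        plain = "<?php eval(gzinflate(str_rot13(base64_decode('%s')))); ?>" % literal
    return plain

FOOTER = '<div id="footer">Powered by WordPress <a href="http://example.com/">link</a></div>'  # constructed
```

Running `unwrap(build_sample(FOOTER, 150))` returns the footer HTML and the count 150; an eval() chain whose parentheses do not balance is rejected rather than guessed at.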
Conclusion
There is a good chance that no matter which theme you end up going with (free, premium, or custom) you are going to be fine, but author reputation is just one more thing that should factor into your decision. Find a theme made by an author you can trust. I’ve seen many situations over the past couple years where people unknowingly get banned from Google or run into other problems because they made a bad choice when picking their theme.
Do you factor an author's reputation (word of mouth) and theme support into your decision before downloading/buying a WordPress theme? I know I do and I also try to keep that in mind whenever I support a theme by adding it to our WordPress theme galleries.
Learn How to Secure Your WordPress Blog
We hear almost every day about bloggers getting their login information compromised. Are you one of the many people that are growing increasingly concerned about their blog's security?
If you are looking up ways to beef up the security of your WordPress blog, Make Tech Easier has posted a great article about 11 ways to secure your WordPress blog. The post includes a few security tips we’ve already covered in past posts, plus a bunch of other great tips.
Here is what information the post covers:
- Encrypt your Login
- Stop Brute Force Attack
- Use a Strong Password
- Protect your WP-Admin Folder
- Remove WordPress Version Information
- Hide your Plugins Folder
- Change your Login Name
- Upgrade to the Latest Version of WordPress and Plugins
- Do a Regular Security Scan
- Backup your WordPress Database
- Define user Privilege
Click over to get descriptions, plugin information and more!
Got any tips to add? Let us know in the comments below!