Matt Mullenweg from the WordPress team has posted a message about the security of WordPress, which MarsEdit users who run WordPress should take a look at. It’s particularly timely because there are a number of attacks going around that impact older WordPress blogs that haven’t been updated to the most recent version.
In my customer support for MarsEdit, I have been seeing these security problems pop up quite a bit lately. The so-called “spam injection” attacks often inject spam links with no regard for how those links might mess up the XMLRPC interface that blog clients such as MarsEdit use to interact with your blog. It’s gotten to the point where error messages from the blog such as “Parse error. Not well formed.” are almost certain to be symptoms of such a spam injection attack. Updating to the latest WordPress almost always fixes the problem immediately.
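To tell this symptom apart from other XML-RPC failures, a saved response body can be checked for well-formedness and for markup sitting outside the XML document. The following is an added example, not code from MarsEdit or WordPress; the function name `diagnose`, the constructed sample bodies, and the assumption that the injected markup lands before or after the XML document are all specific to this example.

```python
import re
import xml.parsers.expat as expat

# Constructed sample bodies (not captured from a real blog).
CLEAN = (b'<?xml version="1.0"?>\n'
         b"<methodResponse><params><param><value><string>ok</string>"
         b"</value></param></params></methodResponse>\n")
# Assumption: the injected markup is emitted after the XML document ends.
TAMPERED = CLEAN + (b'<div style="display:none">'
                    b'<a href="http://spam.example/pills">pills</a></div>\n')

END_TAG = b"</methodResponse>"
HREF = re.compile(rb'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def diagnose(body):
    """Check an XML-RPC response body for well-formedness and stray content."""
    report = {"well_formed": True, "error": None,
              "leading": b"", "trailing": b"", "links": []}
    parser = expat.ParserCreate()
    try:
        parser.Parse(body, True)  # True: this is the final chunk
    except expat.ExpatError as exc:
        report["well_formed"] = False
        report["error"] = "%s (line %d, column %d)" % (
            expat.ErrorString(exc.code), exc.lineno, exc.offset)

    # Anything outside the XML document is not part of the XML-RPC reply.
    start = body.find(b"<?xml")
    if start == -1:
        start = body.find(b"<methodResponse")
    end = body.rfind(END_TAG)
    if start > 0:
        report["leading"] = body[:start].strip()
    if end != -1:
        report["trailing"] = body[end + len(END_TAG):].strip()
    stray = report["leading"] + b" " + report["trailing"]
    report["links"] = [u.decode("ascii", "replace") for u in HREF.findall(stray)]
    return report


if __name__ == "__main__":
    for name, body in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, diagnose(body))
```

Links reported in `links` point to content that was added outside the XML-RPC reply and are a starting point for checking the blog's files and posts for tampering.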
Matt’s advice is pretty basic: update to the latest WordPress, and check your posts for signs of tampering. But it’s nice to have advice “from the top,” so to speak. I will be glad to see this wave of blog-attacks pass us by as more and more users get updated to the latest release of WordPress.
I commented on the post, suggesting that what WordPress would really benefit from is some kind of automated updater, so that users can easily update without having to worry about whether they’re doing it right or whether they’ll mess up their blog. The great news is Matt replied saying that they are in fact working on such a feature for 2.6.
Looking forward to a built-in automatic updater for WordPress! But in the meantime, be sure to stay current so you avoid the nasty attacks that are going around.