As we read on Mashable:

The warning comes from Lorelle on WordPress after it was discovered that a nasty attack is exploiting security holes in previous versions of the blogging software, creating a new “hidden” Administrator account and getting right down to the database level. These attacks are said to be “growing by the hour”. Lorelle writes:

There are two clues that your WordPress site has been attacked.

There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.”

The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account.

We are strongly encouraging our clients to upgrade their version of WordPress to make sure you are using the latest version of 2.8.4.  If you don’t know what version you are currently using, login to your WordPress dashboard and if you are running an older version of WordPress, you’ll see a notice at the top that looks like this:

Click the “Please update now” link to begin the upgrade process.

For any of you that are using really old versions of WordPress (versions 2.5 and lower) a manual upgrade will need to be done.  Instructions on manually upgrading your WordPress site using FTP can be found in the WordPress Codex here: WordPress Upgrade Extended.  If you need assistance with your manual upgrade – you can contact us for help/support by submitting a ticket in our Help Center.

For anyone who may have already experienced the attack – it’s going to be long Labor Day weekend for you, too!  You will need to export your all your content with the built-in WordPress export, uninstall and reinstall WordPress and re-import the content. It’s a nasty attack that goes all the way into the database, so exporting the database will result in exporting the hacked code too.

In short:  for those who have not yet been affected: upgrade to 2.8.4.  For those who have been, follow the instructions above to fix your site (you can contact us if you are a hosting client of ours)

For those who are already running 2.8.4 – Horray! Enjoy your Labor Day weekend!

[UPDATE] - Check out a great post by the WordPress.Org team on how to keep your WordPress secure – - a stick in time, saves nine (A/K/A/ – always upgrade your WordPress installation with the latest version)

Related Posts:

• PINKI Server – Critical Hardware Update **Resolved**
• New Billing and Support System
• WordPress 2.6.5 Security Upgrade
• Has Your WordPress Blog Been Hacked?
• Have a look at the new WordPress 2.7 Dashboard
• WordPress SuperCache
• WordPress 2.1 Release
• Wordpress for Dummies
• Akismet bug fixed
• New Hosting Packages Rollout!

Yesterday, 8/23/09, we experienced a sudden (without warning) hard drive failure on the Pinki server. Usually, we get notifications that the hardware is having some sort of issue that we need to look into, which gives us time to diagnose and troubleshoot. This time, however, there were no warnings – it just happened without notice…one minute the drive was functioning, the next minute not. Machines are not infallible – - and web servers are machines, after all. It’s frustrating and scary all at the same time!

We discovered this problem late yesterday afternoon and immediately went to work with our DataCenter (and hardware providers) at ServerBeach and commissioned a new server. The great news is that we do full adn complete backups of all client accounts on a nightly basis and store them on a separate drive for safekeeping. Once the new server was up and running with a new copy of the Operating System – we began the account restore and things are about 99.9% back to normal right now.

We do continue to work on the new server configurations, however your sites are in working order at this time. Some people have reported a few items that are off – - a couple missing posts, template tweaks that are not there anymore, etc. We are currently working on those issues on an individual basis.

Because our own web site was down during this time, as well – - we’ve been providing updates on our Twitter account as much as we possibly could during this outage. If you do not follow us on Twitter – it’s probably a good idea to do so at times like these: http://twitter.com/BlogsAbout

We want to thank everyone for their patience, and for those of you who write and Twittered words of support and encouragement – we are grateful. We realize that times like these are frustrating for everyone – including ourselves. So, thank you for your patience and understanding during this time. PLease know that we continue to work on smaller issues on a case by case basis and are getting through them as quickly as we can.

One thing that we have noticed, for WordPress users – when you go to update a plugin, or update your WordPress installation – WordPress is asking you for your FTP login information. It has never done this before and this is a function of our server configuration that we are working to resolve. In the meantime, you can just input the information as requested – or, there is a work around for individual sites that you can read about in the WordPress Support forums here: http://wordpress.org/support/topic/242686#post-1180641 (RESOLVED)

* – If you do not know what server your account is currently on – you can locate the IP number of your server in the left menu of your CPanel. Compare your IP number with the three I’ve listed above to find out which server your account is currently hosted on. Or, leave a comment on this post and I’ll do my best to help you determine your server assignment. Thanks!

Related Posts:

• New Billing and Support System
• [UPDATED] Early versions of WordPress under attack – upgrade to 2.8.4 today!
• WordPress 2.6.5 Security Upgrade
• Has Your WordPress Blog Been Hacked?
• Server Alert: Jingles RAM Replacement [Updated x2]
• Have a look at the new WordPress 2.7 Dashboard
• WordPress SuperCache
• WordPress 2.1 Release
• Wordpress for Dummies
• Mail Server Update

The security issue is an XSS exploit discovered by Jeremias Reith that fortunately only affects IP-based virtual servers running on Apache 2.x. If you are interested only in the security fix, copy wp-includes/feed.php and wp-includes/version.php from the 2.6.5 release package.

2.6.5 contains three other small fixes in addition to the XSS fix. The first prevents accidentally saving post meta information to a revision. The second prevents XML-RPC from fetching incorrect post types. The third adds some user ID sanitization during bulk delete requests. For a list of changed files, consult the full changeset between 2.6.3 and 2.6.5.

Get the WordPress 2.6.5 files from the official WordPress site.

Related Posts:

• Has Your WordPress Blog Been Hacked?
• WordPress 2.1 Release
• [UPDATED] Early versions of WordPress under attack – upgrade to 2.8.4 today!
• PINKI Server – Critical Hardware Update **Resolved**
• New Billing and Support System
• Have a look at the new WordPress 2.7 Dashboard
• WordPress SuperCache
• Wordpress for Dummies
• Akismet bug fixed
• New Hosting Packages Rollout!

This is also a perfect time for me to emphasize how important it is to keep your WordPress software upgraded to the most recent version. Old versions of WordPress are vulnerable for exploitation, simply due to the fact that the older versions have an old code base that is no longer being developed. This means that bugs and/or vulnerabilities that existed in old versions were fixed in the new versions – - so, if you’re using old versions… you’re also using the bugs and vulnerabilities, too!

Take control of your WordPress blog and don’t let his happen to you by upgrading as soon you can after you hear about a new WordPress version release. For those of you keeping up – WordPress 2.6.3 is the most recent version available right now. WordPress 2.7 is due for release on 11/10/08.

I use this handy plugin that allows me to easily, and quickly, upgrade my WordPress blogs from within my WordPress administration panel – - no uploading, no configuring, no messing with the file structure at all: WordPress Automatic Upgrade. Give it a shot – it will make your WordPress experience much more pleasant!

Related Posts:

• WordPress 2.6.5 Security Upgrade
• WordPress 2.1 Release
• [UPDATED] Early versions of WordPress under attack – upgrade to 2.8.4 today!
• PINKI Server – Critical Hardware Update **Resolved**
• New Billing and Support System
• Have a look at the new WordPress 2.7 Dashboard
• WordPress SuperCache
• Wordpress for Dummies
• Akismet bug fixed
• New Hosting Packages Rollout!

For those of us who *just* got used to the new dashboard that came with version 2.5 – prepare yourselves for yet another dashboard change for 2.7. It’s refined. It’s friendly. It’s really beautiful, I have to say!

Here’s a screenshot so you can see what I mean:

For those of you following my book, WordPress For Dummies – We are releasing the 2nd edition of the book that will shortly follow the release of WordPress 2.7. We (Wiley Publishing, my publishing company) are making every single attempt at closely following the actual WordPress development schedule as much as possible. It’s more than a job. . . it’s an adventure!

Related Posts:

• [UPDATED] Early versions of WordPress under attack – upgrade to 2.8.4 today!
• PINKI Server – Critical Hardware Update **Resolved**
• New Billing and Support System
• WordPress 2.6.5 Security Upgrade
• Has Your WordPress Blog Been Hacked?
• WordPress SuperCache
• WordPress 2.1 Release
• Wordpress for Dummies
• Akismet bug fixed
• New Hosting Packages Rollout!

What is it?
From the plugin description on the developers site:

This plugin generates static html files from your dynamic WordPress blog. After a html file is generated your webserver will serve that file instead of processing the comparatively heavier and more expensive WordPress PHP scripts.

As many of you (our clients) know – yesterday (October 16) we had a pretty rough server load day. There was one particular site on our server that was getting a blazing amount of traffic to a post they made on the elections (Political season is just HUGE for us!) – - this site got linked by the media and by large blogs like Instapundit.

Everyone likes that kind of attention to their blog, don’t they? We do! What really isn’t so great is when the HUGE traffic spike caused a very slow loading time on the site; and then on the overall server.

Here’s what we did, once we localized the problem to one site in particular – - it was a very quick and easy solution and it solved the problem immediately! We installed WP Super Cache on that account and while his traffic spike stayed pretty much the same – - the server load went down to ‘uneventful’ – WP Super Cache was handling it all.

So, moral of this story? If you cannot afford a dedicated server (it’s pretty costly) — and you’re running WordPress to power your blog and you tend to get a LOT of traffic spikes… install the WP Super Cache plugin and you will find that those traffic spikes are not as scary as they used to be. They call WP Super Cache “Digg proof” for a reason – - because it handles those traffic spikes (like when you get Dugg) with ease and grace!

If you would like to install the plugin, but feel like you need help – - drop a ticket in our Help Center..we will be MORE than happy to assist you!

Related Posts:

• New Hosting Packages Rollout!
• WordPress 2.1 Release
• Akismet bug fixed
• [UPDATED] Early versions of WordPress under attack – upgrade to 2.8.4 today!
• PINKI Server – Critical Hardware Update **Resolved**
• New Billing and Support System
• WordPress 2.6.5 Security Upgrade
• Has Your WordPress Blog Been Hacked?
• Have a look at the new WordPress 2.7 Dashboard
• Site Uptime Monitoring Added

Also, here is a listing of WP Plugins that are compatible with this newest version – also listed there are plugins that are NOT compatible with WordPress version 2.1 – - make sure you read that information as it applies to plugins you may have installed on your WordPress blog.

We strongly recommend that you follow the threads in the WordPress Support Forums regarding major issues that users are having after upgrading to version 2.1 – - read through these issues before deciding to proceed with the upgrade. Typically, after such a major release – - they will release another version shortly that addresses any major bugs found only after several thousand users have upgraded and reported back with the issues. Please keep that in mind before jumping on the upgrade bandwagon.

As always – - back up your data before you proceed with an upgrade! We cannot stress this strongly enough. Yes, we do keep backups of your account – however, please read our Terms of Service as it pertains to the restoration of your back ups. We will restore the first back up for no charge – - after that, if you continue to experience issues due to failing to back up your own data, there will be a charge for each instance of back up restoration to compensate for time involved and the server resources it utilizes with each occurrance. You are able to create a full back up of your account via your CPanel – login and find the ‘BackUp” icon – - click that and follow the instructions on the creation of a back up file. This way, if the installation goes wrong, you have a full and complete back up that you can restore via your CPanel, as well.

Related Posts:

• WordPress 2.6.5 Security Upgrade
• Has Your WordPress Blog Been Hacked?
• WordPress SuperCache
• Akismet bug fixed
• New Hosting Packages Rollout!
• [UPDATED] Early versions of WordPress under attack – upgrade to 2.8.4 today!
• PINKI Server – Critical Hardware Update **Resolved**
• New Billing and Support System
• Have a look at the new WordPress 2.7 Dashboard
• New design launch and some great new features!

Congratulations, Lisa!!

Related Posts:

• [UPDATED] Early versions of WordPress under attack – upgrade to 2.8.4 today!
• PINKI Server – Critical Hardware Update **Resolved**
• New Billing and Support System
• WordPress 2.6.5 Security Upgrade
• Has Your WordPress Blog Been Hacked?
• Have a look at the new WordPress 2.7 Dashboard
• WordPress SuperCache
• WordPress 2.1 Release
• Akismet bug fixed
• New Hosting Packages Rollout!

(update 10/21/08 – sorry for any Twitter followers who got this post in a Twitter broadcast!  This is an old post that we edited today, and it got broadcast to twitter as *new* through the Twitter Tools plugin we are currently using.  No worries on Akismet — there are no current bugs in the system — this is old info!  Sorry to you, and to the Akismet folks!

Over the past 24 hours, Wordpress users who utilize the Akismet plugin experienced a mass influx of spam (this blog included). We’ve received just a ton of help tickets in our Support Center about the amount of spam they’ve received.

This was an Akismet issue and they’ve posted about it on their blog, including a statement that the problem has been resolved: Akismet blog: Downtime

Comment/trackback spam is very frustrating – however, when Akismet experiences a ‘burp’ such as this – there’s not much to be done except ride out the storm. And what a storm it was!

Akismet is an excellent service – especially considering that it doesn’t cost a thing. Keep up the great work Akismet folks!

Related Posts:

• New Hosting Packages Rollout!
• WordPress SuperCache
• WordPress 2.1 Release
• Mail Server Update
• [UPDATED] Early versions of WordPress under attack – upgrade to 2.8.4 today!
• PINKI Server – Critical Hardware Update **Resolved**
• New Billing and Support System
• WordPress 2.6.5 Security Upgrade
• Has Your WordPress Blog Been Hacked?
• Have a look at the new WordPress 2.7 Dashboard