Security Alert – Upgrade to WordPress 2.8.4 Now

There is a security exploit going around, and it could affect anyone not using the most up-to-date version of WordPress at the moment, which is WordPress 2.8.4. Lorelle has a good writeup on how old WordPress versions are under attack. To summarize, here’s what to look out for if you think your WordPress site may have been compromised.

  • Unusual additions to your WordPress permalink structure. If you see anything like “eval” and/or “base64_decode” in your URLs, you’ve already been hit.
  • This is a real kicker: a hidden admin account. That’s right, the exploit can let the attacker set up a hidden admin account that may not even be displayed in your user list.

This post offers some solutions if you have already been hacked. Remove the extra permalink code in Settings → Permalinks, remove the extra admin account, and (obviously) upgrade to the latest version of WordPress.
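As an added example (not from the original post or from WordPress itself), here is a small Python check over constructed sample rows that applies the two indicators above: it flags eval/base64_decode tokens in the permalink_structure option and lists administrator accounts that are not on the site owner's own list of admins, which is how an account hidden from the admin screen still shows up when you read the tables directly. The column and meta-key names follow WordPress's wp_options, wp_users and wp_usermeta layout; the sample rows are constructed.

```python
import re

# Tokens the post names as signs of an injected permalink structure. Word
# boundaries keep words like "retrieval" from matching; any hit still needs
# a human look at Settings -> Permalinks.
INJECTED_PERMALINK = re.compile(r"\b(?:eval|base64_decode)\b|<\?php", re.IGNORECASE)


def permalink_findings(permalink_structure):
    """Return the suspicious tokens found in the permalink_structure option."""
    return sorted({m.group(0).lower() for m in INJECTED_PERMALINK.finditer(permalink_structure)})


def unexpected_admins(users, usermeta, expected_admins):
    """Return administrator logins that are not in the owner's expected set.

    users: rows like wp_users (ID, user_login); usermeta: rows like wp_usermeta
    (user_id, meta_key, meta_value). Roles are PHP-serialized under the
    <prefix>_capabilities key, so only the presence of "administrator" is tested.
    """
    admin_ids = {
        m["user_id"]
        for m in usermeta
        if m["meta_key"].endswith("capabilities") and '"administrator"' in m["meta_value"]
    }
    return sorted(
        u["user_login"]
        for u in users
        if u["ID"] in admin_ids and u["user_login"] not in expected_admins
    )


# Constructed sample rows standing in for wp_options and the user tables.
CLEAN_PERMALINK = "/%year%/%monthnum%/%postname%/"
TAMPERED_PERMALINK = '/%year%/%postname%/%eval(base64_decode("..."))%'
SAMPLE_USERS = [
    {"ID": 1, "user_login": "admin"},
    {"ID": 2, "user_login": "editor_jane"},
    {"ID": 3, "user_login": "support"},  # the account the owner never created
]
SAMPLE_USERMETA = [
    {"user_id": 1, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 2, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:6:"editor";b:1;}'},
    {"user_id": 3, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
]

if __name__ == "__main__":
    print("permalink tokens:", permalink_findings(TAMPERED_PERMALINK))
    print("unexpected admins:", unexpected_admins(SAMPLE_USERS, SAMPLE_USERMETA, {"admin"}))
```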

Has anyone been affected by this exploit? I’m happy to say out of all of my WordPress sites, I haven’t been hit, although I have still upgraded all of my WordPress installations to the latest version, including Theme Lab, and I highly recommend you do the same (as long as you back up first). Just another reason to keep your WordPress version up-to-date.

WordPress 2.8.4 Released

As predicted, WordPress 2.8.4 has been released. No surprise here, after news about the admin password reset “exploit” issue surfaced yesterday. Yeah, there are some arguments over whether it’s a security issue or not, but it can be pretty annoying if you get hit by it.

It’s highly recommended you upgrade immediately. This is a pretty minor upgrade as it’s supposed to only fix the one bug. Anyone know the record of most point releases on a single branch?

By the way, if you ever come across an undiscovered WordPress security issue, make sure you know the correct way to report it. Blabbing about how you used it on sites you don’t own/administer under the guise of “proof-of-concept” is not the correct way.

WordPress 2.8.3 Released

WordPress 2.8.3 was just released, just a couple weeks after the last one. This is a security update, so it’s highly recommended you upgrade immediately.

What exactly is fixed? According to Ryan Boren, some things that were supposed to be fixed in 2.8.2, as he “missed some places when fixing the privilege escalation issues.”

No worries Ryan, we’re all human. This is open source at its best, as several community members saw these overlooked areas and contributed to the fix. As always, make a WordPress backup before upgrading.

P.S. I left a message on Twitter a few hours ago about the winning Slick Red theme from last week’s theme battle. Make sure to check this page periodically to check the Slick Red coding in progress.