WordPress Security Alert – Vulnerability in 2.3.3

I just stumbled upon this post about an exploit which allows a hacker/spammer to inject links and HTML into your WordPress installation. If you see a /wp-content/1/ directory in your FTP, you have likely been affected. Over 9000 other WordPress blogs are in the same boat.

[Screenshot: Google results for wp-content/1/ exploit]

As you can see, ringtones, gambling, the usual spammy stuff. I’m not going to link directly to these results, as some of these links have been reported to be malware-infested, so it’s definitely not a good idea to visit them. Google will likely penalize you if the spam links on your exploited site are crawled, so if you see this directory, delete it ASAP along with all files under it.

As of yet, no official word on this vulnerability has been released by the WordPress developers. Until then, it’s best to follow good security practices (which should apply to all websites, not just WordPress-powered ones): password-protect your directories, don’t publish the version of the script you’re using, and disable directory indexes on WordPress core directories, to name a few. I’ll be posting some general WordPress security tips on Theme Lab soon.
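A small audit script for checking your own installs for the /wp-content/1/ indicator mentioned above and for the directory-index advice in this post. This is an added example, not code from the original post; it assumes an Apache install with a .htaccess at the WordPress root, so adjust the paths for your server.

```shell
#!/bin/sh
# Added example (not from the original post): audit a WordPress install for the
# /wp-content/1/ directory left behind by the 2.3.3 link-injection exploit, and
# check whether directory listings are disabled. Assumes an Apache-style
# .htaccess at the install root; adjust for other servers.

# Print the number of files under wp-content/1 that carry outbound links,
# which is the injected spam payload. Prints 0 when the directory is absent.
count_injected_files() {
    spam_dir="$1/wp-content/1"
    [ -d "$spam_dir" ] || { echo 0; return; }
    grep -rl '<a href' "$spam_dir" 2>/dev/null | wc -l | tr -d ' '
}

# Return 0 if the install's .htaccess turns off directory listings, 1 otherwise.
indexes_disabled() {
    grep -qi '^[[:space:]]*Options[[:space:]].*-Indexes' "$1/.htaccess" 2>/dev/null
}

# Audit one install. Returns 0 when clean, 1 when the spam directory is present.
# Findings are printed so they can be kept alongside the web server logs.
check_wp_install() {
    wp_root="$1"
    spam_dir="$wp_root/wp-content/1"
    status=0
    if [ -d "$spam_dir" ]; then
        echo "WARNING: $spam_dir exists; $(count_injected_files "$wp_root") file(s) contain injected links"
        # List the files with timestamps before deleting anything, so the
        # injection time can be matched against access logs.
        find "$spam_dir" -type f -exec ls -l {} +
        status=1
    else
        echo "OK: no wp-content/1 directory in $wp_root"
    fi
    if indexes_disabled "$wp_root"; then
        echo "OK: directory indexes disabled in $wp_root/.htaccess"
    else
        echo "NOTE: add 'Options -Indexes' to $wp_root/.htaccess to disable directory listings"
    fi
    return $status
}
```

Run it as `check_wp_install /path/to/wordpress`; a non-zero exit means the spam directory was found.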

Note: More information is available on this WordPress.org support topic, where the exploit was initially reported.

15 Jun 2011

WordPress 2.5 RC1 Released

Yes, I know I’m a couple of days late on this story, like my last news story. Anyway, the release of WordPress 2.5 has been hyped up for a while now, having been scheduled, postponed, rescheduled, and postponed some more. Matt from WordPress recently announced the release of WordPress 2.5 RC1 on the WordPress development blog. There have been a lot of layout changes to the admin panel, placing more emphasis on common tasks (like writing) and less on menial tasks such as activating plugins. WordPress 2.3.3 is still the latest stable release. If you want to try it out for yourself, I’d recommend installing it locally or on an otherwise “non-production” blog.

In case you were wondering, RC stands for release candidate. This basically means it isn’t an officially “stable” release yet, although it will probably work okay. The purpose of releasing this version first is to work out any last few bugs that may be present before the final 2.5 release. This is why it’s probably a good idea to stick with 2.3.3 until then.
