After doing a bit of research on WordPress blog security I stumbled upon a WordPress ticket. This ticket describes an issue where every registered user who has logged into the blog can spy on the metadata of all other users by typing in a simple URL (this is after they sign up and activate an account). One comment said “I believe this affects 2.0.4 and 2.1”, which basically means versions before 2.0.5.
So what does this really mean for your wordpress blogs?
Your blog metadata includes the e-mail addresses of every registered user and also of every person who has commented on your blog (if public registration is enabled). This has the potential to cause huge privacy concerns relating to e-mail addresses: a smart e-mail spammer could latch onto this exploit, spider your blog and harvest all of your users' e-mail accounts.
After doing a bit of Google magic I found over 819 Irish blogs and over 292,000 other blogs with the potential to be affected by this problem. Out of the 5 high-profile Irish blogs that I tested, all of them seemed to be vulnerable.
So how do I fix this problem?
There are some blogs that don’t seem to be included in this group, and all of them have public registration disabled. So a quick fix would be to disable registration, then jump over to and get the patch ASAP.
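Beyond disabling registration and patching, a site owner can also watch for the behaviour the post warns about: one logged-in account walking through every other user's profile page in quick succession. The script below is an added example written for this post, not code from the original or from WordPress; it reads Apache-style access-log lines, counts how many distinct user profiles each client IP fetched inside a sliding time window, and flags clients that look like they are harvesting. The profile URL pattern `/profile.php?user_id=N` and the sample log lines are constructed placeholders (the post does not give the real URL), so swap in the pattern your install actually serves.

```python
import re
from collections import defaultdict
from datetime import datetime

# Placeholder pattern for the per-user metadata page. The post does not name
# the real URL, so replace this with the path your WordPress install serves.
PROFILE_RE = re.compile(r"^/profile\.php\?user_id=(\d+)$")

# Apache "combined" log format: ip ident user [time] "method path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one client sweeps user ids 1-6 within seconds and
# returns for id 7 much later; another client only reads its own profile.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2007:10:00:01 +0000] "GET /profile.php?user_id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2007:10:00:02 +0000] "GET /profile.php?user_id=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2007:10:00:03 +0000] "GET /profile.php?user_id=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2007:10:00:04 +0000] "GET /profile.php?user_id=4 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2007:10:00:05 +0000] "GET /profile.php?user_id=5 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2007:10:00:06 +0000] "GET /profile.php?user_id=6 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2007:10:45:00 +0000] "GET /profile.php?user_id=7 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Jan/2007:10:00:10 +0000] "GET /profile.php?user_id=9 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Jan/2007:10:00:20 +0000] "GET /2007/01/hello-world/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Jan/2007:10:00:30 +0000] "GET /profile.php?user_id=9 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Jan/2007:10:00:40 +0000] "GET /profile.php?user_id=10 HTTP/1.1" 404 300 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return (ip, timestamp, user_id) for a successful profile fetch, else None."""
    m = LOG_RE.match(line)
    if not m or m.group("status") != "200":
        return None
    p = PROFILE_RE.match(m.group("path"))
    if not p:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(p.group(1))


def find_enumerators(log_text, threshold=5, window_seconds=60):
    """Map each client IP that fetched >= threshold distinct profiles within any
    window_seconds span to the largest distinct count seen in such a window."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ip, ts, uid = rec
            hits[ip].append((ts, uid))

    flagged = {}
    for ip, events in hits.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = len({uid for _, uid in events[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, count in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {count} distinct user profiles fetched within 60s")
```

On the constructed sample, only 203.0.113.7 is reported (six distinct profiles in six seconds); the legitimate client that re-reads its own profile is not. The later request for user id 7 falls outside the 60-second window, so it does not raise the count unless the window is widened. Tune `threshold` and `window_seconds` to the size of your user base, and remember that a harvester can slow down to stay under any fixed rate, so this is a signal to investigate, not a replacement for the upgrade.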

Oh dear – I’ve just found out about this via Damien Mulley’s blog. We get a fair few spammy comments on our blog, so this could be an issue for us.
I’m a complete non-techy person, however – is there a way to explain the fix for this in layman’s terms for a computer-illiterate like myself?
Many thanks!
Is this when you realized how easy it was to hack wordpress blogs?
I just found a bug while doing research on security. It had been fixed by the time I made the post.
“Your blog meta data includes all of the e-mail address of every user & also ever person who has commented on your blog.”
This sentence is incorrect. I’m not registering on your blog to make this comment, therefore I don’t have a user ID. If you had registration open on your blog, an option which is off by default, and if I registered on your blog with a legitimate email address and went through the activation process, and if you were running a version older than 2.0.5, which was released about 3 months ago.
I totally agree that people on older versions should upgrade, or at the very least turn off the “anyone can register” option.
Hi Matt, Thanks for popping by. This comment was based on my adventures inside my own blogs, so as you said it may not be the case for everyone.
However, while looking at this issue on other blogs I noted that I could view 900-odd users. These users were closely related to the comments posted. As far as I was aware, there was no real reason for the sites to have this enabled in the first place. The other strange thing is that there was no link for the users to register without manually entering a URL. So how did these guys get accounts?
I will test it again on another blog of mine with a standard 2.0.5 pre-patched install.
I made some revisions to the post to clear up what I was trying to say. I agree with Matt; there was a bit more to this than some of the newer exploits. People on older versions should always upgrade (in an ideal world).
Thanks for the advice and well done on making the discovery
Guys, if you want your blogs to be secure and you do not want to spend a lot of money… visit my website… wppadlock.com. It is only $12.00 but I am willing to cut the price down even more… any questions, email me at wppadlockpro [at] gmail.com
- MarketBoy