Stay updated
Keep current with the latest trends in technical communication by subscribing to the I'd Rather Be Writing newsletter. 5,800+ subscribers. (See email archive here.)

Search results

WordPress Tip: WordPress Worm Requires Upgrade to 2.8.4

by Tom Johnson on Sep 7, 2009 •
categories: technical-writingwordpress

I woke up from my long Sunday nap to see all kinds of commotion about upgrading WordPress to 2.8.4 due to a worm that is currently circulating. The WordPress blog reports:

Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.

Upgrading to 2.8.4 is pretty easy and won't take more than 5 minutes. Here's the process I recommend:

  1. Back up your database. If you don't already have a WordPress backup plugin, go to Plugins > Add New and install WP-dbmanager. With some web hosts, this plugin doesn't seem to work. If that's the case, use WP-DB-Backup. When you back up your database using one of these plugins, you'll be prompted to download an sql file (which contains all the content from your posts, pages, comments, and settings).
  2. Go to Tools > Upgrade and click Upgrade Automatically. If you receive an error here, deactivate all your plugins and try it again.

That's it. If for some reason the above method for upgrading doesn't work, you can upgrade manually by deleting your wp-admin and wp-includes folders and all the files in your root except wp-config.php, .htaccess, and the wp-content folder. Then just download the latest version from and FTP the  files as replacements. It always freaks me out to hit the delete key in there and see dozens of files disappear , but just remember that your content is stored in a MySQL database, not in the WordPress files.

Here's one other security measure. If you've had your blog for a while (a year or more), download wp-confiig.php (this file is in your root and contains important database information) and make sure you have the latest security statements in there (compare with wp-config.php from the latest WP download). You can generate some random security strings here.

While you're upgrading, look at your list of plugins. Most likely a few of them have updates that you can apply by clicking Update Automatically next to each plugin.

If you need help upgrading your WordPress blog, let me know. If you're a personal friend, I may do it for free.

Buy me a coffeeBuy me a coffee
Stay current with the latest in tech comm
Keep current with the latest trends in technical communication by subscribing to the I'd Rather Be Writing newsletter. 5,800+ subscribers. (See email archive here.)

follow us in feedly

About Tom Johnson

Tom Johnson

I'm a technical writer / API doc specialist based in the Seattle area. In this blog, I write about topics related to technical writing and communication — such as software documentation, API documentation, visual communication, information architecture, writing techniques, plain language, tech comm careers, and more. Check out simplifying complexity and API documentation for some deep dives into these topics. If you're a technical writer and want to keep on top of the latest trends in the field, be sure to subscribe to email updates. You can also learn more about me or contact me.