I know, I know! I sound like a broken record or a techno mantra, but it needs to be said, again, that if you are running an installation of WordPress, you really do need to keep it up to date. If you don’t, the question really isn’t whether or not your site will be exploited, but rather when it will be exploited (and how much damage will be done).
It’s been about 6 months since I last wrote about this on these forums, and there have been numerous releases of WordPress during that time - and huge numbers of sites that have not been upgraded, and have been subsequently exploited.
I’m writing about it again now, because of a newish rash of exploits seen recently that have surfaced on sites running WP versions as recent as 2.6.3.
I won’t go into all of the details of the exploit here (it is all over the web, and Google is the friend of inquiring minds), but if you have a “remv.php” file in your “wp-content/themes” directory, “Congratulations, you have been had.”
One excellent resource describing this in the wild, and detailing how to rid yourself of this digital vermin, is Jason Cosper’s article titled, “WordPress, remv.php and You”. This is a good read, and is highly recommended.
There have been no confirmed reports as of yet of the WP 2.6.5 version being compromised, but there really is no reason at all not to just upgrade to the absolutely beautiful 2.7 version that has just been released.
This version has a wonderful new admin interface, and it is worth upgrading your blog for that feature alone. Oh yeah, and the fact that you really shouldn’t let your blog become a zombie you can’t control by not upgrading … just saying.
Upgrade. Please. Do it now. Seriously.
–DreamHost Tech Support
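
The check described in the post (a “remv.php” file in “wp-content/themes”, plus an out-of-date version) can be run across every install under a directory. This is an added example, not part of the original post or any DreamHost tooling; the function names and status labels are hypothetical, and it assumes the standard WordPress layout where `wp-includes/version.php` sets `$wp_version`.

```shell
#!/bin/sh
# Added example: audit WordPress installs under a directory tree.
# Usage: sh wp_audit.sh /path/to/web/roots   (path is an assumption)

# Print the $wp_version string from an install's wp-includes/version.php.
wp_version_of() {
    sed -n "s/^[[:space:]]*[\$]wp_version[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" \
        "$1/wp-includes/version.php" | head -n 1
}

# Return 0 when version $1 is older than $2 (numeric compare, up to 3 parts).
version_lt() {
    a=$(printf '%s' "$1" | awk -F. '{printf "%d%03d%03d", $1, $2, $3}')
    b=$(printf '%s' "$2" | awk -F. '{printf "%d%03d%03d", $1, $2, $3}')
    [ "$a" -lt "$b" ]
}

# For each install found under $1, print: STATUS <tab> VERSION <tab> PATH
#   COMPROMISED  wp-content/themes/remv.php exists (the indicator from the post)
#   OUTDATED     version is older than 2.7 (the release the post recommends)
#   OK           neither condition matched; this is not proof the site is clean
wp_audit() {
    root=$1
    find "$root" -type f -path '*/wp-includes/version.php' 2>/dev/null |
    while IFS= read -r vfile; do
        site=${vfile%/wp-includes/version.php}
        ver=$(wp_version_of "$site")
        status=OK
        # An unreadable version is treated as 0, so it is reported as OUTDATED.
        version_lt "${ver:-0}" 2.7 && status=OUTDATED
        [ -e "$site/wp-content/themes/remv.php" ] && status=COMPROMISED
        printf '%s\t%s\t%s\n' "$status" "${ver:-unknown}" "$site"
    done
}

# Run the audit when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    wp_audit "$1"
fi
```

An `OK` line only means this one file name was not found and the version is current; a cleaned-up or renamed file will not be reported.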