A few days ago I was recommending to people not to upgrade to version 2.5 of WordPress, because at the time I believed WP 2.3.3 to be as stable and safe as the new 2.5 series. Besides, I liked (and still like) the old, ‘classic’, 2.3.x admin interface much more…

OK, I must take my words back and confirm that WordPress 2.3.3, the last stable release before the new WordPress 2.5 branch was released, is not safe anymore, and you can become a victim of the link injection hack (vulnerability).

What happened?

In one of the blogs that I support (luckily, not my personal blog, which I upgraded to 2.5/2.5.1 long ago), I found ‘hidden’ links (code: <u style="display: none">[ bunch of spam links inserted here ]</u>) in one of the regular posts there.

I checked the whole blog after that, all of the archives, and the hidden links were found only in two blog posts — but this doesn’t mean that at a later point, the hacker won’t try to insert some 50 or even 500 more of these…
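The manual check described above can be automated. The following is an added example, not part of the original post: it scans post bodies for links placed inside an element hidden with an inline style, as in the `<u style="display: none">` wrapper quoted earlier. The function names, sample posts and URLs are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Inline styles that hide content from readers while crawlers still see it.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
VOID_TAGS = {"br", "hr", "img", "input", "link", "meta"}  # never closed

class HiddenLinkFinder(HTMLParser):
    """Collects the href of every <a> that is hidden or sits inside a hidden element."""
    def __init__(self):
        super().__init__()
        self.stack = []         # (tag, hidden?) for each currently open element
        self.hidden_links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hidden = bool(HIDDEN_STYLE.search(attrs.get("style") or ""))
        if tag == "a" and attrs.get("href") and (hidden or any(h for _, h in self.stack)):
            self.hidden_links.append(attrs["href"])
        if tag not in VOID_TAGS:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Close back to the nearest matching open tag; ignore stray closers.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def scan_posts(posts):
    """Map post id -> hidden link targets, for posts that contain any."""
    findings = {}
    for post_id, html in posts.items():
        finder = HiddenLinkFinder()
        finder.feed(html)
        finder.close()
        if finder.hidden_links:
            findings[post_id] = finder.hidden_links
    return findings

# Constructed sample data: post id -> post body HTML (e.g. exported from the posts table).
SAMPLE_POSTS = {
    101: 'See the <a href="http://example.org/docs">docs</a> for details.<br>Bye.',
    102: 'Intro. <u style="display: none"><a href="http://spam.example/a">a</a> '
         '<a href="http://spam.example/b">b</a></u> Outro <a href="http://example.org/">ok</a>.',
    103: '<DIV STYLE="Display:None"><p><A HREF="http://spam.example/c">c</A></DIV>'
         '<a href="http://example.org/after">visible</a>',
}

if __name__ == "__main__":
    for post_id, links in scan_posts(SAMPLE_POSTS).items():
        print(post_id, links)
```

This only catches inline `style` attributes; content hidden through a CSS class or an external stylesheet needs a separate check.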

Now I am performing an upgrade to WP 2.5.1, the latest stable available for download.

After that, I’ll ask all of the authors in this blog to change their passwords, and after that, we’ll see…

Actually, I am sure that after that we’ll have to upgrade to 2.5.2, then to 2.6, etc., but I guess there’s nothing else to be done.

Last, but not least, I recommend that all WordPress users upgrade carefully, and often. The danger of discovering one day that your blog has become a victim of some stupid spammer, trying to ‘sell’ his black hat SEO links using your hacked WP, is quite real, and the only measure against this is: upgrade! :-)

//Sideline: I still do not like the new WP 2.5 admin interface (and I’m not the only one ;-), and I just hope that in 2.6 things will look better (and be more usable) — or at least, the Write section will be improved…

3 thoughts on “WordPress 2.3.3 is not safe anymore – upgrade NOW! (link injection vulnerability)”

  1. Thanks for the backlink and for the heads-up about the link injection vulnerability :)

    Best regards, Andrew Boyd

  2. Hi, Andrew,

    Yep, I liked the interface of 2.3.3 much more than 2.5/2.5.1, but it looks like only the last version of WP is safe, for now…
