Webloggers be warned: Wordpress v2.1.1 is compromised!

05 March 2007

A recent emergency bulletin from Matt of the Wordpress weblogging software project is highly distressing to say the least: someone cracked one of the project's servers and inserted a pair of backdoors into v2.1.1, which make it possible for a malicious user to remotely execute arbitrary code on the server hosting a Wordpress blog.

What I want to know is this: Why wasn't the Wordpress project at the very least posting hashes of the distribution archives, or PGP/GPG signing the archives and posting detached signatures for the files? Looking at the Wordpress download page shows a pair of buttons for downloading .zip and .tar.gz archives of WP v2.1.2, but nothing that will verify the authenticity and/or integrity of the archives.
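To make that verification step concrete, here is an added example (not code from the original post or from the Wordpress project) of a POSIX shell checker that compares a downloaded archive against a published checksum line and, where gpg is installed, a detached signature; the file names wordpress-2.1.2.tar.gz and SHA256SUMS are assumptions for illustration.

```shell
# Added example, not from the original post or the WordPress project. Verifies a
# downloaded archive against a published SHA-256 line and, if gpg is available,
# a detached OpenPGP signature. File names used here are assumptions.

# Print the SHA-256 hex digest of a file (GNU coreutils or BSD/macOS fallback).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_checksum ARCHIVE SUMFILE
# SUMFILE holds lines in sha256sum format: "<hex>  <name>" (or "<hex> *<name>").
# Succeeds only when the archive's digest equals the published one. A checksum
# served from the same host as the archive only catches corrupt downloads: an
# attacker who can replace the archive can replace the hash line as well.
verify_checksum() {
    archive="$1"; sums="$2"
    name=$(basename "$archive")
    expected=$(awk -v f="$name" '{ n=$2; sub(/^\*/, "", n); if (n == f) print $1 }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name in $sums" >&2
        return 1
    fi
    actual=$(sha256_of "$archive")
    if [ "$actual" = "$expected" ]; then
        echo "checksum OK: $name"
        return 0
    fi
    echo "CHECKSUM MISMATCH for $name: expected $expected, got $actual" >&2
    return 1
}

# verify_signature ARCHIVE SIGFILE
# Checks a detached signature against a signing key imported into the local
# keyring from an out-of-band source (keyserver, published fingerprint), which
# is what actually detects a replaced archive. Returns 2 when gpg is missing.
verify_signature() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    gpg --verify "$2" "$1"
}

# Usage: sh verify.sh ARCHIVE SUMFILE [SIGFILE]
if [ "$#" -ge 2 ]; then
    verify_checksum "$1" "$2" || exit 1
    if [ "$#" -ge 3 ]; then verify_signature "$1" "$3" || exit 1; fi
fi
```

The signature check is the part that matters for the incident described above: a hash posted next to the archive on the cracked server proves nothing, whereas a signature only verifies against a key the project controls offline.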