I normally don’t post about WordPress upgrades, but this one is extremely important for anyone running version 2.1.1 that was just released a few days ago. Apparently a hacker got access to the WordPress.org server and inserted some malicious code into the download:
It was determined that a cracker had gained user-level access to one of the servers that powers wordpress.org, and had used that access to modify the download file. We have locked down that server for further forensics, but at this time it appears that the 2.1.1 download was the only thing touched by the attack. They modified two files in WP to include code that would allow for remote PHP execution.
This is the kind of thing you pray never happens, but it did and now we’re dealing with it as best we can. Although not all downloads of 2.1.1 were affected, we’re declaring the entire version dangerous and have released a new version 2.1.2 that includes minor updates and entirely verified files.
It’s unfortunate that this happened several days ago because a large number of people have already downloaded it, but I guess we should just be grateful that it was caught now and not weeks from now. I wonder how many people this ended up affecting?
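The practical check this incident calls for, as an added example that is not part of the original post or of WordPress itself: hash every file in an installed tree and compare it against a known-clean copy of the same release, listing files that differ, were added, or are missing. The directory layout, file names and PHP contents below are constructed for illustration and are not the files touched in the real attack.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def compare_trees(clean_root, installed_root):
    """Return (modified, added, missing) relative paths of installed vs. clean."""
    clean = hash_tree(clean_root)
    installed = hash_tree(installed_root)
    modified = sorted(p for p in clean if p in installed and clean[p] != installed[p])
    added = sorted(p for p in installed if p not in clean)
    missing = sorted(p for p in clean if p not in installed)
    return modified, added, missing


def _write(root, rel, content):
    """Helper: write a text file, creating parent directories as needed."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)


def demo():
    """Constructed scenario: a clean release beside a copy with one altered and one extra file."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as installed:
        for root in (clean, installed):  # constructed file names, not real WordPress paths
            _write(root, "index.php", "<?php // front controller\n")
            _write(root, "wp-includes/helper.php", "<?php // helpers\n")
        # Constructed tampering: one file gains an extra line, one file appears that is not in the release.
        _write(installed, "wp-includes/helper.php", "<?php // helpers\n// unexpected addition\n")
        _write(installed, "wp-includes/extra.php", "<?php // not in release\n")
        return compare_trees(clean, installed)


if __name__ == "__main__":
    print(demo())
```

Run it against a real install by pointing compare_trees at a freshly extracted, verified release and the live document root; every entry in the modified or added lists deserves a look.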