As you might know, I have been fighting hackers all this weekend and last weekend. There seem to be many “loopholes” that the hackers are able to take advantage of, especially if you are even running version 2.8.1.
Well, it looks like the WordPress team has version 2.8.2 available for download; download WordPress 2.8.2 here.
WordPress 2.8.2 fixes an XSS vulnerability. Comment author URLs were not fully sanitized when displayed in the admin. This could be exploited to redirect you away from the admin to another site. Download 2.8.2 or automatically upgrade from the Tools->Upgrade page of your blog’s admin.
This is precisely the problem with older WordPress versions: hackers can easily exploit your admin area by inserting iframe injections. At least that’s what I’ve noticed.
Also, if you were running WordPress 2.5 or below and have since upgraded, make sure you update your wp-config.php with secret keys. These secret keys will basically protect you from hackers hijacking your admin cookies.
You need to add the following lines if you haven’t, using your own unique random values in place of the ones shown (keys copied from a public page are not secret):
define('AUTH_KEY', ':dr+%/5V4sAUG-gg%aS*v;&xGhd%{YKC^Z7KKGh j>k[.Nf$y7iGKdJ3c*[Kr5Bg');
define('SECURE_AUTH_KEY', 'TufWOuA _.t>#+hA?^|3RfGTm>@*+S=8\"\'+\"}]<m#+}V)p:Qi?jXLq,<h\\`39m_(');
define('LOGGED_IN_KEY', 'S~AACm4h1;T^\"qW3_8Zv!Ji=y|)~5i63JI |Al[(<YS<2V^$T])=8Xh2a:b:}U_E');
define('NONCE_KEY', 'k1+EOc-&w?hG8j84>6L9v\"6C89NH?ui{*3\\(t09mumL/fFP_!K$JCEkLuy ={x{0');
These keys probably cause 99% of the latest hacker exploits, so update them, as upgrading WordPress won’t update your wp-config.php automatically. (Read more about them here)
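To check an upgraded site for the wp-config.php problem described above, here is an added example (not from the original post or from WordPress) that audits the four secret keys. The function names, the 32-character minimum and the sample config are assumptions made for this example; it ignores only whole-line // and # comments.

```python
import re

REQUIRED = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")
PLACEHOLDER = "put your unique phrase here"  # text shipped in wp-config-sample.php
MIN_LEN = 32  # assumed threshold for this example

# define('NAME', 'value'); where the value may contain backslash escapes.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*(['"])(\w+)\1\s*,\s*(['"])((?:\\.|(?!\3).)*)\3\s*\)\s*;""", re.S)

def php_unquote(raw, quote):
    # Undo only the escapes this example handles: \\ and the escaped quote.
    return re.sub(r"\\([\\" + quote + "])", r"\1", raw)

def audit_wp_config(text, known_public=()):
    """Return {key_name: [problems]}; an empty dict means all four keys look fine."""
    # Drop whole-line comments so a commented-out define() counts as missing.
    live = "\n".join(ln for ln in text.splitlines()
                     if not ln.lstrip().startswith(("//", "#")))
    found = {m.group(2): php_unquote(m.group(4), m.group(3))
             for m in DEFINE_RE.finditer(live)}
    problems = {}
    for name in REQUIRED:
        issues, value = [], found.get(name)
        if value is None:
            issues.append("missing")
        else:
            if value == PLACEHOLDER:
                issues.append("sample placeholder")
            if len(value) < MIN_LEN:
                issues.append("too short")
            if sum(1 for n in REQUIRED if found.get(n) == value) > 1:
                issues.append("reused for another key")
            if value in known_public:  # e.g. values pasted from a tutorial
                issues.append("copied from a public page")
        if issues:
            problems[name] = issues
    return problems

# Constructed sample config for illustration; none of these values are real keys.
SAMPLE = r"""<?php
define('DB_NAME', 'blog');
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'Zq3#constructed-sample-value-not-a-real-key-0123456789abcdefXY');
// define('LOGGED_IN_KEY', 'commented out, so WordPress never sees it');
define('NONCE_KEY', 'Zq3#constructed-sample-value-not-a-real-key-0123456789abcdefXY');
"""

if __name__ == "__main__":
    for name, issues in audit_wp_config(SAMPLE).items():
        print(name, "->", ", ".join(issues))
```

Pass the values from any tutorial you followed as known_public to catch keys that were pasted in rather than generated.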
