Last night I survived my very first hack attempt. Someone, apparently from Europe if their IP address is to be believed, attempted to use a security vulnerability to gain admin access to my blog. Why me? No idea. I don't have any enemies, except possibly Ann Coulter, so I don't think I was specifically targeted. I was a target of opportunity.

But I was not an unprepared target. I stay on top of WordPress updates, especially those that come along with security warnings. The hole the ne'er-do-well tried to weasel through is an SQL injection vulnerability found in the trackback script included with all versions of WP 2.0.5 and older. Successful exploitation of this vulnerability will provide the hacker with the password for the admin account. With that, he/she can do all sorts of nasty things.

I am not using WP 2.0.5 or lower. My system stayed secure. The only ill effect was that I had several very odd comments in my spambox this morning. I was protected because I stay current. How protected are you? To satisfy my own curiosity, I eyeballed most of the WordPress-powered blogs on my blogroll, in my bookmarks and in my feed reader.

I checked thirty-three blogs. Twenty-five of them are vulnerable to this very same attack and one is vulnerable to a different attack, leaving only seven out of thirty-three that are protected against all known problems. This particular hacking attempt would have been very different if the target had been you. Or you, or you, or you. (Pretend those are links… I'm not so rude that I'd dog people in public like that.)
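Eyeballing a blogroll works, but the same check can be scripted. The snippet below is an added example, not code from the original post or from WordPress: it reads the `<meta name="generator" content="WordPress x.y.z">` tag that stock WordPress emits on its front page and applies the post's own cutoff (2.0.5 and older are exposed to the trackback SQL injection). The sample HTML pages are constructed here for illustration and do not correspond to any real blog.

```python
import re

# Constructed sample front pages (not real sites) covering the cases a
# survey like the one above runs into: unpatched, patched on the 2.0.x
# branch, upgraded to 2.1, and a site that stripped the generator tag.
SAMPLE_PAGES = {
    "old": '<html><head><meta name="generator" content="WordPress 2.0.5" /></head></html>',
    "patched": '<html><head><meta name="generator" content="WordPress 2.0.6" /></head></html>',
    "newer": '<html><head><meta content="WordPress 2.1" name="generator"></head></html>',
    "stripped": '<html><head><title>no generator tag</title></head></html>',
}

# Per the post: the trackback SQL injection affects 2.0.5 and every older release.
LAST_VULNERABLE = (2, 0, 5)

META_RE = re.compile(r"<meta\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*["\']([^"\']*)["\']')
WP_RE = re.compile(r"WordPress\s+([0-9]+(?:\.[0-9]+)*)", re.IGNORECASE)


def parse_version(text):
    """'2.0.5' -> (2, 0, 5); tuples compare component-wise, so 2.1 > 2.0.5."""
    return tuple(int(part) for part in text.split("."))


def wordpress_version(html):
    """Return the version tuple from the generator meta tag, or None if absent.

    Attribute order inside the tag is not assumed, since themes and plugins
    emit it both ways.
    """
    for tag in META_RE.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag.group(1))}
        if attrs.get("name", "").lower() != "generator":
            continue
        match = WP_RE.match(attrs.get("content", ""))
        if match:
            return parse_version(match.group(1))
    return None


def assess(html):
    """Classify a page as 'vulnerable', 'patched' or 'unknown'.

    'unknown' means the tag was removed or altered; that is not evidence
    of safety, only that this check cannot tell.
    """
    version = wordpress_version(html)
    if version is None:
        return "unknown"
    return "vulnerable" if version <= LAST_VULNERABLE else "patched"


def survey(pages):
    """Tally a dict of name -> HTML into counts per status, as in the post."""
    counts = {"vulnerable": 0, "patched": 0, "unknown": 0}
    for html in pages.values():
        counts[assess(html)] += 1
    return counts


if __name__ == "__main__":
    for name, html in SAMPLE_PAGES.items():
        print(f"{name:>9}: {assess(html)}")
    print(survey(SAMPLE_PAGES))
```

To run it against a live blog, fetch the front page and pass the body to `assess`. Treat the result as a hint rather than proof: the generator tag is trivially removed or spoofed, so a site reporting "unknown" or even a current version may still be running old code, and only the installed `wp-trackback.php` tells the real story.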

And once again, you don't have to jump up to WordPress 2.1 to stay secure. The 2.0.x line is in feature lock, but it's still being updated for bug and security fixes. There's nothing wrong with staying in the 2.0.x branch a while longer if that's where you're comfortable. Just make sure you're running the newest release in your branch.