I'll admit, this got me to do a quick sweep of my dozen or so WP blogs and make sure they were all updated. That said, I think it's likely we're seeing TechCrunch Journalism (TM) in action.
Wordpress security is a pain in the keister, though. You can reduce your risk by:
1) Making regular backups (I like automysqlbackup.sh.) Comprehensive compromise of a Wordpress installation is only really recoverable by wiping and starting over, unless you want to find that your forgotten posts from 3 years ago are linking to viagra pharmacies.
2) Putting every Wordpress installation in its own DB with its own DB user. Don't use root. I have a script which installs WP for me and creates the new DB, creates the new user, and gives the user an insanely difficult password because it will never actually be typed by a human.
3) Making sure the Wordpress directories can't get written to by the server. I go as far as blocking the uploads, which means I have to do some chmod magic when uploading things.
4) If you can put up with the nuisance, protect the wp-admin directory at the web server level, for example by denying all IPs but your own, or by putting it under HTTP Basic authentication. That will cut down drastically on the number of automated probes that hit you. You don't have to run faster than the tiger, you just have to run faster than the other guy the tiger is chasing...
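Item 2 above describes a per-site database and user with a password no human ever types. The script below is an added example of that step, not the commenter's own script: it assumes MySQL/MariaDB syntax, a short alphanumeric site slug, and a readable /dev/urandom, and it prints the SQL for review rather than applying it.

```shell
#!/bin/sh
# Added example (not from the original post): one database and one DB user
# per WordPress install, with a long random password, as a reviewable SQL script.

# gen_password LENGTH: random password from an alphabet that is safe inside a
# single-quoted SQL literal (no quotes, no backslash). Default 40 characters.
gen_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9_.' < /dev/urandom | head -c "${1:-40}"
}

# sanitize_slug NAME: lowercase, keep only [a-z0-9_], and cap at 24 characters
# so "wp_<slug>" stays under MySQL's 32-character user name limit.
sanitize_slug() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -dc 'a-z0-9_' | cut -c1-24
}

# site_sql SLUG PASSWORD: emit SQL creating a database and a user whose grants
# cover that one schema only: enough for install and core upgrades, no global
# privileges, and nothing runs as root.
site_sql() {
  slug=$(sanitize_slug "$1")
  pw=$2
  cat <<EOF
CREATE DATABASE \`wp_${slug}\` CHARACTER SET utf8mb4;
CREATE USER 'wp_${slug}'@'localhost' IDENTIFIED BY '${pw}';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER ON \`wp_${slug}\`.* TO 'wp_${slug}'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# Usage: sh mkwpdb.sh <site-slug>
# SQL goes to stdout (pipe it into the mysql client as an admin user);
# the generated password goes to stderr for pasting into wp-config.php.
if [ "$#" -ge 1 ]; then
  pw=$(gen_password 40)
  site_sql "$1" "$pw"
  printf -- '-- DB_PASSWORD for %s: %s\n' "$1" "$pw" >&2
fi
```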
do a quick sweep of my dozen or so WP blogs and make sure they were all updated
If you install and set up Wordpress Mu [1], you can run all those blogs off of a single installation, and then not only do you have a centralized install to manage plugins and themes, but it's far easier to keep a single install up to date compared to twelve or more...
I apologize to TechCrunch -- a member of a private forum I'm on, who I consider trustworthy, has reported that he discovered that his blog was hacked in exactly the manner specified.
I've swapped out my Wordpress installation in favor of a static HTML site generated by a couple of Python scripts. Wordpress is great if you need all that power, but it isn't maintenance-free. Making things static reminded me how nice it can be to have a site that is essentially immune to attack and blazing fast, all without the overhead of dynamic page generation. It's cool that Movable Type does static generation too.
They're running Wordpress Mu which sometimes "lags" behind the normal Wordpress. For a long time after 2.8 came out, Mu was still 2.7.1, and just recently they have caught up to 2.8.4a.
The only thing you're preventing is people reminding you that you have an old version. Worms, spiders and exploits don't check your version, and someone checking will just see that you have removed it and try anyway.
WordPress is probably the most heavily attacked web app ever designed. If you're serious about security then don't use Wordpress, or always keep up with releases.
They're no better or worse than any other; they're just heavily attacked since it's in such widespread use.
It's preferable to write an exploit or find a flaw in something so widespread and carpet bomb them all instead of doing the same for a rarely used piece of software.
WordPress registers users for comments in the same table as administrators, making anonymous commenters into "administrators" with no privileges. It is constructed almost entirely out of concatenated SQL queries with no explicit parameter bindings. It's internationalized and relies on explicit input filtering. Its templates are executable code; templates can pop a shell. It has, in the actual web application, a "theme editor" that edits that executable code. Because it's built on ad-hoc PHP, it's had --- within the last two years --- remote file inclusion vulnerabilities, where people can load portions of other people's WordPress installs off their own MySpace pages. It supports hundreds of plugins, all of which have the exact same problems and the exact same exposure.
vBulletin and Mediawiki are also incredibly popular. But they have nothing resembling the rap sheet that WordPress has.
Part of the attack is via XSS using $_GET queries that are very long. Apache defaults to accepting URLs up to 4K long, which is insane and allows such attacks to happen. 255 characters is a far better lockdown with very few if any false positives.