Just a clarification on today’s WordPress security breach – I’m getting quite a few emails asking me what it’s all about and still yet, I’m reading lots of inaccurate recaps from bloggers (such as this one) around the net. Let me be clear – this is not a security flaw. This is a security breach. The difference is that a security flaw is an error of mistake. It’s code mistakes and overlooked holes. Security breaches are much more malicious and not a result of inadvertent mistakes in coding. This security breach was the result of a malicious hack on the server that modified already released code. Automattic’s liability in this was not having an MD5 hash of the package for comparison – it was not an inherent weakness in WordPress 2.1.
Just so we’re clear, the problem was not in WordPress 2.0.x, or 2.1 – it was in some releases of 2.1.1. Folks who downloaded 2.1.1 before it was breached may be okay but since there is no way to really know who got the bad stuff and who got the good, the safer bet is to just get WP 2.1.2.