Bloging software organisation WordPress has warned that hackers posted compromised versions of its open source software after breaking into one of the servers behind its website.
Backdoor code was planted in version 2.1.1 as a result of the attack, WordPress warned on Friday.
The organisation said it has recovered from the attack but is urging users to upgrade their software to version 2.1.2, which includes "minor updates and entirely verified files", as a precaution.
Website defacements are ten a penny but attacks where hackers succeed in compromising systems are rare and far more dangerous.
In a statement, WordPress explained what it did after receiving reports its software had become contaminated with exploit code.
"It was determined that a cracker had gained user-level access to one of the servers that powers wordpress.org, and had used that access to modify the download file. We have locked down that server for further forensics, but at this time it appears that the 2.1.1 download was the only thing touched by the attack. They modified two files in WP to include code that would allow for remote PHP execution," it said.
WordPress reckons no downloads were altered except the 2.1.1 version of its code, so users running version of 2.0 of the software ought to be unaffected. Although only downloads of 2.1.1 made last week are potentially affected, WordPress has declared the entire version potentially unsafe.
"If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately," WordPress advised.
WordPress also reset passwords for a number of users because of the security flap. As a result, some users may have to reset their passwords on WordPress's forum as explained here. ®