This simple plugin ensures that all requests to ‘wp-login.php’ and ‘wp-admin/*’ are redirected to HTTPS. Over plain HTTP the login form and admin session are sent in the clear, so anyone on the network path can capture usernames, passwords and session cookies; forcing HTTPS for these pages removes that exposure.
Please ensure that your site supports HTTPS before enabling this plugin. This can [...]
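The following is an added, illustrative WordPress plugin (not the plugin the post describes, whose code is not shown here) that implements the same idea: any plain-HTTP request for wp-login.php or anything under wp-admin/ is redirected to the same URL over HTTPS. The function names prefixed `blogsec_example_` are assumptions made for this example; `add_action`, `wp_safe_redirect` and `is_ssl` are WordPress core functions.

```php
<?php
/*
Plugin Name: Example: Force HTTPS for Login and Admin
Description: Illustrative plugin that redirects wp-login.php and wp-admin/* to HTTPS.
*/

// Returns true when the current request arrived over TLS. WordPress core's
// is_ssl() does the same check; the fallback below mirrors its logic for
// installations that predate it.
function blogsec_example_request_is_https() {
    if ( function_exists( 'is_ssl' ) ) {
        return is_ssl();
    }
    if ( isset( $_SERVER['HTTPS'] ) && $_SERVER['HTTPS'] !== '' && strtolower( $_SERVER['HTTPS'] ) !== 'off' ) {
        return true;
    }
    return isset( $_SERVER['SERVER_PORT'] ) && (int) $_SERVER['SERVER_PORT'] === 443;
}

// Returns true for the paths that must only be served over HTTPS:
// /wp-login.php and /wp-admin (with or without a trailing path).
function blogsec_example_is_protected_path( $path ) {
    return (bool) preg_match( '#/wp-login\.php$|/wp-admin(/|$)#', $path );
}

// Hooked on 'init', which runs early for both front-end and admin requests.
function blogsec_example_force_https() {
    if ( blogsec_example_request_is_https() ) {
        return;
    }

    $uri  = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '';
    $path = parse_url( $uri, PHP_URL_PATH );
    if ( ! is_string( $path ) || ! blogsec_example_is_protected_path( $path ) ) {
        return;
    }

    $host = isset( $_SERVER['HTTP_HOST'] ) ? $_SERVER['HTTP_HOST'] : '';
    if ( $host === '' ) {
        return;
    }

    // wp_safe_redirect() refuses to send the browser to a host that is not
    // the blog's own, so a forged Host header cannot turn this into an open
    // redirect. 301 lets browsers cache the upgrade for these URLs.
    wp_safe_redirect( 'https://' . $host . $uri, 301 );
    exit;
}
add_action( 'init', 'blogsec_example_force_https' );
```

Two caveats a deployment needs. First, the redirect only helps if the login form itself is loaded over HTTPS: a POST of credentials over HTTP is already captured before the redirect is sent, so link to the HTTPS login URL directly and do not rely on the redirect for the form submission. Second, behind a TLS-terminating reverse proxy `$_SERVER['HTTPS']` is typically unset, which would make this plugin loop forever; in that setup, have the proxy set a header such as X-Forwarded-Proto and honour it only from that trusted proxy. Later WordPress releases provide the `FORCE_SSL_ADMIN` constant for wp-config.php, which covers the same ground in core.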
BlogSec received an email yesterday with a rumour that an SQL injection issue has been found in the WordPress 2.5 admin login screen.
There is currently no evidence to back up this claim, and we have received no further information. As time permits, we will investigate this issue further.
WP-Download 1.2 contains an SQL injection vulnerability: the dl_id parameter in "wp-download.php" is not correctly sanitised before it is used in a database query.
An attacker could use this vulnerability to read usernames and password hashes from the database and potentially compromise your blog.
This bug has been reported in version 1.2, but older versions are likely also affected.
Please upgrade to version 1.2.1 which addresses [...]
WordPress 2.5 has been released.
From a security perspective, the new WP 2.5 promises secure cookie management, salted password hashes and prepared SQL query functions.
I won’t be upgrading right away… I’ll let it run a while. This may be a good move forward for the WP team. Nice work guys!
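The WP-Download advisory above (an id parameter reaching a query unsanitised) and the prepared SQL query functions mentioned for WP 2.5 describe the two sides of the same problem, so one added example covers both. The code below is illustrative and is not WP-Download's code: the table name `downloads`, the column names and the function names are assumptions made for the example. `$wpdb->prepare()` and `$wpdb->get_var()` are WordPress core methods; `prepare()` has been available since WordPress 2.3.

```php
<?php
// Illustrative only; models the pattern the advisory describes and its fix.

// Vulnerable form (constructed): the request parameter is concatenated
// straight into the SQL. A dl_id value that is not a number becomes part
// of the query text, which is exactly what lets an attacker read other
// tables such as the users table.
function example_download_lookup_vulnerable( $dl_id ) {
    global $wpdb;
    $sql = "SELECT file FROM {$wpdb->prefix}downloads WHERE id = " . $dl_id;
    return $wpdb->get_var( $sql );
}

// Hardened form: $wpdb->prepare() with a %d placeholder casts the value
// to an integer before it is interpolated, so the parameter can only ever
// select a row number and can never change the structure of the query.
function example_download_lookup_prepared( $dl_id ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT file FROM {$wpdb->prefix}downloads WHERE id = %d",
        $dl_id
    );
    return $wpdb->get_var( $sql );
}

// Defence in depth at the edge: reject anything that is not a positive
// integer before it gets near the database, so the rest of the code only
// ever sees the type it expects.
function example_read_dl_id( array $get ) {
    if ( ! isset( $get['dl_id'] ) || ! ctype_digit( (string) $get['dl_id'] ) ) {
        return null;
    }
    $id = (int) $get['dl_id'];
    return $id > 0 ? $id : null;
}

$dl_id = example_read_dl_id( $_GET );
if ( $dl_id === null ) {
    header( 'HTTP/1.1 400 Bad Request' );
    exit( 'invalid download id' );
}
$file = example_download_lookup_prepared( $dl_id );
```

`prepare()` only protects values passed through placeholders; identifiers such as table names still have to come from trusted code, which is why the example uses `$wpdb->prefix` rather than a request parameter for the table.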
Cyberinsecure recently posted details of an automated WordPress hacking tool that is doing the rounds. This malicious worm or program appears to create the directory "wp-content/1/" and to post spam comments:
The blogs are most likely attacked by some kind of automated tool, since the amount of spam is too big to work manually on all [...]
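The one concrete indicator the post gives is the unexpected directory "wp-content/1/". The added script below, which is not from Cyberinsecure or the original post, is a simple check a blog owner can run from the WordPress document root: it lists every directory under wp-content that is not on a known list, together with its modification time and contents, so a dropped directory like "1/" stands out. The known-directory list and the script name are assumptions; adjust the list to what your installation legitimately contains.

```php
<?php
// Run from the WordPress root: php check-wp-content.php
// Constructed example; the allow-list below must match your own install.

// Directories that a typical WordPress install legitimately has under
// wp-content. Anything else is reported for a human to look at.
$known_dirs = array( 'plugins', 'themes', 'uploads', 'upgrade', 'cache', 'languages', 'mu-plugins' );

// Returns the full paths of directories in $wp_content that are not in $known.
function find_unexpected_dirs( $wp_content, array $known ) {
    $unexpected = array();
    $entries = scandir( $wp_content );
    if ( $entries === false ) {
        return $unexpected;
    }
    foreach ( $entries as $entry ) {
        if ( $entry === '.' || $entry === '..' ) {
            continue;
        }
        $full = $wp_content . DIRECTORY_SEPARATOR . $entry;
        if ( is_dir( $full ) && ! in_array( $entry, $known, true ) ) {
            $unexpected[] = $full;
        }
    }
    return $unexpected;
}

$wp_content = dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'wp-content';
$found = find_unexpected_dirs( $wp_content, $known_dirs );

if ( count( $found ) === 0 ) {
    echo "no unexpected directories under wp-content\n";
    exit( 0 );
}

foreach ( $found as $dir ) {
    printf( "unexpected directory: %s (modified %s)\n", $dir, date( 'c', filemtime( $dir ) ) );
    // List the contents as well: a dropped PHP file inside the directory is
    // the part that actually matters for the clean-up.
    $files = glob( $dir . DIRECTORY_SEPARATOR . '*' );
    foreach ( $files as $f ) {
        printf( "  %s (%d bytes)\n", basename( $f ), filesize( $f ) );
    }
}
exit( 1 );
```

The script exits non-zero when something is found, so it can be run from cron and wired into whatever alerting you already have. It is a coarse check: a directory name is easy for an attacker to change, so treat the spam comments and web-server logs around the directory's modification time as the next things to look at, not this script as proof of a clean install.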