August 10, 2009 | In: Development, Suckage, Wordpress
WORDPRESS ALERT – Admin Privileges Unchecked in Older Versions
I had been rocking along with an older version of WordPress for about 2 months now – 2.7.1 to be exact. I was hesitant to upgrade to the latest release, which as of this time is 2.8.3. I knew that several plugins would be broken if I attempted to upgrade, so I had been busy contacting the plugin authors inquiring about new releases that were compatible. Boy, did I learn my lesson.
I came to my site last Thursday morning to find the URLs were completely screwed up. I went into the permalinks tool and noticed my configuration had been modified to include a bunch of JavaScript garbage in the URL. Some ass clown had undoubtedly changed this setting in order to gain further access to my site or the server it’s hosted on.
After investigating, I found no further damage, but I was left wondering how in the world someone could have gained access to that admin tool within WordPress. I soon found the answer here. The article by Core Security Technologies identifies and describes how someone can gain unfettered access to some core admin screens as well as configuration panels for plugins by simply modifying the URL. Specifically – inserting an additional slash before the php file name causes WordPress to bypass the privilege system checks. Not good and so simple it’s really quite horrifying.
After fixing my site, I was still loath to upgrade WordPress without testing everything first. The phrase “bull in a china shop” comes to mind. So instead, I put in a bit of Apache mod_rewrite magic:
# Remove double (or more) slashes from the URL.
# Assumes RewriteEngine is already on (it is in the standard WordPress .htaccess).
# %{REQUEST_URI} is the raw request path, so the double slash is still visible here.
RewriteCond %{REQUEST_URI} ^(.*)//(.*)$
# 301 to the same path with the offending "//" collapsed; the original query string
# is carried over automatically. A path with three or more slashes is fixed over
# successive redirects.
RewriteRule . %1/%2 [R=301,L]
So I had Apache protect me while I went about the process of (sanely) upgrading and testing my WordPress installation and plugins. As of today, I’m all happy on version 2.8.3, but I definitely will be paying more attention to security notices from now on.
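As an added example (not part of the original post), here is a small Python script a site owner could run over an Apache access log after the fact, to see whether anyone had been hitting the admin area with the extra slash the post describes before the rewrite rule went in. The log lines below are constructed for the example; the IPs, timestamps and paths are made up. The script also normalizes the path the same way the rewrite rule does, so you can see what the request would have become after the redirect.

```python
import re

# Constructed sample of Apache "combined" access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [06/Aug/2009:09:12:01 -0500] "GET /wp-admin/admin.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Aug/2009:09:12:44 -0500] "GET /wp-admin//admin.php?page=options HTTP/1.1" 200 4890 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Aug/2009:09:13:10 -0500] "GET /2009/08/some-post/ HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Aug/2009:09:13:12 -0500] "GET /wp-content///uploads/x.png HTTP/1.1" 200 777 "-" "Mozilla/5.0"
"""

# Enough of the combined-log format to get at the client IP, timestamp, request target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

MULTI_SLASH = re.compile(r'/{2,}')


def collapse_slashes(path):
    """Collapse every run of slashes to a single slash.

    This is the end state the post's RewriteRule converges on after one or more 301s.
    """
    return MULTI_SLASH.sub('/', path)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Split the request target by hand rather than with urlsplit, so a target that
    # happens to begin with "//" is not mistaken for a scheme-relative URL.
    rec['path'], _, rec['query'] = rec['target'].partition('?')
    return rec


def find_double_slash_requests(log_text, prefix='/wp-admin/'):
    """Return (ip, timestamp, raw path, normalized path) for every request whose path
    contains a run of slashes and whose normalized path falls under `prefix`.

    With the default prefix this flags the admin-area requests the post is worried about;
    pass prefix='/' to see every doubled-slash request regardless of location.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or '//' not in rec['path']:
            continue
        normalized = collapse_slashes(rec['path'])
        if normalized.startswith(prefix):
            hits.append((rec['ip'], rec['ts'], rec['path'], normalized))
    return hits


if __name__ == '__main__':
    for ip, ts, raw, norm in find_double_slash_requests(SAMPLE_LOG):
        print(f'{ts} {ip} requested {raw!r} (normalizes to {norm!r})')
```

Run against a real log, the interesting signal is a doubled-slash request into wp-admin followed by a 200 rather than the 301 the rewrite rule would now produce; that is a request that reached the admin screens before the fix was in place.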

