What is your experience with this? What kind of spam are you seeing on Twitter? Is there anything Defensio could do to make your life better on Twitter?

A worm that can post malware and spam to vulnerable Wordpress installations has recently been discovered in the wild and unless you’re running the very latest version of Wordpress, you are at risk. Seriously at risk.

The vulnerability allowing the attack was discovered August 11 and was immediately fixed by the Wordpress team in the 2.8.4 security release. If you are using version 2.8.4 or better of Wordpress, or host your blog on Wordpress.com, you are safe.

The newly discovered worm is pretty sneaky to say the least. In a nutshell, it crawls the web looking for vulnerable Wordpress installations, makes itself an administrator account, takes full control of the website and posts malware and spam to it. It’s also been reported that it will sometimes disable Defensio and other anti-spam plugins. It can be very hard to detect the new malicious administrator user since it hides itself from the users list using Javascript.

Bah… This stuff never happens to me!

If rock star blogger Robert Scoble can be hacked, you probably can as well. This vulnerability is serious, so please treat it as such.

Have I already been hacked?

As Lorelle VanFossen wrote on her blog:

There are two clues that your WordPress site has been attacked.

There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER %5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.”

The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution.

How do I prevent my site from being targeted?

It’s easy. Upgrade. If you are using a somewhat recent version of Wordpress (2.7+), upgrading is easy since the functionality is now built-in. But if you are not, you should take a look at the excellent InstantUpgrade plugin which makes upgrading Wordpress a single-click operation.

If you have already been hacked, you will need to delete the malicious admin user as well. Changing all your passwords is also strongly recommended.

You might also want to check out How to Keep Wordpress Secure and the My Site Was Hacked FAQ.

How can I keep my Wordpress blog safe in the future?

Wordpress is generally a safe platform. However, we recommend that you always use the latest and greatest version to make sure that all known security exploits are patched. You should also make sure that your passwords are not easily guessable, either by a human or a machine. A password of at least 8 characters which includes at least 1 uppercase, 1 lowercase and 1 digit is generally considered “strong”. Following @defensio, @websenselabs and @wordpress on Twitter is also a good way to stay up to date.

Download it here: Defensio Module for Drupal

At Defensio, we see all kinds of crazy and innovative spam each day. But recently, something we never thought we’d ever see showed up on our radar: a significant influx of VIDEO spam, most of it hosted on YouTube.com. I guess this just shows how far spammers are ready to go to sell their junk.

Here’s a screenshot…

What do you think will be the next trend in spam?

This is obviously a big day for us and we are very excited to be teaming up with one of the Internet’s leading security companies.

So what does this mean for you, our beloved users?  You can take comfort in knowing that that we currently have no plans to change the existing service — so just go ahead, keep using Defensio and keep spreading the good word.  It is definitely here to stay and will remain free for personal bloggers.

Websense has developed some revolutionary technology that we will be able to leverage in the very near future. This means more effective spam filtering for you and some headaches for the bad guys. We’d like send out a huge thanks to everyone (users, developers, bloggers) that has contributed to making Defensio what it is today. Without you, none of this would have been made possible.  THANK YOU!

If you have not started using our API yet, there has never been a better time to take the plunge. Now with Websense in our corner, the Defensio of tomorrow will be even better!

See the official announcement from Websense.

If you’re using the release candidate of WordPress 2.7, you can upgrade to Defensio for WordPress 2.0 through the “plugins” page of your WordPress installation, or simply by downloading the archive here.

Please note that WordPress 2.7 is not yet released and some things may change.  You can count on us to do our best at keeping up with our friends in San Francisco.

This release is the first public release for WP 2.7 and while it has been extensively tested, a few things may break with 2.7 or with “legacy” versions of WP. If you experience problems, please report them to us.  

Please note that we also deprecated support for versions of WordPress older than 2.3.  It may still work, but we don’t support it.  If you’re in this situation, it might be a good idea to upgrade your WordPress installation.

Hope you enjoy this new release!

This morning, hosted e-commerce solution Shopify enabled commenting on its users’ blogs.

After comparing the many spam filtering services available, the Ottawa-based firm decided to use Defensio as their first line of defense.

This is yet another great step for us since Shopify currently hosts ~40,000 blogs.

Shopify launched in mid-2006 and was greatly acclaimed.  Building an online store with Shopify couldn’t be easier and many believe they are a great contender to overtake eBay’s dominance in this market. Shopify recently announced they passed $10M in total sales.

It’s our pleasure to announce that our Canadian friends at Hop Studios built a Defensio module for the wonderful ExpressionEngine CMS.  They call it Defensio Combo.  You can get it from Hop’s website, or download it from our very own website.

With ExpressionEngine 2.0 just around the corner, you’ll be happy to know that the guys at Hop committed themselves to releasing an update to their module shortly after the 2.0 release. You’ll never be without decent spam protection again.

Welcome to the family EEers!

We’re glad to add it to our list of supported platforms.  You can download it on the Defensio for Textcube page.

Amazon, our hosting provider, is currently having problems and we’re suffering from it. A very important piece of our “puzzle” is unreachable. We have already communicated with Amazon to resolve the problem.

I’ll post updates on Twitter. Sorry about the inconvenience.

UPDATE: We’re back up and running. Thank you for your patience!

UPDATE 2: Spoke too soon…

UPDATE 3: Things have stabilized.

UPDATE 4: Everything’s back to normal!