Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.

Here are two quick steps to avoid unnecessary risks:

Turn off user registration

This one is simple. Just log in to your administrator screen and visit the “General Settings” screen (listed under Settings) and make sure the checkbox labeled “Anyone can register” is not checked.

Block access to your blog’s admin area

This can be accomplished with simple authentication.

If your site runs on Apache, you can create an .htaccess file in your /wp-admin/ directory to require authentication before the page is displayed. This post provides the necessary steps.

The task becomes a lot easier under Apache. So I threw away the plugin code and added the following rule to the Apache configuration:

<directory "/public_html/mysite.com">
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*) https://%{HTTP_HOST}/$1	[R,L]
</directory>

The directive above can be placed inside a VirtualHost or Directory directives, but this usually requires access to the Apache server configuration, which is not typically possible in a shared hosting environment — in that case, the rule can be added to the .htaccess file.

Alternatively we could have used the SSLRequireSSL Apache (2.x) directive, but this would only block access to the non HTTPS address. In our case we want to automatically redirect the users instead of displaying an error message.