When I logged into my admin account for my WordPress blog, I was surprised to find this waiting for me in the dashboard:
UPDATE 07/11/2008: Watch a short (less than 60 seconds) video demonstrating the dashboard hijack.
UPDATE 08/11/2008: Cleaning up after the WordPress 2.6.4 incident. Note that I did not install the fake 2.6.4, so it’s not a cleanup for that scenario.
Wordpresz.org appears to be a spoof of wordpress.org. With the exception of the download link and one or two others (Facebook link, etc.), all the pages lead back to the front/home page.
I’ve just downloaded the wordpresz 2.6.4 offering to see what’s different. If I find anything, and if time permits, I’ll update this post.
Just looking at the respective home pages for WordPresz.org vs WordPress.org, a few differences jump out – check out items 1, 2 and 3 below.
Item 1 – the download size is too round and is incorrect; it should be about 1.4 MB in this case.
Item 2 – these are randomised over at WordPress.org, but are static at WordPresz.org.
Item 3 – The real WordPress.org has a “Showcase” link included.
Indeed, the source for both home pages reveals that WordPresz.org is simply an earlier snapshot of WordPress.org.
Looking at domain data for WordPresz.org, there are a few holes here. Google hasn’t indexed this site? What about the Alexa ranking?
In contrast, WordPress.org is pretty popular with Google and has an Alexa ranking.
The moral of this story: keep on top of WordPress updates and security fixes.
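The one-letter difference between wordpresz.org and wordpress.org is the kind of thing a script can catch before a human clicks. The following is an added example, not code from the original post: it audits every link in a dashboard notice against a trusted domain. The notice HTML, the `TRUSTED` set, the edit-distance threshold and all function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

TRUSTED = {"wordpress.org"}  # assumption: the only domain an update notice should link to

def osa_distance(a, b):
    """Optimal string alignment distance (single edits plus adjacent swaps)."""
    # First row and column hold the cost of building a prefix from nothing.
    d = [[i + j if i == 0 or j == 0 else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def registered_domain(host):
    # Simplification: last two labels. Real code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(url, trusted=TRUSTED, max_edits=2):
    host = urlsplit(url).hostname or ""
    domain = registered_domain(host)
    if domain in trusted:
        return "trusted"
    for good in trusted:
        # Near-miss spelling, or the trusted name used as a subdomain prefix.
        if osa_distance(domain, good) <= max_edits or host.lower().startswith(good + "."):
            return "lookalike"
    return "unknown"

def audit_notice(html):
    """Return {url: verdict} for every absolute link in a dashboard notice."""
    urls = re.findall(r'href=["\'](https?://[^"\']+)["\']', html, flags=re.I)
    return {u: classify(u) for u in urls}

# Constructed sample notice, modelled on the fake update prompt described above.
SAMPLE_NOTICE = '''
<div class="update-nag">WordPress 2.6.4 is available!
<a href="http://wordpresz.org/download/">Please update now</a>.
<a href="http://wordpress.org/download/">Official site</a>
<a href="http://wordpress.org.example.net/latest.zip">Mirror</a>
<a href="http://example.com/blog/">Unrelated</a></div>
'''

if __name__ == "__main__":
    for url, verdict in audit_notice(SAMPLE_NOTICE).items():
        print(f"{verdict:10} {url}")
```

A "lookalike" verdict is a prompt to stop and verify the link by hand; "unknown" only means the domain is neither trusted nor close to a trusted one.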