WordPresz 2.6.4 – fake?

When I logged into my admin account for my WordPress blog, I was surprised to find this waiting for me in the dashboard:

UPDATE 07/11/2008: Watch a short (less than 60 seconds) video demonstrating the dashboard hijack.

UPDATE 08/11/2008: Cleaning up after the WordPress 2.6.4 incident. Note that I did not install the fake 2.6.4, so it’s not a clean up for that scenario.

Wordpresz.org appears to be a spoof of wordpress.org. With the exception of the download link and one or two others (Facebook link, etc.) all the pages lead back to the front/home page.

I’ve just downloaded the wordpresz 2.6.4 offering to see what’s different. If I find anything, and if time permits, I’ll update this post.

22:26 UPDATE
Just looking at the respective home pages for WordPresz.org vs WordPress.org, a few differences jump out – check out items 1, 2 and 3 below.

Item 1 – the download size is too round and is incorrect, it should be about 1.4mb in this case.

Item 2 – these are randomised over at WordPress.org, but are static at WordPresz.org.

Item 3 – The real WordPress.org has a “Showcase” link included.

Indeed, the source for both home pages reveals that WordPresz.org is simply an earlier snapshot of WordPress.org.

Looking at domain data for WordPresz.org, there are a few holes here. Google hasn’t indexed this site? What about the Alexa ranking?

Whereas, WordPress.org is pretty popular with Google and has an Alexa ranking.

23:59 UPDATE
Via Clayton, this may well be part of the problem. There’s further comment on the WordPress support forum too. I’ve since upgraded to 2.6.3 via the WordPress.org download.

The moral of this story: keep on top of WordPress updates and security fixes.


Images grabbed using TechSmith‘s SnagIt – an essential tool for developers and bloggers alike. With thanks to Betsy Weber

Technorati Tags: ,

72 thoughts on “WordPresz 2.6.4 – fake?”

  1. wp-includes/pluggable.php has extra lines in it that appear to call a script on that site to ‘do stuff’ with your cookies if you have more than 5 users…

    Are they just copying cookies of large sites hoping that someone is logged in as admin somewhere?

  2. Hi Craig,

    Excellent post. Have you considered passing this info on the The Register, they might be interested.


  3. Great catch Craig. All the publicity isn’t that bad either. These crafty crackers are getting annoying! I wonder how many people they fooled?

  4. that version has a backdoor in it which is designed to install malware to your computer and steal details of the users

  5. Thanks for warning and detailed notes. Users must be warned about this malicious code site. That is offline now though.

Comments are closed.