Here’s an excerpt from the WordPress blog to give you an idea on how the vulnerabilities can be used to attack blogs with open user registration.

With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password. The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit. However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password.

If you implement open user registration on your blog, then you definitely have to update to WordPress 2.6.2 immediately. Although this is not a very serious security risk, if you don’t update your WordPress installation there’s a possibility that someone would use this vulnerability and be able to guess the generated password, gain access to your blog and mess it up. You wouldn’t want that to happen don’t you?

By the way for those of our friends who are new to WordPress and aren’t sure whether their blogs have open user registration or not, here’s how you can check: In your WordPress dashboard, go to Settings and under the General tab look for Membership options. If the “Anyone can register” option has a check on it then it means your blog is using open user registration. To disable it, just uncheck it and click on the Save Changes button below.

If you don’t have open user registration on your blog and don’t mind spending time doing an upgrade, then go ahead. Nothing wrong with keeping your WordPress installation up-to-date. Personally, I’d rather wait for WordPress 2.7 which is schedule to be released in November unless of course there’s a security release like WordPress 2.2.3, then I’d most certainly do an upgrade.

Because of the 3 month long hiatus, I wasn’t able to do much with my blog except for approving comments. Spam comments have piled up and numbered at the thousands. No matter how much spam comments I have, I always make it a habit/practice to check the spam queue for valid comments. When I was done going through the list, I clicked on the Delete All button and waited for the spam comments to disappear. It was taking quite a while to finish and at first I thought it was taking long because of the large amount of spam comments I had but when I saw that the browser stopped loading and the spam comments were still there I knew something was wrong. Anyways, I tried doing it again and ended up repeating the process like three times to no avail.

The next thing I did was to do a Google search for “akismet can’t delete spam” and found this entry at the WordPress support forums. It turns out that the current version I was using, 2.1.7 had a bug – the Delete All option didn’t work, a bug that is specific to this version of Akismet. Previously, the only way to fix it was to revert to an earlier version, Akismet 2.1.6. Shortly after the bug was found, the folks over at Automattic released a newer version – Akismet 2.1.8 which fixed the bug. After reading this I immediately upgraded Akismet, went to my spam queue, clicked on the Delete All button and VIOLA!, all the spam comments disappeared.

In case you’re experiencing the same problem with “un-deleteable spam comments” or if you’re still running an older version of Akismet and plan to do an upgrade make sure you upgrade to the latest version which is Akismet 2.1.8 to fix/avoid this bug.