Upgrade your WordPress, please!

Those of you who host your own WordPress blogs may have noticed a sharp upswing in user registration spam: new users registering with obviously fake IDs. They are extremely irritating because stock WordPress has no way of removing them other than deleting them by hand.

At first these users puzzled me. What was the purpose of this spam? The only person who gets to see it is the administrator of the website. The answer is rather troubling: WordPress has a security flaw that allows registered users to edit the posts of other users. In other words, a hacker could very easily get into your WordPress site and change perfectly good posts into spiels for certain erectile dysfunction treatments, mail order Russians, and Nigerian lottery winnings. It’s easy to stop this: upgrade to WordPress 2.3.3 and the security hole will close.

But upgrading WordPress is a pain, especially if you’re not tech-savvy. As a result, a lot of people do not upgrade even when a security patch is released. This not only exposes that person’s blog to hackers; it also means that hackers will register on lots of WordPress blogs just to find out which ones are still vulnerable. Failing to upgrade puts you at risk and makes life painful even for those who do upgrade promptly.

So here is my easy solution:

1. Upgrade to 2.3.3 today.

2. Install the Sabre plugin for WordPress. Sabre is free, and since I’ve put it in place I haven’t had to deal with a single cruddy registration.

2a. If you want even more security against fake users, install Deadbolt. (I haven’t installed Deadbolt as Sabre is doing all I need right now; Deadbolt is probably more useful if you run a high-traffic site.)
