The vulnerability allowing the attack was discovered on August 11, at which point WordPress encouraged users to upgrade to version 2.8.4. However, many people have yet to upgrade, and reports online indicate the worm is making progress by the hour.
The worm does not affect the current version 2.8.4 and the one prior to it, and it only affects people who host their own WordPress blog. Blogs hosted on WordPress.com are unaffected.
Users can find upgrade links and instructions on WordPress.org. WordPress has also posted an FAQ for people who think their blog has been hacked.
This article was originally posted on CNET News.