WordPress hacked

by Bill Ferris on June 7, 2008


If you use WordPress to power your blog, you need to be on the lookout for a hack that appears to be widespread.

If you’re looking at your site you won’t notice it, but if you look at your stats you may notice a dip in referral traffic. The hack redirects visitors to your site coming from Yahoo and Google to a site called anyresults.net.

Not being a techie I can’t fully explain what is going on, but somehow the hacker gets access to upload a file and register it as a plug-in. Fixing it is a pain, and there may be other solutions, but here is what I did:

  1. Look in the wp_options table for the record named active_plugins. If you look at the list of active plugins you’ll see a number of familiar names as well as other characters. But there will also be an image file (jpeg, png) that has a name similar to an image somewhere on your site. That file isn’t actually an image, but a file with a bunch of garbage in it. Note the name and location of the file.
  2. Using your FTP client find the malicious file and delete it.
  3. Going back into MySQL, check the users table. I noticed that in each instance there was another user created that doesn’t show up when you go in through your blog’s control panel. Delete the record for that user.
  4. Reinstall WordPress. And don’t just do an overwrite, but delete all the files and reload them.
  5. Change your passwords.
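
For step 1, the list of active plugins is stored as a PHP-serialized array in the wp_options row whose option_name is active_plugins, which is why it shows "other characters" around the names. The following is an added example, not part of the original post: it decodes that value and flags entries that are not plugin files. The sample value, the file name in it and the function names are constructed for illustration, and the check for ".." in the path is an extra heuristic of this example.

```python
import re

# Constructed sample of wp_options.option_value for option_name = 'active_plugins'
# (read the real one with: SELECT option_value FROM wp_options
#  WHERE option_name = 'active_plugins';). The third entry is made up.
SAMPLE = (b'a:3:{i:0;s:19:"akismet/akismet.php";i:1;s:9:"hello.php";'
          b'i:2;s:33:"../uploads/2008/05/header_old.jpg";}')

IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")
ENTRY = re.compile(rb'i:\d+;s:(\d+):"')

def parse_active_plugins(raw: bytes) -> list:
    """Decode the PHP-serialized list of plugin paths (lengths are in bytes)."""
    head = re.match(rb"a:(\d+):\{", raw)
    if not head:
        raise ValueError("not a PHP-serialized array")
    pos, plugins = head.end(), []
    for _ in range(int(head.group(1))):
        m = ENTRY.match(raw, pos)
        if not m:
            raise ValueError(f"unexpected data at byte {pos}")
        end = m.end() + int(m.group(1))
        if raw[end:end + 2] != b'";':
            raise ValueError(f"string length mismatch at byte {m.end()}")
        plugins.append(raw[m.end():end].decode("utf-8", "replace"))
        pos = end + 2
    if raw[pos:] != b"}":
        raise ValueError("trailing data after plugin list")
    return plugins

def suspicious_plugins(plugins):
    """Return (path, reasons) for entries that do not look like plugin files."""
    findings = []
    for path in plugins:
        reasons = []
        lower = path.lower()
        if lower.endswith(IMAGE_EXT):
            reasons.append("image file registered as a plugin")
        elif not lower.endswith(".php"):
            reasons.append("not a .php file")
        if ".." in path.split("/"):  # added heuristic, not from the post
            reasons.append("path points outside the plugins directory")
        if reasons:
            findings.append((path, reasons))
    return findings

if __name__ == "__main__":
    for path, reasons in suspicious_plugins(parse_active_plugins(SAMPLE)):
        print(f"{path}: {'; '.join(reasons)}")
```
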

This doesn’t seem to discriminate as to the version of WordPress you’re using. I was already at the latest, 2.5.1, and still got hit. I also doubt that these changes will persist so you may have to go through the exercise again – at least until WordPress offers a security update.

The WordPress support thread can be found here.