Latest WordPress Hack


Unfortunately, hackers have found a new way to compromise WordPress blogs: a SQL injection triggered when someone registers a new account on your blog.

Unfortunately my blog was hit. What this hack does is register a new user and grant it user level 10, which is an administrator account, and then use that account to change your permalink structure. This in turn renders your blog useless: when your readers click on an article, they are presented with a "page not found" error.

This is the string that gets appended to your articles' URLs:

/%&(%7B$%7Beval(base64_decode(Array%5BHTTP_EXECCODE %5D))%7D%7D|.+)&%

So how can you fix this issue?

  1. Log in to your WordPress blog
  2. Click on Permalinks under Settings
  3. Change your Permalink structure to what you previously had it set to

Once you've corrected your permalink structure you need to remove the registered user that caused the damage. Unfortunately you will not be able to do this from within WordPress, since the user is hidden. You can see this for yourself: click on Users, then look under Administrators, and you'll see that there are 2 administrator accounts listed, yours and a hidden one.

The only way to remove this hidden account is with MySQL Query Browser or phpMyAdmin, which you reach by logging into your server's cPanel or Plesk interface.

Once you have either MySQL Query Browser open or phpMyAdmin you’ll want to follow the steps below to remove the user account.

  1. Browse the wp_users table in your MySQL database and sort by ID to see the latest registered users.
  2. You're looking for a user that does not have an e-mail address.
  3. Note the user's ID, since you'll need it for the next table, then delete that user's row.
  4. Browse the wp_usermeta table and again sort by user_id.
  5. Look for the user ID you noted from the wp_users table.
  6. Delete all of the rows with that user ID; there'll be more than just 1 row.
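The same cleanup, expressed as MySQL statements you can paste into phpMyAdmin's SQL tab or the MySQL Query Browser. This is an added example and not part of the original post; it assumes the default "wp_" table prefix, and the restored permalink value and the 0 placeholder for the rogue user ID are values you must replace with your own. The SELECTs come first so you can confirm what you are about to delete before running the transaction at the end.

```sql
-- Added example (not from the original post). Assumes the default "wp_" table prefix.

-- 1. Inspect the permalink structure; the injected value in the post contains "eval(".
SELECT option_id, option_name, option_value
FROM wp_options
WHERE option_name = 'permalink_structure';

-- Restore a sane structure. The value below is only an example; use the one you had before.
-- The LIKE guard means this touches nothing if the option has not been tampered with.
UPDATE wp_options
SET option_value = '/%year%/%monthnum%/%day%/%postname%/'
WHERE option_name = 'permalink_structure'
  AND option_value LIKE '%eval(%';

-- 2. List every account holding administrator capabilities, newest first,
--    so the hidden account appears next to your own.
SELECT u.ID, u.user_login, u.user_email, u.user_registered, m.meta_value AS capabilities
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.ID DESC;

-- 3. Accounts registered without an e-mail address (the tell-tale sign described above).
SELECT ID, user_login, user_email, user_registered
FROM wp_users
WHERE user_email = ''
ORDER BY ID DESC;

-- 4. Remove the rogue account and all of its metadata in one transaction.
--    Replace 0 with the ID you confirmed in steps 2 and 3 (0 matches no user, so
--    running this unchanged deletes nothing). Never use your own ID here.
START TRANSACTION;
SET @rogue_id = 0;
DELETE FROM wp_usermeta WHERE user_id = @rogue_id;
DELETE FROM wp_users    WHERE ID = @rogue_id;
COMMIT;
```

Deleting the wp_usermeta rows in the same transaction as the wp_users row avoids leaving orphaned capability rows behind, and re-running the query in step 2 afterwards should show only your own administrator account.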

If you’ve followed the procedure above, your permalinks should be working again and the malicious user should be removed. To prevent further attacks you may want to consider disabling the registration of user accounts on your blog. At the time my blog was attacked I was running version 2.8.4, which is the latest version and didn’t prevent the hack. So maybe we’ll see a newer version of WordPress soon.

I strongly recommend always running the latest version of WordPress, as the newer versions are not just for feature enhancements but provide important security updates.
