
So, unfortunately, hackers have found a new way to hack WordPress blogs: a MySQL injection performed while registering a new account on your blog.

Unfortunately my blog was hit. What this hack does is this: a new user registers and ends up with user level 10, which is an administrator account, and with that account changes your permalink structure. This renders your blog useless, because when your readers click on an article they are presented with a "page not found" error.

This is the string that gets appended to your article's URL (i.e. set as the permalink structure):

/%&(%7B$%7Beval(base64_decode(Array%5BHTTP_EXECCODE %5D))%7D%7D|.+)&%

URL-decoded, that is `/%&({${eval(base64_decode(Array[HTTP_EXECCODE ]))}}|.+)&%`. Two things are worth noticing. The unbalanced `(`, the `|.+)` alternation and the dangling `&%` make the structure unusable as a rewrite pattern, which is why your post URLs stop resolving. More importantly, `{${...}}` is PHP's syntax for evaluating an expression inside an interpolated string, and what it wraps is `eval(base64_decode(...))` applied to a value named after a request header (`HTTP_EXECCODE` is how PHP would expose an `ExecCode:` request header in `$_SERVER`). So this is not just vandalism of a setting: it is an attempt to plant a backdoor that runs attacker-supplied PHP from a request header should WordPress ever evaluate that string as PHP. Treat the site as compromised at administrator level, not merely misconfigured.

So how can you fix this issue?

  1. Log in to your WordPress blog
  2. Click on Permalinks under Settings
  3. Change your permalink structure back to what you previously had it set to

Once you've corrected your permalink structure you need to remove the registered user that caused the damage. Unfortunately you will not be able to do this from within WordPress, since the user is hidden. You can see this for yourself if you click on Users and look under Administrators: the count shows 2 administrator accounts, but only one (yours) is listed.

The only way to remove this hidden account is directly in the database: use MySQL Query Browser, phpMyAdmin (usually reachable through your host's cPanel or Plesk interface), or the mysql command-line client if you have shell access.

Once you have MySQL Query Browser or phpMyAdmin open, take a backup of the database, then follow the steps below to remove the user account.

  1. Browse the wp_users table in your MySQL database and sort by ID to see the most recently registered users.
  2. You're looking for a user that does not have an e-mail address.
  3. Note the ID; you'll need it for the next table. Then delete the row for that user.
  4. Browse the wp_usermeta table and sort by user_id.
  5. Look for the ID you noted from the wp_users table in the user_id column.
  6. Delete all of the rows with that user_id; there'll be more than just one row (this is where the administrator capabilities and user level live).
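The same cleanup expressed as SQL, as an added example that is not from the original post. It covers both procedures above (restoring the permalink structure and removing the hidden administrator) and goes a little further than the click-through steps: it lists every account that holds administrator rights, whether or not the dashboard shows it, and clears the cached rewrite rules so WordPress rebuilds them from the restored structure. It assumes the default `wp_` table prefix; the user ID `2` and the permalink structure `/%year%/%monthnum%/%day%/%postname%/` are placeholders you replace with your own values.

```sql
-- Added example (not from the original post). Assumes the default wp_ table prefix.
-- Run against a backup first, then against the live database.

-- 1. Confirm what the attacker changed: the permalink structure and the
--    rewrite rules WordPress generated from it.
SELECT option_name, option_value
  FROM wp_options
 WHERE option_name IN ('permalink_structure', 'rewrite_rules');

-- 2. List every account with administrator rights. Rights live in wp_usermeta,
--    not wp_users: 'wp_capabilities' is a serialized PHP array such as
--    a:1:{s:13:"administrator";b:1;} and 'wp_user_level' is 10 for admins.
--    An account with an empty user_email is the one described in the post.
SELECT u.ID, u.user_login, u.user_email, u.user_registered, u.display_name,
       caps.meta_value AS capabilities,
       lvl.meta_value  AS user_level
  FROM wp_users u
  LEFT JOIN wp_usermeta caps ON caps.user_id = u.ID AND caps.meta_key = 'wp_capabilities'
  LEFT JOIN wp_usermeta lvl  ON lvl.user_id  = u.ID AND lvl.meta_key  = 'wp_user_level'
 WHERE caps.meta_value LIKE '%administrator%'
    OR lvl.meta_value = '10'
 ORDER BY u.ID;

-- 3. Remove the rogue account: placeholder ID 2, replace with the ID from step 2.
--    Delete the meta rows first so no orphaned capability rows are left behind.
SET @bad_id = 2;
DELETE FROM wp_usermeta WHERE user_id = @bad_id;
DELETE FROM wp_users    WHERE ID = @bad_id;

-- 4. Restore the permalink structure (placeholder value, use your own) and
--    blank the cached rewrite rules so WordPress regenerates them on the
--    next request instead of serving rules built from the injected string.
UPDATE wp_options
   SET option_value = '/%year%/%monthnum%/%day%/%postname%/'
 WHERE option_name = 'permalink_structure';
UPDATE wp_options
   SET option_value = ''
 WHERE option_name = 'rewrite_rules';

-- 5. Re-run step 2: only your own account should remain with administrator rights.
```

Because the injected string calls eval() on request-controlled data, removing the account and the setting is the minimum, not the whole job: change the remaining administrator's password, and look through wp_options and the theme and plugin files for anything else that was modified around the time the rogue user registered.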

If you've followed the procedure above, your permalinks should be working again and the malicious user should be removed. To prevent further attacks you may want to consider disabling the registration of user accounts on your blog (Settings, General, "Anyone can register"). At the time my blog was attacked I was running version 2.8.4, which is the latest version and didn't prevent the hack. So maybe we'll see a newer version of WordPress soon.

I strongly recommend always running the latest version of WordPress, as newer versions are not just feature enhancements but carry important security fixes.

I was going to do a video tutorial on this at first, but after checking out WordPress 2.8 and discovering how easy it is to add themes now, I decided to just write up a quick how-to.

So back on WordPress 2.7 we used to have to download a zip file with all of the theme files archived, extract it, upload the folder to the themes directory and then go into WordPress and enable the theme; that's the short version.

Now on WordPress 2.8 it is much simpler to add or change your themes. Let's take a quick look at how simple it is to install a theme.


  1. Begin by logging into your WordPress admin area.
  2. Once logged in, find the Appearance panel on the left-hand side. [Screenshot: Appearance panel]
  3. Click on Add New Themes and you should be presented with a screen similar to the one below. [Screenshot: WordPress 2.8, Add New Themes]
  4. From here you can choose to either upload your own theme or search for one on WordPress. I've tried out this new search feature and I have to say, I like it. So let's go ahead and search for a theme on WordPress. I'm going to put a check mark in 3-column, since I want a 3-column theme, and then click on Find Themes.
  5. When the search results display you'll have 3 different links you can click on: Preview, Details, and Install.
  6. When you find the one you like, simply click on Install.
  7. You'll get another pop-up window; click on Install Now.
  8. If you haven't entered the information already, WordPress will ask you for your FTP account information. Go ahead and fill this out and click on Proceed.
  9. Now you have 3 options: Preview, Activate, or Return to Theme Installer. If you'd like to see what your blog will look like with the new theme, go ahead and click on Preview; otherwise click Activate to activate the new theme.
  10. Your new theme is now activated.

I think that the WordPress team has done a wonderful job adding this feature to the admin area. It really does make for a seamless theme installation and leaves no room for error. I am still exploring the new version of WordPress, but so far I think this is the coolest new feature for WordPress.

Just a quick note: if you've downloaded a theme somewhere else and you'd like to install it on your WordPress 2.8 blog, then all you have to do is follow the same steps as above but click on Upload Theme instead and browse to the zip file you've downloaded.

In this tutorial we will cover the process for installing WordPress 2.8 on Plesk. There is a two-part screencast as well as some text you'll need to read in order to accomplish this. So let's go ahead and get started.