So, unfortunately hackers have found a new way to hack WordPress blogs by way of MySQL injection when registering for a new account on your blog.
Unfortunately my blog was hit. What this hack does is: a new user registers and obtains user level 10, which is an administrator account, and with that account changes your permalink structure. This in turn renders your blog useless: when your readers try to click on an article they are presented with a page not found error.
This is the string that gets appended to your article’s URL:
/%&(%7B$%7Beval(base64_decode(Array%5BHTTP_EXECCODE %5D))%7D%7D|.+)&%
So how can you fix this issue?
- Login to your WordPress Blog
- Click on Permalinks under Settings
- Change your Permalink structure to what you previously had it set to
Once you’ve corrected your permalink structure you need to remove the registered user that caused the damage. Unfortunately you will not be able to do this from within WordPress, since the user will appear hidden. You can see this for yourself if you click on Users, then look under Administrators, you’ll see that there are 2 administrator accounts listed. Yours and a hidden one.
The only way to remove this hidden account is by using MySQL Query Browser or phpMyAdmin, reached by logging into your server's cPanel or Plesk interface.
Once you have either MySQL Query Browser open or phpMyAdmin you’ll want to follow the steps below to remove the user account.
- Browse the wp_users table in your MySQL Database and sort by ID to see the latest registered users.
- You’re looking for a user that does not have an e-mail address.
- Note the user ID; you'll need it for the next table. Then delete the row for that user.
- Browse the wp_usermeta table and again sort by user ID.
- Look for the user ID you noted from the wp_users table.
- Delete all of the rows with that user ID; there'll be more than just 1 row.
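The same inspection and clean-up expressed as SQL you can paste into phpMyAdmin or MySQL Query Browser. This is an added example, not part of the original post; it assumes the default wp_ table prefix, and the user ID 999 and the restored permalink structure are placeholders you replace with your own values.

```sql
-- Added example, not from the original post. Assumes the default "wp_" table prefix.

-- 1. Inspect the permalink structure for injected PHP (look for eval / base64_decode)
SELECT option_value
FROM wp_options
WHERE option_name = 'permalink_structure';

-- Reset it to the structure the blog used before the hack (placeholder value below)
UPDATE wp_options
SET option_value = '/%year%/%monthnum%/%postname%/'
WHERE option_name = 'permalink_structure';

-- 2. List administrator-level accounts, newest first; the rogue account usually has
--    an empty user_email, a wp_user_level of 10 and the administrator capability
SELECT u.ID, u.user_login, u.user_email, u.user_registered, m.meta_key, m.meta_value
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE (m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%')
   OR (m.meta_key = 'wp_user_level'   AND m.meta_value = '10')
ORDER BY u.user_registered DESC;

-- 3. Remove the rogue account from both tables (999 is a placeholder for the ID found above)
DELETE FROM wp_usermeta WHERE user_id = 999;
DELETE FROM wp_users    WHERE ID = 999;
```

Take a database backup before running the DELETE statements, and double-check the ID against your own account so you do not remove the legitimate administrator.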
If you’ve followed the procedure above, your permalinks should be working again and the malicious user should be removed. To prevent further attacks you may want to consider disabling the registration of user accounts on your blog. At the time my blog was attacked I was running version 2.8.4, which is the latest version and didn’t prevent the hack. So maybe we’ll see a newer version of WordPress soon.
I strongly recommend always running the latest version of WordPress, as the newer versions are not just for feature enhancements but provide important security updates.
I was going to do a video tutorial on this at first but after checking out WordPress 2.8 and discovering how easy it is to add themes now, I decided to just write up a quick how to.
So back on WordPress 2.7 we used to have to download a zip file with all of the theme files archived and then extract the zip file, upload it to the themes folder and then go to wordpress and enable the theme, that’s the short version.
Now on WordPress 2.8 it is much simpler to add or change your themes. Let's take a quick look at how simple it is to install a theme.
- Begin by logging into your WordPress Admin Area
- Once logged in, find the appearance panel on the left hand side.
- Click on Add New Themes and you should be presented with a screen similar to the one below
- From here you can choose to either upload your own theme or search for one on WordPress. I've tried out this new search feature and I have to say, I like it. So let's go ahead and search for a theme on WordPress. I'm going to put a check mark in 3-column since I want a 3 column theme and then click on Find Themes.
- When the search results display you'll have 3 different links you can click on: Preview, Details, and Install.
- When you find the one you like simply click on Install
- You’ll get another pop up window, click on Install Now
- If you haven’t entered the information in already, WordPress will ask you for your FTP account information. Go ahead and fill this out and click on proceed.
- Now you have 3 options: Preview, Activate, or Return to Theme Installer. If you'd like to see what your blog will look like with the new theme, go ahead and click on Preview; otherwise click Activate to activate the new theme.
- Your new theme is now Activated
I think that the WordPress team has done a wonderful job adding this feature into the admin area. It really does make for a seamless theme installation and leaves no room for error. I am still exploring the new version of WordPress, but so far I think this is the coolest new feature for WordPress.
Just a quick note, if you’ve downloaded a theme somewhere else and you’d like to install it on your WordPress 2.8 blog then all you have to do is follow the same steps as above but click on Upload Theme instead and browse to the zip file you’ve downloaded.
In this tutorial we will cover the process for installing WordPress 2.8 on Plesk. There is a 2 part screencast as well as some text you'll need to read in order to accomplish this. So let's go ahead and get started.
WordPress is probably one of the most widely used blog scripts on the Internet today, and with the growing use of Flash videos on the Internet (YouTube, Google Video), integrating the two can cause a problem. Since WordPress filters out some HTML tags, unless you alter the PHP source script you will have to use a modification. I took the liberty to create a package that you can easily add to your existing WordPress installation.
- Download the WP-FLV Package
- Extract the contents of the zip file and upload it to the following location: WordPress Root/wp-content/plugins/
- Activate the WP-FLV on your WordPress blog.
In the admin control panel for your blog, click on the Plugins tab on the top and you should see the WP-FLV plugin listed there along with the other plugins. Click Activate to get the plugin working.
- Point WP-FLV to the location of the JW FLV Player you uploaded.
Go to the Settings tab on the admin CP. Now go to WP-FLV in the submenu (right below the tabs on the top). The first text box should ask you for the full URL to player.swf. First, type in the root URL for the blog and then add this: "/wp-content/plugins/wp-flv/jwflvplayer/player.swf" (without the quotes). For this blog, it would be http://www.chris-fletcher.com/wp-content/plugins/wp-flv/jwflvplayer/player.swf. After you're done, click Update Options on the bottom.
If you followed these steps correctly, the plugin should be ready to be used. Basically, this mod lets you embed FLV files by using a <flv> tag when creating posts. To use the tag, begin writing a new post and switch to the Code view. Now, there are four attributes for this tag. The “height” attribute alters the height of the video and the “width” attribute alters its width. The “href” attribute is where you type in the URL of the FLV you want to embed. And finally, the “autostart” attribute determines whether the video should start automatically or not.
Here are a few examples:
<flv href="http://www.example.com/video.flv" height="320" width="240" autostart="false" />
<flv href="http://www.example.com/video.flv" autostart="false" />
<flv href="http://www.example.com/video.flv" />
The first example used all the attributes, but the second one omitted the dimensions. When this happens, the mod uses the default dimensions (these can be edited in the WP-FLV sub-tab under the Options tab in the admin CP). As per the third example, you can also use the default autostart value, which can also be edited. You can also use the WP-FLV quicktag in the Visual view to help you out.
Here’s an example of how a finished product might look:
First the code:
<flv href="http://lost.blooperblog.net/bloopers/SmokeMonster.flv" height="240" width="320" autostart="false" />
And the actual player (the video is a clip from Lost – Season 1 – Episode 1 showing a mistake made in the CGI):
The JW FLV Media Player also supports other formats such as SWF, MP3, H.264, JPG, GIF and PNG, as well as streams and playlists; you can use them with WP-FLV too. Just replace the href attribute with the desired source.
Posted by Chris on Friday, May 1, 2009 at 7:28 pm