homepage Welcome to WebmasterWorld Guest from 54.227.41.242
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member
Home / Forums Index / Code, Content, and Presentation / Content Management
Forum Library, Charter, Moderators: ergophobe

Content Management Forum

    
Wordpress hacked
Anyone have the definitive guide to repair?
WebWalla




msg:3858991
 8:46 am on Feb 27, 2009 (gmt 0)

I upgraded to the very lastest version of Wordpress recently and today received a Google alert that the bad guys have hacked it (and inserted links to bad neighbourhoods).

Can anybody point me to the definitive guide of what to do now? I have changed my admin password, but is there a step by step guide of how to get rid of all that bad code?

Thanks!

 

WebWalla




msg:3859022
 9:09 am on Feb 27, 2009 (gmt 0)

They had injected some code in the header.php include file, but one thing I'm worried about is that when I go to display the users, it shows 4 Administrator users at the top, yet below I can only see 2.

Is this normal? How can I see the users another way? Will I have to do this directly on the SQL database?

bill




msg:3859558
 11:07 pm on Feb 27, 2009 (gmt 0)

My solution was to uninstall it and use MovableType instead. Sorry, I know that's not the answer you were looking for, but all these stories about WP being hacked kind of makes me wonder why it's so popular with professional webmasters. </rant>

ergophobe




msg:3860233
 6:48 am on Mar 1, 2009 (gmt 0)

Hmm.. Well, I would definitely browse through the database to see what they've done, even if you do abandon WP for something else, you'll likely be porting the data, so best to know what's there.

The thing is, I thought the header.php hacks were all based on rather old versions of WP. I haven't heard of one in quite a while.

Anyway, if you can't identify what exactly got hacked and how, I would do a clean install, and import only vetted content/data. In other words, a whitelist rather than a blacklist approach. And yes, that will likely involve looking through the database. For that sort of task, I like to use SQLYog, much easier to browse data that with the command line client and much more convenient than PHPMyAdmin (you'll need to export your database and look at it locally - that advice assumes you have a MySQL server on your local machine)

WebWalla




msg:3860932
 1:50 pm on Mar 2, 2009 (gmt 0)

It was definitely a header.php hack, and the WP version was the previous one to the current one (don't know the exact number).

I haven't got an exact time record of events, but basically I was hacked on an old version, did a complete re-install with new database, imported a CLEAN backup (done before the hack) and then, around the same time of the new hack, changed my admin password back to what it was when the original hack took place.

I now suspect that it has something to do with this password change - is that possible?

I have now cleaned the header.php file, changed my admin password again, and am constantly looking at the source code of my online posts to make sure they're clean, which for the moment they are.

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Code, Content, and Presentation / Content Management
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved