Anyone have the definitive guide to repair?
I upgraded to the very latest version of WordPress recently and today received a Google alert that the bad guys have hacked it (and inserted links to bad neighbourhoods).
Can anybody point me to the definitive guide of what to do now? I have changed my admin password, but is there a step by step guide of how to get rid of all that bad code?
They had injected some code in the header.php include file, but one thing I'm worried about is that when I go to display the users, it shows 4 Administrator users at the top, yet below I can only see 2.
Is this normal? How can I see the users another way? Will I have to do this directly on the SQL database?
My solution was to uninstall it and use MovableType instead. Sorry, I know that's not the answer you were looking for, but all these stories about WP being hacked kind of makes me wonder why it's so popular with professional webmasters. </rant>
Hmm... Well, I would definitely browse through the database to see what they've done. Even if you do abandon WP for something else, you'll likely be porting the data, so it's best to know what's there.
The thing is, I thought the header.php hacks were all based on rather old versions of WP. I haven't heard of one in quite a while.
Anyway, if you can't identify what exactly got hacked and how, I would do a clean install and import only vetted content/data. In other words, a whitelist rather than a blacklist approach. And yes, that will likely involve looking through the database. For that sort of task, I like to use SQLYog, which is much easier for browsing data than the command line client and much more convenient than PHPMyAdmin (you'll need to export your database and look at it locally; that advice assumes you have a MySQL server on your local machine).
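The two points raised so far, the user list showing 4 administrators but displaying only 2, and the advice to vet the database before re-importing anything, both come down to looking at the raw rows. The queries below are an added example, not from the thread or from WordPress itself. They assume the default table prefix `wp_` (so the role meta key is `wp_capabilities`); if `wp-config.php` sets a different prefix, substitute it in both the table names and the meta key. The ID `999` in the last step is a hypothetical placeholder.

```sql
-- Added example: inspect the WordPress user tables directly, bypassing the dashboard.
-- Assumes the default "wp_" table prefix; adjust table names and the meta_key if yours differs.

-- 1. Every account that carries the administrator role, whether or not the dashboard lists it.
--    The role lives in wp_usermeta as a serialized PHP array under the key "<prefix>capabilities".
SELECT u.ID, u.user_login, u.user_email, u.user_registered, m.meta_value AS capabilities
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.ID;

-- 2. Cross-check the dashboard's "4 Administrator" count against the raw rows.
SELECT COUNT(*) AS admin_rows
FROM wp_usermeta
WHERE meta_key = 'wp_capabilities'
  AND meta_value LIKE '%administrator%';

-- 3. Accounts that are easy to overlook in a listing: no role meta at all, or a login/email that is
--    empty or only whitespace. HEX() exposes non-printing characters in the login name.
SELECT u.ID, u.user_login, HEX(u.user_login) AS login_hex, u.user_email, u.user_registered
FROM wp_users AS u
LEFT JOIN wp_usermeta AS m ON m.user_id = u.ID AND m.meta_key = 'wp_capabilities'
WHERE m.umeta_id IS NULL
   OR TRIM(u.user_login) = ''
   OR TRIM(u.user_email) = '';

-- 4. Vet content before re-importing it: posts whose body carries markup the author never wrote.
SELECT ID, post_title, post_type, post_modified
FROM wp_posts
WHERE post_content LIKE '%<script%'
   OR post_content LIKE '%<iframe%'
   OR post_content LIKE '%display:none%'
ORDER BY post_modified DESC;

-- 5. Once an unwanted account is confirmed (and the database is backed up), remove it and its meta.
--    999 is a hypothetical ID; replace it with the ID returned by query 1 or 3.
-- DELETE FROM wp_usermeta WHERE user_id = 999;
-- DELETE FROM wp_users WHERE ID = 999;
```

Run queries 1 to 4 read-only first and keep the output; if query 2 returns 4 while the dashboard shows 2, query 3 usually explains where the other rows are hiding. Only run the DELETE statements against a fresh backup, and change every remaining administrator's password afterwards, since an account the attacker created implies they also had whatever access created it.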
It was definitely a header.php hack, and the WP version was the previous one to the current one (don't know the exact number).
I haven't got an exact time record of events, but basically I was hacked on an old version, did a complete re-install with new database, imported a CLEAN backup (done before the hack) and then, around the same time of the new hack, changed my admin password back to what it was when the original hack took place.
I now suspect that it has something to do with this password change - is that possible?
I have now cleaned the header.php file, changed my admin password again, and am constantly looking at the source code of my online posts to make sure they're clean, which for the moment they are.