If you aren't using the latest version of WordPress, currently 2.8.4, your blog might have been hacked. There's an attack going on right now that breaks into your blog to create, and then hide, administrator accounts.
You can see if this has happened on your blog by going to the Dashboard and then the Users panel. The number listed in parentheses after Administrators should match the number of actual admins that you have for the blog!
If that number is higher than the number of admins you actually have, you probably have hidden users. Try turning JavaScript off in your browser to see those hidden users: the attack hides them from the Users list with script, so they show up again when the page renders without it.
Then, delete them (if you can) from the panel. I didn't try this myself, but I think it will work.
Or, you can use the mysql command line or phpMyAdmin to delete those users from your database. If you don't remember how to connect to your database, look at the files in your WordPress folder and read wp-config.php: it holds the database name, username, password and host name (and the table prefix, normally wp_). You might also need to look at the help or FAQ files for your web host.
In phpMyAdmin, you can find and delete the hidden users by connecting to your database, then browsing the wp_users table. Check the boxes for the user_login and user_email fields (or just check all of them) and then click Browse again. This should show you a list of all the users on your blog, including the ones the Dashboard isn't showing.
This is what a row of user data should look like in phpMyAdmin:
This is what a "hidden user" account will look like. It'll be a name that doesn't show up in your WordPress Dashboard, and it won't have an email address in that 5th field (user_email). It's a good idea to delete these users right away.
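As an added example (not part of the original post, and not WordPress's own code), here is the same hunt for hidden administrators done as a query rather than by clicking through phpMyAdmin. The SQL in ADMIN_QUERY is what you would paste into phpMyAdmin or the mysql client; the Python around it builds an in-memory SQLite copy of wp_users and wp_usermeta from constructed sample rows so it runs offline. The wp_ table prefix, the sample logins and the shape of the injected account are assumptions for illustration.

```python
import re
import sqlite3

# Assumed table prefix. WordPress defaults to "wp_" but wp-config.php can set
# another one; the capabilities meta_key carries the same prefix.
TABLE_PREFIX = "wp_"

# Constructed sample rows, not data from a real site. The column order follows
# the real wp_users table, so user_email is the 5th field the post refers to.
SAMPLE_USERS = [
    # ID, user_login, user_pass, user_nicename, user_email, user_registered, display_name
    (1, "liz", "$P$B(hash)", "liz", "liz@example.invalid", "2008-01-01 00:00:00", "Liz"),
    (2, "editor", "$P$B(hash)", "editor", "editor@example.invalid", "2008-06-01 00:00:00", "Editor"),
    # Injected account in the shape the post describes: administrator rights,
    # no e-mail address, and markup in the display name (constructed).
    (3, "uhwkxuq", "$P$B(hash)", "uhwkxuq", "", "2009-09-05 03:12:44", '<div style="display:none">'),
]
SAMPLE_USERMETA = [
    # user_id, meta_key, meta_value (PHP-serialized role array, as WordPress stores it)
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]


def load_sample_db(prefix=TABLE_PREFIX):
    """Build an in-memory SQLite copy of the two tables so the query runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE {prefix}users (
            ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT,
            user_nicename TEXT, user_email TEXT, user_registered TEXT,
            display_name TEXT);
        CREATE TABLE {prefix}usermeta (
            user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    conn.executemany(f"INSERT INTO {prefix}users VALUES (?,?,?,?,?,?,?)", SAMPLE_USERS)
    conn.executemany(f"INSERT INTO {prefix}usermeta VALUES (?,?,?)", SAMPLE_USERMETA)
    return conn


# Plain SQL you can paste into phpMyAdmin or the mysql client. It lists every
# account whose role array contains "administrator", which is the data the
# Dashboard's Administrators count is built from, so a row hidden by script
# in the Users page still shows up here.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered, u.display_name
FROM {p}users AS u
JOIN {p}usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = '{p}capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.ID
"""


def list_admins(conn, prefix=TABLE_PREFIX):
    return conn.execute(ADMIN_QUERY.format(p=prefix)).fetchall()


def suspicious_admins(conn, expected_logins, prefix=TABLE_PREFIX):
    """Flag administrator rows the site owner does not recognise.

    expected_logins is the set of admin user_login values you know you created.
    Each finding is (ID, user_login, [reasons]).
    """
    findings = []
    for uid, login, email, registered, display in list_admins(conn, prefix):
        reasons = []
        if login not in expected_logins:
            reasons.append("not in the expected admin list")
        if not email:
            reasons.append("empty user_email (the 5th field)")
        if re.search(r"[<>]", login + display):
            reasons.append("HTML in user_login/display_name")
        if reasons:
            findings.append((uid, login, reasons))
    return findings


def delete_user_sql(uid, prefix=TABLE_PREFIX):
    """SQL to remove one injected account from both tables.

    Deleting only from wp_users leaves its usermeta rows behind, so remove both.
    """
    uid = int(uid)
    return (f"DELETE FROM {prefix}users WHERE ID = {uid};\n"
            f"DELETE FROM {prefix}usermeta WHERE user_id = {uid};")


if __name__ == "__main__":
    db = load_sample_db()
    for uid, login, reasons in suspicious_admins(db, expected_logins={"liz"}):
        print(f"user {uid} ({login!r}): {', '.join(reasons)}")
        print(delete_user_sql(uid))
```

Two caveats. Removing an account with the two DELETE statements does not reassign its posts the way the Dashboard's delete dialog does, so check for orphaned content afterwards. And it does nothing about anything the intruder already changed elsewhere in the database, which is why the rest of the post moves on to a full rebuild.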
I followed Lorelle's instructions for how to recover from my WordPress blog being hacked. That worked fine:
* I did an xml export from the Dashboard and made sure I knew what that file was named and where I saved it.
* I did an SQL dump of the whole blog database (from the mysql command line, but you could do one from phpMyAdmin too), just to make sure I would have everything, and so that I could do some forensics later on the contaminated db.
* Then I deleted that db, made a new db, and saved the information on how to log into it. You could also drop all the tables in the old one, I guess, and keep using it. While you could leave the old db there, it seems unwise.
* I deleted all the stuff in my wordpress folder on my server. If I'd thought, I would have saved a few custom banners and images first.
* I downloaded the latest WordPress version, 2.8.4, and unzipped it, along with some themes and plugins.
* I then went to the url for my blog and told the install screen a blog name and my email address, and got a new admin password. Voila, new empty blog.
* Then, from the WordPress Dashboard, went to Manage and then Import. I imported the xml file as a WordPress import, with its attachments. This brought me all my pages, posts, comments, and so on.
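The dump-and-rebuild steps above, as an added example that is not part of the original post: a script that reads the database settings out of wp-config.php (where the post says to look for them) and prints the backup commands to run before wiping the folder. The wp-config.php excerpt, the ../wp-recovery output directory and the 2009-09-06 date stamp are constructed for illustration, and the regexes assume the define() lines look the way WordPress itself writes them; run it from inside the WordPress folder.

```python
import re
import shlex
from datetime import date

# Constructed wp-config.php excerpt standing in for the real file on the server.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'blog_db');
define('DB_USER', 'blog_user');
define('DB_PASSWORD', "s3cret'pw");
define('DB_HOST', 'localhost');
$table_prefix  = 'wp_';
"""

# Simple regexes for the define() lines WordPress writes. They assume the
# values contain no escaped quotes; a hand-edited file might need more care.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(['"])(.*?)\2\s*\)""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")

REQUIRED = ("DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST")


def parse_wp_config(text):
    """Pull the database settings out of wp-config.php text."""
    conf = {m.group(1): m.group(3) for m in DEFINE_RE.finditer(text)}
    prefix = PREFIX_RE.search(text)
    conf["table_prefix"] = prefix.group(1) if prefix else "wp_"
    missing = [k for k in REQUIRED if k not in conf]
    if missing:
        raise ValueError(f"wp-config.php is missing {', '.join(missing)}")
    return conf


def recovery_commands(conf, stamp=None, out_dir="../wp-recovery"):
    """Shell commands for the 'dump everything first' steps of the rebuild.

    out_dir is outside the WordPress folder on purpose, since that folder is
    about to be deleted. The password is deliberately not put on the mysqldump
    command line: a bare -p makes mysqldump prompt for it, so it stays out of
    shell history and ps output. Other values are shell-quoted in case they
    contain odd characters.
    """
    stamp = stamp or date.today().isoformat()
    q = shlex.quote
    dump = f"{out_dir}/{conf['DB_NAME']}-{stamp}.sql"
    files = f"{out_dir}/wordpress-files-{stamp}.tgz"
    return [
        f"mkdir -p {q(out_dir)}",
        # Full dump of the contaminated database: kept for forensics, not for re-import.
        f"mysqldump --host={q(conf['DB_HOST'])} --user={q(conf['DB_USER'])} -p "
        f"--add-drop-table {q(conf['DB_NAME'])} > {q(dump)}",
        # Keep a copy of uploads, themes and wp-config.php before deleting the
        # folder (the custom banners and images the post regrets losing). Treat
        # the copy as possibly contaminated: reinstall themes from fresh
        # downloads and only copy back media files you recognise.
        f"tar czf {q(files)} wp-content/uploads wp-content/themes wp-config.php",
    ]


if __name__ == "__main__":
    settings = parse_wp_config(SAMPLE_WP_CONFIG)
    for cmd in recovery_commands(settings, stamp="2009-09-06"):
        print(cmd)
```

The SQL dump and the tarball together are the "forensics later" material from the list above; the XML export from the Dashboard is still the thing you import into the fresh install, because it carries posts and comments without the injected rows in wp_users.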
A little tweaking and my blog was as good as new.
(While Danger is "Eminent" sometimes, like Godzilla, I don't think that's what the signmaker meant!)
I think for your average user, who finds upgrading and installing a bit scary, this will seem even more scary. But it's not bad at all. It just requires you to follow the steps, write down or cut and paste all the information you will need to keep track of:
- one set of info for your web host account
- one set for your sql database account and phpmyadmin
- the information for your blog itself, for the WordPress install
- where you're saving the export file with your blog posts and comments!
In a pinch, if you really mess up in this process, you can get a backup and restore from your web host.
Now, even though I went through this process, I think that someone might potentially write a plugin or script to reveal and delete those hidden users. It might not catch all the modified data touched by those users, though. Spam may already have been inserted into your old posts, or some other havoc wreaked, which you could catch with Exploit Scanner or some other useful tool. The problem with this approach is that there are multiple versions of exploits based on this security flaw and no one is sure yet whether it modifies core WordPress code or creates some other exploitable security hole. So at this point, I think it's best to do a clean install if you think you can manage it. If you're not sure, turn off JavaScript in the browser, go to the Users panel, and delete the people who shouldn't be admins -- at least. And maybe there will be an easier fix in a few days -- keep checking the WordPress development blog to see if it says something more useful than "OMG, you dumbass, why didn't you upgrade right away, never, never, never do that again!" (Thanks... I know... thanks for the lecture, grumpy sysadmin...)
When I did this -- and I had to, because "upgrade WordPress to latest version" was not #1 on my to do list, and a blog of mine got messed with -- I had to re-install my plugins and go through the steps to re-create my blog. This goes to show that it's a good idea to keep a worklog of all the things you've done to a blog, or a wiki or any sort of installation, so that you can recreate it from scratch! You can do this on your blog itself, by creating a section in your About page or somewhere else, listing the plugins you use, and when you've upgraded, and so on. It is especially useful to share this information on a group blog where you might have more than one administrator. If you haven't ever done this, be sure to do it next time and then write a really cranky blog post about how you don't understand how anyone in the world could be so clueless. HA.
Here's some more links on the subject!
WordPress Codex FAQ: My site was hacked
Old WordPress Version attack warning: please upgrade
Checking your WordPress security
Thanks to Lorelle again for a fantastic post! The links at the bottom of her long juicy explanation, Old WordPress Versions Under Attack, make really great reading. Happy upgrading, change your passwords to something that isn't your kid's name, and don't panic.
Comments
wow
Quick check but all is ok. Phew!
That sounds like a good idea.
By the way, how do I quickly check what version of WordPress I am using?
Checking on your version of WordPress
Hi Mashadutoit! You can do it one of several ways. Probably the easiest is by viewing your blog in the browser, then view source and look for a line like this, that identifies the version number:
<meta name="generator" content="WordPress 2.8.4" />
Also, you can look at the Dashboard and in recent versions it does list the version in the "right now, at a glance" section, center middle of the page, like this,
"You are using WordPress 2.7.1"
-----------------
Liz Henry
Composite: Tech & Poetics
lizzard@bookmaniac.net
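An added example, not from Liz's comment and not WordPress's own code: a small checker for the two places the version shows up, the generator meta tag in the page source and $wp_version in wp-includes/version.php on the server. The sample HTML and version.php text are constructed, and 2.8.4 is taken as the latest release as of this post.

```python
import re

# The current release when this post was written; update when checking later.
LATEST_RELEASE = "2.8.4"

# The tag WordPress prints in the page <head>. Some hardening plugins strip it,
# so a missing tag means "unknown", not "up to date".
GENERATOR_RE = re.compile(
    r'<meta\s+name="generator"\s+content="WordPress\s+([0-9][0-9.]*)[^"]*"', re.I)

# wp-includes/version.php in the install itself; this is the value to trust.
VERSION_PHP_RE = re.compile(r"""\$wp_version\s*=\s*['"]([0-9][0-9.]*)""")

# Constructed samples standing in for a real page and a real version.php.
SAMPLE_HTML = """<html><head>
<title>My blog</title>
<meta name="generator" content="WordPress 2.7.1" />
</head><body>hello</body></html>"""
SAMPLE_VERSION_PHP = "<?php\n/**\n * The WordPress version string\n */\n$wp_version = '2.7.1';\n"


def version_from_html(html):
    """Version advertised in the page source, or None if the tag is absent."""
    m = GENERATOR_RE.search(html)
    return m.group(1) if m else None


def version_from_version_php(text):
    """Version recorded in wp-includes/version.php, or None if not found."""
    m = VERSION_PHP_RE.search(text)
    return m.group(1) if m else None


def parse_version(v):
    """Turn '2.8.4' into (2, 8, 4) so comparisons are numeric, not string-wise."""
    return tuple(int(part) for part in v.split(".") if part)


def is_outdated(found, latest=LATEST_RELEASE):
    return parse_version(found) < parse_version(latest)


def check(html=None, version_php=None, latest=LATEST_RELEASE):
    """Combine both sources; version.php wins when both are available."""
    from_disk = version_from_version_php(version_php) if version_php else None
    from_page = version_from_html(html) if html else None
    found = from_disk or from_page
    return {
        "page": from_page,
        "disk": from_disk,
        "outdated": is_outdated(found, latest) if found else None,
    }


if __name__ == "__main__":
    print(check(html=SAMPLE_HTML, version_php=SAMPLE_VERSION_PHP))
```

On a site you administer, read version.php over SSH or FTP rather than trusting the page: the tag can be removed, and an intruder who has already edited files could change it too. The numeric compare matters because "2.8.10" sorts before "2.8.4" as a string.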
Panicking and getting ready to run away
Man that chart was made for me. My chest is actually tight right now. I absolutely hate upgrading WP. Gah.
So far I have only one administrator as I should. But now I know I have to do this and I don't want to so I'll probably stay in a holding pattern in Don't Think Stay Fearful and Alert. But when I do upgrade it I will reference this post.
Thanks for the detailed instructions. (Crosses fingers that she doesn't have to upgrade and skitters away.)
Cardiogirl 19% body fat 100% fun
http://www.cardiogirl.net
It's easier to upgrade than re-install!
I definitely feel for you! It's a million times easier to upgrade than to re-install a hacked blog. So, get someone to hold your hand and go through it with you - that can be super helpful and steadying! I also advise printing out the instructions and reading them all first before doing anything. It helps to have an idea of what's coming next. And checking stuff off a list is helpful too.
-----------------
Liz Henry
Composite: Tech & Poetics
lizzard@bookmaniac.net
Admin accounts
The other issue is the Admin account. I had a friend's blog hacked when someone logged in as an admin user. We think her password was obtained over an insecure wireless network. We were able to get to it in time.
I created a second user account with Admin privileges, logged out, and logged into the new Admin account and deleted the account named Admin.
I used to list the plugins I used, but no longer. I think it's better to share it with a group via Google Docs.
In addition, once you've updated to the latest version, I suggest installing these plugins:
Secure Wordpress - Remove Error information on login page; adds index.html to plugin directory; removes the wp-version, except in admin area.
Login Lockout-Limit Login Attempts - blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.
One Click Plugin Updater - I used this to update the core install after an attempt to edit the WP-config file to add the security keys didn't work (and I ended up with a blank white page).
Viviane
www.thesexcarnival.com
Great advice on WP plugins from Viviane!
Viviane that's fantastic advice, thank you! I also like Login Lockdown and the OneClick Plugin Updater. I haven't tried Secure Wordpress but will definitely take a look. Exploit Scanner is hard to decipher, but very much worth it.
Other useful looking plugins for security:
* Theme Authenticity Scan - make sure the theme you're downloading doesn't have malicious code.
* WP Security Scan - just what it sounds like
-----------------
Liz Henry
Composite: Tech & Poetics
lizzard@bookmaniac.net
useful
wow this is very useful info. Thanks!
Weird
To think of even "upgrading a version" on a blog. I primarily use Typepad, although I have a small blog in WordPress. I don't really understand how you would have to upgrade a web application - Shouldn't that happen behind the scenes?
Oy, I don't really even get it enough to word my comment right here!
I did check my admins, and I guess I'm OK for now...
Liz Rizzo
I blog at Everyday Goddess.
wordpress.com vs. your own hosted install
The idea is that the WordPress software is running on a server account you control directly. You can use wordpress.com, which is hosted on that site and they keep it upgraded. But! If you want much more control over your blog and its software, you can download it from wordpress.org, install it, customize it, and upgrade it. It's open source, so you can see all its code, and there's a big developer community that writes new code to contribute back into the project.
The same is basically true for Movable Type, and for the software behind Identi.ca, StatusNet, which is software to run a Twitter-like service on your own account or your own machine.
So, similarly, with web pages of any kind, there is a difference between having made a web page on Geocities or somewhere like that, vs. making a web page and uploading it to a server account on someone else's server (a web host) vs. having your own server, a physical machine you control all of including its operating system.
I'm not sure if that leaves you any more enlightened or if it's too much explanation. Basically, you can leave Wordpress.com in the driver's seat, a bit like getting on a bus and holding up your blog out the bus window; or you can like, download a snap-together model car kit and DIY. Or not quite DIY, more like DI-with-the-community. Good for control freaks, idealists, and people who like to twiddle and learn things about php.
-----------------
Liz Henry
Composite: Tech & Poetics
lizzard@bookmaniac.net
Oh! OK
So this applies to people that have downloaded and are self hosting the blog software.
That makes much more sense - Thank you!
Liz Rizzo
I blog at Everyday Goddess.
the wordpress bus
that made me smile. It is a bit like that. I have one of each - .com, and .org.
.org is a bit more nerve wracking as you have to look after things yourself. But actually, its not such a big deal.
May I recommend a Wordpress expert?
Her name is Kim Woodbridge, she's a friend of mine, and she's a wonderful Wordpress consultant who does paid work at very reasonable prices. I paid her to upgrade my own blog when it needed a major upgrade a while ago from 2.3 to 2.6
She is also very helpful if you just have a question about Wordpress.
I like the calm way she handles Wordpress issues, very different than the panicky mode I tend to enter whenever something goes wrong.
----
Need to hire a blogger? I’m a mommy blogger and a blogger for hire.
I've Been Hit
Ok - I know that I have been hit as I saw an unfamiliar author yesterday but couldn't delete it in my settings. I am trying to follow what you suggest above to delete the users by connecting to the database but I don't even know where to go to find phpMyAdmin? Embarrassing to say the least but I need to start somewhere. Where do I find that?