- Share This Post
- submit
- 13
-
Sparkle (0)
If you aren't using the latest version of WordPress, currently 2.8.4, your blog might have been hacked. There's an attack going on right now that breaks into your blog to create, and then hide, administrator accounts.
You can see if this has happened on your blog by going to the Dashboard and then the Users panel. The number listed in parentheses after Administrators should match the number of actual admins that you have for the blog!
If that number is higher than the amount of admins for the blog, you probably have hidden users. You could try turning Javascript off in your browser to see those hidden users.
Then, delete them (if you can) from the panel. I didn't try this myself, but I think it will work.
Or, you can use mysql or phpmyadmin to delete those users from your database. If you don't remember how to connect to your database, look at the files in your wordpress folder and read the contents of wp-config.php. That will have the username and password and database host name. You might also need to look at the help or FAQ files for your web host.
In phpMyAdmin, you can find and delete the hidden users by connecting to your database, then browsing the users table. Check the boxes by the wp_users and the email fields (or just check all of them) and then click Browse again. This should show you a list of all the users on your blog.
This is what a row of user data should look like in phpMyAdmin:
This is what a "hidden user" account will look like. It'll be a name that doesn't show up in your WordPress Dashboard, and it won't have an email address in that 5th field. Might be a good idea to delete these users right away.
I followed Lorelle's instructions for how to recover from my WordPress blog being hacked. That worked fine:
* I did an xml export from the Dashboard and made sure I knew what that file was named and where I saved it.
* I did an sql dump of the whole blog (from the mysql command line, but you could do one from phpMyAdmin too) Just to make sure I would have everything, and so that I could do some forensics later on the contaminated db.
* Then I deleted that db, made a new db, and saved the information on how to log into it. You could also drop all the tables in the old one, I guess, and keep using it. While you could leave the old db there, it seems unwise.
* I deleted all the stuff in my wordpress folder on my server. If I'd thought, I would have saved a few custom banners and images first.
* I downloaded WordPress latest version, 2.8.4 and unzipped it, along with some themes and plugins.
* I then went to the url for my blog and told the install screen a blog name and my email address, and got a new admin password. Voila, new empty blog.
* Then, from the WordPress Dashboard, went to Manage and then Import. I imported the xml file as a WordPress import, with its attachments. This brought me all my pages, posts, comments, and so on.
A little tweaking and my blog was as good as new.
(While Danger is "Eminent" sometimes, like Godzilla, I don't think that's what the signmaker meant!)
I think for your average user, who finds upgrading and installing a bit scary, this will seem even more scary. But it's not bad at all. It just requires you to follow the steps, write down or cut and paste all the information you will need to keep track of:
- one set of info for your web host account
- one set for your sql database account and phpmyadmin
- the information for your blog itself, for the WordPress install
- where you're saving the export file with your blog posts and comments!
In a pinch, if you really mess up in this process, you can get a backup and restore from your web host.
Now, even though I went through this process, I think that someone might potentially write a plugin or script to reveal and delete those hidden users. It might not
