Attacks on old versions of WordPress

Lorelle has news that older versions of WordPress are being attacked. Symptoms include:

  1. odd additions to permalinks - "eval" and "base64_decode". Your blog's permalinks will no longer work.
  2. a new administrator account, perhaps named Administrator (2), created but not by you. This can happen even if registration is turned off on your blog.

If you haven't upgraded, DO IT NOW. As of today, you should be running version 2.8.4: check your dashboard. If it shows any number lower than that, you need to upgrade. If you're using a version of WP higher than 2.7, it'… here they are: ../../../2009/06/upgrading-wordpress-just-do-it-will-you/

If you've been hit with this already, then copying your posts and comments into a completely clean installation of WordPress seems to be the best way to deal with it. Simply upgrading now will most likely not deal with this: hackers know how WordPress upgrades work, and put the compromised files where an upgrade doesn't touch them (a core upgrade replaces wp-admin and wp-includes, but leaves wp-content and wp-config.php alone). Smackdown has more advice.
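As an added example (not code from the original post, from Smackdown, or from WordPress), here is a quick way to look for the kind of leftover files the paragraph above warns about. It assumes you can pass it the path of your site and the path of a freshly unpacked, unmodified copy of the same WordPress version to compare against; both paths are placeholders you substitute.

```shell
#!/bin/sh
# Added example, not code from the original post or from WordPress.
# A core upgrade replaces wp-admin/ and wp-includes/ but leaves wp-content/
# and wp-config.php in place, so that is where a backdoor survives an upgrade.
# Paths are assumptions: pass your own site root and a freshly unpacked copy
# of the same WordPress version (e.g. from wordpress.org) as the reference.

# Print PHP files under DIR that contain both "eval(" and "base64_decode",
# the pattern the worm leaves in permalinks and in the files it drops.
find_suspect_php() {
    dir="$1"
    find "$dir" -type f \( -name '*.php' -o -name '*.php.*' -o -name '*.phtml' \) 2>/dev/null |
    while IFS= read -r f; do
        if grep -q 'eval(' "$f" && grep -q 'base64_decode' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Print files (relative paths) present under SITE but absent from the pristine
# reference tree PRISTINE. Your own themes, plugins and uploads will show up;
# anything ending in .php under wp-content/uploads/ is what to look at first.
list_extra_files() {
    site="$1"
    pristine="$2"
    (cd "$site" && find . -type f | sed 's|^\./||' | LC_ALL=C sort) |
    while IFS= read -r rel; do
        [ -e "$pristine/$rel" ] || printf '%s\n' "$rel"
    done
}

# Usage: sh check-wp.sh /var/www/blog /tmp/wordpress-2.8.4   (example paths)
if [ -d "${1:-}" ]; then
    echo "== PHP files containing eval( and base64_decode =="
    find_suspect_php "$1"
    if [ -d "${2:-}" ]; then
        echo "== files not present in the pristine copy =="
        list_extra_files "$1" "$2"
    fi
fi
```

Neither check proves a site is clean (a backdoor can be obfuscated some other way, or hidden in the database rather than on disk), which is why the post's advice to rebuild on a clean install still stands; these are for finding out what you are dealing with before you do that.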

I'm going to say too, I'm pretty shocked by the attitude of some people: Weblog Tools Collection's comments have some who are saying they won't upgrade. If you take that line, frankly, you deserve what you get.

Update: one of the tricks this worm apparently uses is JavaScript injected into the WP admin pages to hide the extra administrator account from the Users screen. If this is happening, look directly in the database (e.g. via phpMyAdmin). Check wp_users (your blog may have a different table prefix): if you normally only have one user, you'll easily see if anything's been added. If, however, you have a lot of registered users, you'll want to list out the administrators and make sure they're all legit; note that roles aren't stored in wp_users but in wp_usermeta, under the meta_key wp_capabilities (again with your prefix), so you need to look at both tables. Dougal Campbell has more details on this.
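Here are the database checks described above as an added example (it is not from the original post, from Dougal Campbell, or from WordPress itself). It assumes the default wp_ table prefix, and it also covers the permalink symptom from the list at the top of the post, since the permalink structure lives in the same database:

```sql
-- Added example, not from the original post. Paste into phpMyAdmin's SQL tab.
-- Assumes the default "wp_" prefix; if wp-config.php sets $table_prefix to
-- something else, rename the tables and the wp_capabilities key to match.

-- 1. Permalink symptom: the permalink structure is an option in wp_options.
--    Show it, and anything else in the options table that carries the
--    eval / base64_decode pattern.
SELECT option_name, option_value
FROM wp_options
WHERE option_name = 'permalink_structure'
   OR option_value LIKE '%eval(%'
   OR option_value LIKE '%base64_decode%';

-- 2. Hidden administrator symptom: list every account that holds the
--    administrator role. Roles live in wp_usermeta, not wp_users, as a
--    serialized PHP array under meta_key 'wp_capabilities', e.g.
--    a:1:{s:13:"administrator";b:1;}
SELECT u.ID, u.user_login, u.user_email, u.user_registered,
       m.meta_value AS capabilities
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.user_registered DESC;

-- 3. Sanity check: the raw user count. Injected JavaScript can hide a row on
--    the Users screen, but it cannot hide it from this query.
SELECT COUNT(*) AS total_users FROM wp_users;
```

Anything the second query returns that you don't recognise is the "Administrator (2)" style account the post describes; note the registration date, since it will usually line up with when the permalinks broke. Resist the urge to just delete the row and carry on: the account is a symptom, and the post's advice to move to a clean install is the fix.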


Posted by Sue on September 5, 2009 in Security, WordPress.
