URGENT: If Your Wordpress Blog is Acting Strangely, Follow These Steps September 4, 2009
Posted by Andrew Wee in : blogging , trackbackI checked my blog and the URLs looked malformed, with the following structure: http://www.whoisandrewwee.com/2009/09/03/unlocking-unconventional-traffic-sources-for-affiliate-campaigns/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/#comment-506929
If you notice something similar or weird with your Wordpress blog, you might want to take the following steps:
- Check the “users” tab from the WP admin interface
- Remove any unfamiliar users, esp those marked as “administrator”
- To prevent users from registering, I’d go as far as to remove wp-register.php (keep a backup and FTP it back in if you have problems)
- Check all of Wordpress’ PHP scripts, remove global “execute” privileges
Once you’ve secured the perimeter, look at the “Settings” and “permalinks” tab.
If you see some weird stuff like “%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/#comment-506929″, you’d want to clear that, and replace it with your original permalink structure, or look it up on the Wordpress codex.
You can also check out this other blog post for more details.
Note: this issue seems to be affecting Wordpress 2.6.x. Not sure to what extent it’s affecting version 2.8.x.
UPDATE: Matt Mullenweg from the Wordpress development team has posted about the security issues if you’re using an older version of Wordpress. Here’s a WP support forum write up about what might be happening.
You might want to upgrade to a newer version of Wordpress. Just take note that some of your plugins/themes might not work if the developer hasn’t updated the plugin for compliance with the newest version.
Popularity: 6%
Text Blog feed
[...] Gracias a este post, me di cuenta y lo puede solucionar http://www.whoisandrewwee.com/blogging/wordpress-26-permalink-problem/ [...]
[...] http://www.journeyetc.com/2009/09/04/wordpress-permalink-rss-problems/ oder http://www.whoisandrewwee.com/blogging/wordpress-26-permalink-problem/ [...]
We got it, too. Is this a world wide problem? I googled the change script and it seems a few similar problems have popped out recently.
Thanks for this post – we’ve seen it three times today, not sure what versions were running.
Thank you, it helped me tonight !!
Hi there
Many thanks for this information, I was at my wits end trying to resolve this lol, I think mine occured because of installing the seo plugin pack, but doing what you said on this post worked fine !
Woc
They got me. Thanks for the info on how to clean it up. Wasn’t as cut and dried as you made it sound… had some trouble with my htaccess file. But it’s all good now!
Thanks so much Andrew, my blog was also similarly affected and I’ve followed your instructions to fix the issue. I’d have been completely stumped without this post.
Wonder if they’re targeting online marketers, the rotters?!
[...] Read Andrew Wee’s Fix Here >> [...]
Andrew – a colleague also affected has just told me that most people affected will also have had a new admin inserted directly into their SQL database that doesn’t show up in Wordpress interface.
I found this had been placed into my SQL db, it has obviously been stored for later foul internet deeds to be performed…
Hi Kirsty,
Thanks for that. I’ll drop a note to my server admin.
For those who’re using fantastico/cPanel, it should be an easy fix from the “mySQL database” or “phpMyAdmin” consoles.
Lots more going on beneath the surface! Permalinks and hidden admin users! This blog post worked for me to clean house: http://blog.nachotech.com/?p=125
I also renamed my xmlrpc.php and wp-register.php files as a stop-gap solution. It seems 2.8.4 blogs are safe so far. I am guessing 2.8.5 will be out ASAP to correct this is 2.8.4 doesn’t.
This post is very good for me.. i can get many tips and trick on this blog.. thank’s for u’r information my friend! this is my first time to visiting to your blog..
[...] further steps, as suggested in the comments section of this post by Andrew Wee, are to rename a couple of your WordPress files in the hope that these actions minimise the chances [...]
Thanks for your post! I just had the problem.
Thanx a lot! Really works!