WordPress Blog Worm

Yesterday, while I was checking on my WP Dashboard, I came across Lorelle’s post that warned WordPress users about old WordPress versions being attacked. From that post, I learned that there are reports of attacks on older versions of WordPress and that the number of sites being hit was increasing by the hour. When I tried to look for related news in the web, I found out that popular web design blog Smashing Magazine and tech evangelist Robert Scoble’s blog – Scobleizer, recently fell victim to these attacks.

At first I thought that it was the same kind of attack that was recently done on my blog, 2-3 days ago. If you follow me on Twitter or Facebook, you might have come across my status updates about an attack on my blog using the wp-pass redirect vulnerability which is a securitly flaw found in older versions of WordPress.

Later that day, Matt Mullenweg published a post on the WordPress Dev Blog entitled – How To Keep WordPress Secure> There I learned that these recent attacks were different and were caused by a smart and malicious computer worm.

Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.

The tactics are new, but the strategy is not. Where this particular worm messes up is in the “clean up” phase: it doesn’t hide itself well and the blogger notices that all his links are broken, which causes him to dig deeper and notice the extent of the damage. Where worms of old would do childish things like defacing your site, the new ones are silent and invisible, so you only notice them when they screw up (as this one did) or your site gets removed from Google for having spam and malware on it.

I’m sure alot of WordPress blogs are still under attack even as we speak but those who are at risk are those self-hosted WordPress blogs that are running older versions of WordPress (versions prior to 2.8.4). WordPress.com blogs are not at risk because they are always kept up-to-date. In this case, hiding your WordPress version is not enough and the only way to keep your blog safe from this type of attack is to always update to the latest version available.

How do you know if your blog was already attacked?

Lorelle shares two clues to look for and check if your blog has been attacked.

1. There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.”

2. A “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. If you can’t access that account, check out Journey Etc’s solution.

If you have confirmed that your blog has been attacked, the WordPress Dev team has setup a My Site Was Hacked page to help you out.

If you have access to your MySQL database and want to make sure that there are no extra administrator accounts registered on your blog, copy and paste the following code or SQL query and run it against your WordPress database.

SELECT u.ID, u.user_login
FROM wp_users u, wp_usermeta um
WHERE u.ID = um.user_id
AND um.meta_key = ‘kPaqAwJE_capabilities’
AND um.meta_value LIKE ‘%administrator%’;

[via Dougal Campbell]

Here in JaypeeOnline, I always encourage and preach to everyone to always keep your WordPress install up-to-date. Whenever there’s a new version of WordPress released, I publish it here so more users would be aware of it. I always say, “better safe than sorry” and “prevention is better than cure”. I like Matt’s analogy:

Upgrading is taking your vitamins; fixing a hack is open heart surgery.

Its unfortunate that some users wait until their blogs get compromised or wait for something like this to happen before they upgrade WordPress. Save yourself the hassle, problems and headache and always keep your WordPress blogs up-to-date! It also helps if you do regular backups of your WordPress database and your local files. If you finished reading this post and still haven’t upgraded your WordPress install, what are you waiting for? UPGRADE IT NOW!!!

Anyone else had their blog victimized by these recent attacks? If so, what did you do to fix it? If not, what preventive measures did you take to keep your WordPress-powered blogs secure?

JaypeeOnline is supported by its audience. When you click on the advertisements or purchase through links on our site, we may earn an affiliate commission. Learn more



Owner and editor of JaypeeOnline. Self-proclaimed geek. New media writer and consultant. WordPress advocate. Loves blogging, gadgets, video games and sports. You can follow him on Facebook or Twitter.


  • JP Habaradas, September 9, 2009 @ 8:25 PM Reply

    @Loy – They could be the initial targets but I’m sure even regular blogs have been victimized by these recent attacks. If I were you, I’d just play safe and update my WordPress install and don’t wait for something bad to happen to it. ;)

  • Loy, September 9, 2009 @ 8:21 PM Reply

    I think those “big names” are the one that are most likely to be attacked. I’m not yet in that category so my blog is safe for now. Hehe!

  • JP Habaradas, September 8, 2009 @ 7:05 PM Reply

    @@hmad – Which are you referring to? WordPress or WordPress blogs?

  • @hmad, September 8, 2009 @ 7:02 PM Reply

    no more secure

  • JP Habaradas, September 8, 2009 @ 5:30 AM Reply

    @IJ – Yup, we need to be vigilant. Not only do we have to keep our own blogs up-to-date but we also need to spread the word and promote safe computing.

  • IJ, September 8, 2009 @ 5:28 AM Reply

    Yeah, I agree, Bloggers should always make a frequent update on their blogs.

  • JP Habaradas, September 8, 2009 @ 12:10 AM Reply

    @Smart Boy – That’s true. We need to always keep our WordPress blogs up-to-date. Thanks for sharing and for stopping by! :D

  • Smart Boy Designs, September 8, 2009 @ 12:05 AM Reply

    Great thoughts. In short – we really need to be sure our blogs are up-to-date in regards to WordPress software. Update, update, update!

  • JP Habaradas, September 7, 2009 @ 5:50 AM Reply

    @Michael – Yes, they should. I try to always post about the latest WordPress updates here in my blog and preach about the importance of upgrading to the latest version and backing up your database and files. :)

  • Michael, September 7, 2009 @ 5:45 AM Reply

    This is bloggers should update everytime there is a new release. I hope this is not lurking around anymore.

  • JP Habaradas, September 6, 2009 @ 8:30 PM Reply

    @Raju – Really? Good thing your blog wasn’t attacked and got compromised. It pays to always keep your WordPress blog up-to-date. Yes, I had that same problem with earlier versions where the auto-upgrade function didn’t work and showed errors. It started working after I upgraded to the latest version, 2.8.4.

    That’s quite an experience you had there. Backups come in very handy in situations like these coz if something happens you can always restore your WP database.

  • JP Habaradas, September 6, 2009 @ 8:10 PM Reply

    @jan – Thank you my friend! Glad you like and find this post useful. I guess playing basketball has its benefits? Hehe :D

  • Raju, September 6, 2009 @ 8:25 PM Reply

    I was on 2.7.1 till yesterday and suddenly found a flurry of warning tweets and posts and tried to upgrade my wp. To my astonishment, Tools–> Upgrade option in admin panel told me that no upgrade is needed and I already have the latest WP version :| How lame is that?
    So now I had to manually upgrade wordpress and trust me it wasn’t easy. Many plugins stopped working and I had to disable each of them one-by-one to know which plugin is causing the issue. Horrible experience really.

  • JP Habaradas, September 6, 2009 @ 7:10 PM Reply

    @K – No, other blogs are also under attack not only popular blogs. It’s just that more people are aware of it when a popular blog gets it. Yes, it is always better to be safe than sorry.

    Haha..yeah, I read that post of yours regarding men’s leggings. So you’re getting a lot of hits for that post? :D

  • K.noizki, September 6, 2009 @ 7:06 PM Reply

    Curious, are these hackers only attack popular sites such as the ones you mentioned above or can actually happen to any blogs? I just noticed these attacks mostly happened to those who are “big” in the net. The last time I recalled was the site of David Airey.

    Well it’s better be safe than sorry.

    If I have been attacked, I would blame those who love “men’s wearing leggings” for giving me hits on my latest posts on me wearing leggings.

  • jan geronimo, September 6, 2009 @ 8:05 PM Reply

    Wow – how to find out if your blog is under attack part of the post is very valuable. No wonder you’re getting hits for it. Well deserved. You’re a whiz at ball handling, Jaypee. You didn’t drop the ball on this one. :)

    And a great picture to boot.

  • JP Habaradas, September 6, 2009 @ 6:55 PM Reply

    @Ambo – That’s good practice bro! Your blog would be safer that way. :D

  • Ambo, September 6, 2009 @ 6:54 PM Reply

    Thank God i regularly upgrade all my blogs to the latest version.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.