WordPress Blog Worm

Yesterday, while I was checking on my WP Dashboard, I came across Lorelle’s post that warned WordPress users about old WordPress versions being attacked. From that post, I learned that there are reports of attacks on older versions of WordPress and that the number of sites being hit was increasing by the hour. When I tried to look for related news in the web, I found out that popular web design blog Smashing Magazine and tech evangelist Robert Scoble’s blog – Scobleizer, recently fell victim to these attacks.

At first I thought that it was the same kind of attack that was recently done on my blog, 2-3 days ago. If you follow me on Twitter or Facebook, you might have come across my status updates about an attack on my blog using the wp-pass redirect vulnerability, which is a security flaw found in older versions of WordPress.

Later that day, Matt Mullenweg published a post on the WordPress Dev Blog entitled – How To Keep WordPress Secure. There I learned that these recent attacks were different and were caused by a smart and malicious computer worm.

Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.

The tactics are new, but the strategy is not. Where this particular worm messes up is in the “clean up” phase: it doesn’t hide itself well and the blogger notices that all his links are broken, which causes him to dig deeper and notice the extent of the damage. Where worms of old would do childish things like defacing your site, the new ones are silent and invisible, so you only notice them when they screw up (as this one did) or your site gets removed from Google for having spam and malware on it.

I’m sure a lot of WordPress blogs are still under attack even as we speak, but the ones at risk are self-hosted WordPress blogs that are running older versions of WordPress (versions prior to 2.8.4). WordPress.com blogs are not at risk because they are always kept up-to-date. In this case, hiding your WordPress version is not enough; the only way to keep your blog safe from this type of attack is to always update to the latest version available.

How do you know if your blog was already attacked?

Lorelle shares two clues to look for to check whether your blog has been attacked.

1. There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.”

2. A “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. If you can’t access that account, check out Journey Etc’s solution.

If you have confirmed that your blog has been attacked, the WordPress Dev team has setup a My Site Was Hacked page to help you out.

If you have access to your MySQL database and want to make sure that there are no extra administrator accounts registered on your blog, copy and paste the following SQL query and run it against your WordPress database.

-- Lists every account whose capabilities include "administrator".
-- Replace the wp_ prefix (in the table names and in the meta_key) with your site's table prefix.
SELECT u.ID, u.user_login
FROM wp_users u, wp_usermeta um
WHERE u.ID = um.user_id
AND um.meta_key = 'wp_capabilities'
AND um.meta_value LIKE '%administrator%';

[via Dougal Campbell]
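As an added illustration (not code from the original post or from Dougal Campbell's query), here is a small Python audit that applies both of Lorelle's clues to constructed sample data: it percent-decodes a permalink structure before looking for eval/base64_decode, and it lists administrator accounts from the usermeta rows the same way the SQL query does, then filters out the logins you recognise. The sample rows, the `wp_` prefix and the `known_admins` set are assumptions for the demo.

```python
import re
from urllib.parse import unquote

# Constructed sample usermeta rows (ID, user_login, meta_key, meta_value); not data from the post.
# WordPress stores a user's roles as a PHP-serialized array under "<table prefix>capabilities".
SAMPLE_USERMETA = [
    (1, "jaypee", "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "Administrator (2)", "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (3, "guest", "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
    (4, "editor", "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
]

# Clue 1: the injected permalink carries PHP, so look for the keywords the post names.
SUSPICIOUS_PERMALINK = re.compile(r"eval\s*\(|base64_decode\s*\(|\$_SERVER|\$\{", re.IGNORECASE)


def permalink_is_tampered(structure: str) -> bool:
    """Return True if a permalink_structure value contains injected code.
    The payload is percent-encoded in the URL (%7B for '{', %5B for '['), so decode first;
    a plain substring search on the raw value would miss the encoded form."""
    decoded = unquote(structure)
    return bool(SUSPICIOUS_PERMALINK.search(decoded))


def administrators(rows, prefix="wp_"):
    """Mirror of the SQL query: every (ID, login) whose capabilities include 'administrator'.
    The meta_key prefix must match the site's table prefix or nothing is returned."""
    key = prefix + "capabilities"
    return [(uid, login) for uid, login, mkey, mval in rows
            if mkey == key and '"administrator"' in mval]


def unexpected_administrators(rows, known_admins, prefix="wp_"):
    """Clue 2: administrator accounts whose login the site owner does not recognise."""
    return [(uid, login) for uid, login in administrators(rows, prefix)
            if login not in known_admins]


if __name__ == "__main__":
    # Constructed permalink values: a normal one and one carrying the injected eval().
    clean = "/%year%/%monthnum%/%postname%/"
    bad = "/%category%/%postname%/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/"
    print("clean permalink tampered:", permalink_is_tampered(clean))
    print("bad permalink tampered:", permalink_is_tampered(bad))
    print("unexpected admins:", unexpected_administrators(SAMPLE_USERMETA, {"jaypee"}))
```

Running it against a real site means reading the permalink_structure option and the usermeta rows from the database instead of the constructed lists; the checks themselves stay the same.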

Here in JaypeeOnline, I always encourage and preach to everyone to always keep your WordPress install up-to-date. Whenever there’s a new version of WordPress released, I publish it here so more users would be aware of it. I always say, “better safe than sorry” and “prevention is better than cure”. I like Matt’s analogy:

Upgrading is taking your vitamins; fixing a hack is open heart surgery.

It’s unfortunate that some users wait until their blogs get compromised or wait for something like this to happen before they upgrade WordPress. Save yourself the hassle, problems and headache and always keep your WordPress blogs up-to-date! It also helps if you do regular backups of your WordPress database and your local files. If you finished reading this post and still haven’t upgraded your WordPress install, what are you waiting for? UPGRADE IT NOW!!!

Anyone else had their blog victimized by these recent attacks? If so, what did you do to fix it? If not, what preventive measures did you take to keep your WordPress-powered blogs secure?




Owner and editor of JaypeeOnline. Self-proclaimed geek. New media writer and consultant. WordPress advocate. Loves blogging, gadgets, video games and sports. You can follow him on Facebook or Twitter.


  • JP Habaradas, September 9, 2009 @ 8:25 PM Reply

    @Loy – They could be the initial targets but I’m sure even regular blogs have been victimized by these recent attacks. If I were you, I’d just play safe and update my WordPress install and don’t wait for something bad to happen to it. ;)

  • Loy, September 9, 2009 @ 8:21 PM Reply

    I think those “big names” are the one that are most likely to be attacked. I’m not yet in that category so my blog is safe for now. Hehe!

  • JP Habaradas, September 8, 2009 @ 7:05 PM Reply

    @@hmad – Which are you referring to? WordPress or WordPress blogs?

  • @hmad, September 8, 2009 @ 7:02 PM Reply

    no more secure

  • JP Habaradas, September 8, 2009 @ 5:30 AM Reply

    @IJ – Yup, we need to be vigilant. Not only do we have to keep our own blogs up-to-date but we also need to spread the word and promote safe computing.

  • IJ, September 8, 2009 @ 5:28 AM Reply

    Yeah, I agree. Bloggers should always make frequent updates to their blogs.

  • JP Habaradas, September 8, 2009 @ 12:10 AM Reply

    @Smart Boy – That’s true. We need to always keep our WordPress blogs up-to-date. Thanks for sharing and for stopping by! :D

  • Smart Boy Designs, September 8, 2009 @ 12:05 AM Reply

    Great thoughts. In short – we really need to be sure our blogs are up-to-date in regards to WordPress software. Update, update, update!
