I just stumbled upon this post about an exploit that allows a hacker or spammer to inject links and HTML into your WordPress installation. If you see a /wp-content/1/ directory when you browse your site's files over FTP, you have likely been affected. Over 9,000 other WordPress blogs are in the same boat.
The injected pages push ringtones, gambling and the usual spam. I'm not going to link directly to these results, as some of the links have been reported to host malware, so visiting them is a bad idea. Google will likely penalize your site if the spam links on it are crawled, so if you find this directory, delete it and every file under it right away. Bear in mind that removing the directory removes the spam, not the way it got there, so also check for other recently modified files and change your passwords.
As yet there has been no official word from the WordPress developers on this vulnerability. Until there is, fall back on good security practice, which applies to every website, not just WordPress-powered ones: password-protect sensitive directories, don't advertise the version of the software you're running, and disable directory indexes on the WordPress core directories, to name a few. I'll be posting some general WordPress security tips on Theme Lab soon.
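As an added example (not from the original post or from WordPress itself), here is a POSIX shell script that audits a WordPress document root for the /wp-content/1/ directory described above, removes it, and applies two of the hardening tips: turning off directory indexes and suppressing the generator tag that publishes the WordPress version. The sample install it builds in a temp directory is constructed for the demonstration, and the .htaccess and functions.php edits assume an Apache host that honours .htaccess and a theme functions.php with no closing ?> tag.

```shell
#!/bin/sh
# Added example (not from the original post): audit a WordPress document root
# for the /wp-content/1/ spam directory, remove it, and apply two hardening
# tips. Assumes an Apache host that honours .htaccess and a theme
# functions.php without a closing ?> tag.

OPTIONS_RE='^[[:space:]]*Options[[:space:]].*-Indexes'

# Lists the files under wp-content/1 and returns 0 if that directory exists.
wp_spam_dir_present() {
    [ -d "$1/wp-content/1" ] || return 1
    find "$1/wp-content/1" -type f | sort
}

# Returns 0 if directory listings are disabled for the site root (Apache
# inherits that into every subdirectory) or for each core directory.
wp_indexes_disabled() {
    grep -qis "$OPTIONS_RE" "$1/.htaccess" && return 0
    for d in wp-content wp-includes wp-admin; do
        grep -qis "$OPTIONS_RE" "$1/$d/.htaccess" || return 1
    done
    return 0
}

# Returns 0 if some theme removes the generator <meta> tag that advertises
# the WordPress version in every page's <head>.
wp_generator_hidden() {
    grep -rqs "remove_action([[:space:]]*'wp_head',[[:space:]]*'wp_generator'" \
        "$1/wp-content/themes"
}

# Cleanup step from the post: delete the injected directory and its files.
wp_remove_spam_dir() {
    rm -rf "$1/wp-content/1"
}

# Hardening step: turn off directory indexes site-wide.
wp_disable_indexes() {
    printf 'Options -Indexes\n' >> "$1/.htaccess"
}

# Hardening step: stop publishing the version via the generator tag.
# $2 is the theme directory name.
wp_hide_generator() {
    printf '%s\n' "remove_action('wp_head', 'wp_generator');" \
        >> "$1/wp-content/themes/$2/functions.php"
}

# Builds a constructed sample install (with a fake spam directory) in a temp
# dir and prints its path. Not a real compromised site.
make_sample_root() {
    sample=$(mktemp -d)
    mkdir -p "$sample/wp-content/themes/sample" "$sample/wp-includes" \
             "$sample/wp-admin" "$sample/wp-content/1"
    printf '<?php\n// constructed theme stub\n' \
        > "$sample/wp-content/themes/sample/functions.php"
    printf '<html>constructed spam page</html>\n' > "$sample/wp-content/1/index.html"
    printf '<html>constructed spam page</html>\n' > "$sample/wp-content/1/ringtones.html"
    printf '%s' "$sample"
}

# Stand-alone run: audit, clean and harden the constructed sample.
demo_root=$(make_sample_root)
if wp_spam_dir_present "$demo_root"; then
    echo "spam directory found in $demo_root, removing it"
    wp_remove_spam_dir "$demo_root"
fi
wp_indexes_disabled "$demo_root" || wp_disable_indexes "$demo_root"
wp_generator_hidden "$demo_root" || wp_hide_generator "$demo_root" sample
echo "indexes disabled: $(wp_indexes_disabled "$demo_root" && echo yes || echo no)"
echo "generator hidden: $(wp_generator_hidden "$demo_root" && echo yes || echo no)"
rm -rf "$demo_root"
```

Run it against a real install by replacing the constructed sample with your document root; the checks only read files, while the remove and harden functions modify the site, so review what the audit reports before calling them.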
Note: More information is available in this WordPress.org support topic, where the exploit was initially reported.

Thanks for the heads up. Really informative and great content. The tips should help many avoid this problem.
I also wrote about it at
http://www.bontb.com/2008/03/wp-content1-trojan-virus-for-wordpress-bloggers/
I'll keep posting what I find out.
Nice find. Hopefully they'll get round to sorting it. I'm sure they know about it now, though.
I saw your post and thought I'd give this issue some importance, because I also use WordPress and a friend told me he got hacked.
So I wrote this article about the issue:
http://websecurity.ro/blog/2008/03/28/wordpress-233-probably-a-0day-exploit/