ThemeLab's Blog

Stay up to date with our newest WordPress themes, WordPress plugins, WordPress tutorials, and other announcements.

Security Alert – Upgrade to WordPress 2.8.4 Now

Last Updated on by

There is a security exploit going around, and it could affect anyone not using the most up-to-date version of WordPress at the moment, which is WordPress 2.8.4. Lorelle has a good writeup on how old WordPress versions are under attack. To summarize, here’s what to look out for if you think your WordPress site may have been compromised.

  • Unusual additions to your WordPress permalink structure. If you see anything like “eval” and/or “base64_decode” in your URLs, you’ve already been hit.
  • This is a real kicker: a hidden admin account. That’s right, the exploit can let the attacker set up a hidden admin account that may not even be displayed in your user list.

This post offers some solutions if you have already been hacked. Remove the extra permalink code in Settings → Permalinks, remove the extra admin account, and (obviously) upgrade to the latest version of WordPress.

Has anyone been affected by this exploit? I’m happy to say out of all of my WordPress sites, I haven’t been hit, although I have still upgraded all of my WordPress installations to the latest version, including Theme Lab, and I highly recommend you do the same (as long as you backup first). Just another reason to keep your WordPress version up-to-date.

About

Leland Fiegel was the original founder of ThemeLab. He is a web developer who loves WordPress and blogging.

  • http://human3rror.com John (Human3rror)

    a number of older clients got it. the landing page was bad…

  • http://www.iam-here.com Detoam

    scared me there for a second. I thought that 2.8.4 were affected. Still I do thank You.

  • http://blaineblogger.com blaineblogger

    I haven’t been effected but some top blogs like robert scoble have.

  • Leland

    @John: What landing page did you see?

    @Detoam: Don’t think this particular security exploit affects 2.8.4, but that doesn’t mean you’re 100% safe. Just make sure to keep updated.

    @blaineblogger: Yep, he wasn’t up-to-date though. ;)

  • Aipo

    Hey Leland. I had four windows open, 3 wordpress blogs and youtube, and a huge window slowly creeped up from the bottom on my screen and said…. a file, and it gave the name… is trying to hack your computer. Then it gave options for me to do, one of which was marked already. I said ok, and my antivirus program said it had been deleted. I then closed all windows and ran my antivirus program. Nothing showed up. I wonder if it was the wordpress blogs I was on? SCARY!

    Thanks for this post!

  • http://imanto.com Anto

    Yea scoble wasnt updated haha. But still, i keep mine up to date always, its just hard to keep up to date all the time, because a plugin might not work, or some part of a theme or something, but either way. im sure everyone has updated now.

    id love to know how to do the hack, theres some bitches id like to get back at :P

  • Zipo

    Can a person act as a conduit for the hacker? If you have three different windows open with 3 wordpress blogs working, and you get a warning you are being hacked, can you by association, infect those other blogs?

  • Leland

    @Aipo/Zipo: I doubt it. Sounds like it was one of those popup ads that say something like “You have 50209340234 pieces of spyware, click here for a free scan!” which is fake.

    @Anto: Yeah it can be hard, especially if you have a lot of sites. Thankfully it’s not public knowledge how to do it or I’m sure a lot of people would be taking advantage of it, like you lol :P

  • Zipo

    Thank you for your response. Sorry about my error on sign in. (totally stupid)

    However, no it wasn’t a pop up. It was my Panda AVPro that posted the alert. The file is in quarantine on Panda file.

    As long as I am not the contaminant for other sites, I am good to go.

  • Leland

    @Zipo: I’m not exactly sure, but I would recommend you do a virus scan as sometimes sites (any sites, not just WP blogs) can have malicious code on it that could cause your antivirus software to go off.

  • Zipo

    Yes I did do that. I always do a full hard drive (external included) after major site viewing.

    FYI and just for the laugh, my first thought; it was Anto hacking me….

    Again, thank you!

  • http://imanto.com Anto

    @Zipo, why would i hack you ? :) you havent did anything seriously wrong hehe

  • Daniel

    My blog got infected bad, every single page (on my site) I went to lead to my antivirus going crazy saying that a html trojan had attacked, ant after reading about it I realized there was not much more to do than to reinstall the who blog, so that’s what I’m doing now.