Comments on: My WordPress Blog was Hacked… again! http://www.colinmcnulty.com/blog/2009/02/22/my-wordpress-blog-was-hacked-again/ My humble blog about fitness, health, diet (paleo and zone), CrossFit, PDR self defence, weightlifting, general life musings and occasional jollity. Tue, 07 Feb 2012 15:45:23 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Colin McNultyhttp://www.colinmcnulty.com/blog/2009/02/22/my-wordpress-blog-was-hacked-again/comment-page-1/#comment-2280 Colin McNulty Sun, 26 Apr 2009 20:36:40 +0000 http://www.colinmcnulty.com/blog/?p=406#comment-2280 Thanks for the tips Frank. I'll take a look at that plugin, and changing the admin user is always a good idea too. My password is fairly "strong" in that it's not a real word etc, so I assumed the security hole was probably a known vulnerability in an old version of WordPress. EDIT: I've just looked at editing the admin user, but I get this: <em>"Your username cannot be changed."</em> next to the username. Thanks for the tips Frank. I’ll take a look at that plugin, and changing the admin user is always a good idea too. My password is fairly “strong” in that it’s not a real word etc, so I assumed the security hole was probably a known vulnerability in an old version of WordPress.

EDIT: I’ve just looked at editing the admin user, but I get this: “Your username cannot be changed.” next to the username.

]]> By: Frankhttp://www.colinmcnulty.com/blog/2009/02/22/my-wordpress-blog-was-hacked-again/comment-page-1/#comment-2279 Frank Fri, 24 Apr 2009 12:23:02 +0000 http://www.colinmcnulty.com/blog/?p=406#comment-2279 Changing the default "admin" user is a must do for any new Wordpress installation. I also have installed a WP plugin that protects you against brute force attacks. It is called Login Lockdown: http://wordpress.org/extend/plugins/login-lockdown/ Changing the default “admin” user is a must do for any new WordPress installation. I also have installed a WP plugin that protects you against brute force attacks.

It is called Login Lockdown:

http://wordpress.org/extend/plugins/login-lockdown/

]]> By: Jonathan Dearhttp://www.colinmcnulty.com/blog/2009/02/22/my-wordpress-blog-was-hacked-again/comment-page-1/#comment-2269 Jonathan Dear Mon, 20 Apr 2009 23:23:44 +0000 http://www.colinmcnulty.com/blog/?p=406#comment-2269 Hi Colin, Funny - when I take out that line of code, It still displays the footer of the blog - so it must be an extra function call. The wordpress default theme also had it, but not the original theme. So they had gone to the trouble of adding that code to the other themes as well. Your right though, I need to find where the code is that the function is called. I'll load up the files and do a search for it. thanks for the update on google - our traffic has suffered bigtime as a result. Hi Colin,

Funny – when I take out that line of code, It still displays the footer of the blog – so it must be an extra function call. The wordpress default theme also had it, but not the original theme. So they had gone to the trouble of adding that code to the other themes as well.

Your right though, I need to find where the code is that the function is called. I’ll load up the files and do a search for it.

thanks for the update on google – our traffic has suffered bigtime as a result.

]]> By: Colin McNultyhttp://www.colinmcnulty.com/blog/2009/02/22/my-wordpress-blog-was-hacked-again/comment-page-1/#comment-2267 Colin McNulty Mon, 20 Apr 2009 20:23:59 +0000 http://www.colinmcnulty.com/blog/?p=406#comment-2267 Hi Jonathan, it looks like you've removed the whole footer code. It would be better to find the file that's got the offending code in. Download all your website WordPress files and do a search. Or an easy trick is to sort by file size, the largest file is likely to be the culprit. And yes your rankings do come back. It wouldn't hurt to file a re-inclusion request with google, which you can do through your Google WebMaster Tools account. FYI it took my site 3 weeks to get its rankings back. Hi Jonathan, it looks like you’ve removed the whole footer code. It would be better to find the file that’s got the offending code in. Download all your website WordPress files and do a search. Or an easy trick is to sort by file size, the largest file is likely to be the culprit.

And yes your rankings do come back. It wouldn’t hurt to file a re-inclusion request with google, which you can do through your Google WebMaster Tools account. FYI it took my site 3 weeks to get its rankings back.

]]> By: Jonathan Dearhttp://www.colinmcnulty.com/blog/2009/02/22/my-wordpress-blog-was-hacked-again/comment-page-1/#comment-2264 Jonathan Dear Mon, 20 Apr 2009 03:28:18 +0000 http://www.colinmcnulty.com/blog/?p=406#comment-2264 I had the exact same thing happen to me recently... Now I don't come up in any google searches - all while running 2.7.1 which is strange. changing themes still yielded the same crap in the footer (I used websniffer.net) to simulate how googlebot views. Tricky sucker - doesn't show up at all, except to googlebot, so a simple view source on your page of your browser doesnt show the dirty links. I found the offending code in the footer.php file. After the RSS links code there was this line of code: <?php // WordPress footer wp_footer(); where this wp_footer(); function is I dont know, but commenting it out - putting //wp_footer(); in instead removed the links. There was also a wordpress user in the database so I deleted him, and renamed my admin user to something other than admin. I hope this info helps someone else - not much info on it on the net. I hope google adds me again soon! I had the exact same thing happen to me recently… Now I don’t come up in any google searches – all while running 2.7.1 which is strange. changing themes still yielded the same crap in the footer (I used websniffer.net) to simulate how googlebot views.

Tricky sucker – doesn’t show up at all, except to googlebot, so a simple view source on your page of your browser doesnt show the dirty links.

I found the offending code in the footer.php file. After the RSS links code there was this line of code:

<?php
// WordPress footer
wp_footer();

where this wp_footer(); function is I dont know, but commenting it out – putting //wp_footer(); in instead removed the links.

There was also a wordpress user in the database so I deleted him, and renamed my admin user to something other than admin.

I hope this info helps someone else – not much info on it on the net. I hope google adds me again soon!

]]> By: Ostwaldhttp://www.colinmcnulty.com/blog/2009/02/22/my-wordpress-blog-was-hacked-again/comment-page-1/#comment-2244 Ostwald Tue, 14 Apr 2009 16:45:25 +0000 http://www.colinmcnulty.com/blog/?p=406#comment-2244 The consequences of such attacks (for small bloggers) could be severe, not only as a temporary disruptions, but also as a long term SEO penalties. Especially with Google which seems to keep record of your bad content for a long time. The consequences of such attacks (for small bloggers) could be severe, not only as a temporary disruptions, but also as a long term SEO penalties. Especially with Google which seems to keep record of your bad content for a long time.

]]> By: bobhttp://www.colinmcnulty.com/blog/2009/02/22/my-wordpress-blog-was-hacked-again/comment-page-1/#comment-2243 bob Tue, 14 Apr 2009 16:43:20 +0000 http://www.colinmcnulty.com/blog/?p=406#comment-2243 Just to be clear on the current issue of recent hacks, many non-WordPress blogs and websites are impacted by the current Google/Search Engine Redirect hacks, so this might not be a WordPress specific issue. Upgrading, especially for security issues, has been around as long as software has been around, so blasting away at WordPress isn’t helping anyone, especially as many of the recent attacks are not WordPress-specific. Just to be clear on the current issue of recent hacks, many non-WordPress blogs and websites are impacted by the current Google/Search Engine Redirect hacks, so this might not be a WordPress specific issue. Upgrading, especially for security issues, has been around as long as software has been around, so blasting away at WordPress isn’t helping anyone, especially as many of the recent attacks are not WordPress-specific.

]]> By: Joshhttp://www.colinmcnulty.com/blog/2009/02/22/my-wordpress-blog-was-hacked-again/comment-page-1/#comment-2242 Josh Tue, 14 Apr 2009 16:37:53 +0000 http://www.colinmcnulty.com/blog/?p=406#comment-2242 My comment feed hasn’t worked in forever. A few times I went in to track down the problem but never found it. After this post, I think I will look at my site more closely. My comment feed hasn’t worked in forever. A few times I went in to track down the problem but never found it. After this post, I think I will look at my site more closely.

]]> By: Colin McNultyhttp://www.colinmcnulty.com/blog/2009/02/22/my-wordpress-blog-was-hacked-again/comment-page-1/#comment-1858 Colin McNulty Wed, 04 Mar 2009 19:24:06 +0000 http://www.colinmcnulty.com/blog/?p=406#comment-1858 Hi WT. I already had an auto updating plugin. I just need to be more proactive at keeping uptodate. Hi WT. I already had an auto updating plugin. I just need to be more proactive at keeping uptodate.

]]> By: welshtrollhttp://www.colinmcnulty.com/blog/2009/02/22/my-wordpress-blog-was-hacked-again/comment-page-1/#comment-1857 welshtroll Wed, 04 Mar 2009 19:03:17 +0000 http://www.colinmcnulty.com/blog/?p=406#comment-1857 The new backend of Wordpress notifies you when there is a new version on the admin page and now also does automatic update without the need to ftp the files :) Hopefully will allow you to keep up with the versions The new backend of WordPress notifies you when there is a new version on the admin page and now also does automatic update without the need to ftp the files :)

Hopefully will allow you to keep up with the versions

]]>