Support » Fixing WordPress » My WordPress Hacked

  • v2.0.3

    I got an email from my WP site (wordpress@..

    Subject: Password Lost/Change
    Password Lost and Changed for user: admin

    I went to the site and couldn’t log in, I tried to retrieve the password but “Sorry, that user does not seem to exist in our database.”, that user being Admin. I checked the database and I’m pretty sure the wp_users table was empty (I was in a bit of a panic but pretty sure)

    On the site I then noticed the lastest post had been edited to…

    hax vs YOU
    hax was here, hax fucked you, please no 3war ras

    همود يهبيني؟

    which seemed to sum up the situation.

    Back to the database; I now see one user, admin, email listed as [ Redacted ] and user registered 2006-06-09 16:07:10. I have now changed that account and regained access but I see no reason why they shouldn’t be able to do whatever they did again whenever they want.

    I need to know how this happened, I have a few wordpress sites and this could happen to any at any time…

    anyone have any ideas?

Viewing 15 replies - 1 through 15 (of 17 total)
  • whooami



    there are a few more things that anyone trying to help/stop repeat occurances would need to know:

    OS (flavor and kernel version if nix based obviously), php version, mysql version, whether or not you have contacted your host, what they said, any other software installed on that domain/whatever, was it touched..

    Also, Matt/Dougal/someone has set up a special email addy for those sorts of reports:

    middle of the way down..

    if it were me, i would get all the above info (most of it is available on the left side of your cpanel), and send off an email.




    as an aside, is a real domain, for those that havent already checked, (all ONE of you) 😛 and while there does appear to be some “arab” influence on the site (check the forums) I couldnt locate that username (upx) anywhere — not to say it doesnt exist

    The site hacked is something not yet live (although it is online) so I have decided to leave for a bit so you can have a look.
    php info here

    The WP site is at

    I just want to find out what happened so I can stop it happening to my other WP sites that are live.

    I will send that email – cheers.




    I for one, would be VERY interested in seeing your Apache logs.. unfortuntely theres no telling without a good scouring to know exactly when that was done, or is there?
    Assuming that post date of June 13 was edited.. whens the last time you actually checked that site? Has it been a month?

    IF you do archive your Apache logs, some do, some dont (its an option in CPanel) I would LOVE to take a close look at your Apache logs for June (if in fact you think thats when that happened, July, obviously (if you think thats when it happened).

    If you are OK with that, and have them archived, feel free to contact me [ Redacted ]. Rest assured, I wouldnt share anything I find without your prior approval.

    Good luck either way, and take care!

    It happened today, they edited an existing post.

    I have to go now but I will see if I can get the logs later and contact you. Thanks.

    I had my wordpress blog hacked last week…. we worked out the only realistic reason was that the blog was created using fantastico – which is a cpanel plugin. If you happen to use the same username/password as your ftp during your fantastico wordpress install – it seems there is a security flaw.

    I’m back! I was away a little longer than expected. My logs are not archived! I’ve never looked before, if I had looked on the day they would have been there but I just presumed they would be there for more than a day. oops.

    Although I did use it once I am fairly sure I didn’t use fantastico with this install.

    It is a bit worrying. There is nothing to stop it happening again.

    Can’t stop if you don’t know how it happened. He might have cracked into mysql. Perhaps a plugin let him in.

    I would ask that you have your account moved to another server. Perhaps that one was already compromised, or perhaps it now has a compromise left behind.

    Your blog was hacked? That sucks.

    Just thought I’d mention this in case anyone’s interested, that little bit of Arabic seems to be saying;

    Hmood Loves Me

    I’m pretty sure that’s what it’s saying even though the person has misspelled the words.

    I was hacked 13 times in a row.

    they used an index.php file with the following code:

    $surl_autofill_include = TRUE; //If TRUE then search variables with descriptors (URLs) and save it in SURL.


    the fellow even created an email and altered my cPanel email address… I suspect he came through the WordPress On Demand Backup Plugin.

    Any ideas?

    Why would you suspect that plugin was the culprit?

    I mean, without logs to trace anything, the attacker could have compromised the server and gotten at you via a PHP hack. I’m not disagreeing with you, but I’d be interested in how you figured it out.

    i have 5 wordpress blogs running on my server, the only blog that was hacked was the one with the plug-in activated.

    i experimented with switching the plug-in off, and activating it on another one, and sure enough, the one with the plug-in activated was hacked.

    so, ya, i must say i found out the hard way.

    Dear RyuMaou:

    Someone else made the same observation:

    Do you mind sharing what version of the plugin you’re using? It is the one from skippy dot net, right?

    I’m asking because I’ve had some problems in the past with someone hitting my site via a PHP injection attack of some kind and, while I “fixed” the problem, I never did figure out how they were doing it. (In my case, I adjusted the directory permissions on the blog directories and that shut down the attacker.)


    it’s the one that came with the standard installation of wordpress 2.0.4

    which directory did you alter permission? may i ask?

Viewing 15 replies - 1 through 15 (of 17 total)
  • The topic ‘My WordPress Hacked’ is closed to new replies.