My WordPress has been hacked

  • I’m running a blog using WP 2.0 and about 10 days ago, I went over my monthly bandwidth limit for the first ever time. I have a 7 gig limit, and running a small hardly-read blog, I’ve never even got close to that before.

    So now it’s the start of a new month, and I checked my cPanel logs to find out what used up all that bandwidth. I found this:


    I googled xpersia.php and I still have no idea what it is. Some kind of Iranian porn thing?! Whatever it is, it used virtually all of my bandwidth in the space of four days last month and I most certainly did not put it there.

    My question: Does anyone know what the hell it is? More importantly: How do I ensure I get it all off my server? Will I mess anything up by just going in via FTP and deleting all the contents of the cache folder?

    Is there any way of telling if there’s any other nasty stuff on my server?

Viewing 4 replies - 1 through 4 (of 4 total)
  • whooami



    Oh the joys of responding to someone that hasn’t heeded security issues.

    Honestly, who cares what it is. Your site was exploited.

    Notify your host. Delete the files. Change your passwords. UPGRADE your wordpress. Make sure any other software you are using is current as well.

    Don’t use crappy wide open file permissions. Obviously, they were able to write to your cache directory, so the permissions on that were world writable.

    You can’t combine permissions like that with an exploitable web app — the results are obvious.

    Lastly, pay attention. Look at your dashboard occasionally. Rummage around your site using an FTP client sometimes. Treat your web site like it’s your virtual house.

    Yes, I should have paid more attention. I know. I’ve informed my host, and deleted the script.

    Obviously it was my file permissions, but I’m not an expert, and obviously changed something I shouldn’t have. Could you recommend a good guide for dealing with permissions in WP?

    I found this, but I’m still confused:

    Says things like “all files should be writable only by your user account” but what chmod is that? 600? 644? I presume I’m “user”, but what’s the difference between “group” and “others”?




    UGO = user/group/other

    You are the user, you are in a group, others is everyone, including you, including your group, including those that aren’t you, and aren’t in your group, aka everyone.

    755 =

    7 for User
    5 for Group
    5 for Other

    writable only by you is 600

    a decent explanation of the different octets is here:

    If that’s unbearable just Google “linux permissions”
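
The octal modes explained above, as an added example that is not part of the original thread: a POSIX shell script that decodes a mode such as 755 and lists world-writable or recently changed files under a web root. The function names and the 14-day window are assumptions made for illustration, and it needs shell access to the server.

```shell
#!/bin/sh
# Added example: permission audit for a web root (all names are illustrative).

# Decode a three-digit octal mode such as 755 into rwx flags per class.
explain_mode() {
    case $1 in [0-7][0-7][0-7]) ;; *) echo "usage: explain_mode NNN" >&2; return 2 ;; esac
    rest=$1 out=""
    for who in user group other; do
        digit=${rest%"${rest#?}"}      # first remaining digit
        rest=${rest#?}
        r=-; w=-; x=-
        if [ $((digit & 4)) -ne 0 ]; then r=r; fi   # 4 = read
        if [ $((digit & 2)) -ne 0 ]; then w=w; fi   # 2 = write
        if [ $((digit & 1)) -ne 0 ]; then x=x; fi   # 1 = execute
        out="$out${out:+ }$who=$r$w$x"
    done
    printf '%s\n' "$out"
}

# List everything under DIR that "other" may write to (symlinks skipped,
# since their own mode bits are not what the kernel checks).
find_world_writable() {
    find "$1" ! -type l -perm -0002 -print | sort
}

# Remove the world-write bit from every entry found above; prints the count fixed.
strip_world_write() {
    n=$(find_world_writable "$1" | wc -l)
    find "$1" ! -type l -perm -0002 -exec chmod o-w {} +
    echo $((n))
}

# List regular files changed in the last DAYS days, to review after a compromise.
recently_changed() {
    find "$1" -type f -mtime "-$2" -print | sort
}

# Run as: sh audit.sh /path/to/webroot
if [ "$#" -ge 1 ]; then
    echo "World-writable entries:";  find_world_writable "$1"
    echo "Changed in last 14 days:"; recently_changed "$1" 14
fi
```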

    Okay, whooami, here’s the newbie again with another “stupid” question:

    Do my files have to be writable to get the plug-ins to work? I have several plug-ins that don’t seem to be working, so I changed the sidebar permissions to 666. Should they be 600?
    In that panel where you can edit your theme, below the place where the code shows is the notation, “if this were writable, you could edit this.” I do want to do a little editing. What should the permission be changed to? Does “me” include my plug-ins?
