Support » Fixing WordPress » Repeated sucessfull sql injection hacks

  • Hi

    I’ve got a blog running wordpress 2.3.3 (upgraded a few days ago).
    Over the last week or so, i’ve being suffering repeated sql injection attacks that dump a few hundred hidden (incredibly) dodgy html links in all my posts.

    I’m not sure how they’re doing this, (or how I can stop them doing it).

    It’s a hosted environment (, that I’m 99% certain hasn’t been compromised, so I’m (guessing) it’s sql injection.

    I have:
    – reset all my passwords (both to shell and to blog)
    – deleted xmlrc.php
    – upgraded to wordpress 2.3.3
    – disabled comments and registration.
    – checked that I am the one and only record in wp_users table.

    I’ve removed the links about 4 or 5 times but they keep getting re-inserted so apparently all that I’ve done is not enough.

    The only thing I’ve found somewhat effective is to restore the wp_posts table from backup every 5 minutes (via cronjob), but that’s obviously not a viable long term solution.

    Any one got any idea’s what else I could do to stop this?

    Dave Smylie

Viewing 11 replies - 1 through 11 (of 11 total)
  • maybe its a vulnerable plugin youre using? try turning them off and seeing if they fixes it.




    disabling a plugin with a vulnerability does nothing to stop the plugin from being vulnerable.

    The OP isnt running that many plugins anyway.. if we are talking about the blog in your profile, Dave.

    I have a suggestion.. if you drop me an email, Ill happily share it with you privately.

    whoo (((AT)))


    What do you mean by “repeated sql injection attacks that dump a few hundred hidden (incredibly) dodgy html links in all my posts.”? Do you mean that you get spam links only in the source code or you actually get spam comments automatically posted in articles?

    Content of your wp-includes folder is viewable to anyone. wp-content/themes/ and wp-content/plugins/ are open as well.




    Content of your wp-includes folder is viewable to anyone.

    yes and that doesnt mean jack. The contents being visible is a MINOR issue, and doesnt make or break ANY SQL injection attacks. In fact, anyone with a 1/4 of a brain can download WP and know exactly what is inside that folder. It being viewable, is, frankly, trivial.

    The same thing for themes.. pretty much.

    Arguably, being able to browse the plugins directory is an issue. Especially, if you happen to be using a plugin that is known to be insecure.. but guess what, macsoft.. the vast majority of injection attempts .. theyre not coming from ppl that have previously poked around on your site and know what you have on it.

    I get thousands of RFI attempts a week. Nary a one of them has actually ever been directed at a plugin that I have on my site. Not one.

    Do your homework, install mod_security, and watch your mod_sec logs. I look at mine every day.


    Sorry. Ignore the statement that I made. I prefer to ignore the idiot.




    yeah, Im the idiot.

    1. I dont post “crap” to my site for googlejuice, and then spam it on here, to get more googljuice.

    2. I actually help ppl privately for their good, not my own.

    3. I have 12 years of experience on the web, four plus of it with WP

    How many times have you been mentioned on a WP developer’s blog, macsoft?

    Im calling a spade the way I see it..

    You, for all your professing to want fight spam, for such a small posting history on this forum, have four arguably questionable threads that you started.. all of which, while informative, are in fact, spam, by their very nature of being posted here.


    The links are inserted into the body of the posts in the wp_posts table and are ‘hidden’ from view via css.

    I can dig out a backup of the hacked db and post a sample if you’d like?

    Thanks everyone for the quick feedback =)


    I’ve removed privs from themes/ and plugins/ – the permissions were what came from the wordpress.tar.gz so presumably they’re the defaults and (hopefully?) safe…

    I’ve also disabled plugins (apart from the wordpress stats one).

    I hope some of this has some effect =)


    What ‘da?

    I prefer to ignore the idiot


    c.1300, “person so mentally deficient as to be incapable of ordinary reasoning,” from O.Fr. idiote “uneducated or ignorant person,” from L. idiota “ordinary person, layman,” in L.L. “uneducated or ignorant person,” from Gk. idiotes “layman, person lacking professional skill,” lit. “private person,” used patronizingly for “ignorant person,” from idios “one’s own” (see idiom).

    I’m not defending anyone, and do not know Whoo personally, however I do not think any advice I have ever received from, nor read about, from Whooami has ever met the above criteria nor justifies any side-saddled, barely transparent “zingers”. (Poorly executed play of words on her URI noted and dismissed).

    In fact, I perceive her occasional curtness and unusually high rate of pinpoint accuracy as a sign of due diligence and practical experience.

    Regardless of any hubris afforded to us by our personal PHD’s, let’s face it… some people just know their shite.

    (kicks soapbox into the crowd and pops another cold one).

    Yeah, baby. ‘come ‘git some… Just havin’ fun, everyone. No need for the po-lice.

    Just my 2 cents. 🙂




    heh, thanks 😉 You actually “get” me.

Viewing 11 replies - 1 through 11 (of 11 total)
  • The topic ‘Repeated sucessfull sql injection hacks’ is closed to new replies.