Security Hole in 2.0.3?

  • I got an email from Google on Thursday indicating that my site (a WordPress blog) contained hidden offending terms (about buying drugs) and that I would be removed from Google’s listings.

    Some evildoer injected this code, and similar code, into the Start Title Head Bar section of each post, just before the legitimate code:


    [click VIEW SOURCE in IE if you don’t see the code]

    Looking at my site the day after Google and Yahoo spidered and cached it with the bad code, NONE of the offending code was there.

    I call this a drive-by hack job. A quick injection, then they removed it, but again, it was long enough to get into the search engines.

    I just upgraded to 2.3.1. I do NOT believe my password was compromised, but rather some security flaw was taken advantage of. Any ideas? Any sense this cannot happen in 2.3.1?


Viewing 1 replies (of 1 total)
  • There is an exploit that allows you to get the admin hash in 2.0.6 and lower.
    WordPress automated passwords get cracked very fast, so probably your password was compromised; you should change it.

    Also, I’ve noticed in PHP-Nuke that there are some themes that add hidden links. This is also possible in WordPress, so you should be careful when downloading themes as well.

    Excuse my English.
    Best regards.
