Support » Fixing WordPress » Two WordPress sites hacked on 9/11

  • I manage two WordPress sites (, and yesterday I received notification from two different sources that each site was hacked and was hosting phishing attacks. The only common threads between the two sites is that both are running WordPress and both are managed by me. One site is owned by me and hosted on Zerolag while the other site is owned by someone else and hosted on GoDaddy.

    Both sites were updated to 3.2.1 shortly after that version was released as were the themes and plug-ins for each site. Somehow someone was able to place folder(s) into each sites wp-content/uploads subdirectory. The GoDaddy hosted site,, had one folder called “wassa” and a single file called “wassa.htm” that I was able to clean out myself. The attack on the Zerolag hosted site was much more involved, with a couple dozen folders, including one named “altem” added to my wp-content/uploads subdirectory and files distributed through my directories. The Zerolag people are working on that now.

    Is anyone else experiencing this?

Viewing 13 replies - 1 through 13 (of 13 total)
  • Moderator Ipstenu (Mika Epstein)


    Lead Plugin Wrangler

    The wassa hack is old (about 2006 I think).

    Change your passwords etc etc.

    We’re working on that now.

    I typed “wassa” when I meant “wasse”. The file folder they set up for this was named after the first five letters of the URL. I was just curious if this was part of a larger issue.

    Moderator Ipstenu (Mika Epstein)


    Lead Plugin Wrangler

    Aaaaand… off to check all my sites….

    Interesting. I was just going to come on here with an update. While my Zerolag based website is being cleaned up by Zerolag, I attempted to clean up my GoDaddy hosted site myself. When attempting to install a new plug-in, I found myself being redirected to, which quickly (I had to do a print screen to capture the URL) forwards me to I just checked my Zerolag site and it is not having this issue.


    Another interesting thing is that the Go Daddy control panel is trying to get me to “upgrade” to WordPress 3.1.3.

    Did you originally install via 1 click on godaddy, and then upgrade WP through WP?

    Godaddy doesn’t track that, so they think you are still on the version you installed. They only know if you upgrade, if you use their upgrade feature. If your sites are up to date, ignore the godaddy warning

    My godaddy install thinks I’m on version 2.2.1

    The original install was done through GoDaddy; subsequent updates have been through the WP control panel.

    After deleting anything that was created between 9/11 and 9/13, along with any of the legacy stuff on the server, I seem to have cleaned up my site, at least according to the scanner linked above.

    I found another thread on here from a week or two ago describing something very similar.

    I was beginning to think it was something coming from my computer, but now I’m not so sure.

    The fact that it happened at 2 different hosts does make that seem a possibility

    Don’t forget to change all your passwords

    DB (and thus in wp-config.php), ftp, hosting, wordpress

    I’m working on it now.

    It may be a bit late for you…. but in case you didn’t know, you can roll back files on godaddy for something like a month or so

    From the file manager area in hosting, there is a history tab

    You can roll back single or batch files/directories

    Good to know for the future. Fortunately the site hosted by GoDaddy is relatively new with only a handful of posts. My concern is my other site; which has more posts and would be more of an issue to rebuild, labor-wise.

    Moderator Ipstenu (Mika Epstein)


    Lead Plugin Wrangler

    Sweet donkey… Upgrade to version TWO!?

    *head desk* Poor GoDaddy.

Viewing 13 replies - 1 through 13 (of 13 total)
  • The topic ‘Two WordPress sites hacked on 9/11’ is closed to new replies.