WordPress 2.5 Hacked

  • I recently upgraded to 2.5 and this morning had my site hacked redirecting all readers to I am now trying to figure out the easiest way to recover. Any suggestions would be appreciated.

    Don Ray
    [sig moderated]

Viewing 15 replies - 1 through 15 (of 30 total)
  • Don, the easiest way to redirect stuff is to edit your .htaccess file: has it been modified?
    Next, you can use a program like flashget to download the supposed entry page of your blog, see if it downloads something containing an iframe.
    Next, download all html files to your hard disk and search the string cdpuvhfzz to see if it may be present in one of your hacked files.

    And of course, change all your passwords, don’t note them in places easy to see, etcetera…

    Hi Sabinou. I will try what you suggest. My .htaccess has not been touched, but I don’t think my host used that any more. I remember they made a change to avoid using .htaccess

    If all else fails, ask your host to restore your site to the earliest backup. This, however, may pose a problem if you added a bunch of stuff to your site within the last couple days, yet their most recent backup is from last week.

    Good luck.

    Can anyone tell me if it is normal for the index.php module, in wp-content, to contain an iframe statement when a site is up and running? I know it doesn’t in the initial library. In other words, does WordPress use iframe itself?

    As with my question above, would the same iframe statement be in wp-config.php?

    The actual PHP file wp-content/index.php looks to simply be there to disallow directory browsing. The contents of this file (at least in 2.5) are simply:

    // Silence is golden.

    So there should be nothing else in that file…

    When I actually browse there in a web browser, it outputs the following HTML:

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <META http-equiv=Content-Type content="text/html; charset=windows-1252"></HEAD>

    No. It sounds like someone has been playing with your files…

    If you haven’t done much customization (or even if you have), you might want to download the version of the files on your webhost to your local machine. Then compare them to the local copy you had actually uploaded to the web host (you do have that right?). If you don’t, you can just download the WP2.5 zip again and extract it somewhere to compare.

    I’d suggest using something like (free) and just do a full directory compare. Then you’ll know if and what files have been changed from what WP delivers. If YOU didn’t make those changes… well there ya go.

    I have the original files for WP 2.5 and uploaded them to my host site. However, these two files are requested to be left alone during an upgrade and that is why I am asking the question.

    I downloaded these from my host to see what they looked like and both contain something like the following:

    <iframe src=”” width=1 height=1></iframe>’; ?><?php echo ‘<iframe src=”” width=1 height=1></iframe>’; ?>

    Aha. That displays different in the post than what it looked like. That is the problem!

    I just had this happen to my website and it’s horrible. My sites are hosted at and this happened before but the redirect was something as ugly. I called GoDaddy about this and simply put it off spending no time at all to research this problem. I ended up having to shut down 7 websites that were all experiencing the hacked code. It was some kind of trojan that collected data. I had thought the bad hack came from a malicious Russian programmer... hmm, but I don’t know still what the problem is. I have GoDaddy studying this problem again. We’ll see how great the security team is over there and will keep everyone posted as to what the heck this thing actually is…

    Two days ago my web suffered the same attack. I’m praising for not to receive any other…

    Is there any solution?

    Experienced a similar problem.

    Four different WordPress installations all on the same web space have been infected. PHP files contain inserted malicious code in the form of an iframe. Perhaps other insertions as well?

    The result is that various bits of functionality no longer work in the WordPress CMS, for example text editor tool bars, upload bar, etc. One of the WordPress sites isn’t even viewable from the front anymore!
    Desperately in need of a plugin that will rip out the malicious code?!
    Otherwise I’m going to have to download all the websites, strip out the malicious code by hand — which will take about eight years — then upload them again! (My web host doesn’t have backups of the files.)
    Can anyone help? A plugin? A script to replace the malicious code inserted in the name of or whoever wrote this hack – you are the scum of the earth.

    I stumbled across this on my website after I found Google was saying my site may harm my computer.
    My internet is a bit slow at the moment so got a friend to have a poke around and she found a virus being blocked from the above site. She only had this happen in IE though?
    It gave me something to search on anyhow, and I came across this thread.

    I ditched WordPress hoping that would fix it, but I found it had infected every PHP and HTML document on my website. I noticed that they had a different date to the rest of the files, so once I had that date I could track the infected files.
    I wiped my Coppermine gallery (too much to try to fix) and replaced all the HTML files with those on my hard drive.
    Not sure if it’s fixed the problem, might have to start fresh.

    Moderator Samuel Wood (Otto)

    (@otto42) Admin

    A lot of the time, these hacks are the result of bad permissions on files, allowing other users on the shared servers to write to them.

    Remember, you’re sharing a system with 60-80 other sites. If any of them gets hacked, you can be attacked through there as well.

    Permissions are important. Read more on how to harden your setup here:

  • The topic ‘WordPress 2.5 Hacked’ is closed to new replies.
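
The checks suggested across this thread (a full directory compare against a clean WordPress copy, a search for the injected 1x1 iframe, and a look at file permissions) can be combined in one pass. The script below is an added example, not code posted by anyone in the thread; the function names, the sample file contents and the placeholder.invalid URL are constructed for illustration.

```python
import hashlib, os, re, stat, tempfile
from pathlib import Path

# Heuristic: an <iframe> whose width or height is 0 or 1, as quoted in the thread.
TINY_IFRAME = re.compile(rb"<iframe\b[^>]*\b(?:width|height)\s*=\s*[\"']?[01]\b", re.I)
WEB_SUFFIXES = {".php", ".html", ".htm", ".js"}

def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit(site, clean):
    """Return {relative_path: [findings]} for every suspicious file under `site`."""
    site, clean = Path(site), Path(clean)
    report = {}
    for path in sorted(p for p in site.rglob("*") if p.is_file()):
        rel, findings = path.relative_to(site), []
        ref = clean / rel
        if not ref.is_file():
            findings.append("not in clean copy")        # e.g. wp-config.php, uploads, or a dropped file
        elif digest(ref) != digest(path):
            findings.append("differs from clean copy")
        if path.suffix.lower() in WEB_SUFFIXES and TINY_IFRAME.search(path.read_bytes()):
            findings.append("hidden iframe")
        if path.stat().st_mode & stat.S_IWOTH:           # writable by other users on a shared host
            findings.append("world-writable")
        if findings:
            report[rel.as_posix()] = findings
    return report

def demo():
    """Audit a constructed tampered tree against a constructed clean tree."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = Path(tmp, "clean"), Path(tmp, "site")
        for root in (clean, site):
            (root / "wp-content").mkdir(parents=True)
            (root / "index.php").write_text("<?php // front controller ?>\n")
            (root / "wp-content" / "index.php").write_text("<?php // Silence is golden. ?>\n")
        # Constructed tampering: injected iframe with a placeholder URL, plus loose permissions.
        bad = site / "wp-content" / "index.php"
        bad.write_text('<?php echo \'<iframe src="http://placeholder.invalid/" width=1 height=1></iframe>\'; ?>\n')
        (site / "wp-config.php").write_text("<?php // site-specific settings ?>\n")
        for f in site.rglob("*.php"):
            os.chmod(f, 0o644)                           # normalise, independent of umask
        os.chmod(bad, 0o666)
        return audit(site, clean)

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", ", ".join(findings))
```

Against a real site, call audit() with the downloaded copy of the webroot and a freshly extracted WordPress archive of the same version; files that legitimately have no reference copy (wp-config.php, themes, uploads) are reported as "not in clean copy" and need a manual look.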