Support » Fixing WordPress » WordPress 2.5 Hacked

  • I recently upgraded to 2.5 and this morning had my site hacked redirecting all readers to I am now trying to figure out the easiest way to recover. Any suggestions would be appreciated.

    Don Ray
    [sig moderated]

Viewing 15 replies - 16 through 30 (of 30 total)
  • Just remove the iframe code from end of file wp-config.php and files of your templates. I have just dome it.

    This has been traced at the Coppermine Photo Gallery forums as an exploit. See this link:,51671.0.html

    Do you have Coppermine installed on your websites? Or are you purely on WP?

    Our site has been hacked as well. I don’t have access to the files, though. We’ll have to wait until our webmaster gets on.

    And yes, the little iframes would redirect IE users to some trojans, I believe.

    Appears I had something similar happen to mine:

    Thus put in an iframe in one of my pages:

    ‘<!– Traffic Statistics –> <iframe
    src= width=1 height=1 frameborder=0></iframe> <!– End Traffic Statistics –>’

    More details here:

    @ravetildon, I had that exact iframe in a site using an older version of WP 2.2.1 or 2.2.2 which had a security error that allowed access to xmlrpc.php. The iframe code was in a page and a post–in this case a draft of a post—I deleted the codes but then came back to the site and found that the entire directory of wp-admin had been moved into the themes folder. I’ve since upgraded to 2.5.

    So check your directories for files and folders you didn’t create.
    It’s my opinion that the other folks in this thread who had this happen to WP 2.5 were hacked before they upgraded but just didn’t notice so it looked like they were hacked even with version 2.5.
    Just a theory.
    @muskogeerabbit: if you don’t use the default or classic themes in wp-content/ you can also delete wp-content/ and upload a fresh copy along with wp-admin/ and wp-includes/
    The only file you need to leave is config.php because that contains your database connection.Though you might want to paste in the line for the secret key because it isn’t in older versions of WP config.php.

    I hope your site is healthy again!

    My site did get hacked from the older version you mentioned. So I guess I missed the files…

    They know the IP address of a person who is doing redirecting or hacking wordpress, what will happen to him? What will happen to the person of the IP which is in Beijing, China?

    I got hacked too, apparently last night. have busy hi-profile site with 1000 visits per day. was on wp 2.5, which i had upgraded to a couple weeks ago. after hacking, just changed all passwords and deleted all old accounts. theme files i checked all appear okay, but hacker has made strange simple html file appear – with only one line that writes text referring to other website. only subset of wp database appears to have been hacked. main index file is still displaying correctly, but all 2000 posts appear in subdirectory which is now displaying hacker’s text.

    hacker was ZoRRoKiN, message posted on our site was:

    ZoRRoKiN – Ottoman-Empire.OrG

    I found the following code in three of my blog postings:

    <!– Traffic Statistics –> <iframe src= width=1 height=1 frameborder=0></iframe> <!– End Traffic Statistics –>

    I have deleted this code, blocked the subnet and changed my admin password.

    i’ve been hacked a few times. i keep hoping that by updating to the latest version of wordpress will solve my problems but it doesn’t. then i realised that the hacker had installed malicious code on my server after hacking my site, way back. all i was doing when i updated was updating the wordpress files but the malicious code was always still there so the hacker had an open door all the time, even though i had the latest version of wordpress running. i also realised that they had managed to somehow install code on my server which enabled them to send out spam email, some even using my email address as the sender! so beware, don’t be fooled into thinking that by updating to the latest version of wordpress, that your site is secure. you can read about my experiences here



    The culprit is not word-press, it is the poster. I had this happen to me and it was a malware on the computer I used to post the item. I know because it appeared only on the post I made through that computer.

    damn it same happened to me – only one posting was affected and it was one I wrote last week and left as a draft till yesterday.

    Any idea exactly how this happens? Server vunerability? Not convinced hack41 that its to do with malware – I tried adding 2 test post from both machines I would use to update the blog and neither came up with any malicious code.

    Since then I have removed unused plugins, made sure to updated all the ones I was using, reset password and user of the admin, turned of trackbacks and written to my hosting company to ask them what is going on. I will let you know what they say…if it is of interest.

    I suspect this is probably a permissions problem?…

    Here is something to look at: I suspect you will find that wordpress is not at fault, because wordpress never has issues like this! (yeah right).

    Meanwhile, check the following: Do you allow other users to make posts? Comments? Are you using the wordpress upload for images? Have you perhaps opened that directory up? Are you using a downloaded theme? Are any of your theme directories open (such that you could edit the files from the admin, example?).

    There are plenty of ways to insert that type of hack. For the most part, those are coming in via XMLRPC style edit attacks. If you are using 2.5 and not 2.5.1, you should upgrade.

    I just finished updating my site and installed a couple new pluginns and now i get a redirect… I can no longer get to the admin screen to remove modules… Who moderates modules?




    wordpress doesnt use modules – it uses plugins. and if by moderating, you mean “takes care of” or something like that, plugins are the the babies of whoever wrote the plugin.

    If you cant get to the wp-admin area to deactivate something than you can use your ftp client to reach the files via ftp and just delete the plugin.

    its the same as deactivating it.

Viewing 15 replies - 16 through 30 (of 30 total)
  • The topic ‘WordPress 2.5 Hacked’ is closed to new replies.