WordPress security checkup

If you aren’t using the latest version of WordPress, your blog might have been hacked. There’s an attack going on right now that creates and then hides administrator accounts.

You can see if this has happened on your blog by going to the Dashboard and then the Users panel. The number listed in parentheses after Administrators should match the number of actual admins that you have for the blog!

WP users panel

If that number is higher than the amount of admins for the blog, you probably have hidden users. You could try turning Javascript off in your browser to see those hidden users.

Then, delete them (if you can) from the panel. I didn’t try this myself, but I think it will work.

Or, you can use mysql or phpmyadmin to delete those users from your database. If you don’t remember how to connect to your database, look at the files in your wordpress folder and read the contents of wp-config.php. That will have the username and password and database host name. You might also need to look at the help or FAQ files for your web host.

In phpMyAdmin, you can find and delete the hidden users by connecting to your database, then browsing the users table. Check the boxes by the wp_users and the email fields (or just check all of them) and then click Browse again. This should show you a list of all the users on your blog.

This is what a row of user data should look like in phpMyAdmin:


This is what a “hidden user” account will look like. It’ll be a name that doesn’t show up in your WordPress Dashboard, and it won’t have an email address in that 5th field. Might be a good idea to delete these users right away.


I followed Lorelle’s instructions for how to recover from my WordPress blog being hacked. That worked fine:

* I did an xml export from the Dashboard and made sure I knew what that file was named and where I saved it.
* I did an sql dump of the whole blog (from the mysql command line, but you could do one from phpMyAdmin too) Just to make sure I would have everything, and so that I could do some forensics later on the contaminated db.
* Then I deleted that db, made a new db, and saved the information on how to log into it. You could also drop all the tables in the old one, I guess, and keep using it. While you could leave the old db there, it seems unwise.
* I deleted all the stuff in my wordpress folder on my server. If I’d thought, I would have saved a few custom banners and images first.
* I downloaded WordPress latest version, 2.8.4 and unzipped it, along with some themes and plugins.
* I then went to the url for my blog and told the install screen a blog name and my email address, and got a new admin password. Voila, new empty blog.
* Then, from the WordPress Dashboard, went to Manage and then Import. I imported the xml file as a WordPress import, with its attachments. This brought me all my pages, posts, comments, and so on.

A little tweaking and my blog was as good as new.

Total Crisis Panic Street Sign (While Danger is Eminent sometimes, I don’t think that’s what the signmaker meant!)

I think for your average user, who finds upgrading and installing a bit scary, this will seem even more scary. But it’s not bad at all. It just requires you to follow the steps, write down or cut and paste all the information you will need to keep track of:

– one set of info for your web host account
– one set for your sql database account and phpmyadmin
– the information for your blog itself, for the WordPress install
– where you’re saving the export file with your blog posts and comments!

In a pinch, if you really mess up in this process, you can get a backup and restore from your web host.

Now, even though I went through this process, I think that someone might potentially write a plugin or script to reveal and delete those hidden users. It might not catch all the modified data touched by those users, though. Spam may already have been inserted into your old posts, or some other havoc wreaked, which you could catch with Exploit Scanner or some other useful tool. The problem with this approach might be that there are multiple versions or exploits based on this security flaw and no one is sure yet if it’s modified core WordPress code or created some other exploitable security hole. So at this point, I think it’s best to do a clean install if you think you can manage it.

If you’re not sure, turn off Javascript in the browser, go to the Users panel, and delete the people who shouldn’t be admins — at least. And maybe there will be an easier fix in a few days — keep checking the WordPress development blog to see if it says something more useful than “OMG, you dumbass, why didn’t you upgrade right away, never, never, never do that again!” (Thanks… I know… thanks for the lecture, grumpy sysadmin…)

When I did this — and I had to, because “upgrade WordPress to latest version” was not #1 on my to do list, and a blog of mine got messed with — I had to re-install my plugins and go through the steps to re-create my blog. This goes to show that it’s a good idea to keep a worklog of all the things you’ve done to a blog, or a wiki or any sort of installation, so that you can recreate it from scratch! You can do this on your blog itself, by creating a section in your About page or somewhere else, listing the plugins you use, and when you’ve upgraded, and so on. It is especially useful to share this information a group blog where you might have more than one administrator. If you haven’t done this you could just be sure to do it next time and then write a really cranky blog post about how you don’t understand how anyone in the world could be so clueless. HA.

Good luck and here’s some more links on the subject!

WordPress Codex FAQ: My site was hacked
Old WordPress Version attack warning: please upgrade
Checking your WordPress security

Related posts: