Eeek! First off, let me say Thank God that I had the WordPress plugin “WordPress File Monitor” installed, because that is what alerted me to the problem. Note to Bart B if you are reading this, heehe, I am glad I wasted my time with that voodoo! 😉
So, I get an email today from the WordPress File Monitor (dated yesterday, I am slow) informing me that a bunch of files were uploaded to one of my other blogs in the “uploads” directory – which I had left with 777 permissions for easy photo uploading.
In the uploads directory, a file named “img1.php” was added, along with a fresh new directory named “2008” with a bunch of sitemap files. (note: I just started this blog in July of 2009, and I have no entries or uploads from 2008, so it was very fishy.)
So, of course my first thought is: am I going crazy? Did I somehow upload these files without knowing? At first I didn’t notice the .php file, so I thought only the 2008 sitemap files were added.
I contacted my host, and she assured me that it wasn’t anything too terrible, that it was an everyday, run-of-the-mill spammer. Sneaky spammers! She has seen this sort of thing many times.
She suggested I change my WordPress password and check the database for any extra users. I found no other user accounts, thankfully!
For future reference, I found two articles that list details on how to find and remove any hidden admin users:
http://blog.nachotech.com/?p=125
http://www.studionashvegas.com/wordpress/latest-wordpress-hack-check-your-permalinks-people/
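Looking in the database for extra admin accounts is exactly the check my host suggested, so here is an added example of that check (my own code, not from either article above). It assumes the default “wp_” table prefix and uses a constructed in-memory SQLite copy of the two tables so it runs offline; the SQL itself runs unchanged on MySQL.

```python
import sqlite3

# Constructed sample rows standing in for a WordPress database (default "wp_" prefix
# assumed). User 3 is a hidden admin of the sort the post mentions: it holds the
# administrator capability but has a blank display name and a whitespace login.
SAMPLE_USERS = [
    (1, "splashofstyle", "Site Owner", "owner@example.invalid"),
    (2, "reader01", "Reader", "reader@example.invalid"),
    (3, " ", "", "x@example.invalid"),
]
SAMPLE_USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]

# Roles live in wp_usermeta as a PHP-serialized array, hence the LIKE match.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.display_name, u.user_email
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.ID
"""

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,"
                 " display_name TEXT, user_email TEXT)")
    conn.execute("CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY,"
                 " user_id INTEGER, meta_key TEXT, meta_value TEXT)")
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?,?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO wp_usermeta (user_id, meta_key, meta_value)"
                     " VALUES (?,?,?)", SAMPLE_USERMETA)
    return conn

def list_admins(conn):
    """Every account with the administrator role, whether or not the Users screen shows it."""
    return conn.execute(ADMIN_QUERY).fetchall()

def suspicious_admins(conn, known_logins):
    """Admins you did not create, or whose login/display name is blank."""
    return [(uid, login, email) for uid, login, display, email in list_admins(conn)
            if not login.strip() or not display.strip() or login not in known_logins]

if __name__ == "__main__":
    for row in suspicious_admins(build_sample_db(), {"splashofstyle"}):
        print("unexpected administrator:", row)
```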
But now I am left puzzled on how they got in!
My WordPress admin password was pretty strong – 15 characters (numerals, upper- and lower-case letters) and I wasn’t using the default “admin” as my user name either. My host also suggested it might have been from “an exploit via a plugin that isn’t secured against arbitrary remote inclusion/retrieval”.
I am only running 4 plug-ins: Akismet, Hello Dolly, WP Security Scan, and WordPress File Monitor. I did also have the un-updated WordPress Exploit Scanner plug-in, but it was left de-activated. I have since removed it from the plugins folder.
I suppose since I don’t have a secure login, I imagine that possibly my password could have been bypassed? I dunno. I think I might install the Login Lockdown plugin – yeah, Bart more voodoo!
Well, anyway, I am going to really search through my files and make sure everything else is alright.
I found an article that might help me search through the database just in case the spammers attached anything to my posts.
Right now, it doesn’t look like much damage was done. But worst case scenario, I have database backups every night. I can always revert back to one of the older ones and re-create the newer entries I wrote, or I could even export my entries and install a fresh copy of WordPress. We’ll see.
So, be wary of your WordPress blogs! I dunno how they got into mine, but they did, and thankfully I was lucky and it wasn’t too painful!
PS. I took a look at the .php file they added, and one of the first lines of code was $language='ru' (aah, From Russia with love!) But anyway, here is some of the code from the file:
error_reporting(0); $language='ru'; $auth = 0; $name='abcdef1234567890abcdef1234567890'; $pass='abcdef1234567890abcdef1234567890'; @ini_restore("safe_mode"); @ini_restore("open_basedir"); @ini_restore("safe_mode_include_dir"); @ini_restore("safe_mode_exec_dir"); @ini_restore("disable_functions"); @ini_restore("allow_url_fopen"); @ini_set('error_log',NULL); @ini_set('log_errors',0);
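Since File Monitor is what caught this, here is an added example (my own, not part of the original post or the plugin) of the same kind of check done by hand: it walks an uploads directory and flags PHP scripts where only media should live, year folders older than the blog, world-writable directories (the 777 problem), and the error-silencing/ini_restore preamble quoted above. The directory tree it scans is constructed on the fly, so it runs offline; img1.php there contains only the quoted first lines, not the real file.

```python
import os
import re
import tempfile

# Indicators taken from the quoted img1.php preamble: silence errors, then try to
# undo PHP's safe_mode / open_basedir restrictions before doing anything else.
INDICATORS = [
    re.compile(r"error_reporting\s*\(\s*0\s*\)"),
    re.compile(r"ini_restore\s*\(\s*['\"](safe_mode|open_basedir|disable_functions)"),
]
SCRIPT_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}

def scan_uploads(uploads_dir, blog_start_year):
    """Return sorted (kind, relative_path) findings for a WordPress uploads tree."""
    findings = []
    for root, dirs, files in os.walk(uploads_dir):
        rel_root = os.path.relpath(root, uploads_dir)
        if os.name == "posix" and os.stat(root).st_mode & 0o002:
            findings.append(("world-writable-dir", rel_root))   # the 777 problem
        for d in dirs:
            # WordPress names upload folders by year; one before the blog existed is fishy
            if d.isdigit() and len(d) == 4 and int(d) < blog_start_year:
                findings.append(("odd-year-dir", os.path.normpath(os.path.join(rel_root, d))))
        for f in files:
            rel = os.path.normpath(os.path.join(rel_root, f))
            if os.path.splitext(f)[1].lower() in SCRIPT_EXTS:
                findings.append(("script-in-uploads", rel))   # no script belongs here
                with open(os.path.join(root, f), errors="replace") as fh:
                    head = fh.read(4096)   # the preamble sits in the first few lines
                if any(p.search(head) for p in INDICATORS):
                    findings.append(("shell-indicator", rel))
    return sorted(findings)

def build_sample_tree():
    """Constructed uploads tree mirroring what File Monitor reported (not the real files)."""
    base = tempfile.mkdtemp()
    for d in (os.path.join("2009", "07"), "2008"):
        os.makedirs(os.path.join(base, d))
    with open(os.path.join(base, "2009", "07", "mindy.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff")                            # legitimate photo stub
    with open(os.path.join(base, "2008", "sitemap1.xml"), "w") as fh:
        fh.write("<urlset/>")
    with open(os.path.join(base, "img1.php"), "w") as fh:    # only the quoted preamble
        fh.write("<?php error_reporting(0); $language='ru'; @ini_restore(\"safe_mode\");\n")
    os.chmod(base, 0o777)
    return base

if __name__ == "__main__":
    for kind, rel in scan_uploads(build_sample_tree(), 2009):
        print(f"{kind:20} {rel}")
```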
It’s been advised to change the default “admin” user name on WordPress installs, and it sounded like a great idea, until I tried to do it.
I found instructions, but details on how to actually edit the MySQL table were not explained. I tried to figure it out, but it just seemed too complicated.
The instructions over at guvnr.com were very helpful, but I didn’t want to start a new admin username, and delete the default user name, when I had so many older posts.
Well, I figured it out. WordPress allows you to move your posts, pages, etc to a different user! Yay!
Add a new user with Admin privileges.
Go to Edit Posts and select all posts on the first page.
Choose “Edit” from the Bulk Edit pull-down menu and hit the Apply button.
In the Bulk Edit editing area, choose your new user account from the Author pull-down menu.
And lastly, hit the “Apply” button.
Go through each page of posts and repeat.
Awesome! I love WordPress!
ETA: hahaa, okay, I admit I am a big dope. I went through the above steps on one of my WordPress blogs. After all posts were moved to the new user, it was time for me to delete my original admin user account.
I guess when you delete a user, WordPress asks you if you want to attribute all posts to a new user, and gives you the opportunity to do so.
Oh well, I guess you all can ignore this post! haha!
One last note: Just make sure before you delete that you are logged out of the original admin account and logged in to the new one. And for safety, BACK UP your database first!!! Just in case!
Slowly, I am working through all my WordPress blogs and trying to make them more secure. I have found several web site articles and WordPress plugins that have been very helpful.
http://wordpress.org/extend/plugins/exploit-scanner/ – WordPress Exploit Scanner – this one is a bit tricky: the version on the author’s web site is older (version 0.3) and has a legit MD5 checksum, but there doesn’t seem to be an MD5 checksum for version 0.4, which is the one that works with newer versions of WordPress, so I am not activating this until I can research further.
New blog article from Matt – UPGRADING is the only way to keep yourself safe!
I was having trouble with my WordPress admin login using Firefox; I would need to log in every time my browser window was closed or I exited Firefox. Strange, because one of my other WordPress blogs had no problems.
I cleared Firefox cookies, my cache, passwords, form data! Nothing seemed to work. I tried it on Safari, and same problem. Wouldn’t “remember me” and I would have to log in every time. So, I knew it wasn’t just a Firefox issue.
Then I found this post on the WordPress Support forum.
I had my Settings>General>WordPress Address set for “http://www.splashofstyle.com” with the “www” but whenever I tried to access the blog, (typing the address or from any of my bookmarks) I was using “http://splashofstyle.com” without the “www” – THAT was the problem; it didn’t match the WordPress Address setting, so it made me log in every time.
So, now I am consciously including the “www” whenever I access my WordPress Admin and it now remembers me every time. yay!
I knew setting a future publish date could be done in WordPress, but I never really had a need for it. But I decided to try it out on another WordPress blog and it works great!
On your ‘Add New Post’ page, in the right column, there will be an option to ‘publish immediately’, or you can click the ‘edit’ link to change the publish date. It’s also a good way to publish with a past date.
Change the publish date and click OK.
The new publish date is displayed. You can change it at any time by clicking the edit link. Hit the “schedule” button to update your post.
Eek, held my breath as I used the WordPress automatic updater. I have always updated manually using SFTP, but with the release of WordPress 2.7, there is now an option to auto-update.
I used the auto-update on another blog, and it was quick and painless, but with the Splash of Style site, I didn’t know if it would mess up my personally coded theme. And it looks like it worked seamlessly. phew.
For those that haven’t updated to WordPress 2.7, do it! It’s great!
I have a blog for my Rat Terrier dog, Mindy. But since we just added a new Rat Terrier to our family, I wanted to start a new blog with a new domain name. I didn’t want to lose all my original blog entries and comments, etc.
I thought I was going to have to import data from the old MySQL database, and that was kind of a scary thought. But it turns out it’s much easier than that.
In your original WordPress blog, click Export under Tools
Check out wordpress.tv – interesting!
The RC1 (release candidate #1) for WordPress 2.7 was released yesterday. Since it sounded like a fairly stable release, I installed it.
Boy, is this an amazing upgrade! I LOVE IT!
Just last week, I was wanting batch editing, and voilà! It’s here. I think that might be my favorite new feature. Oh, and I adore the “quick edit” too. Hmm, that could be my favorite as well.
There’s a list of new features (and a poll to vote for your fave) on the WordPress blog:
http://wordpress.org/development/2008/11/whats-your-favorite-thing-about-the-27-beta/
I really love this new release!!! whooo hoooo!
Edit: found this new cool feature in the Discussion (Other Comments) Settings:
And I wonder what the threaded comments are about. I wonder if that means you can reply to a specific comment author. I enabled it, and checked back here to see if there were changes. I don’t see anything. I will keep it disabled for now, and take a peek over at wordpress.com to find more answers.
For the past couple of days, I have been working with the trial for a cool lesson/tutorial building app called Screensteps. I am hoping that it will allow me to write tutorials much faster and easier.
It’s been a lot of trial and error, and lots of experimentation, but I am starting to really love this app.
This article really won’t interest anyone unless you are using Screensteps with WordPress, but I figured I would post it, just in case there were a few people out there that might be having the same problem I was having.
It wasn’t all love at first sight though, because I couldn’t figure out how to fix the annoyance of having multiple uploads of each image file.
The original image files were uploaded, and those were the files referenced in my blog article/lesson. But then there were extra files resized to 150 and 300 pixels. I tried removing the setting for maximum width in my template file. And I tried making sure that all images were not resized in my Screensteps lesson, keeping it at 100%. Nothing worked.
Then I realized. Wait, what about my WordPress blog settings? That was it! Hurray!
In WordPress Admin, click the "Settings" tab, then "Miscellaneous"
Since I don’t normally use files larger than 500 pixels wide and I don’t normally use thumbnail or medium images, I figured it was safe to change both settings to 500. Now when I export my Screensteps lesson, only one of each image file is uploaded. Just what I wanted!
If you are someone who loves creating tutorials or lessons, then you might be interested in Screensteps. Check out the 30-day trial and make sure to watch the Quick Intro (Long) screencast – and if you are interested in a purchase discount code, check out the Nosillacast podcast. She has a discount coupon code over on her web site sidebar. While you are there, take a listen to one of her shows. It’s the one podcast that I need to listen to every week. She is my favorite! In fact, I first learned about Screensteps from her show.