Old WordPress version? Attack warning. Please upgrade!

September 4th, 2009
Blogging News, WordPress Security

Old WordPress Versions Under Attack: Older version of WordPress are being attacked and characters are being added to the permalinks. Sure signs of the attack include strange characters in your permalinks (single posts do not work) and an extra administrator account in the users control panel which you cannot see. Look for the administrator count in brackets at the top. Is the number there what you would expect on your blog?

Please upgrade your WordPress blog to the latest version ASAP. Our own PluginBlog was vulnerable and was compromised (shame on me for not having upgraded from a really old version). Our blog had registration turned off.

After upgrading your blog and changing your password to a strong one, you can visit Lorelle’s post to find more ways to secure your install and remove the extra admin account that might have been created as part of the attack.

I removed the extra administrator account through phpMyAdmin and it was the last account created. You could also find the last account created and if it does not look familiar, could delete it and see if the number of Administrators in the user control panel is reduced to the original amount you expect to see.




  1. Spencer (5 comments.) says:

    so for god’s sake how do you delete the user from Table: wp_enusers
    user nice name???
    i cant think of the sql code to delete the user as it is years since i used mysql and never knew much anyway i keep calling the table up browsing it and cant find a way to edit it? can you post the details of how to do this please/ i have been attacked on 3 wordpress sites already
    upgraded but when i click on admin the hidden user appers for one second and disappears again before i can edit it.

    • ket says:

      Do not abuse Buddhist monk image. What makes you so happy doing this? I’m getting real angry to see this.

      • Spencer (5 comments.) says:

        thats me in the picture i was a Buddhist monk
        i disrobed 2 months ago
        You should try not to get angry because the reason we are caught in realms of suffering is because we identify and react to the vedhanas (sensations, moods and reactional emotions) which occur when our perception and senses come into contact with conditioned phenomena – we create concepts and phenomena and name them (“Buddhist monk” – “charlatan”, “abuser”, “enemy” “War” “table” “KFC” are examples of some abstract conditioned thoughts), when we name them we “assume” that that is what they really are and our “avicca” (wrong thinking/understanding of those phenomena) causes us to react and identify with the reaction as our “mood”. Anger is suffering and an internal experience which does nothing more than cause you to enter into wrong action (Negative thought, speech, or physical actions).
        Why shoud tyou be angry at seeing a picture of me as a Buddhist monk? i practised the dhamma before i was one, and continue to practise and keep certain precepts now after my disrobing. You don”t need to wear yellow to make yourself a practitioner. The outer shell of a being says nothing really, and one’s inner thoughts and practise remains invisible to others.
        I am happy to have experienced time as a Bhikkhu in the Buddha sasana, and using the picture as my avatar does not mean to suggest i am a monk now.. the assumptions of others are unavoidable, and i do not suffer for them as we cannot control outer phenomena, only observe them

    • Sue Bailey (10 comments.) says:

      Spencer, if you’re browsing in PHPMyAdmin, you should see a red X beside the row you want to delete – just click it.

      Otherwise it’s
      DELETE FROM [users table name] WHERE ‘ID’ = xx
      DELETE FROM [usermeta table name] WHERE ‘user_ID’ = xx

      where xx is the user number.

      • Spencer (5 comments.) says:

        Thank you so much.. in the end i exported all the tables and inserts and then emptied all of them and reinserted them using sql as i was having trouble finding the username id with thousands of users
        Thanks for the info

    • Mark Ghosh (386 comments.) says:

      I think you were also asking how to identify the user in the table.

      Unless you are real familiar with MySql and phpMyAdmin, I strongly suggest against doing anything directly with the database.

      My suggestion for you is to disable javascript in your browser and then visit the user management control panel in your browser. Once you are there, click on the administrator heading with the count next to it near the top of the page. That should display the hidden admin. It would really help if you knew how many admins were on your site. But find the one that looks suspicious and make sure it is not the one you need. Then you can delete it just like any other user.

      • Spencer (5 comments.) says:

        oh so it was the javascript which was allowing the third admin from popping out of view after a second or so?
        i solcved it before i could try that but this is veru interesting info thank you i shall try that if i get the issue again as i have quite a few wordpress scripted sites and not all are updated yet.
        Nice piece of info this very useful

  2. Harsh Agrawal (8 comments.) says:

    Thanks for the info. Upgrading mine..

  3. Banago (84 comments.) says:

    Which versions of WP are vulnerable practically?

  4. Frederick (4 comments.) says:

    Is this the same thing that happened to Smashing Magazine?

  5. Jessi says:

    I’ve never understood why some people don’t upgrade. I mean, some say it’s because of plugins and I’ve heard others say that it’s because there are too many upgrades. IMO, if you take your blog seriously, then you would always make sure that you’re up-to-date.

    • John (5 comments.) says:

      My best excuse is that I’ve half-started too many sites and if I was in any way organized I would have them all up to date. But I guess you already covered that because the ones I take seriously are always on the latest version.

      Something else I’ve recovered from is fear that the latest version will be the one with the vulnerabilities since it is untested, etc… Nothing will be 100% secure but the latest one is usually the safest.

    • Victoria Greenz (1 comments.) says:

      If yor have one blog upgrading is not an issue. But upgrading 30 blogs is the pain in a.

      • Justin Tadlock (51 comments.) says:

        I made backups and upgraded 26 installs in the less than an hour for 2.8.4. That was one hour out of my life. It’s nothing compared to the pain and time lost if those installs were hacked because of not updating.

  6. Ryan (55 comments.) says:

    Your plugin competition blog was horrendously out of date (was running 2.5 or 2.6 I think), so not surprising it was attacked. What versions are these attacks affecting?

    • Mark Ghosh (386 comments.) says:

      I agree, it should have been upgraded.

      I have had various blogs at various versions get attacked and compromised. I don’t think the version numbers have been localized yet and waiting to find out is not a good POA.

  7. Rick says:

    Please tell us the nature of the attack so we can use our own judgement. I’m not upgrading just because of hyperbole.

    Why not upgrade? How do I know the new version doesn’t have even more security issues?

    Can’t I just lock the users table?

    • Mark Ghosh (386 comments.) says:

      Wouldn’t it be easier to just upgrade the blog than lock the users and users_meta tables? The attack adds certain encoded strings to your permalinks and also adds a hidden admin user to your blog. The encoded strings simply break your blog. The admin user could come back to do massive damage in the future.

  8. Rick says:

    No. It’s easier to take down WordPress until this is sorted. I need to make a backup, etc, etc.

    • Rick #2 says:

      Go take your sites down, they must not function in any way or make any money.

      Then try to crawl back up into your mom and hide.

  9. Mathdelane (1 comments.) says:

    It happened to me before and I’ve learned my lesson. Here’s my post about it if you may allow:

  10. DG says:

    Some wrong conceptions, it’s not only happening on older WordPress softwares, but the latest WordPress 2.8.1 are also heavily spammed with RFIs and spam query string injection in the URL. Resulting in tons of 404s, draining bandwidth & other resources.

    Wish some HTACCESS Guru come to rescue.

    • Rick #2 says:

      Or how about upgrade your version, and if you can’t or think a plugin will break the site then you need to learn what to do.

      Do you treat this as a business or a game ? Because a business would have plans setup for this type of stuff.

      Just like smashing magazine took care of the problem, it should be just that easy for everyone else.

      If you are a newbie then you need to re-evaluate what you are trying to do and maybe switch up your type of work.

    • gestroud says:

      Actually, the “latest WordPress” is 2.8.4.

      • DG says:

        Of course, it’s 2.8.4, it was typing error.

        @Rick #2, I’ve read all your comments. If your so experienced, why don’t you share your expertise with WordPress community to block these attacks, rather making insulting comments to fellow members.

  11. jonty (1 comments.) says:

    I left my WordPress installation at version 2.7 until last week when I found that somebody somehow managed to disable and delete the Askimet plugin.

    This let a whole bunch of spam comments onto the site until I upgraded WordPress and reinstalled the plugin.

  12. Musiker Freak (1 comments.) says:

    I really do not like upgrading WordPress I allways just did not like upgrading. Everytime I forgot to make an update – deleted something important and had to reinstall everything! Ok I am not that good with all this Stuff. I admit… But in this case I really should upgrade I think I have to give it another try!

  13. Sharif (2 comments.) says:

    Thanks for this info.

  14. Spencer (5 comments.) says:

    i have discovered that some wordpress pkkugins are built by clever dicks who insert some naughty things in there too.. one of them is an adsense module (i thinc called easy adsense) – once you insert your ads with the easy ad code into your posts, the script takes the plugin maker’s adsense ads and serves about three of his to your one!
    anothert plugin i had once put some code into the index page which caused your newsfeed to be changed to come from another domain of his somehow all the news was rewritten and fed into his newsfeed and his ads appearing.. stealing use of your content so to speak .. be careful with plugins only use trusted and well rated ones!

  15. David D (1 comments.) says:

    I’m amazed how many web sites built by web design firms using WordPress still aren’t updated. Sigh.


  1. […] administrator count in brackets at the top. Is the number there what you would expect on your blog? (Read More) Old WordPress Versions Under Attack. Otto42 of OttoDestruct, a key WordPress developer and […]

  2. […] Old WordPress version? Attack warning. Please upgrade! Older version of WordPress are being attacked and characters are being added to the permalinks. Sure signs of the attack include strange characters in your permalinks (single posts do not work) and an extra administrator account in the users control panel which you cannot see. Look for the administrator count in brackets at the top. Is the number there what you would expect on your blog? […]

  3. Upgrade your WordPress sites NOW!…

    Older versions of WordPress are being attacked!  You should upgrade to the latest version immediately.  The newest version is not susceptible to the type of attacks that are occurring.   Read about the attacks and what you should do if you’ve alr…

  4. […] Shared Weblog Tools Collection: Old WordPress version? Attack warning. Please upgrade!. […]

  5. […] already heard that sites running out-of-date versions of WordPress have been under attack (Lorelle, Weblog Tools Collection, WordPress Dev Blog). Of course, sites running the latest version of the software seem to be safe, […]

  6. […] you are running an earlier version it is definitely time to upgrade—older WordPress versions are now under attack. Thousands of blogs have been hit already—all earlier versions before 2.84  […]

  7. […] Seitenbesitzer kleinlaut zugeben, noch immer eine ältere Versionen von WordPress benutzt zu haben (, Ob es nun ein Wurm ist oder ob es gezielte Einbrüche sind kann ich nicht […]

  8. […] Some developers Offers Help (he himself need help now ).  Some others Screaming to upgrade “after get hacked”  and a “LOT […]

Obviously Powered by WordPress. © 2003-2013

page counter