WordPress has recently come under attack from hackers exploiting the older versions of WordPress… I myself have been compromised!
If you are running an older version of WordPress (anything before version 2.8.4) please check your user panel: how many admins are showing? I have one admin; in the user panel it was only listing me, however above it showed “administrators (2)”.
It occurred to me that something may be wrong because in the past week 3 subscribers joined even though I don’t give this option on my blog.
To date, although WordPress have admitted there is a problem, I have been unable to find a definitive definition of a “fix”. I have however managed, after much deliberation, to delete the extra administrator. I deleted them like this:
I logged into my cPanel, selected ‘phpMyAdmin’, selected the database that my installation is using, selected users and then managed to delete the hidden user. However, I am still unsure whether there are other steps I should be taking. I will keep my eyes peeled and let everybody else know as I find out.
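The database check described above, written out as an added example (not part of the original post): these queries read the user list straight from the tables in phpMyAdmin’s SQL tab, so an account hidden from the Users page by injected JavaScript still shows up. It assumes the default “wp_” table prefix; if wp-config.php sets a different $table_prefix, change the table names and the meta_key accordingly.

```sql
-- Added example, not from the original post. Assumes the default "wp_" prefix;
-- adjust wp_users / wp_usermeta / wp_posts and 'wp_capabilities' if yours differs.

-- 1. Every account that holds the administrator role, taken from the database
--    rather than the Users page. Compare the row count with the
--    "administrators (N)" figure shown in the admin panel.
SELECT u.ID, u.user_login, u.user_email, u.user_registered,
       m.meta_value AS capabilities
FROM wp_users AS u
JOIN wp_usermeta AS m
  ON m.user_id = u.ID
 AND m.meta_key = 'wp_capabilities'
WHERE m.meta_value LIKE '%administrator%'
ORDER BY u.user_registered;

-- 2. Accounts created in the last 14 days, to check against the unexpected
--    subscriber sign-ups mentioned above.
SELECT ID, user_login, user_email, user_registered
FROM wp_users
WHERE user_registered > NOW() - INTERVAL 14 DAY
ORDER BY user_registered DESC;

-- 3. Published posts containing hidden markup or script tags, a starting point
--    for finding content inserted into old posts. Review each hit by hand;
--    legitimate posts can match these patterns too.
SELECT ID, post_title, post_modified
FROM wp_posts
WHERE post_status = 'publish'
  AND (post_content LIKE '%display:none%' OR post_content LIKE '%<script%')
ORDER BY post_modified DESC;
```

If query 1 returns more administrators than you created, note the ID before deleting the row so that any posts owned by that ID can be reassigned afterwards.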
As an extra step of security:
By default WordPress will name the administrator user account as “admin.” If you haven’t changed anything while installing WordPress, that is probably what you use to log in.
The problem with this is evident: if someone wanted to gain access to your blog, all he would need to do is keep using the “admin” user name with a bunch of password combinations. This is called a brute-force attack, and with automated tools it works quite often.
Whenever installing WordPress from scratch, therefore, remember to use some other name for the administrator user account. If you already have WordPress installed, the fix is quite simple. Just create a new user and set it as administrator. Then log in with that new user and delete the “admin” user. Don’t worry if you have many posts written by that user, WordPress will ask whether you want to delete them or re-assign them to a new user (choose the latter obviously).
This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.
The tactics are new, but the strategy is not. Where this particular worm messes up is in the “clean up” phase: it doesn’t hide itself well and the blogger notices that all his links are broken, which causes him to dig deeper and notice the extent of the damage.
I’m sure after this latest attack many bloggers will be looking for new blogging software, however I will remain on WordPress until things get too hot to handle.
September 15, 2009 at 9:49 pm
[…] I checked the Users page in WordPress and although there was only one administrator’s name and email listed, in brackets at the top it said there were two. […]