This post has nothing to do with personal finance, yet it may be important to many readers. Please ignore it if it doesn’t apply to you.

It’s 2:30 a.m. I just spent the last eight hours tracking down an insidious hack that had affected all of my WordPress blogs except for Get Rich Slowly. This hack redirected search traffic from Google (and other sources) away from my blogs to AnyResults.Net and similar sites. Direct links were not affected.

To tell if your blog has been hacked, clear your browser’s cookies. Go to Google and search for your blog. Follow a link. If you wind up at your site, you’re probably safe. If you wind up someplace else, you’ve been hacked. You are:

  • Losing traffic.
  • Losing revenue.
  • Possibly in danger of being delisted by Google.

Several of my sites were already running the latest version of WordPress (2.5.1) when they were hacked, but it may be that the vulnerability was introduced earlier. In each case, a file was planted on May 7th of this year.

I’m very tired and don’t have time to go into great detail, but I feel like I should get what I know out there for others to share and build upon. If you believe you’ve been affected by this problem, follow these steps.

  1. Back up your WordPress database.
  2. Download the latest version of WordPress.
  3. Check your header.php and your index.php for suspicious code. If you have something including a line like `if($ser=="1" && sizeof($_COOKIE)==0){ header("Location:`, delete the code. (It’ll be several lines.)
  4. Edit your WordPress database. If you don’t know how to do this, you’ll need to get help. (But not from me — sorry.) Specifically, you must:
    • In the wp_options table, find the active_plugins row and examine it (which may mean entering edit mode). You’ll see a list of your plugins, but one of the files won’t be right. It’ll be named something like “XXX_old.jpeg” where XXX is something arbitrary. Don’t edit anything here, but note the path to that file.
    • Using FTP, navigate to the path you just found. Delete the file.
    • From your WordPress admin panel, activate a plugin (any plugin). (You may have to deactivate and then reactivate a plugin.) This will clear the gunk from your active_plugins row.
    • While still in the wp_options table, find a row containing this string: “rss_f541b3abd05e7962fcab37737f40fad8”. Delete that row. (You will see several other similar strings. Do not delete them.)
    • Now edit the wp_users table. You’ll find a nameless user created at 00:00:00 on 0000-00-00. Note the userid, then delete the user.
    • Finally, edit your wp_usermeta table. You’ll find three rows associated with the userid of the invader you just deleted. Delete these three rows.
  5. Again via FTP, create an empty “index.html” file in your plugins directory. (This makes it more difficult for hackers to determine which plugins you’re running.)
  6. If you are not currently running WordPress 2.5.1, upgrade to this latest version (which you downloaded in step two). If you are already running WordPress 2.5.1, then use the fresh download to replace the file called “wp-blog-header.php”.
  7. Change your password.
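The indicators in the check above (the redirect only fires when the visitor has no cookies) and in steps 3 and 4 can be searched for mechanically. The script below is an added example written for this post, not code from WordPress or from the original article: it scans a theme file for the cookie-check redirect, parses the PHP-serialized active_plugins value for entries that are not .php files, and scans the database backup from step 1 for the bogus rss_f541b3… option row, the zero-dated user, and that user’s wp_usermeta rows. The sample header.php, active_plugins value, and SQL dump lines are constructed for illustration; the redirect target and plugin paths in them are placeholders.

```python
import re

# Indicators taken from the post: the cookie-check redirect planted in
# header.php/index.php, and the bogus option name planted in wp_options.
BOGUS_OPTION_NAME = "rss_f541b3abd05e7962fcab37737f40fad8"
REDIRECT_PATTERN = re.compile(
    r'\$ser\s*==\s*"1"\s*&&\s*sizeof\(\$_COOKIE\)\s*==\s*0.*header\(\s*"Location:'
)
# Row shapes in a mysqldump of a WordPress 2.5 database (wp_users id is the
# first column; wp_usermeta user_id is the second column).
USERS_INSERT = re.compile(r"INSERT INTO `wp_users` VALUES \((\d+),")
USERMETA_INSERT = re.compile(r"INSERT INTO `wp_usermeta` VALUES \(\d+,\s*(\d+),")


def find_redirect_injection(php_source):
    """Return 1-based line numbers that contain the step 3 redirect block."""
    return [n for n, line in enumerate(php_source.splitlines(), 1)
            if REDIRECT_PATTERN.search(line)]


def parse_php_string_array(serialized):
    """Parse a PHP-serialized array of strings, the format WordPress uses for
    active_plugins: a:N:{i:0;s:LEN:"value";...}. Lengths are PHP byte counts,
    so this assumes ASCII plugin paths (true for the case in the post)."""
    head = re.match(r"a:(\d+):\{", serialized)
    if not head:
        raise ValueError("not a serialized PHP array")
    count, pos, values = int(head.group(1)), head.end(), []
    for _ in range(count):
        key = re.compile(r"i:\d+;").match(serialized, pos)
        if not key:
            raise ValueError("expected integer key at offset %d" % pos)
        strhead = re.compile(r's:(\d+):"').match(serialized, key.end())
        if not strhead:
            raise ValueError("expected string at offset %d" % key.end())
        start = strhead.end()
        length = int(strhead.group(1))
        values.append(serialized[start:start + length])
        pos = start + length
        if serialized[pos:pos + 2] != '";':
            raise ValueError("string length mismatch at offset %d" % pos)
        pos += 2
    if serialized[pos:pos + 1] != "}":
        raise ValueError("unterminated array")
    return values


def suspicious_plugin_entries(serialized_active_plugins):
    """Step 4, first bullet: active_plugins entries that are not .php files
    (the post's example was a file named like XXX_old.jpeg)."""
    return [p for p in parse_php_string_array(serialized_active_plugins)
            if not p.lower().endswith(".php")]


def scan_sql_dump(dump_text):
    """Step 4, remaining bullets: find the bogus option row, users created at
    0000-00-00 00:00:00, and how many wp_usermeta rows belong to each."""
    bogus_option, zero_date_users, usermeta_counts = False, [], {}
    for line in dump_text.splitlines():
        if "`wp_options`" in line and BOGUS_OPTION_NAME in line:
            bogus_option = True
        m = USERS_INSERT.match(line)
        if m and "'0000-00-00 00:00:00'" in line:
            zero_date_users.append(int(m.group(1)))
        m = USERMETA_INSERT.match(line)
        if m:
            uid = int(m.group(1))
            usermeta_counts[uid] = usermeta_counts.get(uid, 0) + 1
    return {
        "bogus_option": bogus_option,
        "zero_date_users": zero_date_users,
        "usermeta_rows_of_zero_date_users": {u: usermeta_counts.get(u, 0)
                                            for u in zero_date_users},
    }


# Constructed samples (not real data): a planted header.php, a poisoned
# active_plugins value, and the relevant lines of a database backup.
SAMPLE_HEADER_PHP = """<?php
$ser = "1";
if($ser=="1" && sizeof($_COOKIE)==0){ header("Location: http://redirect-target.invalid/"); exit; }
?>
<!DOCTYPE html>
"""
SAMPLE_ACTIVE_PLUGINS = ('a:3:{i:0;s:19:"akismet/akismet.php";'
                         'i:1;s:23:"../uploads/zxq_old.jpeg";'
                         'i:2;s:21:"hello-dolly/hello.php";}')
SAMPLE_SQL_DUMP = """INSERT INTO `wp_options` VALUES (99,0,'rss_f541b3abd05e7962fcab37737f40fad8','a:0:{}','no');
INSERT INTO `wp_options` VALUES (100,0,'rss_0123456789abcdef0123456789abcdef','a:0:{}','no');
INSERT INTO `wp_users` VALUES (1,'admin','x','admin','owner@example.invalid','','2008-01-15 10:00:00','',0,'admin');
INSERT INTO `wp_users` VALUES (7,'','','','','','0000-00-00 00:00:00','',0,'');
INSERT INTO `wp_usermeta` VALUES (30, 7, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
INSERT INTO `wp_usermeta` VALUES (31, 7, 'wp_user_level', '10');
INSERT INTO `wp_usermeta` VALUES (32, 7, 'rich_editing', 'true');
"""

if __name__ == "__main__":
    print("redirect on lines:", find_redirect_injection(SAMPLE_HEADER_PHP))
    print("bad plugin entries:", suspicious_plugin_entries(SAMPLE_ACTIVE_PLUGINS))
    print("dump findings:", scan_sql_dump(SAMPLE_SQL_DUMP))
```

Run it against your own files by reading header.php, the active_plugins option value (copied from phpMyAdmin or `SELECT option_value FROM wp_options WHERE option_name='active_plugins'`), and the backup from step 1 into the three functions. The active_plugins parser checks the declared string lengths, so a value that has been hand-edited into an inconsistent state raises an error instead of silently returning partial results, which is itself a sign the row needs to be reset by reactivating a plugin as step 4 describes.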

I’m not convinced that this will take care of everything. There may be other crap inserted into the database or scattered in various directories. But this will deal with the immediate problem. (Actually, just replacing wp-blog-header.php probably removes the problem, though it leaves all the malicious stuff behind.)

I realize that this has nothing whatsoever to do with personal finance, but it’s important, and there’s very little information out there about this exploit right now.

Many thanks to Nickel, who discovered this problem yesterday, and who helped me with troubleshooting tonight.