The More-Frustrating-Than-Nasty WordPress Exploit

If you are a WordPress user, beware – there is a nasty exploit on the loose. It occurred on this very site and on another one I created as well. After detailed study along with my hosting provider, it looks like a MySQL injection. And that is pretty plausible – both sites had 4-character dictionary-word MySQL passwords, because of me being stupid and forgetting to change those after deployment.

What the exploit does is alter your posts, adding random hidden containers that include links to various sites.

As far as I understand it, it tries to game PageRank and boost the SEO of those sites. Containers are randomly generated and placed at random spots within post content. Most commonly you will find them at the bottom, but also amid lists, paragraphs and everything else. They generally look like this:

<p style="display:none"><a href="http://lavamp3.com/buy_mp3_album1609846/N-P-G-/Gold-nigga.html">N.P.G. Gold nigga download</a></p>

<div style="display:none"><a href="http://johnquiggin.com?sweat">sweat.mp3</a></div>

<p style="display:none"><a href="http://lavamp3.com/buy_mp3_album2430365/Rex-Stout/Nw-46-A-Family-Affair.html">buy Nw 46 - A Family Affair mp3 album</a></p>

But it does not only affect post content; it also alters post dates, which results in posts being rearranged and some of them being scheduled for publishing in the coming weeks or months. And that’s how you will know you’ve been hit. As soon as you see your front page posts shuffled, you should know you are pwned.

But that’s not the worst part yet. You will soon find out the inevitable – you need to go through all your posts and clean up the injected code by hand. Unless, of course, you can come up with some ingenious tool that does it for you. I got totally frustrated having to clean like 40 posts, so I can’t even imagine the amount of fury one will develop if they need to go through a couple hundred. I don’t even want to think about a thousand or more. But, hey, there is good news too – at least it seems it does not affect drafts.

So what should you do? First of all – see if you have got a recent database backup. Depending on the number of your posts, restoring it may save you hours or days. Even at the cost of a few recent posts and comments lost, it’s still worth it.

1. Change your MySQL database password to something brute-force resistant – use special characters, capital letters and numbers and make it at least 8 characters long. Do it now!
2. Change your admin password to something equally complex just in case.
3. If there are scheduled posts, reset them to draft so they won’t get published in the meantime.
4. If you don’t have a recent database backup, either dump your database and find an automated way to clean up every segment containing display:none (I think Dreamweaver’s advanced search and replace abilities might be used for that task, but I haven’t tried it), or start cleaning it yourself post by post.
5. Once you clean the mess up make sure to check on shuffled post dates. Unfortunately, you can’t revert to original dates, so you will have to improvise here.
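As an added example (not part of the original post, and not a tool the author used), here is the kind of automated clean-up step 4 asks for: it strips the hidden `<p style="display:none">` / `<div style="display:none">` containers shown above from post bodies and flags published posts whose date was pushed into the future (step 3). The rows are constructed sample data shaped like the WordPress wp_posts table; the link URLs are placeholders.

```python
import re
from datetime import datetime

# Matches the hidden <p>/<div> wrappers described in the post, whatever the
# attribute order or spacing around "display:none". The non-greedy body and
# the backreference to the tag name keep each match to a single container.
HIDDEN_CONTAINER = re.compile(
    r"<(p|div)\b[^>]*style\s*=\s*[\"'][^\"']*display\s*:\s*none[^\"']*[\"'][^>]*>"
    r".*?</\1\s*>",
    re.IGNORECASE | re.DOTALL,
)

def strip_hidden_containers(html):
    """Return (cleaned post body, number of containers removed)."""
    cleaned, count = HIDDEN_CONTAINER.subn("", html)
    return cleaned.strip(), count

def find_future_posts(posts, now):
    """IDs of published posts whose post_date was shuffled into the future."""
    return [p["ID"] for p in posts
            if p["post_status"] == "publish" and p["post_date"] > now]

def clean_posts(posts):
    """Map ID -> (cleaned body, removed count) for every post that changed.
    Does not touch the input; writing the bodies back is a separate step."""
    changed = {}
    for p in posts:
        body, n = strip_hidden_containers(p["post_content"])
        if n:
            changed[p["ID"]] = (body, n)
    return changed

# Constructed sample rows (not real data): one infected post, one clean one.
SAMPLE_POSTS = [
    {"ID": 1, "post_status": "publish", "post_date": datetime(2008, 3, 2),
     "post_content": "<p>Real paragraph.</p>\n"
                     "<p style=\"display:none\"><a href=\"http://example.invalid/a\">hidden</a></p>\n"
                     "<ul><li>one</li>"
                     "<div style=\"display:none\"><a href=\"http://example.invalid/b\">x.mp3</a></div>"
                     "<li>two</li></ul>"},
    {"ID": 2, "post_status": "publish", "post_date": datetime(2008, 4, 20),
     "post_content": "<p>Untouched post.</p>"},
]

if __name__ == "__main__":
    print(clean_posts(SAMPLE_POSTS))
    print(find_future_posts(SAMPLE_POSTS, datetime(2008, 3, 15)))
```

Dump the database first and run this against the dump, not the live table; the pattern only covers the container shapes shown in this post, so skim the result for anything it missed before writing bodies back.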

Good luck.
