About Andrew Wee
Andrew Wee | Blogging | Affiliate Marketing | Social Traffic Generation | Internet Marketing

BizExcellerated Internet Marketing: Achieve mastery in blogging, affiliate marketing, social traffic generation at Andrew Wee

URGENT: If Your WordPress Blog is Acting Strangely, Follow These Steps

I checked my blog and the URLs looked malformed, with the following structure: http://www.whoisandrewwee.com/2009/09/03/unlocking-unconventional-traffic-sources-for-affiliate-campaigns/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/#comment-506929

If you notice something similar or weird with your WordPress blog, you might want to take the following steps:

  • Check the “users” tab from the WP admin interface
  • Remove any unfamiliar users, esp those marked as “administrator”
  • To prevent users from registering, I’d go as far as to remove wp-register.php (keep a backup and FTP it back in if you have problems)
  • Check all of WordPress’ PHP scripts, remove global “execute” privileges

Once you’ve secured the perimeter, look at the “Settings” and “permalinks” tab.

If you see some weird stuff like “%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/#comment-506929″, you’d want to clear that, and replace it with your original permalink structure, or look it up on the WordPress codex.

You can also check out this other blog post for more details.

Note: this issue seems to be affecting WordPress 2.6.x. Not sure to what extent it’s affecting version 2.8.x.

UPDATE: Matt Mullenweg from the WordPress development team has posted about the security issues if you’re using an older version of WordPress. Here’s a WP support forum write up about what might be happening.

You might want to upgrade to a newer version of WordPress. Just take note that some of your plugins/themes might not work if the developer hasn’t updated the plugin for compliance with the newest version.

24 comments on URGENT: If Your WordPress Blog is Acting Strangely, Follow These Steps

  1. BrianB
    September 5, 2009 at 3:22 am (6 years ago)

    We got it, too. Is this a world wide problem? I googled the change script and it seems a few similar problems have popped out recently.

  2. Andrea_R
    September 5, 2009 at 4:00 am (6 years ago)

    Thanks for this post – we’ve seen it three times today, not sure what versions were running.

  3. mougela
    September 5, 2009 at 4:35 am (6 years ago)

    Thank you, it helped me tonight !! :)

  4. Mr Woc
    September 5, 2009 at 5:09 am (6 years ago)

    Hi there

    Many thanks for this information, I was at my wits end trying to resolve this lol, I think mine occured because of installing the seo plugin pack, but doing what you said on this post worked fine !


  5. Edward Mills
    September 5, 2009 at 5:37 am (6 years ago)

    They got me. Thanks for the info on how to clean it up. Wasn’t as cut and dried as you made it sound… had some trouble with my htaccess file. But it’s all good now!

  6. KirstyM
    September 5, 2009 at 6:12 am (6 years ago)

    Thanks so much Andrew, my blog was also similarly affected and I’ve followed your instructions to fix the issue. I’d have been completely stumped without this post.

    Wonder if they’re targeting online marketers, the rotters?!

  7. KirstyM
    September 5, 2009 at 7:20 am (6 years ago)

    Andrew – a colleague also affected has just told me that most people affected will also have had a new admin inserted directly into their SQL database that doesn’t show up in WordPress interface.

    I found this had been placed into my SQL db, it has obviously been stored for later foul internet deeds to be performed…

  8. Andrew Wee
    September 5, 2009 at 8:49 am (6 years ago)

    Hi Kirsty,
    Thanks for that. I’ll drop a note to my server admin.

    For those who’re using fantastico/cPanel, it should be an easy fix from the “mySQL database” or “phpMyAdmin” consoles.

  9. Luke Rumley
    September 5, 2009 at 1:28 pm (6 years ago)

    Lots more going on beneath the surface! Permalinks and hidden admin users! This blog post worked for me to clean house: http://blog.nachotech.com/?p=125

    I also renamed my xmlrpc.php and wp-register.php files as a stop-gap solution. It seems 2.8.4 blogs are safe so far. I am guessing 2.8.5 will be out ASAP to correct this is 2.8.4 doesn’t.

  10. Melayu
    September 5, 2009 at 1:43 pm (6 years ago)

    This post is very good for me.. i can get many tips and trick on this blog.. thank’s for u’r information my friend! this is my first time to visiting to your blog..

  11. Machja
    January 5, 2010 at 5:26 am (5 years ago)

    Thanks for your post! I just had the problem. :(

  12. Dire
    May 26, 2010 at 6:37 am (5 years ago)

    Thanx a lot! Really works!

  13. Erik
    March 10, 2011 at 3:51 am (4 years ago)

    This helps! Thank you! I was trying to figure out these problems the other day!

  14. doudoututu
    September 9, 2011 at 8:07 pm (4 years ago)

    I just could not depart your web website before suggesting that I really enjoyed the usual information a person offer on your visitors? Is going to be back continuously to check out new posts.

  15. jDxOeU
    January 5, 2013 at 8:20 am (2 years ago)

    wyXfmbFltkZ Isabel Marant Boots wgWfheLqdiT Isabel Marant Sneakers wrLqgbFmfgY http://www.isabelmarantbootsneakersz.com/
    wtZwblZmusV Hyperfuse 2012 wlMfdtUickH Nike Hyperdunk 2012 wdLyktLtsdX http://hyperdunk2012.weebly.com/
    wcXcjxOiklJ Jordans Retro Shoes wjRvobSorbZ New Jordan 2012 Shoes weKbnhRxtpP http://www.cheapjordanshoez.com/
    wbThhuDpzfN Jordan 11 wrHoosRelnH Jordan 11 Concord wsJydbWbbcZ http://www.jordan11concordbred.com/
    wqJbtqUajdR nike air penny 5 wpFtxnHaqcI air penny 5 wuSgfsRsmpF http://nikeairpenny5.weebly.com/
    wfGotlQbvcF nike air penny 5 whBmrjGaqzE penny 5 wkYwzxJeduA http://airpenny5s.com/
    wpZbohZfooW isabel marant boots wtDiywHnciX isabel marant sneakers wfEwllNzdpP http://isabelmarantsneakers2012z.weebly.com/
    waTsnmObquH Black Foamposites wtHuooKvfsO Foamposites For Sale woMojlLvsyN http://www.cheapfoampositez2013.com/

  16. pokemonxetyrom
    March 29, 2014 at 3:22 am (12 months ago)

    This helps! Thank you! I was trying to figure out these problems the other day!

  17. blood pressure medications
    July 28, 2014 at 5:36 pm (8 months ago)

    Wow, incredible weblog format! How long have you ever been blogging for?
    you made running a blog look easy. The total
    glance of your web site is excellent, as smartly
    as the content material!

  18. Cloud PBN Blackhat
    August 28, 2014 at 12:56 am (7 months ago)

    Hi there, just became alert to your blog through Google, and found that it’s really informative.
    I’m going to watch out for brussels. I will be
    grateful if you continue this in future. A lot of people will be benefited from your writing.


  19. weight loss with supplement
    September 16, 2014 at 4:43 pm (6 months ago)

    Useful info. Lucky me I found your web site by chance, and I’m stunned why this accident didn’t happened earlier!
    I bookmarked it.

  20. Teodoro
    October 2, 2014 at 11:51 am (6 months ago)

    Admiring the persistence you put into your website and
    in depth information you present. It’s good to come across a blog
    every once in a while that isn’t the same outdated
    rehashed material. Fantastic read! I’ve saved your site and I’m adding your RSS feeds to
    my Google account.

4 Pingbacks & Trackbacks on URGENT: If Your WordPress Blog is Acting Strangely, Follow These Steps

Leave a reply