[...] Jeff Freeman is nice, thanks. Although I’m linking to Raph’s blog for some reason. [...]

[...] read the advice from Jeff Freeman in the last post on [...]

http://luiscosio.com/0day-exploit-for-wordpress-211

Upgrading will fix it, but if you were already compromised then you should change your admin password, first thing. I’ll wait here.

Ok, done?

You might still be at risk due to code in your database. Upgrading beyond 2.1.1 will stop it happening again, but it won’t remove any code already in there.

The link you posted to Roberto Galoppini’s page explains what to look for and how to delete it… mind, your malicious code isn’t necessarily the same malicious code that he got, so you really have to look for “stuff like that” rather than that, exactly.

Last, check you footers.php file, too. Or heck, check all the theme’s files, why not?

That and a WP install should do you. I definitely recommend the “delete all existing files except content, then ftp the new versions files over.” You could set your ftp client to “always over-write” (probably it defaults to “only if newer”), but in the event a file was removed from the project between your old version and the new one, you don’t want it hanging-around doing nothing.

If deleting wp_header() from your header.php file was part of your solution, you’ll want to put that back in there. Lots of plugins won’t work or won’t work right unless it is there.

…

This assumes none of your plugins were the actual source of the vulnerability. Being paranoid, I’ll likely go through them all line by line. Probably just as effective would be to Google for the plugin name and ‘vulnerability’ or ‘SQL injection’ or maybe even “+plugin-name +header.php”.

But since 2.1.1 and under were vulnerable and your cached page on Google reports version 2.1 – seems unlikely your vulnerability was not WP itself.

Simple little things you can do to harden your WP install:

1. Delete your ‘admin’ user, if you haven’t already (make a new user with a secret user-name and admin rights first).

2. Edit your header.php where there’s a comment:

<!– leave this for stats please –>

… remove the WP version number it is asking you to leave, and add your own comment there:

<!– Sorry, but no –>

You need to not be hacked more than anyone needs to know which vulnerabilities you are offering to hackers (aka your version number).

Besides, providing data for stats or anything should be an opt-in affair, not opt-out requiring php editing. So there’s that reason to remove it even if removing it for security reasons feels sleezy.

I mean, that only works because it is an obfuscated opt-out affair, meaning lots of people would leave it even without the “please”, meaning your benefit comes at their expense.

This conclude my being on-topic.

It’s sort of how home security stickers on your windows provides security by making your house seem relatively less vulnerable than your neighbors’.

They always say, “Sure, no system provides absolute protection, but if Joe Sixpack had an alarm system sticker on his window, maybe the victim of this crime would have been the next house down the road.” They say that without any shame, admit boldly that their alarm system works because your neighbor doesn’t have one.

I always think, “How do they know Joe Sixpack’s home wasn’t the next one down the road?”

They can’t possibly believe the robbers will move on indefinitely, have already confessed their service relies on your neighbors’ exposure, yet every single time they’ll chastise Joe as though he did something stupid, when their security depends utterly on guys like Joe.

If he’d had a security system, maybe the next house would have been robbed, but then they’d just be saying the same thing about that home’s owner, eh?

Also I am suspicious of them never talking about all the people with security systems whom have not been robbed. That’s what you really want it to do, right? Ok, we get it, people without it get robbed… but that only implies the people with it do not. They never say that.

What’s up with that? Since when is sufficient such a claim as “Not using my product has proven to be ineffective at improving your girth and length.”?

END OF COMMUNICATION

http://wordpress.org/support/topic/138376

http://robertogaloppini.net/2007/12/12/wordpress-spam-injection-goro-hacked-my-blog/

http://gordon.dewis.ca/2008/01/06/expunging-the-wordpressnetin-spam-injection-hijack/

So far it has happened to us twice in the last week, and may have been part of why the blog was broken last weekend.