WordPress and the worm

There's a worm going around that attacks WordPress blogs:

This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.

The way to prevent it is, according to WordPress, upgrade to version 2.8.4 of their software. Actually, version 2.8.3 is not susceptible to the worm. Not this one. But, if you have a WordPress blog running version older than 2.8.3, you are susceptible. And you could be infected. If you have a WordPress blog, and it's hosted at wordpress.com, then you're okay. This is only for WordPress installations on other hosts, and only for versions prior to 2.8.3 of WordPress. Within the last few hours, I found two blogs running older versions of WordPress that had been hit. Here's how to find out if your WordPress blog has been hit... Look at the list of users. Then click on Administrators. Then count them. Really. Does the number of Administrators match the count listed? If so, you've not been impacted. But, if the count doesn't match up, you've been hit. And that happened with a couple of blogs I've worked with. The counter said one number, and when I counted, I got another number. That meant there was a hidden administrator! How do you get rid of a hidden administrator? You have to find the bugger. And here's how. You're already on the Users page, and have clicked on Administrators, and found the count didn't match up. So, next, in your browser, view the source code. (On most browsers, you can right-click, and select View Source.) When it opens, scroll down past the HEAD into the BODY section. Now, start looking for JavaScript. You could try searching for: <div id="user_superuser"><script language="JavaScript"> At least, on both blogs (a version 2.6 and a version 2.8.2) that I found had been hit, that was the code that gave it away. That piece of JavaScript is what hides the rogue administrator. Just above it is the data about the hacker account. Look for the user number. That's the user number you need to remove. It may look something like this: <tr id='user-1234'> In this example, "1234" is the user number. Click on, say, the Admin user (usually, that's user number 1), and look at the URL (in the Address Bar). It's probably something like this: http://www.myblog.com/wp-admin/user-edit.php?user_id=1 Anything after the user number isn't needed. Remove it from the URL (Address Bar) and press enter. It should show the account information of the initial Admin account. Now, replace the "1" with the user number of the rogue administrator and press enter. This next is very, very important. Did an account you were unfamiliar with show up? If you know about the account, you've entered the wrong user number. Try again. If no account information is showing, you've entered the wrong number. Try again. But, if it's an account with which you were unfamiliar, you have the correct account. To get rid of it, you must make it display. To do that, you'll have to change one or more values. First, change the role to Subscriber. Next, change the email address. It doesn't matter what. Make something up. troll@myblog.com would be fine. Finally, change the password. Oh, and make a note of the Username. You'll need that later. Try to submit your changes (role, email, password) by clicking Update User. If an error occurs, note the field that you need to change, make all the other changes (role, email, password) and click Update User again. Keep it up for that account until you get the information changed. Now, go back to the Users page (where you see the list of all users), and look for the Username. If there are a lot of users, you may want to search for the Username (remember where I said make a note of it? now you know why). If you have WordPress 2.7 or later, you should be able to click Delete under the user name. If you have an earlier version, put a check next to the Username, then click Delete (at the top of the list). Finally, recheck your count of Administrator accounts. If the physical count matches the number shown, you should be okay. Now, let's be clear: This only removes the rogue administrator. It doesn't clean up any damage done by the rogue administrator. Fixing that is a pain. Also, until you upgrade to the latest version of WordPress, it can happen again. Nobody said blogging was easy.