You may have already heard that sites running out-of-date versions of WordPress have been under attack (Lorelle, Weblog Tools Collection, WordPress Dev Blog). Of course, sites running the latest version of the software seem to be safe, which once again takes us back to what I said over a year ago: Upgrade or else! I haven’t seen complete details yet about how this new worm works, but reports say that part of the hack is to create a new Administrator level account, and then try to hide the existence of that account (via javascript) when you view your list of users.
If you want a sure-fire way to make sure there are no “extra” administrator accounts registered in your blog, I suggest going straight to the source: your MySQL database. The following SQL query, run against your WordPress database, will show you all users who have the Administrator role:
SELECT u.ID, u.user_login
FROM wp_users u, wp_usermeta um
WHERE u.ID = um.user_id
AND um.meta_key = 'wp_capabilities'
AND um.meta_value LIKE '%administrator%';
Advanced users can run this directly in the command-line MySQL client, or you can do it from phpMyAdmin by selecting your WordPress database and then going to the ‘SQL’ tab to run the query. If you use something other than the standard ‘wp_‘ prefix for your table names, make the appropriate change in the query (three occurrences).
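As an added example, not part of the original post, here is a small Python script that builds constructed sample copies of the two tables the query reads (in SQLite, standing in for MySQL), including a hidden “WordPress” administrator of the kind commenters below report, and runs the query above with the table prefix substituted in all three places. The user names, role values and the helper names are assumptions for the demonstration.

```python
import re
import sqlite3

# Constructed sample data (not from the post): two legitimate users plus a
# rogue "WordPress" account of the kind several commenters reported.
SAMPLE_USERS = [(1, "dougal"), (2, "editor_jane"), (3, "WordPress")]
# Roles live in the *_capabilities row as a serialized PHP array; LIKE '%administrator%' matches it.
SAMPLE_USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (3, "wp_user_level", "10"),
]

def admin_query(prefix="wp_"):
    """The post's query with the table prefix substituted in all three places."""
    # The prefix is interpolated into SQL, so only accept plain identifier characters.
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):
        raise ValueError("table prefix must be an identifier")
    return (
        f"SELECT u.ID, u.user_login FROM {prefix}users u, {prefix}usermeta um "
        f"WHERE u.ID = um.user_id AND um.meta_key = '{prefix}capabilities' "
        f"AND um.meta_value LIKE '%administrator%'"
    )

def build_sample_db(prefix="wp_"):
    """In-memory SQLite stand-in for the two WordPress tables the query reads."""
    con = sqlite3.connect(":memory:")
    con.execute(f"CREATE TABLE {prefix}users (ID INTEGER PRIMARY KEY, user_login TEXT)")
    con.execute(f"CREATE TABLE {prefix}usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT)")
    con.executemany(f"INSERT INTO {prefix}users VALUES (?, ?)", SAMPLE_USERS)
    # The capabilities meta_key carries the prefix too (the third occurrence).
    con.executemany(
        f"INSERT INTO {prefix}usermeta VALUES (?, ?, ?)",
        [(uid, key.replace("wp_", prefix, 1), val) for uid, key, val in SAMPLE_USERMETA],
    )
    return con

def find_admins(con, prefix="wp_"):
    """(ID, user_login) for every account holding the Administrator role."""
    return sorted(con.execute(admin_query(prefix)).fetchall())

def unexpected_admins(con, known_admins, prefix="wp_"):
    """Admin logins the site owner does not recognise: the accounts to investigate."""
    return sorted(login for _, login in find_admins(con, prefix) if login not in known_admins)

if __name__ == "__main__":
    db = build_sample_db()
    print("admins:", find_admins(db))
    print("unexpected:", unexpected_admins(db, {"dougal"}))
```

Against a real site you would run only the string `admin_query()` returns, in the MySQL client or phpMyAdmin, and compare the result with the administrators you know you created.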
Pingback: Tweets that mention Checking Your WordPress Security -- Topsy.com
Pingback: Attacks on old versions of WordPress | Blog Mum | WordPress made easy
Thanks for posting that query. I host blogs for others and because they’re infrequent bloggers, they rarely update. I updated their blog from 2.6.1 today to 2.8.4 and with your query, I verified that, luckily, they were safe.
I tried to copy and paste the query directly but it had the line numbers copied in, so here it is in a single line: SELECT u.ID, u.user_login FROM wp_users u, wp_usermeta um WHERE u.ID = um.user_id AND um.meta_key = 'wp_capabilities' AND um.meta_value LIKE '%administrator%';
Thanks again.
Yeah, sorry about the formatting. I didn’t realize until too late that the syntax highlighter plugin that I’m using turns the code into a list in order to get the ability to (optionally) display line numbers.
Thanks for the quick tip!
Once I heard of it, I ran to back up my databases, and then all I wanted to know was how to find out if I was attacked.
Well, my sites have only 1 user, and I saw it right from phpmyadmin
I’m gonna update some plugins and then upgrade my other site.
Pingback: Check If Your Wordpress Blog is Hacked | Dotnetwizard.net | MyDNW.com
Hey Dougal, thanks for sharing this. I just wanted to ask you whether, besides running this query, viewing the users table would confirm the same thing, or whether running the query would do the trick.
Muhammad,
Dougal’s SQL query shows you data from two tables simultaneously. You will not see the user rights level from the single wp_users table. You additionally need to check the wp_user_meta table for admin rights for every wp_users table record with the same id. Doing that manually when you have a lot of users is very time consuming, right? That’s why you need the query here.
Pingback: How to Ensure that your WordPress has not been affected by the latest attack | Geekword
Pingback: LlamaLabs » Archive » Monitoring Your Wordpress Administrator User List
Thanks for the information Dougal,
I’m somewhat new to wordpress, and blogging in general. Shortly after I put my blog online there was a new version available. I have a tendency to hold off on upgrades with the “If it ain’t broke, don’t fix it” attitude, but this time something told me the upgrade was a wise move.
Thanks again for the support.
~ Orion
I set up a new WP site 2 weeks ago and immediately upgraded to 2.8.4. Unfortunately, hackers got in anyway, set up a new front page and used that as a coverup to set up 2 bank phishing directories deep in the admin and plugins directories. The site has been redone and is, hopefully, more secure.
Today, after reading about the new worm, I searched the rest of the sites I manage (which had all been upgraded to 2.8.4 last week) and found one small one had 2 admin accounts that were visible and 4 that were hidden (visible for about 1/2 second and then gone). I did not readily have the database password to get rid of the bogus admins and didn’t want to wait until I could get to my second office to find the info. I deleted all files, set up a new database, and reinstalled WP. Now there’s just 1 admin, me.
I appreciate every alert that comes out. This one I wouldn’t have caught.
Pat
Pingback: WordPress Blogs Under Attack
Pingback: Problème de sécurité sur les anciennes versions de WordPress !
Pingback: Blake Helms | Birmingham, Alabama
Pingback: Psybertron Asks
From what I have read in the WordPress link above, this is a very serious hack job because the hacker manages to insert spam (hidden links) into your old posts.
When my blog was hacked the hacker inserted hidden links only in the footer, and cleaning that wasn’t a big problem. I just removed the old install and installed a fresh one. If you have a blog with 1000 plus posts and all of them are infected, you might have a big problem on your hands.
The big problem is when Google discovers the spam links: you will be slapped with a penalty and your blog de-indexed until you clean up.
Hello! Thank you so much for this post. I actually found a bunch of users in one of my sites that weren’t supposed to be there. My webhost warns me that more than 150 emails are being sent per hour, so this issue is somehow affecting my email account by sending emails automatically via my website.
Could someone please tell me whether I should do anything other than delete these users in order to stop sending spam involuntarily? Thank you!!
Pingback: Wordpress Security Warning: Update Your Wordpress « PSDPunk
Pingback: Upgrade Your Wordpress now! | Pinoy Problogger
Pingback: Uppgradera alltid WordPress | Eyesx
Hmm, interesting. I found a weird username: ‘WordPress’, with admin capabilities and invisibility. Does anybody else have one like this?
I found one site that had a username of WordPress, and another that had a username of ‘admine’
I’ve seen the WordPress user twice now, and now also admins and adminj. Wondering if they start with WordPress and then add additional items . . .
Pingback: Community News: WordPress worm makes its way around the web | Webs Developer
Pingback: Sicher bloggen mit Wordpress? Teil 1
Thank you for the query
I found one invisible administrator on my database. I deleted directly on the database.
A thankful French blogger.
Thanks for pointing this out. I will make a search asap and check even though I am using the latest version of wordpress.
Thank you for the tips. I ran the check for my own site. It’s OK, cos I just built it 5 mins ago. Thanks
Pingback: Sicher bloggen mit Wordpress? Teil 1 « My Blog
I would like to say thanks for sharing such a nice post. I’ll try to check it out.
I don’t know about this, thanks for the tutorial.
David
Pingback: Week 36 in Review – 2009 | Infosec Events
Wow!!! Nice Stuff buddy…..
Recently there was an attack on WordPress blogs by hackers. The saddest part is that the exploited security hole has not yet been identified,
Dirty Attack Over Hundreds Of WordPress Blogs
http://www.techpraveen.com/2010/04/dirty-attack-over-hundreds-of-wordpress.html
Pingback: Milestone Search
How can I find and remove the JavaScript that is hiding the unauthorized administrators? Or is it somehow embedded in the database for that user?