Please also see this post on how to recover your permalink structure if you have forgotten it: WordPress Permalink Recovery
This is a short guide on how to fix the recent hacker attack on WordPress blogs that makes posts unreachable by altering the WordPress permalink settings.
Please note: this is advice only. Neither kingpin-seo.co.uk nor its writers can be held responsible for any harm done by messing with your WordPress install, so please always backup, backup and backup some more to be sure you can't lose any data. Bear in mind that if you back up your user accounts, you may be backing up the hacker's account too.
Unfortunately, like many people running WordPress on a self hosted basis, we suffered a hacker attack over the last few hours. The effects of this attack were that our permalink structure was altered, making all of our news stories/press releases unreachable, and causing a ‘Bad Request’ error in the browser.
Initially, we thought it was just an error with the permalink settings, or .htaccess – possibly caused by a recent blog update. So we fixed the permalinks, job done, right?
Wrong!
A few hours later, the permalink structure had been altered yet again! This caused us to suspect foul play.
So, we did a bit of investigation on every researcher's friend, Google.co.uk.
What we found was that there is a hacker at large who has found a vulnerability in WordPress. It has been suggested that this may be fixed in the latest version of WP, however we have not ourselves had this confirmed by the WordPress team, as yet.
What does the wordpress permalink hacker do?
It appears that the hacker has found a way to create himself an account on WordPress blogs (and to those that say it's only possible if the blog has the setting 'Anyone can register' ticked: we didn't have this ticked, yet we still got hacked!) and he then adds some JavaScript to his 'First Name', causing his account not to appear in your list of registered users.
That’s right! – He may not appear in your list of registered users, so read on!
The account this hacker registers is given admin rights, which is something that is both annoying (due to him being able to mess with your blog!) – but also allows us to track his account, and remove it!
Steps to Remove The WordPress Permalink Hacker… Let The Eviction Begin!
1) Login to wordpress
2) Go to Users – Authors & Users
3) Check the number of Administrators, this is the important bit folks!…
If you count the number of administrators that you have on your blog, by looking down the list of users (or at the top of this page, click on the ‘Administrators’ link, to just show administrators) – Then compare this number with the number of Administrators that is next to the link at the top of the page (see image below)

If the number shown next to the Administrators link (like above) is different to the actual number of Administrator accounts shown in the table of users, there is a good chance that you have been hacked!!!
Now it’s time to remove the hacker!
What we need to do is find the hacker's 'User Number'. As he is not visible in the list of users, this may seem tough, but fear not! There is a simple way!
Go back to the page of wordpress users (/wp-admin/users.php)
View the page source (Firefox: press Control U, or click View, Page Source – IE users… download Firefox! Only joking! It's 'View, Source' in IE – Google Chrome users: just hit Control U)
Now, what we are looking for here is the administrator accounts in the users table. Search the source for class='administrator'. Then you should see something like this (click on the image to enlarge it):

Now, on our blog, we only have one Administrator, and his userID is '1'. You see in the image above, where it says: class='administrator'

We only have one admin account, user ID of '1', yet if you look at the image above, you can clearly see:

id='user_10' class='administrator'

Meaning that the person with userID of '10' is an administrator, yet we know he shouldn't be, because our admin's userID is '1'. So, we now know that the hacker's UserID is '10'.

If you are getting confused right now, and you have more than one Administrator account, consider setting all your user accounts except the main one back to subscriber, writer or contributor temporarily, then go through the steps above to find the extra Administrator's UserID.

Once you have his user ID (in our case, the UserID is 10), then you want to go to this address (you will need to be signed in as an Administrator yourself):

http://www.[yourdomain].[co.uk(or your tld)]/wp-admin/user-edit.php?user_id=10

The number at the end of the address (the user_id, 10 in our case) should be replaced by your hacker's user ID. This should take you to the edit user page. Removing the WordPress permalink hacker is easy now! Just follow these quick steps:

1) Change the guy's account to a Subscriber
2) Enter a fake email address
3) Enter a password twice
4) Go back to the users page (/wp-admin/users.php) and delete his account!

Precautions to make sure your WordPress blog is now safe

* Using an FTP program, log in to your site
* Check all the blog PHP and config files, looking at when the 'last modified' date was. If a file appears to have been altered recently, and it wasn't you, open it and check for bad code (read here and here)
* Visit this page on WordPress.org: http://codex.wordpress.org/FAQ_My_site_was_hacked
* Once you are sure your site is clean, immediately upgrade to the latest version of WordPress… AND KEEP IT UP TO DATE! Whilst there is no guarantee that having an up-to-date WordPress install will mean you are safe, at least you will be safer.
* It may be best to change your MySQL password, as that is good standard practice in any kind of hack situation; so changing your blog's Administrator password, your FTP/hosting control panel password, and your MySQL database password may be advisable.
* Now go to the permalinks settings page (/wp-admin/options-permalink.php) and enter your normal permalinks.
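As an added aid, not part of the original post, the following Python script automates the page-source check from the steps above: save the source of /wp-admin/users.php to a file, and it lists every row the server marked class='administrator' (whether or not JavaScript hides it in the browser), reads the count shown next to the Administrators link, and flags any row containing a <script> tag. The sample markup and the id='user_N' then class='role' attribute order are assumptions modelled on the fragment quoted in the post; real WordPress output differs in detail, so adjust the regexes to what your own "view source" shows.

```python
import re
import sys

# Constructed sample of a users.php page source, modelled on the markup quoted
# in the post (id='user_10' class='administrator'). Not real WordPress output.
SAMPLE_SOURCE = """
<ul class="subsubsub">
<li><a href='users.php'>All <span class="count">(3)</span></a> |</li>
<li><a href='users.php?role=administrator'>Administrator <span class="count">(2)</span></a></li>
</ul>
<table class="widefat">
<tr id='user_1' class='administrator'><td>admin</td><td>Site Owner</td></tr>
<tr id='user_7' class='subscriber'><td>reader</td><td>Jane Reader</td></tr>
<tr id='user_10' class='administrator'><td>xyz</td><td><script>/* placeholder */</script></td></tr>
</table>
"""

# One table row per user: id='user_N' followed by class='<role>' (assumed order).
ROW_RE = re.compile(
    r"<tr[^>]*\bid=['\"]user_(\d+)['\"][^>]*\bclass=['\"]([^'\"]+)['\"][^>]*>(.*?)</tr>", re.S)
# The "(N)" shown next to the Administrators role link at the top of the page.
COUNT_RE = re.compile(
    r'role=administrator[^>]*>\s*Administrators?\s*<span class="count">\((\d+)\)</span>')


def administrator_rows(source):
    """Every row the server marked as an administrator, hidden by JavaScript or not."""
    return [(int(uid), body) for uid, role, body in ROW_RE.findall(source)
            if role == "administrator"]


def displayed_admin_count(source):
    """The administrator count the page displays, or None if the link is absent."""
    m = COUNT_RE.search(source)
    return int(m.group(1)) if m else None


def audit(source, known_admin_ids):
    """Compare the administrators in the source against the IDs you expect to exist."""
    rows = administrator_rows(source)
    ids = [uid for uid, _ in rows]
    return {
        "admin_ids_in_source": ids,
        "displayed_count": displayed_admin_count(source),
        "unexpected_admin_ids": [uid for uid in ids if uid not in known_admin_ids],
        # A <script> tag inside a user row is the hiding trick the post describes.
        "rows_with_script": [uid for uid, body in rows if re.search(r"<script\b", body, re.I)],
    }


if __name__ == "__main__":
    # Usage: python audit_users.py saved-users.php.html 1 [other known admin IDs]
    html = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SOURCE
    known = {int(a) for a in sys.argv[2:]} or {1}
    for key, value in audit(html, known).items():
        print(f"{key}: {value}")
```

Because it reads the raw source, the list of administrator IDs does not depend on the displayed count, so it still works if that count has been tampered with as well.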
6 Responses to "WordPress Hacker Strikes, How to Fix The Hack That Causes Permalinks / URL Structure Error."
Good overview – one thing to watch out for if 2.8.4 doesn’t fix it: he may alter his Javascript to change that count down by one now that this has been exposed.
I did wonder about that.
I guess it is worth checking the page source even if the number there appears to be correct, so that you can see how many administrators there actually are in the source.
Nice comment Luke, thanks!
These hackers always do useless, idiotic work.
I wish they would use those skills constructively instead of wasting other people's time.
Thanks for this. I was wondering why I had two Administrators!