Cleaning the mass WordPress attack that happened over the weekend, on old installs of WordPress…

1. Manually upgrade to the latest WordPress 2.8.4. Once you’ve finished, go to your WordPress dashboard, and open up Settings / Permalinks. Set Permalinks back to default or whatever you used before (Google if you can’t remember how your permalinks were set up). Now click on “save changes”.

2. Now stay in your WordPress dashboard and go to Users”‰/”‰Authors & Users. Look up at the top. You’ll probably have “Administrators (2)”, whereas you only see one Administrator shown in the list on the page. In this case, there is a hidden second account you need to clean out.


Use your web browser to “View Source” on the Users”‰/”‰Authors & Users page. Search for: class=’administrator’. You are id=’user_1′ class=’administrator’. The invisible rogue administrator is id=’user_82′ or somesuch number. Find and make a note of that number.

3. Now visit the URL…


…and make sure you add that rogue number to the end of the URL. e.g.: user_id=82

That URL will show you the details of the invisible rogue administrator. Delete the masking code he entered where his first name should have been. Change his account to Subscriber. Save.

Now go back to Users”‰/”‰Authors & Users. He’ll show up there now. Simply delete him and any posts or comments he may have made.

4. Now log into your web space provider’s dashboard, and then locate the link to the database tool. If your web space provider has given you the database access codes, then click the link to the database, and thus log into the database. Then click through to a view where you see your various WordPress database entries (there should be about twelve of them and they start with wp_….). Then click on the MySQL query box in the sidebar. Paste in…

SELECT u.ID, u.user_login

FROM wp_users u, wp_usermeta um

WHERE u.ID = um.user_id

AND um.meta_key = ‘wp_capabilities’

AND um.meta_value LIKE ‘%administrator%’;

And then press GO. If the results show you that you have two administrators, delete the one who you know is not you.

It’s probably also wise to change your access password for your blog. That’s it.