A couple of hours ago I received an automated email from our Travelblog site, saying that we had a new user registration, which was strange, since we disabled that feature a long time ago! Great! We’ve just been hacked!
I put my hands up in the air, I’d been running an old version of WordPress (2.2) … which I’ve been meaning to upgrade for a long time; but hey, I’ve bought a house, had a baby and built my business during that time! It’s not been at the top of my priorities. So yes, I’m aware of the security holes/risks, etc.
Needless to say, WordPress 2.2 has an ugly security hole which allows hackers to remotely inject SQL statements into the database. I’d heard about this at the time, but thought I was covered because it relied on the hacker having a valid username/password (see the trac ticket). Well it seems they don’t!
Within a minute of receiving the new user registration email, I deleted the user account, changed our passwords and upgraded to WordPress 2.6 – which came with its own set of problems (i.e. all the category names disappeared).
Here are the details of the would-be hacker, so others know about him: