Comments on: An Open Note to WordPress Spammers & Hackers

By: Debbie Mahler

Debbie Mahler — Tue, 09 Feb 2010 17:04:58 +0000

Michael, If you cannot login to your FTP, you need to start your process by contacting your web host company. Explain what happened and get them to reset your account. That’s where you start.

By: Michael REMY

Michael REMY — Sun, 07 Feb 2010 20:58:03 +0000

hi !

you can add this email “makilovitalcamader@gmail.com” to your hacker list !
my wordpress has been subscribe and (i guess) hacked!
i can’t manage to login in my usual ftp account to alter my website !

any help please !

By: Alexandra Wolfe

Alexandra Wolfe — Sat, 02 Jan 2010 19:38:58 +0000

Thank you for this. I’ve started a list of my own having found several “hacker” email addresses and registrations on our web site. We have disabled registration for the moment in the hope of combating them.

By: WP Hacker's At It Again! | Technical Tidbits

WP Hacker's At It Again! | Technical Tidbits — Tue, 27 Oct 2009 21:51:24 +0000

[...] you’ve been following our blog tracking the WordPress suspicious subscribers starting with, An Open Note to WordPress Spammers & Hackers, and then, Adding to the WP Hacking Post, you’ll know many people are listing suspicious [...]

By: Debbie Mahler

Debbie Mahler — Fri, 23 Oct 2009 15:07:59 +0000

Thanks for all that information! And I’m so happy you found the file and the database entry! Great advice. I appreciate you commenting and letting everyone know how to check for this.

By: O'Ryan

O'Ryan — Tue, 13 Oct 2009 19:49:41 +0000

oops i meant i found the PHP file in my 2009/09 directory. my mind has too many numbers floating around right now. lol

By: O'Ryan

O'Ryan — Tue, 13 Oct 2009 19:42:15 +0000

Hey firstly thanks for posting this. Helped me narrow down a few suspicious “subscribers”

I was perusing my uploads folder via FTP and noticed in my 2009/02/ directory there was a php file there that i did not put there. the file was “963991.php” (filled with some base 64 gibberish)so immediately i knew something was up. i updated my WP to the current version and then logged into myPHPadmin to check out my DB user tables. and sure enough there was a user with no email or any other credentials in there. that did not show up in the WP dashboard. so they are able to cause mass damage if they can upload a php file and add admin users.

I would definitely recommend to any one with these “subscribers” to check your user tables. and your upload directories (specifically September’s)then remove anything un-authorized.

By: Phil

Phil — Fri, 18 Sep 2009 19:59:42 +0000

Thank you so much for leting me know this especially about Username: Andrianq
E-mail: pulvillarrac@gmail.com

I noticed a bunch of minor irregularities on my blog. I have now shut down all subscribers- I make my money from people that find my site from the search engine anyway.

I have now bookmarked your site and will try to give it a plug in an applicable Blog. Thanks Again. You are the Man!

By: Bill Bartmann

Bill Bartmann — Fri, 18 Sep 2009 15:10:23 +0000

Hey good stuff…keep up the good work! I read a lot of blogs on a daily basis and for the most part, people lack substance but, I just wanted to make a quick comment to say I’m glad I found your blog. Thanks,)

A definite great read…:)

-Bill-Bartmann

By: Manisha

Manisha — Wed, 09 Sep 2009 06:06:16 +0000

Confirming the following:
Username: MikeWink
E-mail: bugbeemershonyhe@gmail.com
Signed up as subscriber on one of my WP blogs.

The next day, there was a new user GayleRodger64 with no email address for just one day. This was followed by RogerRizo63, also with no email address but with admin privileges. That was when the js script was injected into the db and my permalinks started failing. (I have incremental backups of my database.)