New Exploit In WordPress

A friend noted that he was experiencing weird behavior when he surfed my site. Whenever he clicked a link on my site, provided he’d visited FriendFeed previously, he would randomly be redirected to This is apparently a new exploit of WordPress that has arisen in the past week or so. I’m running WordPress 2.5.0.

The exploit is simple – it registers itself as an active plugin in your WordPress installation. To disguise itself slightly, the PHP code for this plugin is held in an image file. A quick look in the wp_option database should allow you to identify a plugin you don’t recognize. To do this:

  1. Login to your instance of MySQL: mysql <database name> -u <username> -p -h <database server>
  2. Find the active plugins registered in WordPress: select option_value from wp_options where option_name='active_plugins';
  3. Look for a plugin you don’t recognize: You should probably be able to figure out which plugins are which, based on their names – look for a plugin which is an image file.

For example, in my case an active plugin had been registered that was held in an image file called “rtl_old.jpg”. The result of looking at the active_plugins entry in wp_options:


Clever eh? I’m not clear on the mechanics by which this plugin is hidden from the Plugins panel of the WordPress, but nevertheless, the result is that you won’t be able to remove this malicious plugin from the WordPress admin panel. To remove the plugin, you’ll have to manually update the active_plugins entry for option_value.

You’ll need to craft a new value for option_value. Note that the entry encodes the data as an array of sorts (I’m not a big PHP guy, so I don’t know if this is standard practice or not). The “a:” entry specifies the length of the array, and the “i:” entry for each plugin specifies its location in the array. To remove the malicious plugin, I altered my option_value to the following:


To effect the necessary change in MySQL:

  1. Login to your instance of MySQL: mysql <database name> -u <username> -p -h <database server>
  2. Update the option_value entry: UPDATE wp_options SET option_value = '<new value for option_value>' WHERE option_name='active_plugins';

I’m curious about the content of the rtl_old.jpg file, but that can be dissected later. For now, these instructions should get you back on track and remove the malicious plugin.

WordPress Migration Complete

The blog has been a bit stagnant for the moment, but I was dealing with transitioning from MovableType to WordPress. I’ve met Matt Mullenweg on a couple of occasions and I figured it was time I give his team’s software a shot. One word describes my reaction to WordPress: wow.

Matt’s tag line for WordPress has been “Code is Poetry”, and after seeing the software in action it is an apt motto. In the past, I spent a fair amount of time cobbling together a solution that would address not only my blogging needs, but also my resume and portfolio of personal projects. The combination of MovableType and server-side includes gave me a consistent look, but not a consistent way of working with my site. I edited the blog via the MovableType interface, and individual project pages with a text editor. Ugh.

With WordPress, all of that has changed. Now I can manage blog posts and pages all from within WordPress, all with the same look and feel. Not only that, but with the new K2 theme (still in beta) I don’t have to spend a lot of time mucking about getting a clean look-and-feel. A couple plugins here and there, and poof!, a nice looking website.

Now, that said, it wasn’t all easy. The script to import MovableType entries was a little shakey – I ended up having to whip together a script to explode the file exported by MovableType and import entries individually. I also had a bunch of non-XHTML cruft I needed to clean up in my old blog entries, as well as write a bunch of redirects in my .htaccess to ensure a smooth transition. Of course, there’s still work to be done – I’ll still have to tweak the CSS over the next little while to adjust the color scheme (but it’ll be way less work than I had to do before). And I’ll be installing the new version of Gallery to allow me to start hosting all my photos.

So, kudos again to Matt Mullenweg, Michael Heilemann, and Chris Davis. They have produced a truly beautiful combination.