Update: I’ve done a mass hardening (that sounds gross) on everything here at the ThemeShaper ranch and—and it looks like we’re cool now. Let’s hope things stay that way. Hey!—at least I learned something about WordPress security, right?
—
I’m not sure when but some time ago ThemeShaper.com was hacked. I’m fairly sure it wasn’t a random sort of script-based bot attack but targeted directly at this site. I know this because the idiot that did this uploaded a hacked version of Thematic to a downloads folder on my site and altered the links on the Thematic landing page to point to it. Crap.
You’ll know you have a hacked version if you’ve got an sv_ss.php file in thematic/library/languages/.
If you’ve recently downloaded Thematic or are worried at all there’s a simple fix. Download Thematic again from the WordPress.org Themes directory and thank God there’s a free central repository for these sort of things.
Again, crap. And my apologies. I like making ‘the WordPress news’ but not for something like this. But I would like to assure you this is not a hack resulting from anything wrong with Thematic. Just one of those things that tends to happen to popular WordPress-based sites. It could happen to anyone.
I just wish it didn’t happen to me. Or you guys.
Now, as for the hack. I don’t know how it happened. It’s been suggested to me that it came through a weak plugin. I usually keep everything up to date here on ThemeShaper so, well, I don’t know. We’ll see, I guess. I do know that last night I discovered my wp-admin and wp-includes directories were 2 megabytes larger than they should be. I deleted them and replaced them. Here’s hoping that put an end to this.
If it doesn’t, and my site disappears suddenly, well, crap, it didn’t work.
Hey, at least the front page isn’t ThemeShaper recommended hosting right? Right?
Sigh. And it’s my birthday today too. What a day.
ThemeShaper 
I’m sorry for you. Not the best birthday present 😦
Happy Birthday! I hope it gets better.
Ouch, what a crappy birthday present 😦
But Happy Birthday anyways, and thanks for all your work!
Ouch, that really sucks man. I guess this means that it happens to the best of us. Now I’m worried about WPTavern and having something happening to it.
Well, I feel like I’m becoming an expert in WordPress security, so that’s good! You should check out Hardening WordPress.
Every weakness is an opportunity to develop a strength, yes? 😉
^^ Awesome quote…
Thanks for the link Ian…
Ian this is terrible news. Hope you figure it out quick.
Anyway, not the best timing, but I’ll take the chance and wish you a Happy Birthday!
Bummer! But thanks for the prompt and professional response. Hope the rest of your birthday is more pleasant.
Sorry to hear that Ian. Hope your day gets better.
[expletives deleted] Sorry to hear that Ian, hope you can forget about it for a while to enjoy your birthday!
Ian, sorry to hear that, you may want to have a look at WPIDS at http://blogsecurity.net
btw, happy birthday.
People with nothing better to do than break things should be… insert dirty words. I was hacked on one of my sites last summer. What a bummer that was.
Sorry to hear it.
Ouch, that hurts. Better safe: delete every file and get clean copies of WP and plugins from the repo. Might want to check every post/page in the DB too.
Thanks for the tips, Ozh. Done and done. It’s nice to know you have a fresh and clean set of files.
… and I haven’t been seeing anything spammy in post_content, Ozh. Thankfully!
Ian,
At least you caught the hack. Think how bad it would have been if you didn’t uncover it for weeks or longer. Hackers suck. Happy Birthday.
Wow Ian, sooooooooo sorry to hear about this, hackers suck BIG time. Hopefully you’ll get it resolved soon and have an awesome birthday!!!
Sorry to hear that.
Happy birthday!
sorry to hear it.
it must have been after nov 24 or nov 27? b/c i downloaded from thematic on one or maybe both of those dates and the file you noted sv_ss.php is not in the library. is that the only file that would have been different?
my download: thematic.0.9.5.1.zip was 205 kb and i show it dated Nov 24/09 7:43 pm
and those files in /library/ are dated June 21/09 1:09PM
so happy b-day and hope the holes get plugged
I’m pretty sure now that the link to the hacked file was only there for about 24 hours. As far as I know that was the only weird file.
It is unfortunate when things like this happen. However, it is good you caught it. Although for one way, it might look bad, but another… you caught it and posted about it. Things happen. You do not expect numbnuts to hack your hard work.
I’m not so concerned about looking bad … that’s … that’s just life. I’m more concerned about letting people down. Within 3 minutes of finding out my site was suddenly linking to a compromised version of Thematic this post was published. Pretty much as fast as I could type it. It’s worth looking like a fool to make sure I’m not making others look like fools.
Thanks for your help, kind comments and concern everybody. I’ve been cleaning things up and hardening other things. Here’s hoping!
You all might want to check out Hardening WordPress with htaccess too.
Sorry to hear about the hack Ian. I’ve been the victim of the automated stuff, but never directly targeted. And on your birthday, no less. Not the best way to spend the day.
If you go to my profile at delicious (vangogh99) and search wordpress security I have quite a few posts bookmarked. You’ve likely seen most, but maybe there’s one or two with a few things you haven’t seen.
Sounds like you caught this sooner rather than later so at least that’s something good.
I know it wasn’t the greatest day, by Happy Birthday anyway.
That hacker sent you a surprise gift buddy… Not surprise though it is kinda scary. Anyways happy Birthday friend.
Bummer to hear about your birthday ordeal. I remember when something similar happened to me. Fortunately I managed to find someone willing to help who knew quite a bit more about WordPress than me. The breach was traced to a caching plugin that was out of date by about a week.
But hey, at least you caught it. Happy Birthday!
DOH! I feel for you, thanks for all the WP magic you do, though. Sucks that one rotten apple can sour the whole barrel. Just wanted to give you some move positive feedback so you know the community loves you! that and say Happy Birthday!!! Hope this sorts out and you can enjoy some of it.
Comments subscribers: I’ve updated this post with the following note.
“Update: I’ve done a mass hardening (that sounds gross) on everything here at the ThemeShaper ranch and—and it looks like we’re cool now. Let’s hope things stay that way. Hey!—at least I learned something about WordPress security, right?”
Good way to look at it. Sucks to have been hacked, but if you came away from it with more knowledge of how to secure a WordPress site the end result is positive.
Hi Ian,
Really sorry you had this unfortunate thing happen on your birthday. How lame is that? But I’m sure the outpouring of appreciation is helping.
In any event, Happy Birthday to you!
Ian, thanks so much for your efforts on this. Sometimes, junk happens. We trust you and thank you! I hope this didn’t sour your birthday!