Probably Unhacked

Update: I’ve done a mass hardening (that sounds gross) on everything here at the ThemeShaper ranch and—and it looks like we’re cool now. Let’s hope things stay that way. Hey!—at least I learned something about WordPress security, right?

I’m not sure when but some time ago was hacked. I’m fairly sure it wasn’t a random sort of script-based bot attack but targeted directly at this site. I know this because the idiot that did this uploaded a hacked version of Thematic to a downloads folder on my site and altered the links on the Thematic landing page to point to it. Crap.

You’ll know you have a hacked version if you’ve got an sv_ss.php file in thematic/library/languages/.

If you’ve recently downloaded Thematic or are worried at all there’s a simple fix. Download Thematic again from the Themes directory and thank God there’s a free central repository for these sorts of things.

Again, crap. And my apologies. I like making ‘the WordPress news’ but not for something like this. But I would like to assure you this is not a hack resulting from anything wrong with Thematic. Just one of those things that tends to happen to popular WordPress-based sites. It could happen to anyone.

I just wish it didn’t happen to me. Or you guys.

Now, as for the hack. I don’t know how it happened. It’s been suggested to me that it came through a weak plugin. I usually keep everything up to date here on ThemeShaper so, well, I don’t know. We’ll see, I guess. I do know that last night I discovered my wp-admin and wp-includes directories were 2 megabytes larger than they should be. I deleted them and replaced them. Here’s hoping that put an end to this.

If it doesn’t, and my site disappears suddenly, well, crap, it didn’t work.

Hey, at least the front page isn’t ThemeShaper recommended hosting right? Right?

Sigh. And it’s my birthday today too. What a day.
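A way to check for the two signs described in the post, the sv_ss.php file in the Thematic languages folder and core directories that no longer match a clean copy, as an added example that is not the author's code. The WordPress root and the freshly downloaded clean copy passed as arguments are assumptions, as are the function names.

```shell
#!/bin/sh
# Added example: look for the indicator file named in the post and compare
# wp-admin / wp-includes against a clean WordPress copy of the same version.

# Print the path and return 0 if the indicator file exists in a Thematic theme dir.
has_indicator() {
    f="$1/library/languages/sv_ss.php"
    if [ -e "$f" ]; then
        printf '%s\n' "$f"
        return 0
    fi
    return 1
}

# Compare a live tree ($1) with a clean tree ($2).
# Prints "EXTRA <path>" for files only in the live tree and
# "CHANGED <path>" for files whose contents differ from the clean copy.
diff_tree() {
    live=$1
    clean=$2
    (cd "$live" && find . -type f | sort) | while IFS= read -r rel; do
        if [ ! -f "$clean/$rel" ]; then
            printf 'EXTRA %s\n' "${rel#./}"
        elif ! cmp -s "$live/$rel" "$clean/$rel"; then
            printf 'CHANGED %s\n' "${rel#./}"
        fi
    done
}

# Size of a directory tree in KiB, to spot the kind of growth the post mentions.
tree_kb() { du -sk "$1" | cut -f1; }

# Usage: sh check.sh <wordpress-root> <clean-wordpress-copy>
if [ "$#" -eq 2 ]; then
    # wp-content/themes/thematic is the default theme location (assumed here).
    has_indicator "$1/wp-content/themes/thematic" && echo "indicator file present"
    for d in wp-admin wp-includes; do
        echo "$d: live $(tree_kb "$1/$d") KiB, clean $(tree_kb "$2/$d") KiB"
        diff_tree "$1/$d" "$2/$d"
    done
fi
```

Any EXTRA or CHANGED line in a core directory is a reason to replace that directory from the clean copy, as the post describes doing.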

38 thoughts on “Probably Unhacked”

  1. Ouch, that really sucks man. I guess this means that it happens to the best of us. Now I’m worried about WPTavern and having something happening to it.

  2. Ian this is terrible news. Hope you figure it out quick.

    Anyway, not the best timing, but I’ll take the chance and wish you a Happy Birthday!

  3. [expletives deleted] Sorry to hear that Ian, hope you can forget about it for a while to enjoy your birthday!

  4. People with nothing better to do than break things should be… insert dirty words. I was hacked on one of my sites last summer. What a bummer that was.
    Sorry to hear it.

  5. Ouch, that hurts. Better safe: delete every file and get clean copies of WP and plugins from the repo. Might want to check every post/page in the DB too.

  6. Ian,

    At least you caught the hack. Think how bad it would have been if you didn’t uncover it for weeks or longer. Hackers suck. Happy Birthday.

  7. sorry to hear it.

    it must have been after nov 24 or nov 27? b/c i downloaded from thematic on one or maybe both of those dates and the file you noted sv_ss.php is not in the library. is that the only file that would have been different?

    my download: was 205 kb and i show it dated Nov 24/09 7:43 pm
    and those files in /library/ are dated June 21/09 1:09PM

    so happy b-day and hope the holes get plugged

  8. It is unfortunate when things like this happen. However, it is good you caught it. Although for one way, it might look bad, but another… you caught it and posted about it. Things happen. You do not expect numbnuts to hack your hard work.

    1. I’m not so concerned about looking bad … that’s … that’s just life. I’m more concerned about letting people down. Within 3 minutes of finding out my site was suddenly linking to a compromised version of Thematic this post was published. Pretty much as fast as I could type it. It’s worth looking like a fool to make sure I’m not making others look like fools.

  9. Sorry to hear about the hack Ian. I’ve been the victim of the automated stuff, but never directly targeted. And on your birthday, no less. Not the best way to spend the day.

    If you go to my profile at delicious (vangogh99) and search wordpress security I have quite a few posts bookmarked. You’ve likely seen most, but maybe there’s one or two with a few things you haven’t seen.

    Sounds like you caught this sooner rather than later so at least that’s something good.

    I know it wasn’t the greatest day, but Happy Birthday anyway.

  10. Bummer to hear about your birthday ordeal. I remember when something similar happened to me. Fortunately I managed to find someone willing to help who knew quite a bit more about WordPress than me. The breach was traced to a caching plugin that was out of date by about a week.

    But hey, at least you caught it. Happy Birthday!

  11. DOH! I feel for you, thanks for all the WP magic you do, though. Sucks that one rotten apple can sour the whole barrel. Just wanted to give you some more positive feedback so you know the community loves you! That and say Happy Birthday!!! Hope this sorts out and you can enjoy some of it.

  12. Comments subscribers: I’ve updated this post with the following note.

    “Update: I’ve done a mass hardening (that sounds gross) on everything here at the ThemeShaper ranch and—and it looks like we’re cool now. Let’s hope things stay that way. Hey!—at least I learned something about WordPress security, right?”

    1. Good way to look at it. Sucks to have been hacked, but if you came away from it with more knowledge of how to secure a WordPress site the end result is positive.

  13. Hi Ian,

    Really sorry you had this unfortunate thing happen on your birthday. How lame is that? But I’m sure the outpouring of appreciation is helping.

    In any event, Happy Birthday to you!

  14. Ian, thanks so much for your efforts on this. Sometimes, junk happens. We trust you and thank you! I hope this didn’t sour your birthday!
