Cleaning Up the Aftermath of a Hacker Attack

The same project that led to the post Loading WordPress From index.php involved cleaning up after a hacking incident. In fact, that’s what the initial work order was for.

This blog was hit recently by the same attack that has been in the news for the last few days. Lorelle on WordPress wrote some things about it:

There are two clues that your WordPress site has been attacked.

There are strange additions to the pretty permalinks, such as $%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.”

The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution.

This blog was different in that no other admin accounts had been created. The same code was appearing in permalinks (and was, indeed, shown in Settings -> Permalinks).

Another symptom of this type of attack is posts filled with spam links wrapped in HTML comment tags. Readers won’t see them, but Google does.
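As an added example (not code from the original post), here are the three clues above turned into a small Python triage script: it URL-decodes the permalink_structure option and looks for eval/base64_decode markers, lists administrator accounts that are not on a list the owner recognizes, and pulls out links hidden inside HTML comments in post content. The option, user and post rows are constructed stand-ins for what you would export from wp_options, wp_users and wp_posts; real role data lives in wp_usermeta, so the flat role field is an assumption made for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample rows standing in for data exported from a WordPress
# database. Not from the original post. Roles really live in wp_usermeta;
# the flat "role" field is a simplification for this example.
SAMPLE_OPTIONS = {
    "blogname": "Example Blog",
    "permalink_structure": "/%year%/%postname%/$%7Beval(base64_decode("
                           "$_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/",
}
SAMPLE_USERS = [
    {"user_login": "owner", "role": "administrator"},
    {"user_login": "Administrator (2)", "role": "administrator"},
    {"user_login": "editor1", "role": "editor"},
]
SAMPLE_POSTS = [
    {"ID": 1, "post_content": "<p>Hello world</p>"},
    {"ID": 2, "post_content": "<p>Real text</p>"
                              "<!-- <a href=\"http://spam.example/pills\">cheap pills</a> -->"},
]

# Tokens that have no business inside a permalink structure or any other option.
SUSPECT_TOKENS = ("eval(", "base64_decode", "$_SERVER", "$_REQUEST", "$_GET", "$_POST")


def suspicious_option_values(options):
    """Return (option_name, token) for option values that carry PHP code markers.

    Values are URL-decoded first: the injected permalink structure shows up
    percent-encoded in the address bar but may be stored decoded in the database.
    """
    hits = []
    for name, value in options.items():
        decoded = unquote(str(value))
        for token in SUSPECT_TOKENS:
            if token in decoded:
                hits.append((name, token))
                break
    return hits


def unknown_admins(users, known_logins):
    """Administrator logins that are not on the list the site owner recognizes."""
    return [u["user_login"] for u in users
            if u["role"] == "administrator" and u["user_login"] not in known_logins]


COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.I)


def hidden_comment_links(posts):
    """(post ID, URL) for every link wrapped in an HTML comment: invisible to readers, visible to crawlers."""
    found = []
    for post in posts:
        for comment in COMMENT_RE.findall(post["post_content"]):
            for url in HREF_RE.findall(comment):
                found.append((post["ID"], url))
    return found


def triage(options, users, known_logins, posts):
    """Run all three checks and return a report dict."""
    return {
        "suspicious_options": suspicious_option_values(options),
        "unknown_admins": unknown_admins(users, known_logins),
        "hidden_links": hidden_comment_links(posts),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_OPTIONS, SAMPLE_USERS, {"owner"}, SAMPLE_POSTS).items():
        print(f"{key}: {value}")
```

A hit in any of the three lists is a reason to treat the whole install as compromised, not just to delete the offending row: the permalink payload executes whatever the attacker puts in the Referer header, so the theme and plugin files need the same scrutiny as the database.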

Looking a little deeper, I found evidence of another, earlier hack job. The server error log contained hundreds of these entries:

Loading WordPress From index.php

One of WordPress’ strengths is its attention to SEO-related issues in its core files. One of those issues is the problem of having the home page of the blog indexed twice in the search engines: once under the actual address, and once under the plain domain name. Note that this is a different problem than the trailing slash problem (the same address with and without a trailing slash), which WordPress also takes care of.

WordPress handles the index.php problem by redirecting requests for the index.php address to the plain domain address. All well and good, and beneficial for most sites.

But that rewriting/redirecting caused some problems on a site I was working on yesterday, and once I figured out why, it was a relatively easy fix.

Using PHP Short Tags in Plugins Is a No-No

I had a client call up over the weekend in a panic because her blog disappeared.

“Help! All I see is a blank screen!”

“What’s the last thing you did?” says I.

“Updated my theme files,” says she.

So after an hour’s worth of troubleshooting, I found the problem:

Plugin and theme developers: please do us all a favor and do NOT use the short PHP opening tag (<?) instead of the full-length tag (<?php).

Just because you have your development server set up to recognize short tags doesn’t mean that production servers do. In fact, many if not most of them don’t.

Just a request. Yeah, I suppose I make some money fixing this stuff when you do that. But I’d rather not.

Bloggers: if you upload a plugin or theme and you get a fatal error saying “Unexpected $end in filename.php at line xx”, this is one of the first things to check.

Unfortunately, if your web server isn’t set up to allow short PHP tags and also doesn’t display errors (production servers shouldn’t display PHP errors or notices), you might just get the dreaded blank white “I’m dead” screen.
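To catch this before a plugin or theme ever reaches a production server, here is an added Python checker (not from the original post) that walks a directory and flags every bare <? open tag, leaving <?php, the <?= echo tag and XML declarations alone. The sample template it scans is constructed for the example; with short_open_tag off, its two short-tag lines become literal HTML and the loop opened on line 2 is never closed, which is exactly the situation that produces the “Unexpected $end” error.

```python
import os
import re

# A "<?" that is not "<?php", the "<?=" echo tag (always enabled since PHP 5.4)
# or an XML declaration. Only the bare "<?" depends on the short_open_tag setting.
SHORT_TAG_RE = re.compile(r"<\?(?!php\b|=|xml\b)", re.I)


def find_short_tags(source):
    """Return (line_number, stripped_line) for each line that uses a bare "<?" tag."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if SHORT_TAG_RE.search(line):
            hits.append((lineno, line.strip()))
    return hits


def scan_tree(root):
    """Walk a plugin or theme directory and report bare short tags per .php file."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_short_tags(fh.read())
            if hits:
                report[path] = hits
    return report


# Constructed sample template, not from the original post. With short_open_tag
# off, lines 3 and 4 are emitted as literal HTML, so the "if ... : while ... :"
# on line 2 is never closed and PHP stops with a parse error at end of file
# (reported as "unexpected $end" by the PHP versions of the time).
SAMPLE_TEMPLATE = """<?php get_header(); ?>
<?php if (have_posts()) : while (have_posts()) : the_post(); ?>
  <div class="post"><? the_content(); ?></div>
<? endwhile; endif; ?>
<?= get_bloginfo('name') ?>
<?php get_footer(); ?>
"""

if __name__ == "__main__":
    for lineno, text in find_short_tags(SAMPLE_TEMPLATE):
        print(f"line {lineno}: {text}")
```

Running php -l on the file only reports the problem when the PHP doing the linting has short_open_tag turned off, which is precisely the setting a developer’s machine tends to have on; a plain text scan like this one does not depend on php.ini at all.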

Just something to be aware of.

How Does WordPress Work?

WordPress is, at its most basic, very simple. It is a PHP script that displays a blog entry, or a series of entries, based on information contained in the URL. The display is controlled by PHP files that collectively make up a theme.

A Basic Theme

WordPress themes contain at least two files: index.php and style.css. The file index.php controls what goes on the final web page, and style.css controls what the page content looks like. The only reason a style.css file is essential in WordPress themes (you don’t really NEED styles for a bare-bones XHTML web page) is that it contains information in a certain format that WordPress uses to gather theme details like the name, the author of the theme, and so on.

The Index File

The index file is where the magic happens. How much magic depends on the theme designer. The following code placed in an index.php file will generate a series of WordPress posts:

```php
<?php get_header(); /* pulls in the theme's header.php */ ?>
<?php if (have_posts()) : while (have_posts()) : the_post(); ?>
    <?php the_content(); /* output the current post */ ?>
<?php endwhile; endif; get_footer(); /* then the theme's footer.php */ ?>
```

In English, what the above code says is, “first, get the header. Then, if the have_posts() function gets some posts, while there are posts in that list, display the content. Then, get the footer.”

Pretty simple, eh? Try it for yourself and see what it looks like. You can get more information on the WordPress Loop or see The Loop in action.