Stopping WordPress XXX-Hacker

Many of my WordPress sites have been attacked by this xxx-hacker. The first thing this hacker does is try to log in as admin using multiple attempts. Once it succeeds, the admin user name is changed to xxx-hacker and the password is changed as well. So, now you cannot log in to your site and you can’t even reset your password.

If by chance you are still able to log in as admin then you are in luck, as the attack hasn’t happened yet. But prevention is better than cure. So, immediately (as in NOW), update your WordPress installation, and install/enable the Limit Login Attempts plugin. This is the most important thing you need to do to stop this hacker, because the admin takeover seems to be connected with the hacker gaining access to your server files. Also, immediately after this, change your server passwords – especially FTP and MySQL.

At this stage I don’t know if the FTP password is being deciphered, but I have seen strange folders and files turning up in the sites’ public/html document areas. There are at least 3 different types of action performed by these files: (1) phish for email passwords, (2) phish for financial passwords, (3) run a script that logs in to some site(s) using a series of passwords. One common thing I have noticed is that the plugins folder in all hacked installations has one new folder – helo – which contains a script to send the phished data to the hacker’s mother computer. Change the permissions of this “helo” folder to 777 and then delete it.

Things to do in your MySQL database

If not yet attacked: stop user registration and user updates using database triggers. This is like a chastity belt. The filthy sucker of a hacker can tear your WP-clothes, but can’t penetrate your DB-bastion, thereby preventing the spawning of further filth. Contact me for the modus operandi.

If attacked: rename the admin user to a word other than “admin” and change the password to a 16-character word stored in MD5 format, then stop user registration and user updates as above using triggers. Contact me for help.
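An added worked example of the rename and the trigger “chastity belt” in MySQL, covering both the attacked and not-yet-attacked cases above. This is my illustration, not the author’s own recipe (which the post offers on request); the wp_ table prefix, user ID 1, the new login name, e-mail and 16-character password are placeholders to change, and it assumes MySQL 5.5 or later (or MariaDB) for SIGNAL:

```sql
-- Recover the hijacked admin row and then lock wp_users with triggers.
-- Assumptions (placeholders): table prefix wp_, admin row ID = 1, the new
-- login name, e-mail and 16-character password below. Needs MySQL 5.5+ or
-- MariaDB for SIGNAL. Run as a MySQL user holding UPDATE and TRIGGER rights.

-- 1. Confirm which row the attacker renamed before touching it.
SELECT ID, user_login, user_email FROM wp_users WHERE user_login = 'xxx-hacker';

-- 2. Rename the account and set the password as a plain MD5 hash. WordPress
--    accepts an MD5 value in user_pass and replaces it with its own stronger
--    hash the first time the user logs in, so log in once before step 3.
UPDATE wp_users
   SET user_login          = 'siteowner_k7',          -- placeholder, not 'admin'
       user_nicename       = 'siteowner_k7',
       user_pass           = MD5('Replace-Me-16ch!'), -- placeholder, 16 chars
       user_email          = 'owner@example.com',     -- placeholder; reset in case it was changed too
       user_activation_key = ''                       -- cancels any pending reset link
 WHERE ID = 1;

-- 3. The chastity belt. No INSERT: registration and wp-admin "Add New User"
--    both fail at the database even if the hacker is logged in to WordPress.
DELIMITER $$
CREATE TRIGGER wp_users_lock_insert
BEFORE INSERT ON wp_users FOR EACH ROW
BEGIN
    SIGNAL SQLSTATE '45000'
        SET MESSAGE_TEXT = 'wp_users is locked: registration disabled at the database';
END$$

--    No change to the credential columns. Other columns (display_name,
--    user_activation_key) stay writable so normal WordPress operation works.
CREATE TRIGGER wp_users_lock_credentials
BEFORE UPDATE ON wp_users FOR EACH ROW
BEGIN
    IF NEW.user_login <> OLD.user_login
       OR NEW.user_pass <> OLD.user_pass
       OR NEW.user_email <> OLD.user_email THEN
        SIGNAL SQLSTATE '45000'
            SET MESSAGE_TEXT = 'wp_users is locked: login/password/email changes disabled';
    END IF;
END$$
DELIMITER ;

-- 4. To change a password or add a user yourself later, lift the belt briefly:
--    DROP TRIGGER wp_users_lock_insert; DROP TRIGGER wp_users_lock_credentials;
--    make the change, then re-run step 3.
```

The triggers only bind an attacker who reaches the database through WordPress; anyone holding the MySQL password can DROP them, which is why the post tells you to change that password as well.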

If your site needs user registrations, handle them yourself, manually. If you don’t have time for that and run a very big site, then you should enlist the services of someone who can provide proper security.

To be cont’d…

I used a template to develop my web page on Google Sites. However, when I search “visitsforkoustabh” on Google it shows the body of the template even though I have already changed the body. What should I do?

Google does not index your site as soon as you update it. Generally, the update frequency is not known. However, frequently updated sites like news blogs get indexed within hours or minutes, and some reputed sites even get indexed instantaneously. You should wait a while, say 2 or 3 weeks, and check again. If your site has a facility to submit a sitemap (via Google Webmaster Tools), you should do so, which will hasten the next Google crawl of your site.

How to Repair the Global Brute Force Attack on WordPress Self Hosted Sites?

This global brute force attack on self-hosted WordPress sites has been going on for the past few days. I am going to address different cases and attempted solutions here. Please bookmark this Q&A and check back for new case studies.

One site came to my notice today, where the users could not log in because the login or admin page got redirected to a page that output “not acceptable”. I checked the .htaccess file and it had non-standard statements, which neither the developer nor the site admin remembered putting in. So, we removed the extra statements and retained only the default WordPress-generated .htaccess statements, and the site was back to normal.

…to be cont’d…

My Facebook recommendations just vanished. They were there earlier. How do I get them back?

Ah there! Did you by any chance turn off the “Show Map” option in your page info?

According to Facebook’s garden logic you should recommend others around you (your location!) – so your page has to show the map (of your location); only then will your recommendations show.

Go to Edit Page > Update Info > tick the “Show Map” option below your physical address – obviously, a physical address is required too!

How to Remove HTML Allowed Tags Text in WordPress Comment Form?

Find where the comment_form() function is called. Usually it is in the comments.php file of your WordPress theme.

It might be displayed like:

<?php comment_form(); ?>

Pass an argument to the function as below:

<?php comment_form(array('comment_notes_after' => '')); ?>

The array can take other arguments as well to modify the comment form to your liking. Refer to the WordPress Codex page for comment_form() for all the possibilities.

Which came first? The egg or the chicken?

Testing my Guru factor, eh! Every guru worth the salt-and-pepper outgrowth on the chin is asked this.

Well, I do have an opinion on this – it’s the egg!

The presumption is that the “egg” represents the seed and the “chicken” represents a living being. Religious theories say something like “God created man”, but scientific reasoning can’t and doesn’t accept that.

There is no settled understanding yet of the vast extent of the universe we know, or of how it came about. In the god-like experiments that man has done in creating (cloning) a living being, the base is a cell, or what you can think of as the “seed”, from which the full organism grows. So, the “egg” or the “seed” is the precursor. Q.E.D.