Special Note: This Alert is for self-hosted WordPress installations.WordPress.com blogs are not impacted as they are up-to-date.

Lorelle Writes:

***Update your WordPress blog before you continue reading this post. That’s how critical this issue is.

There are two clues that your WordPress site has been attacked.

• There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.”
• The 2nd clue is that a “back door” has been created by a “hidden Administrator”. Check site users for an “Administrator (2)” listing or some other name you don’t recognize. If one has been created, it is highly unlikely that you will be able to access the account.

For those already affected, it is being reported that you will need to:

1. Export all your content with the built-in XML WordPress exporter.
2. Remove your WordPress installation completely (saving only images and general files)
3. DO NOT EXPORT YOUR DATABASE! Exporting the database will result in exporting and transfer of the hacked code.
4. Reinstall WordPress adding the “clean” backup of your WordPress Theme
5. Re-import your content using the XML export file.

And again, take care to keep your export limited to the post content, comments and Pages, not the entire database. Sincethe hack goes all the way into the database, exporting your DB will result in exporting the hacked code as well.

If you have further questions or concerns, check WordPress.com, the community is there to help.