Again, I’ve been hacked. Well, not me personally… I wear the most up-to-date tinfoil attire, I assure you, and no one is getting into my head… but my blog was. This time I was running WordPress 2.6.5 when it happened.
Those who know me know that I always prefer to do manual upgrades, wiping everything out and starting over completely fresh each time, whether I have been hacked or not. This way if there was an intrusion it should still clean the hack out completely, even if I don’t know it’s there. As it happens, when I upgraded to 2.6.5 from 2.6.2 I did not do this. I merely upgraded the 2 files involved in the security portion of the WP 2.6.5 upgrade (which were wp-includes/feed.php and wp-includes/version.php). However, to date those are still the only two files from that version with a security risk according to WordPress, and I upgraded them well before I was hacked.
I noticed something was wrong earlier this week, after I wrote the post on how to easily find free photo downloads for your blog posts. I was checking to see if the post had any rankings a couple of days later, when I noticed that it wasn’t showing in Google. I don’t mean that it wasn’t ranking, either… I mean it wasn’t showing at all. I checked, and sure enough Google had definitely cached the post shortly after I had published it. It was showing when I did a site: command too. I realized that something was weird, however, when I saw that the description for my homepage still showed my post from November as being the snippet in the serps:
I checked that as well, and just as I thought they had already re-cached the homepage too, which means that showing the old snippet made no sense:
Neither the post itself nor the homepage was showing in the serps at all, even for exact phrases unique to those pages, phrases that were showing in Google’s cache, and therefore should have been searchable. My first thought was that I had been penalized for some reason (the conspiracy theorist in me even considered it might be the “PageRank for Sale” alt text on an image from November’s post 😛 ), so I sent off a couple of Tweets asking people if they saw anything I might have missed.
Luckily, one of the people listening who was kind enough to respond was John Mueller. After telling me that I need to upgrade my tinfoil hat to a Mu-metal one (heh, thanks John! 😀 ), he found the issue fairly quickly:
The link he gave me pointed to the text-only version of Google’s cache of my homepage, and when I scrolled down, sure enough there it was:
I upgraded last night (complete wipe and reinstall this time), but I’m a little concerned still. Since there has still been no word from WordPress about 2.6.5 being vulnerable, that may mean that it is something that they are completely unaware of, and therefore was carried over into WordPress 2.7. I did some research on other hacked blogs, and while I did find one other 2.6.5 blog and one 2.7, comparing their caches against other older cached pages on the same site, it looks like both of those were hacked prior to them upgrading. If anyone else finds more information about blogs that have gotten hacked after upgrading to WP 2.6.5 or above, please let me know.