How I fixed the WP 2.5.1 upgrade issue

When I updated this blog to WordPress 2.5.1 five days ago, a problem propped up. That “Please upgrade” strip wouldn’t go away and has become an annoyance. Blogged about it and posted a support question in the WordPress support forums and soon enough possible explanations and solutions to this issue were given by other friendly WP users.

A user who goes by the name Rosie M Banks pointed me to a post by Ultrasonic who had the same problem after upgrading his blog to WP 2.5.1. As it turns out, this is caused by a vulnerability in WordPress 2.5.x where hackers can wreak havoc in a WP blog by inserting PHP scripts or files that could further exploit your WordPress-powered blog.

ia has written a good overview and guide to check whether your blog has been hacked or not over at WordPress Philippines. Gave it a good read and used it like a checklist in my investigation to root out and solve this issue.

Luckily for me, my blog’s internal folders and directories were not littered with new files ending in _new, _old, .pngg, .jpgg, .giff. As ia wrote:

These files will be executables that when called from a browser will display a fake “404 Not Found” error, but if called from a script with the matching hash from one of the hacked PHP scripts, will display system info about the server your site is sitting on.

The solution of course, is to delete these files.

A phantom WP user

But when I checked my blog’s database using phpMyAdmin, I found out that there is a phantom “WordPress” user in my blog. Again ia sheds light on this phantom WordPress user:

One other thing I noticed, and this happened on the new 2.5 installs as well as the older ones that hadn’t been upgraded yet, was the silent addition of the user “WordPress”, with no info save a password, and an add date of all zeroes. There’s also no indication of user level in the database, and the user doesn’t show up in the User menu. However, when I was going through and deleting unnecessary “admin” logins, “WordPress” came up as one of the user options to reassign posts to… otherwise it might have been a while before I’d found that buried in the database.

the phantom WP user

Again, the solution is to delete this user using phpMyAdmin which can be accessed from your site’s CPanel.

A plugin that’s not supposed to be there

Continuing with my investigation, I followed Ultrasonic’s advice and checked out my ‘wp_options’ table and looked at these VALUES ‘active_plugins’ and ‘deactivated_plugins’. In it I also found a plugin entry about a plugin that is not supposed to be there. The suspicious entry looked like this:

i:0;s:117:”../../../../../../../../../../../../../../../../../../../../../../tmp/tmpon81ev/
sess_197dd29a88afb90e3a9d82b3227c3369″;

I simply deleted that section of line entry. Of course you must BACKUP your database before fiddling with it using phpMyAdmin as Ultrasonic warns that this solution has not been verified to work for everyone.

It worked on my blog and I simply had to re-activate all of the plugins I regularly use once back inside the dashboard. Since applying this fix, my blog has returned to normal and that annoying update reminder strip has gone away my dashboard tells me that I am indeed running WP 2.5.1

Right now, I’m still in the process of checking my blog for other vulnerabilities. I hope the solutions I shared here would be useful to others who are experiencing the same problems. If not, I strongly recommend posting a support question in the WordPress forums, the wonderful folks from the WP community will always lend a helping hand.

4 Comments

    1. No I did not had that problem and the phantom WP user never returned after I deleted it from my database.

      Double-check your plugins and your internal directories. Also double-check your WP files for those code inserts. If all else fails, post a topic about in the WP community forums, help usually comes within 24 hours. 🙂

      Reply

Leave a Reply