Update 081509: The “Magic” hack had a sleeper cell. See comments below from Xavier and Nichelle. I think I fixed the residual problem, and I will write a detailed post documenting what I did. For now, if you’re curious, leave a comment below, and I’ll let you know when documentation is posted.
Update 073109 at 4:30 p.m.: After breathing into a paper bag and learning about the vars.php file, I’m halfway back after my “Magic” hack attack. See the WordPress support forum for details. Yokima rocks!
Original post 073109: I have a problem with authentication in one of my WordPress sites. I can log into the dashboard. I can save a post once. But when I try to save the post again or publish it, I get the authentication window seen in the screenshot below. My admin username and password do not work in this window. When I cancel the window, I get a page that says “Access Denied.” So now I cannot publish posts on this WordPress site.
This is the first time I’ve encountered this authentication window in 2 years of managing the site with WordPress. I have not encountered it yet on my other WordPress sites on the same web host.
Is this an issue with WordPress or with the web host, Bluehost?
The authentication window below states: The site says: “Magic” — What does that mean?
Any solutions or suggestions?


on Aug 1st, 2009 at 4:06 am
It looks like you’re running an older version of WordPress (2.6 or so, judging from the screenshot). To prevent this sort of thing in the future, you should upgrade to the latest version (2.8.2 as of this writing).
on Aug 1st, 2009 at 9:36 am
Thanks, Mark. Updating WP is in my future across all my sites. Has anyone identified the point of entry for this hack? A plugin?
on Aug 8th, 2009 at 12:42 am
(Mark)^2,
I was on version 2.8.2 and had the injection as well. Looks like it may have come through spam. Luckily, I was paranoid enough to NOT give my username password. I upgraded (which purged all the infected code) and everything is fine. Still need a solution to make it NOT happen again. In the meantime we’ve got to get the word out.
on Aug 8th, 2009 at 9:06 am
Thanks, Rob. Any idea how widespread this attack is among WP sites?
on Aug 11th, 2009 at 12:42 am
I encountered this issue and updated to v2.82. The blog seems fine but actually is not: there are 500+ outgoing links added at the end of my page. They are invisible, but Googlebot can see them.
on Aug 11th, 2009 at 10:25 am
Thanks for the heads-up, Xavier. I’ll check out Googlebot tools
http://en.wikipedia.org/wiki/Googlebot
on Aug 12th, 2009 at 11:49 pm
I encountered the issue and all seemed fine after upgrading and removing code from my plugins. However, I discovered additional code added to my footer, deleted it, and more was inserted later. I believe that this is perhaps what Xavier is mentioning? The added code seems like additional spam-type links. Is this going to affect my Google ranking somehow? If you find out how to get rid of this problem, I’d love to know.
By the way, my vars.php file seemed okay. I also use bluehost. And, I encountered a similar authentication box (which I managed to cancel without entering anything) when using their webmail program. Coincidence? Unsure. Anyway, thanks for posting on this issue!!
on Aug 13th, 2009 at 6:49 am
Nichelle,
I had the same problem with invisible links inserted into the footer. I deleted them from footer.php, and with your warning, I’ll watch to see if they return. I haven’t read the WordPress support forum referenced above in about a week, so I need to get back to it to see what folks are doing now. It’s been the best source of trouble-shooting ideas that I’ve found on this problem.
Thanks for the tip about Bluehost webmail. I don’t use it, but need to. You might try calling Bluehost support about it, although I’ve had mixed results trying to talk to them.
I visited your site briefly. Looks great! What is the theme?
Fight the good fight,
Mark
on Aug 14th, 2009 at 12:47 am
Thanks Mark! I did check with Bluehost and was initially told it may be spyware on my computer (but I have a Mac and did a MacScan – nope!) When I responded, I was told that the first technician was incorrect, that the authentication from WebMail was valid – not sure why I could cancel and still reset my password then, however… But anyway, that’s the story. I have been following the thread on wp.org and I think you’ll find my desperate pleas are the last comments at the moment.
Anyway, thanks for the kind words on the site. The theme is StudioPress’s Church theme (with only cosmetic changes, really) — highly recommend!
Cheers!
Nichelle
on Oct 10th, 2009 at 10:47 pm
Hi, I just got this issue. I can’t upgrade at this point. Does anyone know how to solve this? Also, how do I check for hidden links?
If someone can email, it would really help out.
Thanks
Almog
on Oct 30th, 2009 at 2:09 am
I noticed my URL structure has changed also from long file names to page numbers which is crap for SEO.
on Dec 6th, 2009 at 3:45 pm
[...] in recent months. My posting has become erratic, too. This happened as the result of a site security problem that began last July, which I have been fighting ever since. The hacking shows up as hidden code [...]
on Dec 8th, 2009 at 2:03 am
This is a great post. I just enjoyed reading it a lot. It’s really interesting and contains a lot of information. Thank you for posting. Please keep up the good work.
on Feb 23rd, 2010 at 11:20 am
thank you very much…