Talking about WordPress.

As you will know if you are a long-time reader, this blog has been hacked several times, with malicious scripts injected into its pages.

I tried to secure the blog in every possible way without any luck.

Finally, I think I figured out what allowed hackers to exploit the blog. I use a custom theme built on an old version of the Silhouette theme by Brian Gardner.

As you can see from the link, the theme is no longer available for download, but I believe the file comments.php contains a vulnerability.

Here it is:

```php
<?php
// Top of comments.php. Only the tail of the first line survived the page copy:
// `post_password)) {` with its comment can only be the end of
// `if (!empty($post->post_password)) {`; the closing `return; } }` is restored
// here so the block is well formed.
if (!empty($post->post_password)) { // if there's a password
	if ($_COOKIE['wp-postpass_' . COOKIEHASH] != $post->post_password) {  // and it doesn't match the cookie
		?>

		<p>This post is password protected. Enter the password to view comments.</p>

		<?php
		return;
	}
}
?>
```

The rest of the file is the theme's standard comment list and reply form, of which only the visible text survived the page copy: the “… Responses to “<title>”” heading, the “Your comment is awaiting moderation.” notice shown when `comment_approved == '0'`, the “Comments are closed.” and “Leave a Reply” branches on the post's `comment_status`, the “You must be logged in to post a comment.” and “Logged in as …. Logout »” branches, and a final template call on the post `ID`.

Since I changed it, I have not had an injection for a month.

Moreover, I found a couple of sites using the same theme that reported being hacked.

Any security hero willing to tell us if I am right? Or if it’s just a coincidence and hackers simply decided to leave me alone?
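The password gate at the top of that comments.php is the part of the file a practitioner would look at first, because the theme is doing an authentication check itself instead of asking WordPress. Themes written for WordPress 2.7 or later call core's `post_password_required()` there, and in current WordPress the `wp-postpass_` cookie holds a phpass hash of the password the visitor typed rather than the password itself. The script below is an added example, not code from the Silhouette theme or from WordPress core: it transcribes the inline check as `old_theme_check()` and puts a core-style check beside it as `core_style_check()`, then runs both over constructed cookies. Everything else in it is an assumption made so it runs without WordPress: the `COOKIEHASH` value, the `make_post()` stand-in for the global `$post`, `password_hash()`/`password_verify()` in place of core's `PasswordHash` class, and the constructed password and cookie values. It does not show how a script got written into the blog's pages, so it does not settle the question above; it shows two properties of the inline check that core's version does not have: the cookie carries the post password in clear text, and `!=` is PHP's loose comparison, so two numeric-looking strings such as `'0e1'` and `'0e462097431906509019562988736854'` compare equal.

```php
<?php
// Added example, not code from the Silhouette theme or from WordPress core.
// Stand-ins (assumptions so this runs without WordPress): COOKIEHASH, make_post(),
// and password_hash()/password_verify() in place of core's PasswordHash class.
declare(strict_types=1);

const COOKIEHASH = '1f3870be274f6c49b3e31a0c6728957f'; // stand-in; core derives it from the site URL

/** Stand-in for the global $post the template reads. */
function make_post(string $post_password): object
{
    return (object) ['ID' => 42, 'post_password' => $post_password];
}

/**
 * The theme's inline check, transcribed from the template above.
 * Returns true when the comments would be rendered.
 */
function old_theme_check(object $post, array $cookies): bool
{
    if (!empty($post->post_password)) {                       // if there's a password
        $cookie = $cookies['wp-postpass_' . COOKIEHASH] ?? null;
        if ($cookie != $post->post_password) {                // loose != on the raw cookie value
            return false;                                     // "This post is password protected."
        }
    }
    return true;
}

/**
 * Core-style check, returning true when the comments would be rendered.
 * Mirrors what post_password_required() does: nothing to check without a
 * password; otherwise the cookie must hold a hash that verifies against the
 * stored post password. password_verify() stands in for PasswordHash::CheckPassword().
 */
function core_style_check(object $post, array $cookies): bool
{
    if (empty($post->post_password)) {
        return true;
    }
    $hash = $cookies['wp-postpass_' . COOKIEHASH] ?? '';
    if (!is_string($hash) || $hash === '') {
        return false;
    }
    return password_verify($post->post_password, $hash);      // hashed, constant-time comparison
}

/** Runs both checks over constructed cookies and returns each verdict. */
function demo(): array
{
    $name = 'wp-postpass_' . COOKIEHASH;
    $post = make_post('0e462097431906509019562988736854');   // constructed: an all-digit password starting with 0e

    $right   = [$name => $post->post_password];              // what the old theme stores: the password itself
    $juggled = [$name => '0e1'];                             // wrong password; PHP compares '0e1' and '0e46...' as the number 0
    $hashed  = [$name => password_hash($post->post_password, PASSWORD_DEFAULT)]; // core-style cookie
    $nothing = [];                                           // no cookie at all

    return [
        'old theme, correct password in cookie' => old_theme_check($post, $right),    // true
        'old theme, wrong password "0e1"'       => old_theme_check($post, $juggled),  // true: loose != says they match
        'old theme, no cookie'                  => old_theme_check($post, $nothing),  // false
        'core style, wrong password "0e1"'      => core_style_check($post, $juggled), // false
        'core style, hashed cookie'             => core_style_check($post, $hashed),  // true
        'core style, no cookie'                 => core_style_check($post, $nothing), // false
    ];
}

foreach (demo() as $case => $shown) {
    printf("%-40s => %s\n", $case, $shown ? 'comments rendered' : 'password prompt');
}
```

Run it with `php` on the command line. The `"0e1"` case is the one to read: the inline check renders the comments because PHP's `!=` converts both numeric strings to the number zero before comparing, while the core-style check refuses because it verifies a hash with a strict comparison. The practical fix for an old theme is not to patch the comparison but to replace the whole block with a call to `post_password_required()` and let core own the cookie.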
