WordPress Vulnerability Permalink hack

There is a very sophisticated attack that exploits the security holes in older versions of wordpress installation and redirects all the links in Google to another website. Mine was redirected to http://yes.mefound.com/?said=3333g&q=

Today when my friend Bhavin noticed the links going to another site, I started to dig at usual places for redirects but couldn’t find anything. WordPress blog says that an upgarde could prevent the attack, but won’t help if the site is already compromised.

The easiest fix for this is to clean up entire installation. Even if you find the code in one file and fix it , there is no guarantee that there is no other recursive script somewhere else in your installation.

1. Export your entire database ( posts, comments) in XML format by going to Tools > Export  in admin panel

2. Backup any media files you have ( images, Pictures)
3. Delete the installation and all the files in wordpress directory via FTP ( I used bluehost file mamager for a single click delete)
4. Reinstall latest wordpres ( Again bluehost simplescript made it very easy)
5. Import you XML by going to Tools > Import.  You will have to install the importer by clicking on wordpress
6. Now restore your media.

The whole process took about 4-5 minutes.  For someone who has a larger and complex installation it might take longer.