Earlier this week, I upgraded our blog to WordPress 2.5.1, the latest version of the WordPress blogging software. Although the upgrade was successful and complete, the Admin Dashboard still showed a strip saying “WordPress 2.5.1 is available! Please update now.”
At first, I dismissed it as an annoying bug that would probably go away with the next release. But after searching the net for more information, I found that this may actually be a symptom of a WordPress vulnerability, and that the site may have been hacked or SQL injected.
Fortunately, a few online sources have already detailed a solution. I tried it in our blog and after a few hours of 404 Not Found Errors and Database Connection Problems, the problem seems to have been solved.
A WordPress support topic and a post in WordPressPhilippines.org were the most helpful with regard to this problem. The info below shows what I did with our blog.
* Before you do anything, back up your WordPress database and files! Don’t proceed without doing this first. This ensures that you can restore your database from backup should something go wrong with the process. Click here for info on how to back up a WP database.
** To access your WordPress database, use a program such as PhpMyAdmin. If you have cPanel, go to “Databases” and launch PhpMyAdmin.
Delete phantom “WordPress” user
Access your WordPress database and browse the wp_users table. Check if it contains a row with the user_login “WordPress.” Leave it for now and go to your blog’s Administration Panel > Users. If you don’t see this user in the Manage Users section, it is most likely a phantom user. Go back to your database and delete this “WordPress” user.
Edit “active_plugins” and “deactivated_plugins” under wp_options
Browse the wp_options table in your database. Under the option_name column, look for two entries: “active_plugins” and “deactivated_plugins”. Click the “Edit” button (the pencil icon in phpMyAdmin) for each of those two entries. If you see a weird-looking, long line such as the following (values may differ), delete it and save the new entry.
Make sure you remove only that line. I made the mistake of deleting the entire contents of the “deactivated_plugins” entry and it caused 404 Not Found errors. Fortunately, I had the database backup so I just restored it and started the process again.
Upload WP 2.5.1 files again
The blog was still getting errors after doing the two steps above so I decided to re-upload the WP 2.5.1 files and overwrite the ones in the server. Here’s a nifty guide on how to replace your WordPress files.
Voila! After doing those three things, the annoying “Please update now” reminder disappeared in the Dashboard.
In some cases, that strip still won’t go away. Try the following other suggested solutions and see if they will work for you.
Remove wp-info.txt file
Using any FTP program, access your blog’s directories and see if you can find a wp-info.txt file. This is not a valid WordPress file and, in fact, is said to contain your database usernames, passwords, emails, etc., which can be used to hack your system. If you find it, remove it immediately and change all your passwords.
Delete files ending _new, _old, .pngg, .jpgg, .giff
Scan your folders again and if you see files with the extensions _new.php, _old.php, .php.pngg, .php.jpgg, or .php.giff, delete them. These files are said to be executables that will display a fake “404 Not Found” error when called from a browser, but will display your server information if called from a script with the matching hash from one of the hacked PHP scripts.
Remove extra code added to PHP files
Check your WordPress PHP files and see if extra code was added to the first line.
Here’s a sample of the malicious code, although the values may differ in your case.
Remove these lines if you see them in your php files.
Upload WP 2.5.1 files again
Upload the WP 2.5.1 files again just to make sure you are using the new (and hopefully uninfected) WordPress files.
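One way to automate the file checks above, as an added example (not from the original post or from WordPress): it walks a site directory for wp-info.txt and the listed suffixes, and goes a step further by comparing PHP files against a freshly unpacked copy of the same release. The function names, reason strings and the clean-copy directory are assumptions made for this sketch.

```python
import hashlib
import os
import sys

# Indicators named in the post: the wp-info.txt file and PHP files
# hidden behind these suffixes.
BAD_NAMES = {"wp-info.txt"}
BAD_SUFFIXES = ("_new.php", "_old.php", ".php.pngg", ".php.jpgg", ".php.giff")


def sha256_of(path):
    """Hash a file in chunks so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan(site_root, clean_root=None):
    """Return sorted (relative_path, reason) findings for a WordPress tree.
    clean_root (assumed) is an unpacked, freshly downloaded copy of the release."""
    findings = []
    for dirpath, _dirs, files in os.walk(site_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, site_root)
            lower = name.lower()
            if lower in BAD_NAMES:
                findings.append((rel, "not a WordPress file"))
            elif lower.endswith(BAD_SUFFIXES):
                findings.append((rel, "suspicious suffix"))
            elif clean_root and lower.endswith(".php"):
                ref = os.path.join(clean_root, rel)
                # Themes, plugins and wp-config.php have no counterpart in the
                # clean copy; they are skipped here and need a manual look.
                if os.path.isfile(ref) and sha256_of(full) != sha256_of(ref):
                    findings.append((rel, "differs from clean copy"))
    return sorted(findings)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: wp_scan.py SITE_DIR [CLEAN_WORDPRESS_DIR]")
    clean = sys.argv[2] if len(sys.argv) > 2 else None
    for rel, reason in scan(sys.argv[1], clean):
        print(f"{reason}: {rel}")
```

Run it against a downloaded copy of the site rather than the live server, and treat every "differs from clean copy" hit as a file to inspect before overwriting it.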
Hope this tip works for you and that annoying Dashboard reminder will be gone.