Starting Tuesday, I had 2 pieces of bad luck (one minor and one major).

Bad luck 1

I went to deposit a check (affiliate) at the bank and my car did not want to start again when I left the bank. To cut it short, it cost me more at the auto shop than the check I deposited. That's not counting the time wasted waiting for the work to be done.

Bad luck 2

When I finally got home, I went to check my emails. I had left a few comments on a few posts. But I had also received an email from Google concerning one of my blogs. Google had detected "badware" on it. Was it the same blog as last time? No, it was not, and it was not about my software giving a false positive. So, I went to check the blog in question and I could not even load the main page at all.

Note: I must mention that the blog was not upgraded to WordPress 2.5.1 yet. I think it still had v2.2.x on it. When I had installed 2.3 on another blog, one plugin was not working correctly, thus I put the upgrades on hold. I had planned on upgrading them later once my project was released.

In my case, all I got was a blank page with a redirection(?) to a badware site. That was written on the status bar of Firefox but it looked like it was in a loop or the site was too busy (many infected besides me). Now, I had to find a way of removing wp-stats-php from the blog.

Note: It's not the same thing as wp-stats.php. That's a real known plugin.

After a few minutes of searching, I found others had the same "infection" performed on their blogs too. You will find code starting like this in a post:

<!-- Traffic Statistics --> bad code here <!-- End Traffic Statistics -->

or a JavaScript with function count(str){var res.... (some code did not belong there)

The trouble was I could not even log in to the admin section of the blog. Checking the last backup (SQL file), I was able to find the post in question. Some code was inserted in one of my older posts from November 2007. I tried a few ways to patch things like renaming the plugin folder or using the default theme.
I did not have any success. So, I decided to do an upgrade on the current blog to WordPress v2.5.1. At one time, I was able to make it work until I selected the current theme. The site was "infected" again even though I had edited the post in question to remove the offending code. I then lost the admin privilege again. I also lost part of the last post I had written and found some weird code in it before the cut off. Of course, I had to edit the database directly (MySQL) to do this in phpAdmin.

The drastic solution I took

I had already wasted far too many hours on this so I took one drastic solution: I deleted the current content of my domain. The database still existed and I made a backup (uploaded) of some of the folders not related to WordPress like my pictures, php redirections.... I also kept the wp-config.php and .htaccess.

Note 1: Even files not related to WordPress like php redirection or html were infected on a second look.

Note 2: Since I had once been able to upgrade to v2.5.1, I still needed to perform the upgrade steps even with an almost clean install. In version 2.5+, you need to add a new key in your wp-config.php file. That's in the upgrade instructions.

All was working okay now. Since I suspected the theme had bad code somewhere too, I used a new SEO optimized theme instead. But when I clicked on any of the posts, I got a 404 error. Only the front page was working. Don't forget to check if a .htaccess was recreated during the upgrade. Since I deleted everything and WordPress thought I had already upgraded because of the first upgrade, it did not create the .htaccess again in that case.

Unfortunately, I lost the list of the plugins I was using (activated or not). I would advise you to just write them down before starting. But since I had to move from version v2.2.x to v2.5, I took the time to download an all new set of updated plugins and see if each plugin was compatible or not with v2.5. This will be important when I tackle my other blogs.
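
Added example, not part of the original post: a Python sketch that searches a SQL backup or a folder of site files for the two markers quoted above and strips complete marker-delimited blocks. The sample dump, the function names and the file-extension list are assumptions made for illustration.

```python
import re
from pathlib import Path

# Markers quoted in the post. The script pattern is loose because the post
# only shows the first few characters of the injected function.
OPEN_RE = re.compile(r"<!--\s*Traffic Statistics\s*-->", re.I)
CLOSE_RE = re.compile(r"<!--\s*End Traffic Statistics\s*-->", re.I)
BLOCK_RE = re.compile(OPEN_RE.pattern + r".*?" + CLOSE_RE.pattern, re.I | re.S)
SCRIPT_RE = re.compile(r"function\s+count\s*\(\s*str\s*\)\s*\{\s*var\s+res", re.I)

# Constructed sample of a SQL backup; the rows and payload text are made up.
SAMPLE_DUMP = (
    "INSERT INTO wp_posts VALUES (12,'Clean post','<p>Hello</p>');\n"
    "INSERT INTO wp_posts VALUES (13,'Old post','<p>Text</p>"
    "<!-- Traffic Statistics -->[injected markup]<!-- End Traffic Statistics -->');\n"
    "INSERT INTO wp_posts VALUES (14,'Cut off','<p>Part</p>function count(str){var res');\n"
)

def find_markers(text):
    """Return sorted (line_number, kind) pairs for every marker found."""
    line_of = lambda pos: text.count("\n", 0, pos) + 1
    hits = []
    for m in OPEN_RE.finditer(text):
        # A truncated post can hold the opening marker without its end marker.
        closed = CLOSE_RE.search(text, m.end()) is not None
        hits.append((line_of(m.start()), "comment-block" if closed else "unterminated-block"))
    hits += [(line_of(m.start()), "count-script") for m in SCRIPT_RE.finditer(text)]
    return sorted(hits)

def strip_blocks(text):
    """Remove complete marker-delimited blocks; return (cleaned, count)."""
    return BLOCK_RE.subn("", text)

def scan_tree(root, suffixes=(".php", ".html", ".htm", ".js", ".sql")):
    """Scan files under root, since non-WordPress files were infected too."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_markers(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

if __name__ == "__main__":
    print(find_markers(SAMPLE_DUMP))
    print(strip_blocks(SAMPLE_DUMP)[1], "block(s) removed")
```

Hits reported as unterminated-block or count-script are left in place by strip_blocks and need a manual look, because the end of the injected code cannot be located from the markers alone.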
WordPress v2.5.1 safer?

Some had success in just removing the nasty code in the infected post. But some, like me, had to take a longer road. Now, is version 2.5.1 safer against this kind of infection? I don't know, but I suspect that because I was using an older version, I opened the door so that it was too late when I upgraded to v2.5.1 the first time. Doing a fresh installation with new plugins and a new theme must have closed the door. At least, I hope so. ;)

Lesson 1

If you have niche blogs that are not updated very often, do verify them. It's important because some are doing blogs that might bring them $5-10 a click. It would be a shame to lose that income. The blog in question was updated on Sunday but the automatic backup plugin did not have the last post in its entirety. I suspect it was infected between Sunday and Monday morning.

Lesson 2

I lost time and money on this and yes, it was my fault for not upgrading WordPress sooner. Because most of the traffic was coming from Google, my traffic from Google dropped to zero. Why? Because Google writes a warning under the URL. When a person clicks on it, they are redirected to a Google page about the risk. The few visitors since were from MSN, Yahoo or other sites (directories). When I went in Google Webmasters Tools, I was able to ask for a review but it could take time.

Lesson 3

Recently, someone suggested using phpBay for WordPress instead of using BANS. But this whole experience leaves me wondering if it would have been a good thing after all. WordPress might offer greater flexibility but it comes at this kind of cost. Plus, it's more profitable for badware to find a weakness in WordPress (Millions) versus BANS (Thousands). A few blogs is manageable, but what if you had 100s of WordPress/phpBay sites? You must think of upgrading WordPress more often than BANS. With BANS, you don't have the plugins, comments and trackbacks issues to deal with, thus fewer security issues.
If you use phpBay within your own main blog, then it would be okay since you are going to update it more often than a static blog anyway.

Conclusion

Now, I will be busy upgrading my other blogs but I decided to post this first to warn my fellow bloggers who might not have updated their blogs yet.