Recently, I started using Microsoft’s Windows Live Writer (WLW) to compose blog entries offline. It has made blogging much easier.
Earlier this morning, I encountered the following error message when I attempted to post a new blog entry from my notebook:
The last thing I’d done, aside from writing the entry, was adding a couple of new plugins to WLW. Standard troubleshooting techniques would suggest this as the first place to look, but when I uninstalled them I still encountered the same error.
Next step was to try to re-create the problem, so I switched to my desktop, which didn’t have the plugins, and attempted to use WLW to edit an entry. Same error.
Logging into the server my blog is hosted on didn’t immediately reveal any problems, so I dug deeper.
The first clue that something was wrong was the fact that the index.php file for my WordPress installation was slightly different than the one in my friend Rob’s WordPress.
It’s supposed to look like this:
As you can see, a chunk of code that does an @include of something at wordpress.net.in was added.
Googling wordpress.net.in revealed a number of pages, including a blog entry by Avice De’vereux that described the symptoms and said they were caused by a spam injection hijack by wordpress.net.in. I think the hijack was supposed to insert ads in the page footers, but I don’t recall seeing anything there.
Another tip-off was a slight difference in the xmlrpc.php file, which showed up like this when I compared mine to one known to be good:
Basically, the code in line 3 had been added to the top of the file, meaning whenever the xmlrpc.php file was used, it called that piece of code first.
So, I backed up my WordPress installation and then hunted down the half dozen or so files that had been compromised and replaced them with fresh copies from the WordPress distribution site. I also “hardened” my site following the suggestions in the WordPress Codex.
If you’re running a WordPress site, you should probably check to make sure you aren’t a victim of this, too.