How Do I Know If My Site Has Already Been Attacked?
There are two clues that your WordPress site has been attacked.
There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.”
The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account
it will works as long as you have PHP 4/5 & curl function.
This script however, will work only if you use the default prefix (wp_). Fyi, there is also the SQL Query, made by Dougal, that will show you all users who have the Administrator role. Your script is very nice by the way.
█ SYN Gadget (!) Synchronous Gadget █ It's All About Gadget, Gizmo, Hot Tech Stuff and So Many More! █SYN Gadget is Proudly Hosted by SYN Hosting