March 8, 2006

WordPress 2.0 Themes Competition Website got hacked - HOW?? Is there a security vulnerability in WordPress? Was the theme competition itself a hoax?

Update: It now appears that the kcyap theme competition was a complete hoax and the site owner made off with 188 WordPress 2.0 specific themes! The site itself has disappeared, the owner doesn’t respond to any questions, nor does he make any attempt to restore the posts, etc. You can read up on some of the discussion in the WordPress Support Forums. I have removed the links to the hoax site so as to not generate any additional traffic or inbound links for the jerk.

There is a new WP 2.0 theme competition that is taking its place and being run by respected members of the WP community over at WordPress Arena.

I ask that all theme designers who applied to the scam competition now enter the new, legit one — and also would be extremely grateful if you would submit your themes to me, as well. While I’ve nothing to offer in the way of prizes (wish I could, but hopefully some fame and the knowledge that you’re helping the community will be inspiration enough), I am extremely eager to create a Comprehensive List of WordPress 2.0 specific themes (and have plans to create a blog specifically about themes to make it much easier for folks to find the theme of their dreams). Please email all theme info to howtoblog @ gmail.com with a subject of WP 2.0 theme — thanks! :)

On March 5th, the WordPress 2.0 Theme Design Competition that was being hosted by kcyap.com claimed that it got hacked (and that his entire database was erased):

“Very regret to announce that this competition blog website has been hacked. I have no backup for all this data and am not sure if the server admin did have a backup of it or not. I am very sorry for this incident.

The prizes will still be the same and I will upload once again all the submitted themes one by one from now. This may take quite some time, please be patient.

The result for this competition will still be announced on the 10th March 2006.”

This should be a reminder to everyone to BACKUP YOUR DATABASE ON A REGULAR BASIS (I’ll write a how-to post on this shortly).

And as many commenters pointed out, it was unacceptable for a site hosting a theme competition of this level to not have backups. Other commenters suggested the site owner use the Google cache to try to retrieve the old posts.

However, the big question that’s on my mind - and which was brought up by CountZero - is: how did this happen??

“But the really more important task than assigning any guilt to anyone on this case, I suppose, is to find out how the hacker could compromise the machine. Did he use some undiscovered WordPress vulnerability, did he make use of those being published just about a week ago, or did he make use of other security issues on your server? Is it sure that these loophole(s) are closed now, and can you make sure there is no backdoor/rootkit left on the machine now?”

I hope the WordPress team is taking a good look at this to ensure that it wasn’t the result of some previously unknown security vulnerability in WordPress. Was the kcyap Theme Competition Blog running on WP 2.0 or WP 2.0.1? And if he was running the latest version (WP 2.0.1), did the hackers get in through a WordPress security flaw, or through some other method related to his specific hosting situation? Or perhaps he had spyware on his PC with a keylogger that captured his password, so they could simply log into his account. (Which reminds me that everyone should have Microsoft’s free Anti-Spyware software installed on their Windows PCs.)

Additionally, there has also been speculation that the whole Theme Competition was a hoax (to gain Google PageRank?). Many commenters have found it rather suspicious that, even if the database was wiped, there still wouldn’t be backups of all of the themes that designers had submitted - after all, they sent them in through email. And what of all the ‘unnamed judges’ (which I always thought was a little shady..) - shouldn’t they have copies of the themes and their descriptions, as well?

IMHO, the Theme Competition site owner (Justin) owes it to the WP community to work with both his webhost and the WordPress team to discover just how that site got hacked, and then reveal that information to everyone - both to restore his credibility and so that we can all know whether we need to be worried about the same thing happening to us - and learn from his situation about how to protect ourselves. Specifically, we need to know whether the hack stemmed from a problem with WordPress security. I’ll rest easier once this information is known, especially since I’m still spending many hours porting How to Blog over to WP from TypePad (it was easy to import the posts, but there’s all this minutiae that’s taking many hours to deal with as part of the transition).

Filed by Emily from How to Blog.

    Comments

    March 11, 2006

    CountZero said:

    Well, I was hesitant to believe the competition page was a hoax for quite a long time, but I must admit that Justin obviously lacked any courage to try anything to recover the lost posts, so those who pointed in the hoax direction may have had a point.

    But, here are some facts I can’t understand regarding this case:
    - there wasn’t any advertising on the competition blog, at least none that slipped through my adblock configuration, and AdWords would have slipped through - so Justin didn’t seem to earn any money on this blog.
    - granted, the prizes were really pretty and this was one of the main eyecatchers for me to contribute my theme to that competition at all, but presumably nobody ever checked with the sponsors Justin mentioned whether it was true that they sponsored the competition, if we assume the page was a scam; otherwise that would have been brought to daylight, right? Here we’d now have to ask “why didn’t anybody check back?” I can’t imagine that nobody would’ve checked back on a competition worth plenty of dollars.
    - for several hours now the competition blog has been completely wiped out and delivers 404s only - if that competition had been a scam with the purpose of gathering PR: a) the highest PR lay on distinct posts, not on the main page, b) an empty page returning only 404s doesn’t earn any money, and c) Justin’s personal blog has been killed as well, seemingly.

    So where is the point that I am missing, if this competition really was an extraordinary scam? I can’t see any true and durable advantages Justin would have been able to achieve with it. The submitted themes are each and every one open source under GPL, MIT, CC and so on, so he can’t even sell them!

    Okay, enough for the rant. Just my two cents, and I apologize for my bad English; it’s late after midnight (about 0215) here in Germany now ;)

    March 12, 2006

    Scott said:

    This whole WordPress theme fiasco is beyond my comprehension. I just can’t rationalize why someone would “con” people this way. I see opportunity, sure, but not motive. What’s the benefit?

    Anyhow, I see that there’s another competition over at wordpressarena.com, but just not sure if I should bother. Sigh.

    March 13, 2006

    Emily from How to Blog said:

    Yes, it is sickening and absurd — perhaps Justin thought the community would buy his explanation of the site being hacked and not ask questions — allowing him to leave the site up and use the pagerank to later change the site to something monetized, and once exposed eventually took the site down. There’s no real way to know.

    At this point, we have to focus on the positive — that competition inspired many theme designers to create what I imagine are some pretty amazing new WordPress 2.0 specific themes — now we just have to get those themes into the WordPress Arena competition and have them made available to the WP community so that their efforts were not for nothing.

    Those who submitted their themes to this hoax competition, I understand how frustrated and violated you must feel — what Justin did is beyond unacceptable. Make sure he doesn’t have the chance to now try and sell your themes — get them out there to the WordPress community under the open source licenses they were created with, so that if anyone spots him trying to pass off one of your themes as his own he can be held accountable for it.

    And get them out there to the community so that they can be lovingly applied to the many WordPress 2.0 blogs that are eager to admire your work :)

    CountZero said:

    Emily,

    you are totally right. It’d be a shame if this coward got away with it. Ah, just before I forget: you know, my Binary Blue theme is WP 2.0 only and reached (thanx to the hoax competition where I submitted it) v1.0.1 in the meantime. Just as info for your new WP 2.0 specific list (I love the current list with more than 600 entries - it was a great start when I started blogging the days ago) ;)

    March 14, 2006

    Christine said:

    I don’t understand how anyone could take the competition seriously when the person running the site couldn’t even write a coherent sentence. I suspected something right off the bat.

    Just my 2 cents.

    March 15, 2006

    Emily from How to Blog said:

    @Christine - Very good point. I had the same concerns myself, but thought it could be because he is not a native English speaker and was trying to give him the benefit of the doubt… So much for that!!

    @CountZero - thanks for the heads-up (hey, at least something positive came out of the hoax competition — improvements to your theme!) I’ve updated the theme list to reflect that it is no longer in beta and requires WP 2.0+. The theme list is now up to 695 themes! Can’t wait to cross the 700 mark! (Will probably do so today - I’m sure I can find 5 more themes around the blogosphere if I dig hard enough..) Glad the list is of use to you! Keep up the great theme development!!!

    May 9, 2006

    nancy_hawkeye said:

    Here’s a comment made by kcyap (Justin) on this website:
    http://www.mistyeiz.com/2006/04/16/i-want-to-pengsan-dying-of-hunger/

    “4. Hi Yvy, its been ages since i last chat with you keke. Now i work for www.i-phone.org and writes blog for them which is www.2dayblog.com. Im been appointed as tech blogger. hehehe so happy
    Comment by kcyap — April 16, 2006 @ 12:26 pm”

    ...So, kcyap is now working for www.i-phone.org. Those of you who were hoaxed by him can write to his current boss whose email address is sales@i-phonenetwork.org so that his boss may consider taking some action against him.


    Made with WordPress and the Semiologic CMS | Customized by Emily Robbins