Has Your WordPress Blog Been Hacked?

If you own a WordPress blog, you may have been hacked, but what’s worse, you may not even know that you have been exploited.

This happened to me recently, and today I want to ensure that every reader who runs WordPress not only knows how to detect this problem, but how to fix it and how to protect their site from future attacks.

Ok, here is the thing… like most marketers, my technical skills are not very good, but like most marketers, I have a lot of very useful contacts. So I contacted a good friend of mine (Paul from SEOidiot).

Paul takes up the story below:

What Happened To DeanHunt.com – By Paul

Here’s the technical side of what they did and what we did to get around it, plus a brief explanation of what I coded to try and give people the chance to check for themselves:

WordPress uses calls to wp_head and wp_footer to allow plugins to alter the content being returned as the page loads; a good example of this working well is the SEO Title Tags plugin. However, this is the functionality that the spammers used to insert a whole raft of links into the footer.

This article [http://linux.byexamples.com/archives/397/wordpress-exploit-we-been-hit-by-hidden-spam-link-injection/] explains the technique for anyone who likes headaches, but in basic terms they are using compromised theme files or adding in new files to your compromised server which act on the wp_footer call to insert their links.

They have been even smarter than that though, as they have cloaked the links, so if you pop over to your own hacked site and view the source code you won’t see the inserted links. Only when Googlebot comes along are the links shown, which is obviously a bad thing as Google suddenly thinks you’re linking out to a bunch of parasite-hosted pill sites and will give you a penalty or remove you as a result.

Note: Dean’s rankings were virtually wiped out in Google

The Solution

So how to solve this? On a dedicated box you can trawl through searching for the files known to be compromised but a simpler and easier method is to remove the wp_footer call from the footer.php file in your current theme.

There are very few plugins that do anything useful in the footer, so this made sense for Dean. If it had been the wp_head call that was inserting links we would have needed to get the host to find the dodgy files, or perhaps to have moved to a clean install somewhere else.
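As an added example (not Paul's code, and not part of WordPress or any plugin), here is a small Python triage script for the "trawl through the files" route: it walks a copy of wp-content/ and flags PHP files that register a wp_footer or wp_head hook, and rates them higher when the same file also branches on HTTP_USER_AGENT for a crawler name or uses eval/base64_decode-style obfuscation. Registering a hook on its own is normal, since legitimate plugins attach to wp_footer too, so a hook alone is reported as informational; a hook combined with crawler-specific branching is what the cloaked injection described above looks like on disk. The sample file tree it builds is constructed for the demonstration, and its paths and plugin names are made up.

```python
import os
import re
import tempfile

# Indicators a defender looks for in theme/plugin PHP while triaging a footer injection.
HOOK_RE = re.compile(r"""add_action\s*\(\s*['"](wp_footer|wp_head)['"]""")
UA_RE = re.compile(r"HTTP_USER_AGENT")
BOT_RE = re.compile(r"googlebot|bingbot|slurp|msnbot", re.I)
OBFUSCATION_RE = re.compile(r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")

RANK = {"high": 0, "medium": 1, "info": 2}


def scan_source(path, text):
    """Return a finding dict for one PHP file, or None if nothing stands out."""
    indicators = []
    hook = HOOK_RE.search(text)
    if hook:
        indicators.append(hook.group(1) + "_hook")
    # Serving different content to crawlers needs a user-agent check somewhere.
    if UA_RE.search(text) and BOT_RE.search(text):
        indicators.append("ua_cloaking")
    if OBFUSCATION_RE.search(text):
        indicators.append("obfuscation")
    if not indicators:
        return None
    has_hook = any(i.endswith("_hook") for i in indicators)
    suspicious = "ua_cloaking" in indicators or "obfuscation" in indicators
    if has_hook and suspicious:
        severity = "high"
    elif suspicious:
        severity = "medium"
    else:
        severity = "info"  # hook-only: exactly what a legitimate plugin does
    return {"path": path, "severity": severity, "indicators": indicators}


def scan_tree(root):
    """Scan every .php file under root; worst findings first."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, encoding="utf-8", errors="replace") as fh:
                finding = scan_source(rel, fh.read())
            if finding:
                findings.append(finding)
    return sorted(findings, key=lambda f: (RANK[f["severity"]], f["path"]))


# Constructed sample tree (made-up paths and plugin names) for the demonstration.
DEMO_FILES = {
    "themes/twentyten/footer.php": "<?php wp_footer(); ?>\n</body></html>\n",
    "plugins/seo-title-tags/seo-title-tags.php":
        "<?php\nadd_action('wp_footer', 'stt_footer_output');\n",
    "themes/twentyten/inc/cache.php":
        "<?php\nif (preg_match('/googlebot/i', $_SERVER['HTTP_USER_AGENT'])) {\n"
        "    add_action('wp_footer', 'cache_print_links');\n}\n",
    "plugins/hello-dolly/extra.php":
        "<?php\neval(base64_decode('PLACEHOLDER_NOT_A_REAL_PAYLOAD'));\n",
}


def build_demo_tree():
    """Write the constructed sample files into a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="wp-content-")
    for rel, body in DEMO_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_demo_tree()):
        print(f["severity"].upper(), f["path"], ", ".join(f["indicators"]))
```

Point `scan_tree()` at a copy of your own wp-content directory and compare anything flagged against a clean download of the same theme or plugin version. Finding and removing the injecting file (or reinstalling from a clean copy) removes the cause; dropping the wp_footer() call from footer.php only hides the symptom and also stops plugins that rely on that hook from working.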

Because it isn’t easy for people to detect when they have been hacked this way, I wrote a little tool to show people what their Google cache thinks are links out from their page. You can find this free tool at http://www.seoidiot.co.uk/cachecheker/
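As an added example, separate from Paul's cache checker, here is a Python check you can run against your own site: it fetches a page once with an ordinary browser User-Agent and once identifying itself as Googlebot, then reports outbound links that appear only in the crawler's view. The HTML snapshots embedded below are constructed for the demonstration (the pill-site address uses a made-up .example domain), and the browser User-Agent string is likewise an assumed value. One caveat: an injection that cloaks by visitor IP address rather than by User-Agent will look identical in both fetches, which is why comparing against Google's cached copy of the page remains worthwhile.

```python
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

# User-Agent strings for the two fetches; the browser string is a constructed value.
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/115.0"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


class LinkCollector(HTMLParser):
    """Collects every href found on an <a> tag, whether or not it is visibly rendered."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def _host(value):
    """Lower-case a hostname and drop a leading 'www.' so both spellings compare equal."""
    value = value.lower()
    return value[4:] if value.startswith("www.") else value


def external_links(html, site_host):
    """Absolute links whose host differs from our own site."""
    parser = LinkCollector()
    parser.feed(html)
    own = _host(site_host)
    found = set()
    for href in parser.hrefs:
        host = urlparse(href).netloc  # empty for relative links, which are internal
        if host and _host(host) != own:
            found.add(href)
    return found


def cloaked_links(html_visitor, html_bot, site_host):
    """Outbound links that only the crawler is shown: the cloaked injection."""
    return sorted(external_links(html_bot, site_host) - external_links(html_visitor, site_host))


def fetch(url, user_agent):
    """Fetch a page with a chosen User-Agent (network call; not used by the sample data)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=20) as resp:
        return resp.read().decode("utf-8", errors="replace")


def check_site(url):
    """Fetch your own page both ways and return links shown only to Googlebot."""
    site_host = urlparse(url).netloc
    return cloaked_links(fetch(url, BROWSER_UA), fetch(url, GOOGLEBOT_UA), site_host)


# Constructed sample: the same page as served to a browser and to a crawler.
SAMPLE_VISITOR = """<html><body>
<p>Dean's post</p>
<a href="/about/">About</a>
<a href="http://www.seoidiot.co.uk/">SEOidiot</a>
<a href="http://deanhunt.com/contact/">Contact</a>
</body></html>"""

# The crawler view carries an extra hidden block injected at the footer.
SAMPLE_BOT = SAMPLE_VISITOR.replace(
    "</body>",
    '<div style="display:none"><a href="http://pills.example/buy">cheap pills</a></div></body>',
)

if __name__ == "__main__":
    print(cloaked_links(SAMPLE_VISITOR, SAMPLE_BOT, "deanhunt.com"))
```

For a live check call `check_site("http://www.yoursite.example/")` on a site you operate; an empty list means both views carry the same outbound links.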

Back to Dean….

So in a nutshell, your WordPress blog may have been hacked, and the usual checks won’t show anything wrong. You may only realise something is wrong once you have been booted out of Google.

I am happy to announce that my Google rankings returned within 4 days of the offending spam being removed, which just shows once more why Google are by far the king of the search world.

So how can you prevent this happening to your WordPress site?

Firstly, and perhaps most importantly, make sure your WordPress is up to date. If you remain with the latest version at all times, you stand a much better chance of never having these issues.

For the more technically minded amongst you, I got some great tips from Matt Cutts, and I hope that, considering the circumstances, Matt won’t mind me posting his tips below:

  1. Secure your /wp-admin/ directory. What I’ve done is lock down /wp-admin/ so that only certain IP addresses can access that directory. I use an .htaccess file, which you can place directly at /wp-admin/.htaccess . This is what mine looks like:

    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "Access Control"
    AuthType Basic
    order deny,allow
    deny from all
    # whitelist home IP address
    allow from 64.233.169.99
    # whitelist work IP address
    allow from 69.147.114.210
    allow from 199.239.136.200
    # IP while in Kentucky; delete when back
    allow from 128.163.2.27

    I’ve changed the IP addresses, but otherwise that’s what I use. This file says that the IP address 64.233.169.99 (and the other IP addresses that I’ve whitelisted) are allowed to access /wp-admin/, but all other IP addresses are denied access. Has this saved me from being hacked before? Yes.

  2. Make an empty wp-content/plugins/index.html file. Otherwise you leak information on which plug-ins you run. If someone wanted to hack your blog, they might be able to do it by discovering that you run an out-of-date plugin on your blog and then they could exploit that.
  3. Subscribe to the WordPress Development blog at http://wordpress.org/development/feed/ . When WordPress patches a security hole or releases a new version, they announce it on that blog. If you see a security patch released, you need to upgrade or apply the patch. You leave yourself open to being hacked if you don’t upgrade.

And here’s a bonus tip: in the header.php file for your theme, you might want to check for a line like

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /> <!-- leave this for stats please -->

I’d just go ahead and delete that line or at least the bloginfo('version'). If you’re running an older version of WordPress, anyone can view source to see what attacks might work against your blog.

Credit to Matt, Reuben and my buddy ShoeMoney. I also got a lot of assistance from David Geere from the awesome EatingBritain. Oh, and David Naylor was incredibly helpful as well. Thanks David.

What’s Next For My WordPress Site’s Security?

Dave and I are looking to do a fresh install of WordPress, and we will also be looking into any plugins that can further assist us.

If you have any advice or tips based on the above, please leave them in the comments box. Also, send this post to any friends who have a WordPress site; I would hate for them to go through the hell that I had to suffer.

A wise man once told me: “what doesn’t kill you only makes you stronger”. Together we can ensure we are all strong enough to avoid this sort of issue in future.

Dean

  • http://www.itep.edu.pe ITEP

    nice !!! hacked by team :O {=

  • http://deanhunt.com/has-your-wordpress-blog-been-hacked/?& Brice

    This is useful, You’re an excessively professional writer. I’ve registered your rss and turn up for looking for more of your good publish. Also, I’ve shared your site within my social networking sites!

  • Oakland Stairlifts

    What I don’t understand is.. why can’t WordPress automatically update? Why do we have to keep paying developers to do the same task on hundreds of thousands of websites? Seems pointless, but perhaps I just don’t understand it enough.

    • joe neck

      if you had an IQ over 60 you would be able to run the updates yourself……

  • Nick the Geek

    wp_footer() is a required hook. Plugins may not call to it directly, but if they are loading script correctly they will be using the hook indirectly. This solution is not smart. It might work in the short term but leaving exploited files only opens yourself to further hacks. Additionally, it will prevent your plugins from working correctly despite claims here to the contrary.

    Please see the code comment in the example on WordPress.org to see that this is required.
    http://codex.wordpress.org/Function_Reference/wp_footer

  • http://twitter.com/RudyOVasquez Rudy Vasquez

    Thank You, I’m currently going through the same thing and links have appeared on my header to parked domains.

    From a marketing stand point, this could be devastating to your business.

    Great to see that Google takes care of their end very well,

    Success and Freedom!

  • Ken

    If you need a professional hand… http://www.wpishacked.com

  • DIGCMS

    This information is really helpful. I found another article which talks about fixing the WordPress hacking issue.

    http://wordpressapi.com/2013/05/22/if-wordpress-site-is-hacked-then-how-to-fix-issue/

  • Jessie

    OMG- My website got hacked last year, and it was such a mess. I had 2 other websites hosted on my same FTP server, and they were all being redirected to some weird website selling pharmaceuticals or something. I worked on it for probably 2 days before I gave in and started looking for professional help. I found a website called eSecurityPros.com and worked with their technicians. They had my sites completely fixed, up and running in a day. The whole thing costs about $200, but definitely worth it. I’d recommend them to anyone.

  • aleka

    Happened to me. Since I’m not very skilled I hired some help from these guys: http://10sides.com/wordpress-security/

    In any case.. it turned out to be a plugin, which was already at the latest version (timthumb). They told me even if I upgraded my wp, the source of the problem would still not be fixed, so they patched the plugin themselves, for me.

    Right now… considering using something other than WordPress. I heard a lot of horror stories.
