The Great Wordpress Attack

Here's a curious thing. You probably wouldn't know it, unless you specifically went looking, but there appears to be a tremendous attack being made on self-hosted Wordpress powered blogs right now.

The curious part is that the news doesn't appear to be making it to many mainstream blogs or tech news sites.

This is potentially very serious to anyone running such a blog (I myself run many Wordpress installations, including this one). Your blog's reputation (especially with search engines) could be severely damaged if your site is hacked the way mine recently was. From the limited number of stories made public so far, it appears that many thousands of sites may already have been compromised.

I was recently the victim of such an attack and the only reason I got to find out about it was when one of my RSS subscribers kindly advised me that the feed was getting thousands of porn links injected into it. I think (hope) that I've now fully recovered and secured my installations against further attack, although I'm still getting significant hits from search engines from people looking for some very unpleasant stuff.

Technorati sent me an email yesterday saying they were going to stop indexing sites that exhibited signs of being hacked in the way my site was. Hopefully that won't now apply to me, as my sites are, as far as I can tell, now clean.

So, how do you know you've been hacked? When I was told about the link injection, I took a look at the source code for the site in question. The site itself looks fine when you view it in a browser, so you need to look deeper. In my case, I found a large amount of extra code at the end of the posts with the "invisible" attribute. So, they wouldn't appear on the page to the human eye, but the search engines were picking them up. In one day, I got over 20,000 hits from Google alone from people searching for stuff that, quite frankly, they should be locked up for. The only way I could get rid of these was to edit the database entry directly for the posts in question.

I dug a little deeper and found that there was a file in the root of my Wordpress installation named "more.php", which was an encrypted file containing thousands of very dodgy links.
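The "look at the source, not the rendered page" check above can be scripted. The following is an added example, not code from the original post: a small Python scanner that parses a page's HTML and separates links sitting inside elements hidden by an inline style (or a `hidden` attribute) from links a visitor would actually see. Which styles count as "hidden" is an assumption about common injection tricks, not a statement about the exact attribute used on this site, and the sample markup is constructed.

```python
from html.parser import HTMLParser

# Tags that never get a closing tag, so they must not be pushed on the stack.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "area", "base",
             "col", "embed", "source", "wbr"}

# Constructed sample page source: a normal post followed by a block that a
# browser will not display but a search-engine crawler will still index.
SAMPLE_HTML = """
<div class="post">
  <p>Normal post text with <a href="https://example.org/about">one link</a>.</p>
</div>
<div style="display:none">
  <a href="http://example.test/x1">spam1</a>
  <a href="http://example.test/x2">spam2</a>
  <a href="http://example.test/x3">spam3</a>
</div>
<span style="visibility: hidden;"><a href="http://example.test/x4">spam4</a></span>
"""


class HiddenLinkScanner(HTMLParser):
    """Collect hrefs, separating links inside hidden elements from visible ones."""

    def __init__(self):
        super().__init__()
        self.stack = []          # one bool per open element: is it (or an ancestor) hidden?
        self.hidden_links = []
        self.visible_links = []

    @staticmethod
    def _hides(attrs):
        # Assumed indicators of hidden content: inline display/visibility
        # rules or the HTML5 `hidden` attribute.
        style = (attrs.get("style") or "").replace(" ", "").lower()
        return ("display:none" in style or "visibility:hidden" in style
                or "hidden" in attrs)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        parent_hidden = self.stack[-1] if self.stack else False
        hidden = parent_hidden or self._hides(attrs)
        if tag == "a" and attrs.get("href"):
            (self.hidden_links if hidden else self.visible_links).append(attrs["href"])
        if tag not in VOID_TAGS:
            self.stack.append(hidden)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()


def scan_for_hidden_links(html, threshold=3):
    """Return hidden/visible hrefs and flag the page if hidden links reach `threshold`."""
    scanner = HiddenLinkScanner()
    scanner.feed(html)
    scanner.close()
    return {
        "hidden": scanner.hidden_links,
        "visible": scanner.visible_links,
        "suspicious": len(scanner.hidden_links) >= threshold,
    }


if __name__ == "__main__":
    report = scan_for_hidden_links(SAMPLE_HTML)
    print(f"{len(report['hidden'])} hidden link(s), {len(report['visible'])} visible")
    for href in report["hidden"]:
        print("  hidden:", href)
```

Run it against the saved source of a post page (or the raw RSS feed) rather than against what the browser renders; a handful of hidden links can be legitimate (skip links, collapsed menus), so treat the threshold as a prompt to look at the database row for that post, not as proof on its own.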

Protect yourself

If you're running a Wordpress installation, I would check the following:
  • UPDATE your installation to the latest version (2.5). Yes, I know everyone should do this all the time. But people forget. I forgot and look what happened to me.
  • Check the source of your own site, looking for anything that shouldn't be there.
  • Fire up your FTP software and check through ALL your directories, including the root, looking for anything that doesn't look right. If need be, download the latest version of Wordpress and compare what's in a new installation to what you've got installed. You'll likely have more than a vanilla install if you've got any plug-ins or modifications, but it'll give you an idea.
  • Once you've upgraded and checked your files, clear out any caches.
  • If your site has been compromised in any way, change all your passwords (Wordpress admin and database).
  • Again, if you have been compromised, it may be worth letting Google know about it to hopefully stop them blacklisting you for all those bad links. You can do so via Google Webmaster Tools.
  • Protect your wp-config.php file. This contains the user name and password to your database. At the very least, set its permissions to 644, but also try and use other methods to protect it. Again, do a Google for the details.
  • Check out the many sites available for securing your installation in general. Do a search for "secure wordpress" and you'll find tons of useful stuff.
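The "compare what's in a new installation to what you've got installed" step is tedious by hand over FTP, so here is an added example (not from the original post) that does it in Python: it hashes every file under an unpacked vanilla Wordpress directory and under a copy of the live install, then reports files that exist only in the install (a stray more.php in the root would show up here), core files whose contents differ, and core files that are missing. The skip list for wp-config.php and wp-content/ is an assumption: those legitimately differ from a vanilla copy and need a manual look instead of a diff. The two directory trees that build_demo creates are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed site-specific paths that are expected to differ from a vanilla
# download: an entry ending in "/" skips a whole directory, otherwise exact match.
EXPECTED_LOCAL = ("wp-config.php", "wp-content/")


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large uploads don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map every file under `root` (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def _skipped(rel, skip):
    return any(rel.startswith(s) if s.endswith("/") else rel == s for s in skip)


def compare_trees(reference_root, install_root, skip=EXPECTED_LOCAL):
    """Diff an install against a vanilla reference; returns added/missing/modified lists."""
    ref = hash_tree(reference_root)
    inst = hash_tree(install_root)
    added = sorted(r for r in inst if r not in ref and not _skipped(r, skip))
    missing = sorted(r for r in ref if r not in inst and not _skipped(r, skip))
    modified = sorted(r for r in ref
                      if r in inst and ref[r] != inst[r] and not _skipped(r, skip))
    return {"added": added, "missing": missing, "modified": modified}


def build_demo():
    """Construct a tiny vanilla tree and a tampered copy (constructed sample data)."""
    base = Path(tempfile.mkdtemp())
    ref, inst = base / "vanilla", base / "site"
    vanilla_files = {
        "index.php": "<?php require 'wp-blog-header.php';\n",
        "wp-includes/version.php": "<?php $wp_version = '2.5';\n",
        "wp-config-sample.php": "<?php // sample config\n",
    }
    site_files = dict(vanilla_files)
    site_files["wp-config.php"] = "<?php define('DB_PASSWORD', 'placeholder');\n"  # expected
    site_files["more.php"] = "<?php // obfuscated payload placeholder\n"             # rogue file
    site_files["index.php"] += "<?php include 'more.php';\n"                          # tampered core file
    for root, files in ((ref, vanilla_files), (inst, site_files)):
        for rel, content in files.items():
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(content)
    return ref, inst


if __name__ == "__main__":
    reference, install = build_demo()
    for kind, paths in compare_trees(reference, install).items():
        print(f"{kind}: {paths}")
```

Point `compare_trees` at the unpacked archive of the same version you are running and at a local copy of the site pulled down over FTP; every "added" or "modified" entry outside your own plug-ins and theme is something to open and read. Plug-ins under wp-content/ are skipped here, so compare those separately against a fresh download of each one.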
I can't stress enough that you need to check at least the things I've mentioned above if you're currently using a self-hosted Wordpress blog.

I love Wordpress and will continue to use it. I can put all of the problems I had down to my own failure to check for and apply updates when they became available. Don't fall into the same trap I did.