Given the increase in recently “hacked” WordPress sites, and the confusion often encountered as to how this could have happened, and how to fix it, I felt this post is in order. For those of you that have a good handle on this stuff, you can quit reading now - this post is for those who don’t.
First, it is important to understand that the very popularity and wide-spread use of WordPress makes it an attractive target for miscreants. If they can find a vulnerability in WordPress, and exploit that vulnerability, the number of potential targets they can attack is orders of magnitude greater than it would be with less widely used software.
Secondly, far too many users install WordPress and go merrily on their way blogging without regularly upgrading their WordPress software installation(s). Even though the DreamHost one-click installer makes upgrading very easy to do, many (most?) users are not diligent about upgrading.
You should view the process of upgrading web applications as an “arms race” between you and the forces of evil. Every time a new, more secure, version of WordPress (or any other popular web application) is released, the bad guys attack it furiously looking for new ways to exploit it. If they are successful, they go right back to destroying sites until the developers can identify how they got in and release new code to mitigate the newly identified vulnerability.
This is the nature of the modern web, and dealing with it is the price you have to “pay to play” and run the applications on the web. While the premise that “there is no such thing as a completely secure web application” is debatable, I find it is a useful assumption to make when deciding how much attention to pay to upgrading popular software, particularly when that software has been exploited.
The end result of all this is that a great many WordPress sites are routinely exploited. When this happens, if you are fortunate, your site’s display will be changed, or it will not work properly and you will know something has happened. However, this is not always the case, because many exploits embed hidden code in your blog that damages your site, destroys your Google indexing, and subjects your blog’s visitors to all kinds of unpleasantness (including redirects to phishing, porn, pharma, gambling sites, and other nefarious stuff), and this is not always readily apparent to you.
You should not just ignore the risk of your site being exploited and optimistically hope that you will not be a victim. Being a good internet citizen requires you make an effort not to subject others to the effects of your hacked site(s).
Once you realize what has happened, the standard response is to upgrade WordPress in hopes of correcting the problem and becoming secure once again. The fact is that all too often the upgraded site is just exploited again, and that’s what this post is all about.
[color=#CC0000]If your WordPress site has been exploited, it is not sufficient to just upgrade your site![/color]
Upgrading your site will, for at least a time, provide you with a copy of the latest and most secure WordPress code. At this time, that is WordPress 2.5.1 and there are (at least for now) no known exploits for that code. It is important to realize that this upgraded code will not necessarily make your site secure again once it has been exploited. There are several possible reasons for this, depending upon how your site was attacked:
Your WordPress database connection credentials may have been (probably were!) compromised. If you do not change your MySQL database user password, your newly upgraded WordPress site can still be open to exploitation. Change at least your database user’s password (I recommend actually changing the user as well!). This is particularly bad if you used the same user/password for your WordPress MySQL database as you did for your FTP or your shell user (if you did this, change everything).
Your WordPress Administrative user (admin, by default) password may have been compromised or additional admin users may have been created.
The vermin that did this to your site (I won’t use the word “hacker” here, though others do) may well have left trojan software, or other corrupted files, in your WordPress directories that will allow them to return and take over your site again.
Your WordPress database itself may have had content, users, comments, etc. added by the trespasser, and updating your WordPress code alone will not repair this damage.
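The four items above (reused database credentials, extra admin users, left-behind files, and injected database content) can each be checked from a shell account. The script below is an added example, not part of the original post or of WordPress itself: it builds a small constructed sample WordPress tree in a temporary directory so it runs offline, then defines one check per item. It assumes the default `wp_` table prefix and that you run the printed SQL yourself against your database with the `mysql` client.

```shell
#!/bin/sh
# Post-compromise audit helpers for a WordPress install (added example).
# Assumes the default wp_ table prefix; the sample tree below is constructed.

# Item 1: does wp-config.php's DB_PASSWORD match another password you use
# (FTP/shell)? Pass the other password as $2; a match means "change everything".
db_password_reused() {
  pw=$(sed -n "s/.*define( *['\"]DB_PASSWORD['\"] *, *['\"]\([^'\"]*\)['\"].*/\1/p" "$1")
  [ -n "$pw" ] && [ "$pw" = "$2" ]
}

# Item 3: PHP files changed in the last $2 days under $1. Core files only
# change when you upgrade, so anything else here deserves a look.
recent_php() {
  find "$1" -type f -name '*.php' -mtime -"$2" | sort
}

# Item 3 again: PHP files using obfuscation primitives common in injected
# backdoors. A hit is not proof, but a plugin you never installed is.
suspicious_php() {
  grep -rlE 'eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(' \
    --include='*.php' "$1" | sort
}

# Items 2 and 4: SQL to list every administrator account and any post or
# comment carrying a script or iframe. Run as: audit_sql | mysql -u USER -p DBNAME
audit_sql() {
  cat <<'EOF'
SELECT u.ID, u.user_login, u.user_email, u.user_registered
  FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
 WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%';
SELECT ID, post_title, post_modified FROM wp_posts
 WHERE post_content LIKE '%<iframe%' OR post_content LIKE '%<script%';
SELECT comment_ID, comment_author, comment_date FROM wp_comments
 WHERE comment_content LIKE '%<iframe%' OR comment_content LIKE '%<script%';
EOF
}

# Constructed sample tree: an old config and index, plus one fresh file in
# uploads/ that a compromised site might contain.
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/wp-content/uploads"
printf '<?php define("DB_PASSWORD", "hunter2");\n' > "$SAMPLE/wp-config.php"
printf '<?php echo "hello";\n' > "$SAMPLE/index.php"
printf '<?php eval(base64_decode("aGVsbG8="));\n' > "$SAMPLE/wp-content/uploads/img.php"
touch -t 200801010000 "$SAMPLE/wp-config.php" "$SAMPLE/index.php"

# Stand-alone run: report each finding for the sample tree.
echo "PHP files modified in the last 2 days:"; recent_php "$SAMPLE" 2
echo "PHP files with obfuscation primitives:"; suspicious_php "$SAMPLE"
db_password_reused "$SAMPLE/wp-config.php" hunter2 && echo "DB password is reused!"
```

Run the file checks against your real install root instead of `$SAMPLE`, and feed `audit_sql` to the `mysql` client with your database name; any administrator you do not recognise, or any post or comment with an injected iframe, is damage that a code upgrade alone will not remove.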
In order to really undo the damage they have done, you need to deal with each of the items just discussed, and this can be less than trivial for many “one-click” WordPress users. This post will not address each of them (it’s too long already!), but this thread might be a good place for discussions of these issues for those who are interested.
I’ll start that discussion off by pointing to a post made about this subject by one of the WordPress developers, which has some very helpful and useful information:
–DreamHost Tech Support