"OMG My WordPress Site is Hacked!"


#1

Given the increase in recently “hacked” WordPress sites, and the confusion often encountered as to how this could have happened, and how to fix it, I felt this post is in order. For those of you that have a good handle on this stuff, you can quit reading now - this post is for those who don’t. :wink:

First, it is important to understand that the very popularity and wide-spread use of WordPress makes it an attractive target for miscreants. If they can find a vulnerability in WordPress, and exploit that vulnerability, the number of potential targets they can attack is orders of magnitude greater than it would be with less widely used software.

Secondly, far too many users install WordPress and go merrily on their way blogging without regularly upgrading their WordPress software installation(s). Even though the DreamHost one-click installer makes upgrading very easy to do, many (most?) users are not diligent about upgrading.

You should view the process of upgrading web applications as an “arms race” between you and the forces of evil. Every time a new, more secure, version of WordPress (or any other popular web application) is released, the bad guys attack it furiously looking for new ways to exploit it. If they are successful, they go right back to destroying sites until the developers can identify how they got in and release new code to mitigate the newly identified vulnerability.

This is the nature of the modern web, and dealing with it is the price you have to “pay to play” and run the applications on the web. While the premise that “there is no such thing as a completely secure web application” is debatable, I find it is a useful assumption to make when deciding how much attention to pay to upgrading popular software, particularly when that software has been exploited.

The end result of all this is that a great many WordPress sites are routinely exploited. When this happens, if you are fortunate, your site’s display will be changed, or it will not work properly and you will know something has happened. However, this is not always the case because many exploits embed hidden code in your blog that damages your site, destroys your Google indexing, and subjects your blog’s visitors to all kinds of unpleasantness (including redirects to phishing, porn, pharma, gambling sites, and other nefarious stuff), and this is not always readily apparent to you.

You should not just ignore the risk of your site being exploited and optimistically hope that you will not be a victim. Being a good internet citizen requires you make an effort not to subject others to the effects of your hacked site(s).

Once you realize what has happened, the standard response is to upgrade WordPress in hopes of correcting the problem and becoming secure once again. The fact is that all too often the upgraded site is just exploited again, and that’s what this post is all about.

If your WordPress site has been exploited, it is not sufficient to just upgrade your site!

Upgrading your site will, for at least a time, provide you with a copy of the latest and most secure WordPress code. At this time, that is WordPress 2.5.1 and there are (at least for now) no known exploits for that code. It is important to realize that this upgraded code will not necessarily make your site secure again once it has been exploited. There are several possible reasons for this, depending upon how your site was attacked:

  1. Your WordPress database connection credentials may have been (probably were!) compromised. If you do not change your MySQL database user password, your newly upgraded WordPress site can still be open to exploitation. Change at least your database user’s password (I recommend actually changing the user as well!). This is particularly bad if you used the same user/password for your WordPress MySQL database as you did for your FTP or your shell user (if you did this, change everything).

  2. Your WordPress Administrative user (admin, by default) password may have been compromised or additional admin users may have been created.

  3. The vermin that did this to your site (I won’t use the word “hacker” here, though others do) may well have left trojan software, or other corrupted files, in your WordPress directories that will allow them to return and take over your site again.

  4. Your WordPress database itself may have had content, users, comments, etc. added by the trespasser, and updating your WordPress code alone will not repair this damage.

In order to really undo the damage they have done, you need to deal with each of the items just discussed, and this can be less than trivial for many “one-click” WordPress users. This post will not address each of them (it’s too long already!), but this thread might be a good place for discussions of these issues for those who are interested.

I’ll start that discussion off by pointing to a post made about this subject by one of the WordPress developers, which has some very helpful and useful information:

http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/

–rlparker
–DreamHost Tech Support


#2

What about a way of securing WP for those of us who can’t quickly update WP? For example, some plug-ins I use are not yet 2.5 compatible. What are some steps to securing WP above and beyond just updating it?


#3

You can also always ask the plug-in author to help upgrade the plug-in, or at least check their websites for the update. There are also other people to help at wordpress.

Robert…good post…I have always found, no matter what program I am using, hacked or not, to always look for extra admin users. I remember the big problem with phpbb in the past and people never quite understood why they kept getting hacked.

movable type needs to be more proactive!


#4

In that situation, you are likely to truly find yourself between a rock and a hard place. The problem is that, while there are some things you can do to improve your security (see below), if you continue to run code that is known to have a vulnerability, and miscreants find your site and can identify that it is vulnerable, you will remain at risk.

There are some things you can do to make it less likely that they can identify your vulnerable version, and things you can do to obfuscate the way your WordPress operates, but unless you patch the code yourself to eliminate the vulnerability, it will still exist.

This type of code patching/refactoring is difficult, and the “patching” is often the major part of an “updated WordPress” release.

It’s hard for all but the most savvy PHP programmers to do a better job of this than the WordPress dev team and, even if you succeed, your patching may actually break the very plugins you rely on (and that kept you from updating in the first place).

All that said, the definitive guide to things that you can do to make your WordPress more secure, including some steps short of upgrading your code, is the excellent article in the WordPress codex on “Hardening WordPress”.

This article discusses the subject very thoroughly and includes links to additional resources.

Upgrading regularly and quickly is still the best overall approach, and practically speaking may be the only viable approach for those with limited programming/system administration skills or those unfamiliar with *nix security concepts.

Even better security can be obtained by applying the concepts in the article to the latest version of WordPress (“hardening” the latest release is what the article is really about, and why it was written). :wink:

–rlparker
–DreamHost Tech Support