WordPress Anti-Hacker

4:00AM. I’ve deleted a line of obfuscated javascript from my client’s website probably 20 times now — once every 10 to 20 minutes. In between I’m staring at lines of information from the raw files, scanning through hundreds of WordPress files, and inspecting database entries to try and find why this line of code keeps coming back. The code is some seriously bad stuff: it creates a small iframe, loads in code from some crazy location (usually China or Russia) that causes the browser to download a .PDF file that’s infected with a trojan. It’s also attempting to set and modify existing cookies to siphon affiliate linking from places like Amazon.com.

It’s taken me hours to track this thing down. I’ve found bits of code in the database, a huge PHP file hidden in the images directory, another bit of code in a template file of an unused theme, and another bit of code inside the active theme’s functions.php file. It’s a freakin’ mess. I’d like to share some of what I’ve learned about how to bust this stuff and maybe even prevent it in the future, but I’m warning you — before we go any further — it’s going to take time.

Recovery!

There are some sites out there that can give you some pointers on telling if you’ve been hacked, but it seems that the big, in-your-face method is getting a browser or search engine warning:

(Image: Firefox's example attack site warning)

I think most people’s reactions fall into two categories: WTF!? and “not again…”

Unless you happen to be a system admin, I think the first step, really, should be to contact your web host provider for a few reasons:

  • They may be able to very quickly pinpoint the vulnerability so you can patch it, or at least point you to the file that is causing issues.
  • If it’s their fault, they can start working on the problem.
  • If it’s going to affect other people, they can take action to mitigate that risk.

Here’s a good example: The recent spate of hacked WordPress blogs was due to an incorrectly configured server at a major hosting company *cough* network solutions… *cough* I suggest opening up an urgent trouble ticket or sending an email to your hosting company that says something like this:

Dear web hosting provider,
My website has been compromised and is now displaying in Firefox|Chrome|Google as a malicious site. I’m currently taking steps to determine the issue and solve the problem. I wanted you to be aware in case the vulnerability is server-side, or the hack could affect other websites on our shared server or database. I am running WordPress 2.9 (and list any other web software you have installed such as osCommerce, etc — there is no need to list plugins or themes).

My website url: http://
My username:

Please let me know of anything you find during your investigation.

After that’s taken care of, here’s what I recommend you do.

  • Make a complete backup of your site, right now. Yes, with the bad code and everything. This includes the database. Whatever hack you got may be able to wipe your entire installation — or your web host might! I use wp-db-backup to back up my database, and FileZilla FTP to back up my files.
  • Download and install the WP-Exploit scanner — it’ll give you a list of files with hinky code inside them that you can then go edit. It will also scan your database for weird code that you can delete.
  • Manually scan through all, yes all, of your wp-uploads folder looking for anything strange. Specifically a .php file floating around in there (other than the very first index.php), or an image or other file that you never uploaded.
  • Download your raw access logs (this is something the server administrator sets up, usually through cPanel) and scan through those. Pay special attention to any POST requests to strange pages, or GET requests with very strange data in the request.
  • If you are using anything less than the current version of WordPress, upgrade now.
  • Cross your fingers and hope the hack doesn’t come back.
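The three manual checks in the list above (stray PHP files in the uploads folder, injected code hiding in theme or plugin files, and odd requests in the raw access log) as a small shell script. This is an added example, not code from the original post: it assumes the standard wp-content/uploads layout and an Apache/cPanel "combined" access log format, and the sample site and log it builds for the --demo run are constructed for illustration, not taken from a real compromise.

```shell
#!/bin/sh
# Added example, not code from the original post. Shell helpers for the
# post's manual triage steps: (1) find PHP files that should not be in
# wp-content/uploads, (2) find files carrying an injected <iframe> or an
# eval()/base64_decode() obfuscation chain, (3) pull the access-log lines
# worth reading first. Paths and the combined log format are assumptions.

# 1. PHP files under the uploads tree. WordPress keeps only an index.php stub
#    at the top of that folder, so anything else deserves a look.
find_php_in_uploads() {
    dir=${1%/}
    find "$dir" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[3-7]' \) \
         ! -path "$dir/index.php"
}

# 2. Files whose text contains the markers seen in the post's injection.
#    First-pass heuristic only: some legitimate plugins use base64_decode and
#    some themes embed iframes, so every hit still needs a human look.
find_suspicious_code() {
    grep -rlI -E '<iframe|eval *\(|base64_decode *\(|gzinflate *\(|str_rot13 *\(' "$1" 2>/dev/null
}

# 3. Access-log lines to read first: POSTs aimed at the uploads tree (nothing
#    legitimate posts to an uploaded file), GETs carrying PHP function names in
#    the query string, and directory-traversal attempts.
flag_log_requests() {
    awk '
        $6 ~ /^"POST/ && $7 ~ /\/wp-content\/uploads\// { print; next }
        $7 ~ /(eval|base64_decode|gzinflate|system|passthru|shell_exec)(%28|\()/ { print; next }
        $7 ~ /\.\.\// { print }
    ' "$1"
}

# Constructed sample site and log so the helpers can be tried safely; none of
# this is real data. $1 = empty directory to build it in.
make_sample_site() {
    site=$1
    mkdir -p "$site/wp-content/uploads/2010/03" "$site/wp-content/themes/old"
    printf 'GIF89a\n' > "$site/wp-content/uploads/2010/03/photo.gif"
    printf '<?php\n// Silence is golden.\n' > "$site/wp-content/uploads/index.php"
    printf '<?php eval(base64_decode("constructed-marker"));\n' > "$site/wp-content/uploads/2010/03/image.php"
    printf '<iframe src="http://example.invalid/" width="1" height="1"></iframe>\n' > "$site/wp-content/themes/old/footer.php"
    printf '%s\n' \
        '1.2.3.4 - - [10/Apr/2010:03:55:01 -0500] "POST /wp-content/uploads/2010/03/image.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"' \
        '5.6.7.8 - - [10/Apr/2010:03:56:10 -0500] "GET /?p=12 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"' \
        '9.9.9.9 - - [10/Apr/2010:03:57:42 -0500] "GET /wp-content/themes/old/footer.php?x=base64_decode%28 HTTP/1.1" 200 77 "-" "-"' \
        > "$site/access.log"
}

# Demo on the constructed data: `sh wp_triage.sh --demo`. For a real site,
# point the three helpers at your own wp-content and access log instead.
if [ "${1:-}" = "--demo" ]; then
    demo_dir=$(mktemp -d)
    make_sample_site "$demo_dir"
    echo "== PHP files in uploads";   find_php_in_uploads "$demo_dir/wp-content/uploads"
    echo "== files with suspicious code"; find_suspicious_code "$demo_dir/wp-content"
    echo "== log lines to read first"; flag_log_requests "$demo_dir/access.log"
    rm -rf "$demo_dir"
fi
```

On the constructed data the demo reports the single image.php under uploads, the two files carrying the eval() and iframe markers, and the two log lines (the POST to the uploaded PHP file and the GET with a PHP function name in its query string) while leaving the ordinary page view alone. Treat every hit as something to open and read, not as proof by itself.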

An apple a day keeps hackers at bay

Once you’ve gotten past all the hack mess — or if you never got there in the first place — here are some ways to keep your WP installation a bit less hacker prone:

The #1 way to prevent your blog from getting screwed with is keeping your WordPress installation updated with the latest version. A lot of the time, the WordPress team will patch zero-day bugs and push out an incremental upgrade. A zero-day bug is a vulnerability that has been known (published) for zero days, so no fix was out ahead of it. As soon as that new version of WP hits, the timer starts ticking: the release tells everyone what was fixed, and sites that haven’t updated are the ones still exposed.

The above bit of advice usually comes with a partner: backups! While they aren’t going to keep you from getting hacked, they can make recovery a lot less painful. At least keep regular backups of your content (database and wp-content folder).

If you haven’t ever seen your wp-config.php file, download it and make sure that your authentication keys are set to something. This is not okay:

define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');

If they look like that, go to the authentication key generator at wordpress.org and get yourself some new ones.
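A quick way to check a wp-config.php for the stock keys shown above, as an added example rather than code from the post. It assumes the four key names given above and a wp-config.php with one define() per line (the normal layout); the wordpress.org generator the post points to is at https://api.wordpress.org/secret-key/1.1/salt/ and also emits the *_SALT keys later versions add, which you can check the same way by passing their names as the second argument.

```shell
#!/bin/sh
# Added example, not code from the original post. Reports each WordPress
# authentication key that still holds the stock 'put your unique phrase here'
# text, is empty, or is missing from the file altogether. Usage:
#     check_wp_keys /path/to/wp-config.php
#     check_wp_keys /path/to/wp-config.php "AUTH_KEY AUTH_SALT NONCE_SALT"
# Exit status 0 means every listed key looks set; 1 means at least one needs a
# fresh value from the wordpress.org generator
# (https://api.wordpress.org/secret-key/1.1/salt/). The default key list is
# the four names from the post; the one-define-per-line layout is assumed.
check_wp_keys() {
    cfg=$1
    keys=${2:-"AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY"}
    bad=0
    for key in $keys; do
        # First define() for this key; single or double quotes both accepted.
        line=$(grep -E "define *\( *['\"]$key['\"]" "$cfg" 2>/dev/null | head -n 1)
        if [ -z "$line" ]; then
            echo "$key: missing"
            bad=1
        elif echo "$line" | grep -q 'put your unique phrase here'; then
            echo "$key: placeholder"
            bad=1
        elif echo "$line" | grep -qE "['\"] *, *['\"]['\"] *\)"; then
            # Second argument is an empty string, e.g. define('AUTH_KEY', '');
            echo "$key: empty"
            bad=1
        else
            echo "$key: set"
        fi
    done
    return $bad
}
```

Run it before and after pasting in the new keys; anything other than "set" on every line means the cookies WordPress issues are being signed with a value anyone can read off the stock sample config.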

Now, if you’re a power user, you’re probably rolling your eyes a bit. Perhaps you should head on over to the codex article on hardening WordPress. Everyone else should probably do a search for “security” in the WordPress Plugins repository. There are a lot of them with a lot of duplicated functionality, so pick a plugin that is easy to use and scans your configuration for weaknesses. Whatever you pick, just remember that the #1 way to keep your site safe is by keeping it updated.
