WordPress Hacking

This site runs on a lovely piece of software called WordPress. It is Open Source (meaning available to anyone for free) and used on millions of websites around the planet. It has a commercial arm as well, so the company is able to employ software programmers to make sure WordPress is stable and secure.

I am also a little, well the only word is paranoid (yes I can tap for that!), about my computer’s security. In 1995 when Larry and I got our first computer, we swapped a disk with a tech who was repairing some other equipment, and that infected our system and effectively shut down our business for three weeks as we struggled to deal with it. We’ve happily spent good amounts of money on anti-virus software since then. I did get infected through an MSN message late last year, and spent some time cleaning up and putting in a couple of layers of anti-Trojan protection.

So imagine my surprise when I went to log in to my WordPress yesterday to add a blog post, and my site came up with a red screen telling me that my site was unsafe!

And I spent the rest of the day and half of the next trying to find out what was going on and sorting it out. And then another six or so hours in between other stuff tidying up, effectively wasting two entire working days. This is devastating when you’re in a two-person startup business, because there’s more work to do than time available.

What I found out was that an old script I’d installed on my server, to try it out, about 12 months ago, had a security vulnerability. WordPress is exceptionally good at communicating with its millions of installs, and when it notified me of the new version a couple of weeks ago, I upgraded immediately. I also upgraded plugins as they became available, and so on. I was confident my WordPress was secure.

But I’d really forgotten about this old script, and hadn’t upgraded it. Somehow it allowed someone into the site, who was able to install some hidden HTML code onto a bunch of my pages – 178 as it turned out. Thanks to a tech at my webhost, I had a starting point. The only way I could get into my site at all was through FTP, so I downloaded my entire site and while I was waiting I went agoogling, starting with the error message. After a lengthy trail I had an action list:

  • Scan the files – NOD32 was doing a scan as the files came down, and picked up a couple of Trojans. I rescanned with another scanner after the download.
  • Search the files for hidden iframe tags
  • Clean them up
  • Check file permissions on every file and folder, ensuring no folders were more than 755 and no files more than 644
  • Clean up or upgrade older scripts
  • Change passwords
  • Reupload
  • Scan the site with online malware scanners
  • Do any further cleanups
  • Install WordPress security – several steps I won’t go into here
  • Install an index.html file into the plugins directory
  • Protect the admin directory
  • Check the FTP access and secure as necessary
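
The “search the files for hidden iframe tags” and “check file permissions” steps, as an added example that is not from the original post: a POSIX shell script that triages a downloaded copy of the site offline. The sample tree it builds (index.html, wp-content/injected.php, the example.invalid URL) is constructed for illustration only.

```shell
#!/bin/sh
# Added example, not the author's own procedure. Works on a local copy of the
# site, such as the FTP download described in the post; nothing here touches
# the live server.

# List files that contain an <iframe> hidden by style or zero-sized, the usual
# shape of an injected frame. Only single-line tags are matched; a tag split
# across lines needs a second pass with a real HTML parser. "|| true" keeps a
# clean tree (no matches, grep exit 1) from aborting a "set -e" script.
find_hidden_iframes() {
    grep -r -I -l -i -E \
        '<iframe[^>]*(display: *none|visibility: *hidden|width="?0[^0-9]|height="?0[^0-9])' \
        "$1" || true
}

# List paths looser than the 644 (files) / 755 (folders) baseline in the
# checklist: a file with group/other write or any execute bit, a directory
# with group/other write. Symbolic "-perm -mode" is POSIX, so this is portable.
find_loose_perms() {
    find "$1" \( \( -type f \( -perm -g+w -o -perm -o+w -o -perm -u+x \
                                -o -perm -g+x -o -perm -o+x \) \) \
             -o \( -type d \( -perm -g+w -o -perm -o+w \) \) \) -print
}

# Constructed sample tree: one clean page, one page carrying an injected hidden
# frame and a world-writable mode, inside a world-writable directory.
make_sample_site() {
    d=$(mktemp -d)
    mkdir "$d/wp-content"
    printf '<p>Welcome to the blog.</p>\n' > "$d/index.html"
    printf '<p>Post</p><iframe src="http://example.invalid/x" style="display:none"></iframe>\n' \
        > "$d/wp-content/injected.php"
    chmod 644 "$d/index.html"
    chmod 666 "$d/wp-content/injected.php"
    chmod 777 "$d/wp-content"
    echo "$d"
}

# Usage: ./triage.sh /path/to/downloaded/site (defaults to the sample tree).
site=${1:-$(make_sample_site)}
echo "== files with hidden iframes =="
find_hidden_iframes "$site"
echo "== paths looser than 644/755 =="
find_loose_perms "$site"
```

Anything the first check reports is a candidate for the “clean them up” step; anything the second reports is a candidate for chmod back to 644 or 755.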

Now I’m a geeky girl, but not a geek girl – the difference is in the level of technical competence (a geek girl is likely an IT professional or very dedicated hobbyist). This is what I did, with help from the Google webmaster forum and the stopbadware.com websites. This may or may not help you at all.

I hope you can take some comfort though from knowing that a geeky girl can get this nonsense sorted, with some time and support.

Now, back to what I was doing before all this started…
