One of our friends' sites that we helped set up on WordPress just got hacked this morning.
It was running WordPress 3.28.
The weird thing is the site gets about 10 visitors a day and has no backlinks.
The hack was one of those fire-and-forget ones. The hacker came from a Google search, targeted a file that he posted the payload to, then prepended every .php file with a base64-encoded PHP script that looked for referrals from search engines.
It always cloaked, so none of the search engine bots would see it.
So in essence, to the owner of the website everything would appear normal unless you came to the site from a search engine. And to the search engine the content would look normal too, so it would continue to rank (until discovered).
So, some friendly reminders to mitigate your risk of being hacked:
- Keep up to date (DUH)
- If at all possible, do not use Apache as a web server. Instead use nginx, which will not execute code like that.
- If you have to use Apache, run mod_security, which will not allow payloads like this to be distributed.
Because this site had such a low amount of traffic, there was not much to detect it. If your site has traffic, though, there are a few things that can show you almost instantly when you have been hacked:
Chartbeat will alert you if there is a sudden influx or drop in your traffic.
Google Analytics will show a drop-off instantly, especially in time on site.
I love WordPress; it's fantastic software. The only issue is that because it's open source, hackers have full access to the code. And when WordPress issues an upgrade they go into detail about where the security issues are… which obviously is a hacker's wet dream.
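Traffic dashboards only help on a busy site; on a quiet one you have to look at the files themselves. The scanner below is an added example (not code from the post) that checks the head of every .php file under a document root for an eval/base64_decode stub and decodes any base64 it finds, flagging payloads that mention HTTP_REFERER or search-engine hostnames, which is exactly the prepended referer-cloaking injection described above. The two-file sample site it builds is constructed for illustration; the "infected" file carries only a base64 marker string, not a working payload.

```python
import base64
import os
import re
import tempfile
from pathlib import Path

# Signatures of a prepended, obfuscated loader at the top of a .php file.
OBFUSCATION_RE = re.compile(
    rb"(eval|assert)\s*\(\s*(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(", re.I)
BASE64_RE = re.compile(rb"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]{40,})['\"]")
# Referer-cloaking indicators looked for inside the decoded payload.
CLOAK_RE = re.compile(rb"HTTP_REFERER|googlebot|google\.|bing\.|yahoo\.", re.I)
HEAD_BYTES = 4096  # the injection in the post sits at the very start of each file

def inspect_php_file(path):
    """Return a dict of findings for the first HEAD_BYTES of one PHP file."""
    head = Path(path).read_bytes()[:HEAD_BYTES]
    finding = {"path": str(path), "obfuscated_eval": False, "referer_cloaking": False}
    if OBFUSCATION_RE.search(head):
        finding["obfuscated_eval"] = True
    for m in BASE64_RE.finditer(head):
        try:
            decoded = base64.b64decode(m.group(1))
        except Exception:
            continue  # not valid base64, skip this literal
        if CLOAK_RE.search(decoded):
            finding["referer_cloaking"] = True
    return finding

def scan_tree(root):
    """Walk a document root and return findings for each .php file that tripped a check."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                f = inspect_php_file(os.path.join(dirpath, name))
                if f["obfuscated_eval"] or f["referer_cloaking"]:
                    hits.append(f)
    return sorted(hits, key=lambda f: f["path"])

def build_sample_site():
    """Constructed sample: one clean file and one file with a prepended base64 marker stub."""
    root = tempfile.mkdtemp(prefix="wp_scan_")
    Path(root, "index.php").write_text("<?php\n// clean file\necho 'hello';\n")
    # Constructed marker, not a working payload: the decoded text only carries the indicators.
    marker = base64.b64encode(b"/* marker: checks HTTP_REFERER for google. */").decode()
    stub = f"<?php eval(base64_decode('{marker}')); ?>"
    Path(root, "wp-config.php").write_text(stub + "<?php\n// original contents follow\n")
    return root

if __name__ == "__main__":
    for hit in scan_tree(build_sample_site()):
        print(hit)
```

Run it against a real document root with `scan_tree("/path/to/htdocs")` and compare the hit list to a known-clean copy of WordPress; a match in wp-config.php or index.php is a strong signal to restore from backup rather than clean in place.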
I'll second that. I deal with clients' sites on a daily basis that have fallen victim to some form of malicious script or another. The whole timthumb deal will likely keep this flow coming for quite some time all by itself.
mod_security is fantastic (once you get the needed exclusions set up properly based on your needs), and for people that don't mind spending a few bucks ($75 for a lifetime license) you can grab ConfigServer Exploit Scanner, which is a killer real-time scanner that monitors all the files on your sites as well as all uploads (done by script or FTP) and actively quarantines the bad files as they are uploaded (so a hacker will think they uploaded successfully, but when they go looking for them they are not there).
While I'm not sure about that WordPress version you list, I see this so frequently on sites with a ton of plugins installed. Even more than switching to nginx (not feasible for many), don't install plugins or themes you don't absolutely need, and make sure you uninstall anything you're not actively using.
There is no version 3.28 of WordPress…
That said, 3.3 came out more than three months ago, so they really had fallen behind. WP updates are kind of a pain to keep up with, but it’s virtually impossible to hack if you keep it up to date.
Actually, I think it might have been tinythumb, as one of the commenters mentioned above.
Unfortunately, this problem will not go away. Matt’s company Automattic even stands to gain from hackers preying on WordPress websites, since wordpress.com and vaultpress.com are products of theirs that promote security as a feature.
If a hacker really wants a website they will get it. But like Jeremy said, just update your WP as soon as it comes out.
Sumbitches got me too. Same, almost identical thing. Except they nailed every WordPress site on one of my servers and half on the other one. I've struggled to find a consistency between them and found very little other than they were all WP 2.8 and above.
Staying up to date didn’t work either, as fully half of those sites were WP 3.3.1 (the latest as far as I know).
I also buttoned down security and went retarded on cutting off access for at least a week…
…during which those f*ckers came back and hit me again. I have NO answers.
But it’s good to read you again Shoey, I haven’t checked this blog out in about 3 years. Keep rockin’ mate.
Seems like I'm not the only one having this issue… all my WP sites are injected with these scripts and got blacklisted by Google.
Seems like they have put some backdoors in as well.
Any good alternative to fix it?
Security can't be perfect. Real hackers break into government websites that pay millions of dollars for sites and contract firms like Oracle or BitDefender to ensure that the security is right. You can't predict what every bit of data will do.
The problem is automated scripts that let anyone inject things into a WordPress installation. Since the plugins are created by regular people, they do not have time to update so often.