There have been a number of reports about a WordPress hack affecting self-hosted WordPress blogs. The hack seems to affect WordPress 2.9.2, the latest version of the blogging platform.
The attack starts an infection chain that leads to various malware, including a rogue antivirus, which we have written many articles about here.
Facts about the recent hack
- Several WordPress blogs running the latest official version have been successfully compromised.
- Attackers either manipulate the blog to spread malware (more recently) or to cloak links that are only visible to search engines.
- It is currently not clear how the attacks are carried out.
- Some pointers are given on how to disinfect a blog.
WordPress webmasters should check their blogs immediately to make sure that they have not been compromised. A WordPress plugin like Antivirus might also help in preventing a successful attack.
How to protect your self-hosted WordPress blog
You can download the Antivirus plugin here.
AntiVirus for WordPress is a smart and effective solution to protect your blog against exploits and spam injections.
Features
- WordPress 2.9.x ready
- Detect the current WordPress permalink back door
- Quick & Dirty: activate, check, done!
- Manual testing with immediate result of the infected files
- Daily automatic check with email notification
- Whitelist: Mark the suspicion as “No virus”
- English, German, Italian, Persian
In addition to the Antivirus plugin, you should also install the Login Lockdown plugin here.
Login LockDown records the IP address and time stamp of every failed log in attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the log in function is disabled for all requests from that range.
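The lockout behaviour described above, modelled as an added example; this is not Login LockDown's own code. The thresholds, the /24 definition of an "IP range" and the sample events are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque

# Assumed values: the description only says "a certain number" and "a short period".
MAX_FAILURES = 3        # lock when MORE than this many failures are seen
WINDOW_SECONDS = 300    # sliding window in which failures are counted
LOCKOUT_SECONDS = 3600  # how long the range stays locked
RANGE_PREFIX = 24       # assumption: an "IP range" is an IPv4 /24

def ip_range(ip):
    return str(ipaddress.ip_network(f"{ip}/{RANGE_PREFIX}", strict=False))

class LoginThrottle:
    def __init__(self):
        self.failures = defaultdict(deque)  # range -> recent failure timestamps
        self.locked_until = {}              # range -> time the lockout ends

    def is_locked(self, ip, now):
        return self.locked_until.get(ip_range(ip), 0) > now

    def record_failure(self, ip, now):
        recent = self.failures[ip_range(ip)]
        recent.append(now)
        while recent and recent[0] <= now - WINDOW_SECONDS:  # expire old failures
            recent.popleft()
        if len(recent) > MAX_FAILURES:
            self.locked_until[ip_range(ip)] = now + LOCKOUT_SECONDS

def replay(events):
    """Replay (timestamp, ip, password_ok) tuples; return one decision per event."""
    throttle, decisions = LoginThrottle(), []
    for ts, ip, password_ok in events:
        if throttle.is_locked(ip, ts):
            decisions.append("blocked")  # login disabled for the whole range
            continue
        if not password_ok:
            throttle.record_failure(ip, ts)
        decisions.append("allowed" if password_ok else "failed")
    return decisions

# Constructed sample events (documentation address ranges, not real traffic).
SAMPLE_EVENTS = [
    (0, "203.0.113.10", False), (20, "203.0.113.11", False),
    (40, "203.0.113.12", False), (60, "198.51.100.7", False),
    (80, "203.0.113.13", False),    # 4th failure from 203.0.113.0/24: lock
    (100, "203.0.113.200", True),   # correct password, but the range is locked
    (120, "198.51.100.7", True),    # the other range is unaffected
    (3700, "203.0.113.200", True),  # lockout (80 + 3600) has expired
]
```

In `replay(SAMPLE_EVENTS)` the sixth event is refused even though the password is correct: a range-wide lockout also affects legitimate users who share that range.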
Thanks Frank, I installed the recommended plugins.
Jonathan,
Good job!
Already using login lockdown, but also installed the antivirus. Thank you so much!
Andrew,
Way to go!
Thanks Frank! Working on getting all this in place!
Susie,
It’s easy to do and it’s good for you and your self hosted blog. :)
WordPress said that it was Network Solutions' fault for not preventing users sharing the same server from accessing the other users' content.
Brad,
The source was NetSol, but that doesn’t mean hackers won’t try to compromise other WP 2.9.X blogs. I have seen this too many times. It is better to be safe than sorry.
I have had Login Lockdown installed from the second week I had my blog. Time to get the Antivirus plugin. Thanks for the tips!
Brian,
I am glad to help!
Thanks for sharing this information, I’m going to check my 2 WP blogs with Antivirus plugin.
You may want to check your web site as it is marked as suspicious by mywot.com.
It’s under attack like seriously? The only attack I am getting is the thousands of spam comments. Thank goodness for moderation.
Tini,
A friend of mine just got attacked yesterday, so yes, there are WP Blogs being compromised.
Getting my site hacked is one of my biggest fears. Didn’t even think about looking for a WordPress anti-virus plugin! Cheers mate.
You are welcome and I am glad I could help.
Thank you for the information and for mentioning the quick solution to it. Apart from Antivirus and Login Lockdown plugins, you might want to consider changing permissions for various important folders and files in your WordPress installation.
I have done a post on changing the permissions of some important WordPress folders, which might help: Secure WordPress blog in 5 minutes
Jal,
Thank you for sharing the folder permissions.
Thanks so much Frank! And – this is a good time for me to get rid of the WordPress installations in the sites I started and abandoned last year. :)
Christie,
How are you? I am glad to make others aware and hopefully everyone will be careful and install the plug-ins I recommended.
Doing fine, thanks! Work’s been busy, so I don’t get to make the rounds of blogs as often as I like. :)
How interesting. I didn’t upgrade to 2.9.2 because it wasn’t an upgrade for an exploit, and now I’m glad I decided against it.
Mitch,
Older versions are suspect and I would recommend you get the latest version.
My WordPress blog was hacked just a few days ago (4th April). I wish I had installed the antivirus before my blog got hacked.
Anyway, I am installing it right now to prevent any future attacks. Thanks
Raj,
Sorry to hear about your attack and hopefully you back up your WP daily and save the last 10 back ups.
Thanks Frank for the advice and the plugins. I’ll try those.
I just got one of those attacks on a blog a few days ago: massive injection of malicious JavaScript code in almost all the standard WordPress .js files. The threat is real!
I’m still searching for the entry point of this attack, and I have two leads: a virus on the PC which could have used my FTP client, or weak file system security from my hosting provider (as Matt wrote about: http://wordpress.org/development/2010/04/file-permissions/).
I have cleaned up the site, and posted an article (in French :-)) about it. http://fanta78.lasnespace.com/2010/wordpress-attaque-mon-blog/
Fanta,
Thank you for sharing. I would also recommend that you back up your WP daily. You should also keep at least the last 10 days so you can go back to the last working back up in the event you may have been unaware when the malicious attack took place.
You are right about the daily backup.
For those I use a plug-in named Automatic WordPress Backup (http://www.webdesigncompany.net/automatic-wordpress-backup/) which stores the files on Amazon S3. I recommend it!
I have implemented this on many of the sites, but one in particular Trade Show Improvement dot com continues to state danger in several places. If someone doesn’t know php all that well, what are their options?
Scan shows – there is no virus but has several lines that say see line..such and such
<?php require(WEBTREATS_INCLUDES . "/sitemap-content.php");
Any thoughts?