Follow-Up To The WordPress Exploit and Tips to Protect Your Blog
This weekend CN’s WordPress core was exploited and spammy hidden links were added to the footer. We’ve had this happen several times since moving to WordPress back in April. I’d like to share the details of what I’ve learned since the attack happened, along with some links and tips on how to make sure you don’t fall victim to the same issue we did.
It appears that a person logged into the CN admin panel and manually edited the footer file to add all the link goodness. The only reason I caught the links so quickly (24 hours later) is that I have been manually viewing the source of all of the CN blogs every day or two since the exploits began. I cleaned out the links immediately, but they had already made their way into Google.
Hats off to Rackspace for calling me at 11pm on a Friday night to try to help with the cleanup and also start an investigation into what happened. I pay Rackspace full price currently for my sites and it’s awesome that Rackspace has helped considering how small my sites and bill are in the grand scheme of their overall customer base. Over the weekend I spoke with several “Rackers” about the issue and finally they figured out what they believe happened.
I don’t want to publicly share all of the edits I’ve made to try to make sure someone can’t deface CN again but if you want more details, send me an email. I am not really sure why there aren’t more settings while installing and/or upgrading WordPress to help prevent more of these attacks. For example, why not allow an admin to completely disable the theme editor? I’ve never used it as I edit my themes locally and then upload them.
Here are a few posts that are worth checking out related to WordPress security:
- Tips to protect a WordPress blog by Googler Matt Cutts – Matt explains how to lock down the wp-admin folder to make sure only you can access it. This is another option that should be an administrator setting during install/upgrade.
- How to check if you have any backdoors that the exploiters can use to get into your blog – Otto
- Ten tips to make your WordPress blog hack-proof – BlogCritics
It’s been a long time since I was a server admin, but locking down your theme files might be one of the best options. While it will take a moment longer to unlock the files when you want to make changes to your theme, it also means that the files can’t be edited via the WordPress theme editor.
Lastly, if you run a WordPress blog, take a minute right now and verify that your blog hasn’t been exploited.
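The verification step above, worked through as an added example (not code from the original post or its commenters): a small POSIX shell audit that lists PHP files under wp-content/uploads (the upload route raised in the comments below) and flags hidden links in theme files. It assumes the stock WordPress directory layout and builds its own constructed fixture so it can be tried offline.

```shell
#!/bin/sh
# Added example, not code from the original post or its commenters. Two checks
# for the compromise described on this page: a PHP file dropped into
# wp-content/uploads and hidden spam links written into a theme footer.
# Paths follow the stock WordPress layout; the document root is passed as $1.

# List PHP-like files under the uploads directory. Legitimate media uploads
# are images and documents, so anything executable here needs a look.
php_in_uploads() {
  find "$1/wp-content/uploads" -type f \
    \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) 2>/dev/null | sort
}

# Print theme-file lines (file:line:text) that carry an <a href> together
# with a CSS trick commonly used to hide injected links.
hidden_links_in_themes() {
  grep -rEin '<a[^>]+href' "$1/wp-content/themes" 2>/dev/null \
    | grep -Ei 'display: *none|visibility: *hidden|text-indent: *-[0-9]|font-size: *0'
}

# Build a constructed fixture so the checks can be exercised offline.
# The .php file is a placeholder with no payload; the spam link is made up.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads/2008/03" "$root/wp-content/themes/demo"
  printf '<?php // constructed placeholder, no payload\n' \
    > "$root/wp-content/uploads/2008/03/constructed-sample.php"
  printf 'GIF89a\n' > "$root/wp-content/uploads/2008/03/photo.gif"
  cat > "$root/wp-content/themes/demo/footer.php" <<'EOF'
<div id="footer">&copy; Example Blog</div>
<div style="display:none"><a href="http://spam.example/">constructed link</a></div>
</body></html>
EOF
  echo "$root"
}

# Run both checks against a document root; returns 1 if anything was found,
# so it can be wired into a daily cron job instead of a manual view-source.
audit_wp_root() {
  found=0
  if [ -n "$(php_in_uploads "$1")" ]; then
    echo "PHP files in uploads:"; php_in_uploads "$1"; found=1
  fi
  if [ -n "$(hidden_links_in_themes "$1")" ]; then
    echo "Hidden links in theme files:"; hidden_links_in_themes "$1"; found=1
  fi
  return $found
}
```

Point `audit_wp_root` at a real document root (for example `audit_wp_root /var/www/html`) to run the same checks against a live install.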




Just a note: Locking down your theme files won’t help you. Not really. If somebody gets access to your site as an admin, then you’re already pwned. Admins can execute arbitrary code, even with the theme “locked”.
Example: Say I’m an admin on your site, and you have it fully locked down. How do I hack you?
Answer: I go to the Media section, and upload a file. That file contains PHP code. I then access that code via a direct request to it at example.com/wp-content/uploads/whatever.php. Voila, I have written PHP code to your site and run it in the server context. The theme editor lets you do nothing more than that, really. And my PHP code can do more or less anything, including unlocking your theme and inserting spam links, etc., etc.
It’s not any more complicated to script this process, and I have indeed seen it done this way a lot. So making the theme read-only, while it makes sense from a certain perspective, doesn’t actually protect you from an attack that happens via the WP administration screens. If they have access to the theme editor, then they have admin rights already and don’t need it.
On the other hand, making files read-only will indeed protect against a direct attack from other users on a shared hosting environment. But that attack vector doesn’t involve WordPress at all.
Damn, Otto, you are good :)
I don’t use the media uploads either – maybe I need to delete those files – I store everything on S3.
If the uploads folder is not writable, then the media uploads won’t work.
So that would prevent what you suggested, right?
Thanks for following up on the exploit — all sound advice for WP. Hadn’t seen Otto’s tutorial yet.
So how were the links hidden in your footer CSS-wise? And what kind of link “goodness” did they leave for you? :)