It Happens
Sensational title? You hear about it on other blogs, it happens to government sites, It happens to Al Gore and to Bill O’Reilly… But you never dream it will happen to you. I recently found out that my WordPress site had been hacked into by a dirty, stinking, filthy spammer. It wasn’t even flattering, since I was not specifically targeted in the hack, but only one of hundreds more that were used by a script made to crawl and automatically find vulnerable sites and exploit them. The hacker didn’t even have to exert any effort. This was truly insulting.
Traffic and rankings drop off the map
It all started when I logged into my Google Analytics to check on my stats. I wanted to see if I had broken another traffic record, instead I found that my search engine traffic had dropped by about 80%. I frantically checked Google for a keyword I know I rank for, and found that I was completely absent from the results. I checked another term, and I was nowhere to be found. I had been dropped from the search results.
Since I had no idea why, I started to think that I might have built links too fast, or that maybe I had been sandboxed or something due to climbing too high too quickly. There was nothing I did that could have fallen outside of Google’s guidelines. I was stumped until I searched and found that there was a possibility that I was hacked and might have hidden links on my site. I checked my source code on a few pages and didn’t see anything fishy. After scouring for more information online I ran across an obscure post describing the exact problem I was having.
They will take advantage of you
Since I hosted my sites on an inexpensive shared server, it is possible that my site was sharing the same server with many other websites. Hackers with malicious intent can scan for vulnerable sites, and break into the site using SQL Injections and/or other methods. They don’t do it for sport, they do it to ad hundreds of outbound links from your site to another for SEO reasons. They hope to make a quick buck by inflating their rankings overnight. My hacker was placing hundreds of links to a .edu website that had a vulnerability they exploited causing it to redirect back the their Canadian pharmacy site. It was a double-layered scheme that helped them protect their site from being de-indexed by putting the heat on the school website. I’m still confused, but here is the bottom line: If you use open source platforms… secure your site!
Securing WordPress
There are a few steps you can take to help minimize the chance of attack by “security through obscurity”.
- Upgrade! Keep your WordPress install up to date at all times. Apply any patches released by the WordPress development team ASAP when they are released. They often will seal up any security holes that may have been found.
- Use a dedicated server: The cheap hosts like Dreamhost and Bluehost (and many more) use shared server environments. This allows hackers to sign up for cheap accounts and get access to a sever box that could be hosting a lot of vulnerable sites. Even more expensive cloud hosts like Mosso or MediaTemple share servers, but the high price of an account increases the barrier to entry purely for malicious intent, so it’s less likely. A dedicated server is the best way to go. (Not to mention the fact that your site loads a lot faster, so your visitors and Google bots will like that). If you don’t want to drop that kind of money, skip this step.
- Remove “WordPress” and “version” references where possible in your theme. Any mention of “Powered by WordPress” should be removed from the footer. If your theme includes a “generator” meta reference in the header, remove it. This allows for easy scanning by a hacker by letting them know that: A: You are running WordPress. B: What version you are running. This is a beacon for them that can be easily turned off without any issues.
- Remove any unused plugins, they can have holes you may not know about. It’s best to delete them from your wp-plugins folder if they are doing nothing. While you are in the plugins folder, add a blank page title “index.html” or “index.php” this will prevent others from being able to see what plugins you have installed simply by going to “www.yoursite.com/wp-content/plugins”.
- Try to limit access to your wp-admin directory using a .htaccess file. Lock down the directory so that only certain IP addresses (your own) can access it. Use the method described here. Or try this plugin. (I have not tried the plugin personally)
- Re-name your “admin” default user to something else. For details, look here.
- Back up your site! This will not prevent an attack of course, but you can recover quicker if you are messed with, and you can refer back to the original file to see if anything fishy was added. It’s hard to see funky changes in your database if you don’t have a reference point. Make sure to back up your entire directory by dragging your wordpress install onto your local machine, and then back up your MySQL database.
- This is only the beginning: Check out this post for more. It seems like a headache, and it really is.
You may not know until it is too late
The fact that I had been hacked had gone undetected for so long due to the fact that it was virtually invisible, even in my source code. The added code was only showing the filthy links it added if the browser was determined to be the Googlebot. One way I found the links was to impersonate the Googlebot with Firefox. Another way to see if you were hacked is by typing “site:https://www.yoursite.com buy” without the quotes of course. The “buy” added on the end was meant to catch the most common word the hackers would use in a dirty link. You can replace it with other common spammy words if you would like. Try this out, and if you see what I saw, you may start to cry.
The steps I mentioned above are only a few ways to begin your security measures.. there are many more. If you have been hacked, I encourage you to find out what was done and clean it up.
Proactivity is important
If you run wordpress or other open source CMS’s, you need to take the steps to make sure you are upgraded and secure. Risking a plugin conflict is not as important as ensuring you are not dropped from Google. After I cleaned out my site by removing the added lines of code from my theme, removing the added user from the database, and removed the new hidden plugins that were added, I was able to request a reconsideration from Google. I didn’t get an actual response, but I think they got the message because my site seems to be ranking better again.
Follow the rabbit holes below to learn more:
TechCrunch: WordPress Security Issues Lead to Mass Hacking
Matthew Rathbun
October 26, 2008 at 3:41 pm
Carson,
Thanks for this post. I’ve just been totally abused by spammers over the past two weeks and have gone down one PR. I’ve spent the weekend, updating plugins, and removing those I don’t use.
Why these idiots feel that attacking other people’s blogs is “impressive” or adds value to their lives, I’ll never understand. I can only hope that they spend eternity in hell, having to read and delete their own spam e-mails and nothing else, for the rest of their miserable existence! What a bunch of losers!
Stephanie Edwards-Musa
October 26, 2008 at 4:16 pm
Hey Carson, the number of visits to my site has dropped quite a bit in the past few weeks, but I have not figured out why. Since it is so specific to certain information, it could just be a decline in interest right now….who knows.
I’ll try your tips. Thanks a lot. 🙂
PS- It was nice finally meeting you the other day. We need to get together again soon and roll some ideas.
Carson
October 26, 2008 at 4:42 pm
Stephanie – I did a site check for turninghoustongreen.com and I didn’t really see any spammy stuff. The stats drop I saw was huge, and it happened overnight. If you ever see a huge drop because of this, you will know.
Matthew – I think the hackers main goal is to plant outbound links to their sites… Maybe the 9th circle is just an eternal flow of bogus spam wordpress comment approval emails that never end… if that is the case I might already be there.
Nat
October 26, 2008 at 6:52 pm
I’m just a newbie in doing my own blog on wordpress. In fact, I’ve been fighting so hard to get started, I haven’t gotten started. However, I did get suckered into paying for 2yrs up front for bluehost. I’ll have it up and running soon enough, and I’m bookmarking this to come back to. I’m sorry you went through what you did, but thankful you took the time to create this how to for the rest of us.
Carson
October 26, 2008 at 8:21 pm
Nat – I didn’t really mean to demonize all shared servers, sometimes it is just not financially feasible to get a dedicated server. There are alternatives such as a virtual private server that can add a level of security that is less costly. Keeping your install upgraded is the most important step, and when combined with the other measures you can take to secure wordpress, can increase the security against hacks. A firewalled private dedicated server is just an added layer that can protect against a third party trying to break in. I don’t want to scare anyone too much.
Jay McGillicuddy
October 26, 2008 at 9:13 pm
Hi Carson, we were hacked about a year ago and it was a mess. Thanks for the tips I will implement a few of the tips here and I do use a few also.
I agree with Matt we have been spammed like crazy this past month. I don’t understand the reasoning either.
James Stein
October 26, 2008 at 9:39 pm
Great post … Problem is just making backups and updating will not stop the hackers..
While WordPress does what they can to offer updates that will allow the owner of a hacked WordPress Blog to start to put things back together, if you had a security and safety net that would keep you ahead of hackers, your risk of loss and damage would be eliminated.
WordPress Secured Slams The Door On WordPress Blog Hackers
WordPress Secured is the only solution that will help protect you ..
James
Ben Goheen
October 26, 2008 at 11:58 pm
Great post Carson – I didn’t know about some of these security issues. I’ve already implemented a few fixes and will work on more this week.
Just my 2 cents for an excellent web hosting company, check out Media Layer. Their uptime and support are far superior to the cheapo companies, yet the price isn’t outrageous.
Elaine Reese
October 27, 2008 at 7:05 am
I use WP.com … the free version. Does that lessen the opportunity for hackers? I’m assuming your post is referring to the WP.org version where users must decide on a company to host the blog. I also use Akismet and have all comments held until I approve them unless I’ve approved the person previously. Does that help?
Akismet catches a lot of spammers that try to put up their links on my pages. I just delete.
Jim Gatos
October 27, 2008 at 7:09 am
A hacker or spammer infiltrated my shared server Self Hosted WordPress Blog (HostGator) and I didn’t even know until I saw my site was labeled a “phishing” site by many places, including McAfee. I went with Typepad and all my headaches went away..
James Stein
October 27, 2008 at 8:33 am
No the only thing that will stop the hackers is if you modify how wordpress itself functions. I have a full detailed step by step system that will show you with screenshots exactly how to secure your wordpress blog. Nothing else on the market can help you .. I am a website developer of over 15 years so I fully understand and now how scripts work.
See the link on my name…
James
Carson
October 27, 2008 at 8:49 am
James – Ever heard of the “soft sell” approach? Who am I kidding, you didn’t actually read the post.
Carson
October 27, 2008 at 9:10 am
You know what, no.
James’ comments are a perfect example of how not to market yourself on a blog. First of all, the original comment he left ignored all steps but #1 and #7. So you ignored pieces of the post to serve his own point. Second, he speaks in absolutes: Nothing else but HIS solution and product can help you. Third: He uses marketese in his comment: “Slams the Door on WordPress Hackers”. Fourth: He did not add anything to the conversation… just a harsh claim attempting to de-value the solution originally offered and sell his own. Fifth: He uses one of those “sales” pages that scream out “scam” to sell his product. Sixth: He did not know his audience. The title of this blog is AgentGenius, Not AgentDumbass. I’m sure everyone knows that but I wanted to deconstruct the method and make it offer some value here.
James – If your product solves the problem let us know how it works. Many readers here would be very interested in a single miracle step that would solve security issues, so you have the right audience. Don’t squander a good opportunity to sell it.
James Stein
October 27, 2008 at 9:31 am
I did not ignore them at all .. The fact that backing up and updating will not keep you safe should mean something.. This is a serious problem that has cost business income, traffic, revenue and more…
1. Rename your admin username, ok fine that does not stop hackers from accessing the admin
2. Using a dedicated server has NOTHING to do with it, even dedicated and unsecured can still be hacked.
3. Keeping up to date means nothing, the hackers also have access to these updates and remember the code is not encrypted.
4. Limit access to your admin by IP .. Any hacker can fake your IP and the fact that most have changing IP’s this means nothing.. What you going to do block yourself from your own admin ?
5. WordPress version means nothing, it still has the same coding style as older wordpress.
6. remove unused plug-ins .. I agree
7. backup.. I agree but this should be done with any site not just wordpress
I fully read the post, fact still remains unless you take action yourself and changethe functionality of wordpress you will never ever stop the hacks. The hackers know exactly how wordpress is coded.. Unless you change how it functions, then they have no idea how to hack it as they will not have any knowledge of what you changed.
James
James Stein
October 27, 2008 at 9:38 am
From customers.. since you asked.. Just a few testimonials…
———————–
Thanks James, just what I was looking for.
I had one of my blogs hacked a couple of weeks ago. Luckily, it was one that I hadn’t spent a lot of time on so I just deleted and started it over.
It is a small price to pay to protect your business.
Again, thanks.
Lewis
——————-
Ok well I just purchased WordPressSecured and I have to say it is detailed. I have been using WordPress for years and have read and implemented the majority of the security tips out there.
But, I have never seen anything like this. I can see that I have some work ahead of me this week updating my blogs.
James I have to say thanks for a great product that delivers what it promises.
——————
I have to say, I’ve benefited James’ tips on this thread pasted right below were immensely beneficial in helping me secure my WordPress:
My wordpress blog hacked – again!
Several of my WordPress sites were hacked (as well as non-WordPress scripts, a directory script, and membership scripts I paid for). Some of the hacks were truly scary like one that used one of my sites as a launch pad to send out fraudulent Bank of America emails to extract innocent victims’ financial information. Crap like that could land the wrong person in jail!
The most common hacks were ones based out of Turkey, who took their grievances and disputes out online on such sites as one I set up to help pets in shelters get adopted. They’d deface my sites with images of soldiers, curses against Israel and Norway (what homeless dogs and ferrets have to do with these hackers’ grievances is beyond my understanding)
Anyway, after implementing James’ suggestions to secure WordPress, hackers were no longer able to penetrate my WordPress sites, though my server did report that hackers were still targeting them, sometimes slowing my sites down.
WordPress Secure would definitely be a wise investement. I say this, having already benefited from James’ /The RichJerksNet expertise in this area, without having it yet. Getting it all in one resource would be very nice.
AskApache
November 5, 2008 at 11:39 pm
Nice post Carson,
happened to find it from a trackback I received and just now got to it in the moderation stack. (cant find the link?).
The AskApache Password Protection plugin tries to automate the task of securing your blog (not just wp-admin) by using .htaccess to configure your site. You can always download the plugin at WP, but if you are interested in the actual explanations of what the code does, check this post out, it shows the code.
I’ve been working on the new version for a month, so stay tuned.
The most important tips (in my experience) for keeping your blog secure that you mention above are ( 1, 4, 2, 5 )..
If you keep WP upgraded you are safe, but keep in mind that almost all the exploits that are used to crack a WP blog are actually exploiting vulnerable PLUGINS and THEMES.
So if you only use vetted plugins and a custom theme (delete everything else/unused) then you should be good.. Also, you mentioned using a dedicated host, and that is probably the best way to limit the potential fallout from a cracked blog from spilling over to all your other online stuff. Nice blog!
AskApache
November 6, 2008 at 12:15 am
Oh and BTW, without flaming your blog.. James doesn’t have a clue what he’s talking about.
Clearly lacks any knowledge/experience of auditing code to find a vulnerability, then creating a custom exploit for that vulnerability, creating an agent to carry the exploit payload across Internet Protocols recognized by the target (blog on HTTP), and finally delivering and executing the payload.
It’s quite nearly impossible to “fake” an IP address, read anything about IP protocols and Kevin Mitnick to get a clue.
Updating your WP is the single best thing you can do… because exploits are custom built to exploit vulnerabilities in OLD versions. Once an exploit is made public, through honeypots, active logging, etc.. WP releases an update. See “Open Source” for basic background on how this works.
No offense James, you’ve put some effort and thought into your suggestions but without understanding what an exploit is and how a server/web app/system operates you’ll just be wasting your time.
I’d liken your ideas to this scenario.. A user spends a lot of time creating a custom password-login-prompt that is loaded every time a user wants to login to the admin panel.
Seems secure..
[ request admin ] => [ password prompt ]
But thats completely misleading. Here’s how the request really travels.
[ request admin ] ==> [ protocol setup OS-dependent ] ==> [ server finds requested file ] ==> [ server determines how to “handle” file (php) ] ==> [ server executes php binary or module ] ==> [ php opens file according to php config ] ==> [ requested file parsed by php ] ==> [ php includes wp-config.php to access database ] ==> [ php sends output/headers on tcp/ip connection established by server app ] ==> [ finally your password-protection is loaded and executed ]
Now that is entirely over-simplified, and you can see that there are around 15 different points in-between when the request is sent to the server and when the password-protection actually starts. All it would take is modifying file permissions, changing wp-config.php info, modifying how the server “handles” php, executing a OS-level/Server-level/Protocol-level/Application-level exploit and all that so-called “security” is completely circumvented.
James Stein
November 6, 2008 at 8:31 am
I fully understand what I talk about I have been developing websites for over 15 years and I have been online for over 23 years.
Well over 100 customers are very happy that they purchased my WP Secured solution..
Fact is updating means nothing, the code is not encrypted and hackers have access to the code just like you do..
If you change how wordpress functions then it is very obvious that hackers can not hack it as they will have no idea what changes you made.
The past five years has seen the popularity of blogs grow in their use and as a means of making money. That’s the meat that computer hackers look to sink their teeth into. A recent report by the Congressional Research Service stated that the financial impact of computer hackers amounts to $226 billion annually. Another report calculated that hackers could be taking up to six cents of every Internet dollar of revenue.
Hackers recently discovered that WordPress Blogs featured an easy path for them to cause their trouble. Many WordPress Blog owners have had their blogs hijacked in a variety of ways. They’ve found ads on their WordPress Blogs that they didn’t place there. Others have discovered that when someone clicks a search engine link to be taken to their WordPress Blog they’re instead taken to a totally different page full of ads that are often obscene and featuring computer viruses.
Think about it ….
James
Ben Goheen
November 6, 2008 at 8:35 am
@James Stein – you’ve been online since 1985?
James Stein
November 6, 2008 at 8:45 am
Actually it was 1984 if you want to get technical.. I was online before domain names and browsers even existed.
Unlike what most think.. The internet was not just created in 1995 or so .. The internet has existed since the early 60’s, it just was not in the general public then..
Even AOL has a copyright of 1986 and eWorld (Macintosh online service) was there before AOL and as a matter fact AOL bought it out in I think it was 1994.
James
SQL Tutorials
April 30, 2009 at 9:03 pm
Does anyone know if there is another language or set of commands beside SQL for talking with databases?
I’m working on a project and am doing some research thanks
Lani Rosales
April 30, 2009 at 9:49 pm
webmaster_ref said on Twitter: “In Perl there are other database structures that don’t require any SQL, the only caveat is they don’t work for big amounts of data.” Hope this helps!
Braxton Beyer
April 30, 2009 at 10:37 pm
@SQL Tutorials: you could try something like Amazon’s simpleDB