The UK2 Blog

Aug18

Battlefield WordPress: Fighting malware

It’s an ugly situation. You wake up one day to find one of your WordPress site(s) infected with malware even though all your plug-ins and themes are updated.

In recent weeks WordPress themes across the web have been hit by malware intrusions, which, if left unchecked, results in Google blocking websites in search results and informing owners they need to take action to remove hacked pages before being re-instated.

Even if you remove the malware yourself (or with the help of your web host) you remain vulnerable. It is not uncommon for WordPress site owners to get another infection within weeks of the first. Hackers find ways to leave backdoors into your site and lie in wait for an apt time to strike. And, they generally do.

Hackers gained the upper hand around the beginning of August 2011, by exploiting one of the most widely used WP plug-ins on the web, the image resizing utility called TimThumb.php.  How widely used is scary:  Nearly 39 million Google search results show up for this utility. 

The results included redirects to “scare sites” based in Russia and Eastern Europe and a general deterioration in the presentation and working of a WordPress blog or CMS.

Within hours other free and premium WordPress themes on the same server risked infection forcing website owners and developers to scramble to rectify the problem. This could take anywhere from 3-9 hours depending on the route they chose.

Some specific actions performed by hackers involved uploading PHP shell scripts to perform remote file intrusions using vulnerabilities in the TimThumb component.  They would then maliciously alter .htaccess files to perform URL redirects and other hacks. They may have also have used your site to deliver ads and other spam practices.

According to Mark Maunder, who originally detected the vulnerability, the TimThumb.php file is insecure because it allows hackers the ability to write files into directory that is accessible by people visiting your site.

He remarked that the only way to be truly secure, is to delete the file using the “rm TimThumb.php” and make sure it does not break the rest of the WordPress Theme.

By the way, he revealed that even his blog got hacked.  He was alerted to this when one of pages loaded a message saying “Congratulations, you’re a winner“.

If you are interested in reading what he did next check out his blog post.

Ben Gillbanks and Mark Maunder eventually teamed up to fix TimThumb, including a line-by-line rewrite of the original code.  They called the intrusion the “Zero Day Vulnerability” and released version 2.0 of TimThumb, which will find its way into updated plug-ins across the web, including premium themes offered by e.g. Elegant Themes.

While the community spirit in battling and defeating the TimThumb hack is great to see, it reminds us of the dangers of becoming complacent using the WordPress blogging platform to drive our sites. This is especially true as WP evolves into a true Content Management System (CMS).  Regular updates to the core theme and plug-ins is not only advisable, it is CRITICAL.

It also imperative to select a web host, that acts quickly to help you correct these issues. You may typically detect the malware BEFORE the web host, especially if you are housed on a shared hosting platform.   Some web hosts also offer regular scans of your Virtual Private Servers (VPS), which may help you limit the outbreak. But, most of the time the scans are done only after a breach is discovered.

You can take additional steps to lock down your WordPress themes.  Review these posts, which offer key actions to take:

11 ways to secure your WordPress Blog

WordPress Security Tips and Hacks

WordPress.Org Plugin Directory: Secure WordpresS

Further, there are some third party services, which offer monthly and annual plans to scan your domain(s) on a regular basis. Sucuri, for instance, offer detection services for unauthorized changes to your websites, DNS, WhoIs and SSL certificates. (In the interests of full disclosure, I am an affiliate of the service).

Finally, you may find this post useful on the Google Enterprise Blog offering some basic security tips and background information on hacking.

We would be interested to hear your thoughts on malware intrusions and some of your experiences and advice in tackling this growing problem.

 

Guest Blogger: Jason Stevens from jason-stevens.com / Freelance web developer, tech writer and follower of cloud computing trends. Follow him on Twitter @_jason_stevens_

*UK2.net reserve the right to agree or disagree with our guest bloggers. Call it freedom of speech, but our guest bloggers are entitled to have an opinion. If you wish to agree or  disagree, then feel free to leave a comment. Thanks for visiting our blog! If you wish to become a Guest Blogger for UK2, please contact our marketing department.

2 Comments

Leave a Reply

2 Responses to “Battlefield WordPress: Fighting malware”

  • Muhammad AyadAugust 19th, 2011 at 12:23 am

    My blog has been hacked recently and I was using WordPress as my blogging platform and UK2 as a host. It was showing a message saying that my site has been hacked. I could log in to the administration page but the front page was gone. I do use shared hosting and all blogs I had using WordPress were hacked as well. I’m now consulting an expert on how to fix it. Fortunately i did not have a lot of entries and I could access the database and save the posts. Any advice you got for me to harden my blogs other than those mentioned above?

Stop blending in with the rest of the crowd and start leaving your mark on the web

“I've been a faithful customer of UK2.net for about 12 years, regularly registering new domains on behalf of clients. The costs are superb value, and the service - online or over the phone - is fantastic. I'd highly recommend them to anyone - and regularly do.“

Jay Commins - Pyper York Ltd

“We would like to thank the support team for easily answering our website problem. They turned my day around with just a simple, understandable resolution with a friendly Service so a big thank you from me and all the elves here at the wicked chilli company“

- www.thewickedchilli.co.uk

“Great experience with UK2 support. We've been with them since they started up way back. Always good responses and the tech guy today who helped me out after I wiped my .htaccess file was brilliant. I'd recommend without reservation.!!“

Julian Jones - Hursley emc services Ltd

“I have been a customer of UK2 for as long as I can remember. It never ceases to amaze me the speed in which you respond to problems or queries, usually of my own making. The live chat for tech support is so efficient. I have nothing but praise for you guys and gals. The level of service is second to none. Nothing ever seems to be too much hassle. Well done, you all deserve a medal.“

- Yvonne Armitage Computer Services

“9pm on Sunday evening, realised that I hadn't renewed my hosting service. 10 minutes of help from your live chat support and my websites are up and running again. As a company offering 24 hour emergency electrical/locksmith services most of our work comes from the websites, so getting this fixed without having to wait for Monday morning was very important.“

Nick Lane - Kent Security and Electrical