Battlefield WordPress: Fighting malware

August 18th, 2011 by

It’s an ugly situation. You wake up one day to find one of your WordPress site(s) infected with malware even though all your plug-ins and themes are updated.

In recent weeks WordPress themes across the web have been hit by malware intrusions which, if left unchecked, result in Google blocking the site in search results and telling the owner to remove the hacked pages before it will be reinstated.

Even if you remove the malware yourself (or with the help of your web host) you remain vulnerable. It is not uncommon for WordPress site owners to suffer another infection within weeks of the first: attackers leave backdoors in the site and wait for a convenient moment to strike again. And they generally do.

Hackers gained the upper hand around the beginning of August 2011 by exploiting one of the most widely used pieces of WordPress code on the web: the image-resizing script TimThumb (timthumb.php), which is bundled inside countless themes and plug-ins rather than installed as a plug-in of its own. How widely used is scary: nearly 39 million Google search results show up for this utility.

The results included redirects to “scare sites” based in Russia and Eastern Europe, and a general deterioration in the appearance and operation of the affected WordPress blog or CMS.

Within hours, other free and premium WordPress themes on the same server were at risk of infection, forcing website owners and developers to scramble to fix the problem. Cleanup could take anywhere from 3 to 9 hours depending on the route chosen.

Specifically, attackers used TimThumb's remote-file-fetching feature to pull PHP shell scripts onto the server, where the script stored them in its web-accessible cache directory and they could then be requested and executed like any other page. From there the attackers altered .htaccess files to redirect visitors to other sites, and in some cases used the compromised site to serve ads and other spam.

According to Mark Maunder, who originally identified the vulnerability, the TimThumb.php file is insecure because it lets an attacker write files into a directory that is accessible to anyone visiting your site.

He remarked that the only way to be truly secure is to delete the file (“rm TimThumb.php”) and then check that its removal does not break the rest of the WordPress theme.
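A triage scan for the three indicators described above (a pre-2.0 copy of TimThumb, PHP dropped into a web-accessible cache or uploads directory, and an .htaccess that redirects visitors off-site), written here as an added example; it is not code from the original post or from the TimThumb project. It is Python standing in for the find/grep one-liners you would type on the host, and the directory names, the VERSION define pattern, the thumb.php alias, the hostnames and the sample tree it builds are assumptions, not data from any real site.

```python
"""Triage scan for the TimThumb indicators described above.

Added example, not code from the original post or the TimThumb project.
Assumptions: `root` is a WordPress document root; the directory names,
regexes and the sample tree below are illustrative, not from a real site.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Names TimThumb ships under; thumb.php is a common rename (assumption).
TIMTHUMB_NAMES = {"timthumb.php", "thumb.php"}
# Web-accessible directories a TimThumb-style script or WordPress writes into.
WRITABLE_DIRS = {"cache", "uploads", "temp", "tmp"}
# TimThumb declares its version with define('VERSION', '...').
VERSION_RE = re.compile(
    r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([\d.]+)['\"]", re.I)
# mod_rewrite / mod_alias directives whose target is an absolute URL.
REDIRECT_RE = re.compile(
    r"^\s*(?:RewriteRule|Redirect(?:Match|Permanent)?)\s+.*\s(https?://[^\s\"']+)",
    re.I | re.M)


@dataclass
class Finding:
    kind: str
    path: str
    detail: str = ""


def version_tuple(version: str) -> tuple:
    """'1.32' -> (1, 32) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def check_timthumb(path: str, text: str):
    """Flag a TimThumb copy older than the 2.0 rewrite (or with no version)."""
    m = VERSION_RE.search(text)
    if not m:
        return Finding("timthumb-unknown-version", path, "no VERSION define")
    if version_tuple(m.group(1)) < (2, 0):
        return Finding("timthumb-vulnerable", path, f"version {m.group(1)} < 2.0")
    return None


def check_htaccess(path: str, text: str, own_hosts: set) -> list:
    """Flag redirects whose target host is not one of the site's own."""
    findings = []
    for m in REDIRECT_RE.finditer(text):
        host = re.sub(r"^https?://", "", m.group(1)).split("/")[0].lower()
        if host not in own_hosts:
            findings.append(Finding("htaccess-external-redirect", path, m.group(0).strip()))
    return findings


def scan(root: str, own_hosts=()) -> list:
    """Walk `root` and collect findings for the three indicators."""
    own_hosts = {h.lower() for h in own_hosts}
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # Directory components of this path relative to root, lower-cased.
        parts = {p.lower() for p in os.path.relpath(dirpath, root).split(os.sep)}
        for name in filenames:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            if lower in TIMTHUMB_NAMES:
                f = check_timthumb(path, text)
                if f:
                    findings.append(f)
            elif lower.endswith(".php") and parts & WRITABLE_DIRS:
                findings.append(Finding("php-in-writable-dir", path))
            elif lower == ".htaccess":
                findings.extend(check_htaccess(path, text, own_hosts))
    return findings


# Constructed sample tree (not real site content): one old TimThumb, one
# patched rename, a dropped PHP file in the cache, and a redirecting .htaccess.
SAMPLE_TREE = {
    "wp-content/themes/mytheme/timthumb.php": "<?php\ndefine ('VERSION', '1.32');\n",
    "wp-content/themes/other/thumb.php": "<?php\ndefine('VERSION', '2.8.10');\n",
    "wp-content/themes/mytheme/cache/a8f3.php": "<?php /* stand-in for a dropped shell */ ?>",
    "wp-content/uploads/2011/08/photo.jpg": "not php",
    ".htaccess": ("RewriteEngine On\n"
                  "RewriteRule ^(.*)$ http://scare.example/win.php [R=302,L]\n"
                  "Redirect 301 /old https://www.mysite.example/new\n"),
}


def demo() -> list:
    """Write SAMPLE_TREE to a temp dir and scan it; returns the findings."""
    root = tempfile.mkdtemp(prefix="wpscan-")
    for rel, content in SAMPLE_TREE.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return scan(root, own_hosts=("www.mysite.example",))


if __name__ == "__main__":
    for f in demo():
        print(f"{f.kind:28} {f.path}  {f.detail}")
```

Run scan() against the document root with your own hostnames in own_hosts. A PHP file in the cache directory is the kind of backdoor the post warns about, so after cleaning it out, stop the web server from executing PHP in that directory; a pre-2.0 TimThumb copy is one to replace with the rewrite or delete as Maunder suggests, and a redirect to a host you do not own is the .htaccess tampering described above.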

By the way, he revealed that even his own blog was hacked. He noticed when one of his pages loaded a message saying “Congratulations, you’re a winner”.

If you are interested in reading what he did next check out his blog post.

Ben Gillbanks and Mark Maunder eventually teamed up to fix TimThumb, including a line-by-line rewrite of the original code. They treated the hole as a zero-day vulnerability and released version 2.0 of TimThumb, which is finding its way into updated themes and plug-ins across the web, including premium themes from, for example, Elegant Themes.

While the community spirit in battling and defeating the TimThumb hack is great to see, it reminds us of the danger of becoming complacent when using the WordPress blogging platform to drive our sites. This is especially true as WP evolves into a true Content Management System (CMS). Regular updates to the WordPress core, themes and plug-ins are not only advisable, they are CRITICAL. Bear in mind, though, that an update only helps if the theme author ships one: a copy of TimThumb bundled inside an abandoned theme stays vulnerable however often you click Update, which is why Maunder's advice is to find and remove the file itself.

It is also imperative to select a web host that acts quickly to help you correct these issues. You will typically detect the malware BEFORE the web host does, especially if you are housed on a shared hosting platform. Some web hosts also offer regular scans of Virtual Private Servers (VPS), which may help you limit the outbreak; but most of the time the scans are done only after a breach is discovered.

You can take additional steps to lock down your WordPress themes.  Review these posts, which offer key actions to take:

11 ways to secure your WordPress Blog

WordPress Security Tips and Hacks

WordPress.Org Plugin Directory: Secure WordPress

Further, there are some third-party services that offer monthly and annual plans to scan your domain(s) on a regular basis. Sucuri, for instance, offers detection of unauthorized changes to your websites, DNS, WhoIs records and SSL certificates. (In the interests of full disclosure, I am an affiliate of the service.)

Finally, you may find this post on the Google Enterprise Blog useful; it offers some basic security tips and background information on hacking.

We would be interested to hear your thoughts on malware intrusions and some of your experiences and advice in tackling this growing problem.


Guest Blogger: Jason Stevens from / Freelance web developer, tech writer and follower of cloud computing trends. Follow him on Twitter @_jason_stevens_

* reserve the right to agree or disagree with our guest bloggers. Call it freedom of speech, but our guest bloggers are entitled to have an opinion. If you wish to agree or disagree, then feel free to leave a comment. Thanks for visiting our blog! If you wish to become a Guest Blogger for UK2, please contact our marketing department.



Muhammad Ayad
# 19th August, 2011

My blog has been hacked recently and I was using WordPress as my blogging platform and UK2 as a host. It was showing a message saying that my site has been hacked. I could log in to the administration page but the front page was gone. I do use shared hosting and all blogs I had using WordPress were hacked as well. I’m now consulting an expert on how to fix it. Fortunately I did not have a lot of entries and I could access the database and save the posts. Any advice you got for me to harden my blogs other than those mentioned above?

jason stevens
# 22nd August, 2011

Hi Mohammed,

Sorry to hear about that hack, not pleasant. Here are a few more links that may help you, including some for Joomla:

WORDPRESS – How to Keep WordPress Secure – Hardening WordPress – Upgrading WordPress

JOOMLA – Joomla Security Center

The Joomla Security Center includes information about their latest security news, their latest security articles, and more information in general about the Joomla Security Strike Team. – Upgrade Instructions

