Battlefield WordPress: Fighting malware

It’s an ugly situation. You wake up one day to find one of your WordPress sites infected with malware even though all your plug-ins and themes are up to date.

In recent weeks WordPress themes across the web have been hit by malware intrusions which, if left unchecked, result in Google blocking the affected websites in search results and informing their owners that they need to remove the hacked pages before the site is reinstated.

Even if you remove the malware yourself (or with the help of your web host), you remain vulnerable. It is not uncommon for WordPress site owners to suffer another infection within weeks of the first: attackers leave backdoors in the site and lie in wait for an apt moment to strike. And they generally do.

Hackers gained the upper hand around the beginning of August 2011 by exploiting one of the most widely used WordPress components on the web, the image-resizing utility TimThumb.php. How widely used is scary: nearly 39 million Google search results show up for this utility.

The results included redirects to “scare sites” based in Russia and Eastern Europe and a general deterioration in the presentation and functioning of the affected WordPress blog or CMS.

Within hours, other free and premium WordPress themes on the same server were at risk of infection, forcing website owners and developers to scramble to rectify the problem. This could take anywhere from 3 to 9 hours, depending on the route they chose.

Specifically, attackers uploaded PHP shell scripts through the vulnerabilities in the TimThumb component to gain remote access to the site’s files. They then altered .htaccess files to perform URL redirects and other hacks, and may also have used the compromised site to deliver ads and other spam.

According to Mark Maunder, who originally detected the vulnerability, the TimThumb.php file is insecure because it allows attackers to write files into a directory that is accessible to anyone visiting your site.

He remarked that the only way to be truly secure is to delete the file (“rm TimThumb.php”) and then make sure its removal does not break the rest of the WordPress theme.
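A defender’s audit of the symptoms described above, as an added example that is not code from the original post or from TimThumb’s authors. It assumes TimThumb declares its version in a define ('VERSION', ...) constant, that its writable directory is named cache, and the sample tree it builds is constructed data:

```bash
# Added example, not code from the original post: audit a WordPress tree for
# the three symptoms the post describes, i.e. TimThumb copies (with declared
# version), PHP written into a web-accessible cache dir, and .htaccess
# rules that redirect visitors off-site.
set -u

# Each timthumb.php with the value of its VERSION define; anything below
# 2.0 belongs to the vulnerable generation the post discusses.
list_timthumb() {
  local root=$1 f ver
  find "$root" -type f -iname 'timthumb.php' | while read -r f; do
    ver=$(sed -nE "s/.*define *\( *'VERSION' *, *'([^']+)'.*/\1/p" "$f" | head -n1)
    printf '%s\t%s\n' "$f" "${ver:-unknown}"
  done
}

# TimThumb's cache should hold only images, so PHP there is a red flag.
find_php_in_cache() {
  find "$1" -path '*/cache/*' -type f -iname '*.php'
}

# Redirect/RewriteRule lines pointing at an absolute URL. WordPress's own
# "RewriteRule . /index.php [L]" has no URL and is therefore not reported.
find_htaccess_redirects() {
  find "$1" -type f -name '.htaccess' -exec \
    grep -HnE '^[[:space:]]*(Redirect|RewriteRule)[[:space:]].*https?://' {} +
}

# Constructed sample tree (no real data) so the checks can run offline.
make_sample_site() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/themes/demo-theme/cache"
  printf '%s\n' '<?php' "define ('VERSION', '1.33');" \
    > "$root/wp-content/themes/demo-theme/timthumb.php"
  printf '%s\n' '<?php echo "constructed sample";' \
    > "$root/wp-content/themes/demo-theme/cache/external_abc.php"
  printf '%s\n' 'RewriteEngine On' 'RewriteRule . /index.php [L]' > "$root/.htaccess"
  printf '%s\n' 'RewriteRule ^(.*)$ http://example.invalid/ [R=302,L]' \
    > "$root/wp-content/.htaccess"
  printf '%s\n' "$root"
}

if [ "${1:-}" = "--demo" ]; then
  site=$(make_sample_site)
  echo '== TimThumb copies =='; list_timthumb "$site"
  echo '== PHP in cache dirs =='; find_php_in_cache "$site"
  echo '== .htaccess redirects =='; find_htaccess_redirects "$site"
  rm -rf "$site"
fi
```

Run it with --demo to see the three checks against the constructed tree, or source it and call each function on your own document root.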

By the way, he revealed that even his own blog got hacked. He was alerted to this when one of his pages loaded a message saying “Congratulations, you’re a winner”.

If you are interested in reading what he did next, check out his blog post.

Ben Gillbanks and Mark Maunder eventually teamed up to fix TimThumb, including a line-by-line rewrite of the original code. They called the intrusion the “Zero Day Vulnerability” and released version 2.0 of TimThumb, which will find its way into updated plug-ins across the web, including premium themes such as those offered by Elegant Themes.

While the community spirit in battling and defeating the TimThumb hack is great to see, it reminds us of the dangers of becoming complacent when using the WordPress blogging platform to drive our sites. This is especially true as WP evolves into a true Content Management System (CMS). Regular updates to the core, theme and plug-ins are not only advisable, they are CRITICAL.

It is also imperative to select a web host that acts quickly to help you correct these issues. You will typically detect the malware BEFORE the web host does, especially if you are housed on a shared hosting platform. Some web hosts also offer regular scans of your Virtual Private Server (VPS), which may help you limit an outbreak, but most of the time these scans are done only after a breach is discovered.

You can take additional steps to lock down your WordPress themes. Review these posts, which offer key actions to take:

11 ways to secure your WordPress Blog

WordPress Security Tips and Hacks

WordPress.org Plugin Directory: Secure WordPress

Further, there are third-party services that offer monthly and annual plans to scan your domain(s) on a regular basis. Sucuri, for instance, offers detection of unauthorized changes to your websites, DNS, WHOIS records and SSL certificates. (In the interests of full disclosure, I am an affiliate of the service.)

Finally, you may find this post on the Google Enterprise Blog useful; it offers some basic security tips and background information on hacking.

We would be interested to hear your thoughts on malware intrusions and some of your experiences and advice in tackling this growing problem.

Guest Blogger: Jason Stevens from jason-stevens.com / Freelance web developer, tech writer and follower of cloud computing trends. Follow him on Twitter @_jason_stevens_

*UK2.net reserve the right to agree or disagree with our guest bloggers. Call it freedom of speech, but our guest bloggers are entitled to have an opinion. If you wish to agree or disagree, then feel free to leave a comment. Thanks for visiting our blog! If you wish to become a Guest Blogger for UK2, please contact our marketing department.

Posted on by Guest Blogger
2 Responses to Battlefield WordPress: Fighting malware

  1. My blog has been hacked recently and I was using WordPress as my blogging platform and UK2 as a host. It was showing a message saying that my site has been hacked. I could log in to the administration page but the front page was gone. I do use shared hosting and all blogs I had using WordPress were hacked as well. I’m now consulting an expert on how to fix it. Fortunately I did not have a lot of entries and I could access the database and save the posts. Any advice you got for me to harden my blogs other than those mentioned above?

  2. Hi Mohammed,

    Sorry to hear about that hack, not pleasant. Here are a few more links that may help you, including some for Joomla:

    WORDPRESS

    WordPress.org – How to Keep WordPress Secure
    http://wordpress.org/development/2009/09/keep-wordpress-secure/

    WordPress.org – Hardening WordPress
    http://codex.wordpress.org/Hardening_WordPress

    WordPress.org – Upgrading WordPress
    http://codex.wordpress.org/Upgrading_WordPress

    JOOMLA

    Joomla.org – Joomla Security Center
    http://developer.joomla.org/security.html

    The Joomla Security Center includes information about their latest security news, their latest security articles, and more information in general about the Joomla Security Strike Team.

    Joomla.org – Upgrade Instructions
    http://docs.joomla.org/Upgrade_Instructions

    Regards
    Jason
