WordPress Injection Attack

By Dan Nedelko

March 3, 2009

Last Updated on July 30, 2017 by Dan Nedelko

<p><em><strong>March 4 2009 Update<strong><em> My plan has worked out very well and everything is back to normal without too much of an interruption My request for Google site review took a total of 12 hours and it was completely handled through Google Webmaster Tools Google spidered the entire site for about 6 hours checking every existing page on the site from Mountain View California Around 6pm EST I was given a new notice in my Webmaster Control panel that the notice would be removed with the next update which took place about 90 minutes later<p> <p>Id like to thanks a few people who gave me some good advice If this does happen to you make sure that you<p> <ol> <li>Remove any old plugins may have or update them<li> <li>Ensure the source of the plugin is using best practices for PHP coding If the plugin is not listed In the <a href=httpwordpressorgextendplugins>Official WordPress Plugins Directory<a> then be careful<li> <li>Add the following plugins <a href=httpwordpressorgextendpluginswp security scan>WP Security Scan<a> and <a href=httpwwwseoeggheadcomsoftwarewordpress firewallseo>Wordpress Firewall<a> Thanks to <a href=httpwwwruudheincom>Ruud Hein<a> for the suggestion<li> <li>Backup your content themes and plugins on a regular basis so a roll back is easy in the event that you are attacked again<li> <li>Be careful of who you send your site to on Twitter See the end of the post for the official Twitter email I received and this was the source of the attack<li> <li>This one is obivious but make sure you WordPress version is current as many security fixes are implement in point releases ie 271<li> <li>Secure you Web Server or have your System Administrator or Web Host ensure that everything is in order<li> <ol> <p><em><strong>Update<strong><em><p> <p>I woke up this morning ready to get to work and as per usual I check my sites indexes in Google Yahoo and MSN Even though its a beautiful sunny day outside I was shocked to see the following<p> <p><img class=size medium wp image 54 alignleft src=httpsdannedelkocomwp contentblogsdir1files200903screen capture 318 300x160jpg alt=Bad News for Tuesday Morning width=300 height=160 >Bad News for Tuesday Morning to be sure So the question is what do I do and how do I get this bad message off my Search Listing<p> <p>Im not too concerned to be honest except for the fact that my site is vulnerable to this injection attack I would love to smack the hacker that instituted this attack<p> <p>So first things first<p> <p>What is this message all about Well when I viewed the source of my site I saw what is called an obsfucated injection attack on the footer of every single one of my pages This is a bit of a pain since I am using <a href=httpmuwordpressorg>Wordpress MU<a> with a number of plugins<p> <p>That means that the hackers could have injected their little code block into my theme my plugins into the core WordPress MU files Not a pretty thought to have to go through all of those areas to remove these individual code blocks Bottom line my site got hacked What steps do I take to repair the damage thats been done<p> <div style=floatleftpadding5px>poll id=3<div> <p>My plan to remove the PHP injection attack<p> <ol> <li> Identify which files on the web server are compromised<li> <li>Identify if the compromised files are plugins comments themes or WordPress Core files<li> <li>If the compromised file is a plugin then determine if the plugin should be removed completely is it the source of weakness or simply a victim and should be reuploaded and reactivated<li> <li>Upload a clean version of <a href=httpmuwordpressorg>Wordpress MU<a> core files This prevents me from having to wade through all of the compromised files<li> <li>Go through comments and identify any potentially malicious links to malware sites I am very lucky since I have recently moved the domain to a new server since my previous horrible host disabled access to the phpMySQL instance through the cPanel yes <a href=httpwwwemcwebhostingcom target= blank>EMC Web Hosting Sucks NEVER use them<a> This will not be a huge issue<li> <li>Go through my theme which is a customized version of Revolution Theme by Brian Gardner I frequently backup this theme since it is a a simple matter of uploading the theme to the web server<li> <li>Visit <a href=httpswwwgooglecomwebmasterstools>Google Webmaster Tools<a> and submit a request for Google to audit my site to remove the malicious tagging on my site<li> <li>Audit the entire site to ensure the malicious code in completely removed<li> <li>Back up the theme again ensuring I have the ability to restore clean code in the event that I am on someones hacking list<li> <li>Harden WordPress MU to ensure that this does not happen again<li> <ol> <p>Thats my plan I am about half way through it but there are some serious issues at play here since it is not only Google which is tagging my site as malicious bad for business Check out the number of blocks which exist<p> <p>Google Malicious Message<p> <p style=text align center><img class=size medium wp image 55 aligncenter src=httpsdannedelkocomwp contentblogsdir1files200903screen capture 3181 300x160jpg alt=Im not Malicious but Google thinks I am width=300 height=160 ><p> <p>Im not Malicious but Google thinks I am so next step is to click on the SERP thats when Firefox jumps in<p> <p style=text align left><img class=size medium wp image 56 aligncenter src=httpsdannedelkocomwp contentblogsdir1files200903screen capture 319 300x171jpg alt=After clicking the SERP Firefox jumps in and says I am bad too width=300 height=171 ><p> <p style=text align left>After clicking the SERP Firefox jumps in and says I am an attack site How fascinating but just wait Its not over yet when I get to the site<p> <p style=text align center><img class=size medium wp image 57 aligncenter src=httpsdannedelkocomwp contentblogsdir1files200903screen capture 320 300x133jpg alt=Firefox toolbar warning width=300 height=133 >Firefox toolbar warning<p> <p style=text align left>So clearly the powers that be and the tools on my computer are working hard to identify malicious sites It is very clear that this site could be malicious and even though it was through no intent on my part the bottom line is that my site was hacked and turned into an attack site This is a good line of warnings to any user and in the time frame that I am repairing the site and hardening my WordPress to ensure this does not happen again I dont really mind having these messages there<p> <p style=text align left>They are good for users<p> <p style=text align left><strong>Update Twitter just sent me the source of this injection attack<strong><p> <blockquote> <p style=text align left><em>Uh oh We found a bad apple in your Twitter feed<em><p> <p><em>We detected a link in your account pointing to a phishing site or other harmful material that we identified as malware Heres the troublesome post<em><p> <p><em>BlogDuJour hey there try out my blog your unsafe link was here I am in the process of redesigning now but should be back to normal soon<br > March 02 2009 2207<em><p> <p><em>We removed this update from Twitter Please be mindful of others in the Twitter community and post only safe links on Twittercom<em><p> <p><em>Thanks Twitter Support<em><p><blockquote> <p><em><br > <em><p> <p style=text align left> <h6 class=zemanta related title style=font size 1em>Related articles<h6> <ul class=zemanta article ul> <li class=zemanta article ul li><a href=httpwwwlist your blogcomhow to upgrade to wordpress 27 safely and ensure compatibility>How to Upgrade to WordPress 27 Safely and Ensure Compatibility<a> list your blogcom<li> <li class=zemanta article ul li><a href=httpwwwlabnolorginternetgoogle search conference notes7721>Notes from the Search Masters Conference at Google<a> labnolorg<li> <li class=zemanta article ul li><a href=httpwwwkisasocomsearch engine tips for your wordpress blog wordpress seo>Search Engine Tips For Your WordPress Blog WordPress SEO<a> kisasocom<li> <li class=zemanta article ul li><a href=httpwwwmasternewmediaorghow to make my site findable and visible inside google serps>How To Make My Site Findable And Visible Inside Google SERPs Here Is The Google SEO Formula And Visibility Toolkit<a> masternewmediaorg<li> <ul> <div class=zemanta pixie style=margin top 10pxheight 15px><a class=zemanta pixie a title=Zemified by Zemanta href=httpreblogzemantacomzemified03685b8f 3bd1 4e5a 9c24 871452e26dd3><img class=zemanta pixie img style=border medium nonefloat right src=httpimgzemantacomreblog epngx id=03685b8f 3bd1 4e5a 9c24 871452e26dd3 alt=Reblog this post with Zemanta ><a><span class=zem script more related><span><div> <p>

Dan Nedelko

About Dan Nedelko

A human being spinning around on this big blue marble with the rest of you, interested in Digital Marketing // Music // Art // Family // Business // Founder of http://hny.pt

  • Hi Dan,

    This has happened quite a few times to us, as we have over 70 sites around the internet.

    What a pain…You can always tell because your tags are missing when looking at the posts dashboard.

    I like to call it “rogue code”…Uhhh!

    We have done all the things you’ve suggested except installing WordPress Firewall.

    Also, I had never heard about the bad Twitter sharing before…Hmmm

    Thanks for this article!

    Kimberly 🙂

    • Hi Kimberly,

      Thanks for the tip about the tags. I’ve also narrowed down the plugins as well and am much more careful about adding a plugin which I have not looked at in depth. Hope to see you back here soon and thanks for your input.

      – Dan

    • Hey Kimberly,

      Since you run quite a few WordPress blog maybe it would be useful for you to subscribe to my RSS feed. I have a series of useful articles coming up that might interest you.


  • RaiulBaztepo says:

    Very Interesting post! Thank you for such interesting resource!
    PS: Sorry for my bad english, I’v just started to learn this language 😉
    See you!
    Your, Raiul Baztepo

  • Good article. Hope it works!!

    I have a client’s site that has been getting filled up hidden injected links in the footer for months. I am at my wits end with it. I have been through the code with a fine tooth-comb (I’m not a hard-core code monkey, but I know my way around), I have deleted any number of plugins, installed as many preventative plugins, I have changed every username and password, done a complete reinstall of WP …and guess what – the hidden links keep coming back. Hopefully these plugins will finally see them off.

    • Hey Dave,

      These should help alot – I’m also going to email you directly but you’ll want to look at the server config. Years ago I had an account with Neureal, whose servers were hopelessly out of date. No matter what I did injections kept happening. You might want to try out a new host or have them lock some things down.

      Especially openbasedir restrictions – add them – locking that down removes some functionality but helps alot.

  • Hi Dan

    Thanks for this and for the email. I am onto the server config advice now. Hosrting could be an issue – I use Heart in the UK. They are a bit ‘pile it high sell it cheap’, but the support is good and they know what they are doing – I tend to think the problem was of my own making. For those wanting to learn, read on…

    Historically, the site was first put up some years ago when I was still merrily creating several sites a day, full of enthusiasm for the ease and power of WordPress. Whereas, these days I tend to change everything including the WP-admin folder name, most of the file names and always delete the admin user name straight away and otherwise alter a lot of the out-of-the-box defaults, back then I did not.

    It is not so feasible to retro-fit some of those practices unfortunately and once some nasty little germ has blown a hole in your installation, prevention doesn’t work any more and a cure cannot always be easily found.

    Cautionary advice for everyone out there:

    1. Consider adding .htpasswd and .htaccess protection to the wp-admin directory.
    2. Try changing the wp-admin folder name. See: http://wp123.info/modifications/change-wp-admin-folder-name/
    3. I would add the login lockdown plugin to Dan’s two excellent suggestions: http://wordpress.org/extend/plugins/login-lockdown/

  • {"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

    Want a FREE Membership to Marketer Knows?