Due to its popularity as a blogging platform, Wordpress has become a prime target for hackers looking to take over blogs for search-engine optimization (SEO) of other sites they control, traffic-redirection and other purposes. Recently there have been a spate of automated attacks which take advantage of recently discovered security vulnerabilities in Wordpress.
To date, Wordpress has been keeping up with the security holes by releasing updates within a few days of new exploits being found, but in the past few days new exploits have appeared that nobody seems to have answers for.
One such attack actually happened to me back in January, when I noticed that a blog I was hosting had been littered with tens of thousands of pages relating to pharmaceuticals and adult material. Someone had gotten access to the blog and literally created new pages, such as this one:
The blog was running the most recent version of Wordpress available at the time, and I traced the entry-point back to a simple flaw in a script that was not adequately filtering user input. To its credit, Wordpress released a new version that patched the vulnerability (among others) and asked its users to upgrade.
That was six months ago, but in May it happened again, this time through a new security hole, and again it occurred a few days before Wordpress was able to respond with an update. The problem is that most blog owners aren’t aware of the threat posed by hackers targeting blogs, as a successful attack may not tip off the blog owner in any way. The security vulnerabilities in Wordpress have led to automated attacks across a very large number of blogs, often without site owners realizing what is happening.
If you are currently not running the latest version of Wordpress then there is a very high chance that your site has already been compromised.
The common results of a successful attack are that a backdoor is installed (meaning the hacker can go back in and enter your blog at a later date), passwords for all users are downloaded, or spam pages are generated. At that point, you are no longer in complete control of your blog, including all the content and anything else in the same database that the Wordpress install has access to.
Hackers are taking advantage of the open-source nature of the software to analyze the source code and test it for potential vulnerabilities. It is then left up to developers and users to detect, track down, and then close off the vulnerabilities in the code that attackers are using. The pattern seems to be that when a new hole is found, it is broadly exploited, then developers rush out a patch and a new release. Thankfully most of the damage inflicted by the automated exploits can be reversed with an upgrade, though in some cases you can be left with thousands of pages and images to clean up (and they are usually well hidden).
For users of Wordpress, backups are essential, as are frequent updates, monitoring your blog usage and tracking the official Wordpress blog and other blogs for news of any new security holes. There are also plenty of guides and applications available that can assist a site owner in further securing their blog.
It is unknown just how many Wordpress blogs are infected (I have seen instances of double infection, where a previously hacked host had been hacked again), but as an indicator, across the ten or more Wordpress blogs that TechCrunch and I have access to, we can see over 100 requests daily for these various security holes. Stories about hacked blogs are becoming more and more common, and the ongoing concern is that the next security hole could be found and exploited at any moment.
Update: In the comments, Anil Dash from Six Apart has linked to a post on their blog about MovableType vs Wordpress in terms of security.
Guys like WordPress need to do a better job of investing in auto-upgrade systems. Any responsible self-hosted software really should do this. It is the only good way to ensure critical security issues are addressed immediately.
Say what you say about MS and Apple, but they have both done a good job investing in this and have certainly kept exploitations much lower than they would have been without easy/automatic upgrade notifications and procedures.
This is why I built my own blogging software from scratch. That and whatever level of control you have in wordpress is absolutely dwarfed by the abilities of programming it from the ground up.
Go hosted. Patches *are* the problem: http://blogs.salesforce.com/hi.....es-ar.html .
Also, one of the best things you can do to protect your sites is to delete the meta tag that displays your wordpress version and hide your wp-content/plugins directory. Most hacks are specific to one version of Wordpress and if they don’t know what version of WP you’re running it can help.
Also, some hacks use faulty plugins and by hiding what you’re using it can make it much harder for hackers to exploit them.
Just some basic tips, there are also plugins that help test your security too.
I heard that if you open a blog on http://www.sitespaces.net like mine, that it, unlike word press will not be hacked. I hear that they manage your blog for you, host it for you, and even promote it for you on Google and other search engines, and that they give you a free subdomain with no extra charge.
Yes, I heard all of this, from a little birdy.
So about the GPL word press blog. Obviously. When software is open source, you MUST update your software regularly. This can be done with a cron job with yum update, etc., if you have an RPM, or there can be a manual updater integrated in the software. I believe word press has an update notifier.
If you do not update it’s your fault. This happened with PHPbb hundreds of times where a virus would hit google for viewtopic.php or another file. It happened to Joomla on several revisions, etc.
If you can’t take the heat, get out of the kitchen. Do not host your own PHP files if you won’t bother to update, period.
How much is your time worth? Yes, I would like more control over my site, but what I would like even more is not upgrading my blog all the time. That is why I don’t host my own.
http://www.google.com/search?q.....nerability
This is probably the worst vulnerability to hit a single PHP script. It happened a couple years ago and the bots spidered google for PHPbb installs. It doesn’t mean phpbb isn’t good software though.
I just upgraded to 2.5.1... hopefully it’s safe?
You should point out that there are two releases of WP being updated, the 2.0.x line and the 2.5.x line.
2.0.x (the link you reference at wordpress.org is for 2.0.7, latest version is 2.0.11) is the Legacy branch, whereas the current branch with all the new stuff is 2.5.x
I bring this up because I know a lot of people (including myself) updated to 2.5.x a while back to make use of the new features.
http://www.techcrunch.com/2008.....rotection/ Comes to mind
I don’t understand why Wordpress has such widespread usage. I personally have never liked it for many reasons, this being one of them.
Just to reiterate on the past post-
http://www.firewallscript.com <– Seriously. Install it.
My WP install has been a checkout of their SVN repository for quite awhile, and though upgrades aren’t automatic, it’s very easy to just ssh in, and then run
$ svn update
and it’s done
If a WP user can’t install and administer their blog on their own, they can instead use a wordpress.com, blogger, etc. account, and then not have to be so concerned about their backend and security.
I use wordpress and have for a long time. Sure it might have some flaws - but by and large it gets the job done. wordpress certainly isn’t the first CMS to have security holes and it won’t be the last.
This is scary news for lot of people. I just upgraded mine. Hopefully no issues there.
It’s a shame wordpress isn’t based on Rails so we’d have some easy finger pointing to do!
http://www.wordpressfirewall.com seems to look like it would stop this.
trek lmao
Mine was too: http://hervalicio.us/blog/2008.....got-pwn3d/
@Trek - Elaborate on your Rails comment.
Any widespread open source system is going to be exploited. Besides, the *latest* version of WP is not affected.
As @Ben Evans already pointed out.
1) Turn off open registration. Unless you try to use WP as a membership site “hack”, there is no need for this at all. Solves a lot of issues right there.
2) WP versions before 2.5 have issues with unencrypted password storage (they were only obscured with MD5 hashes) in both the user database table and in authentication cookies.
This is the likely cause for many of the password breaches. 2.5.x fixes this, BUT, then there are reasons why people might not want to upgrade yet (many power-users have complained of the admin interface changes).
I tested back-porting the most urgent security fixes from 2.5.x to 2.3.3 (in part to show that WP could/should separate out security fixes from new feature releases), read about it here:
http://businessmindhacks.com/p.....-retro-fit
@20: Translation: “Amateur hour at Automattic?”
QED.
So what are the benefits of hosting a blog yourself exactly. Not that fact that you can use your own domain name, because you can do that with the various blogging host services.
Total control of how it works, sure. What kind of things can you do and is it really worth the hassles? Did it seem like it was worth it when you began and is the benefit still clear?
What else?
Are there services that can let you know when a blog has changed, so you know it’s your own activity or someone commented and not some total invasion?
A lot of people feel that there should have been security updates for 2.3.x - WP2.5.x was quite a jump for plugin compatibility
Other CMS systems separate major feature updates from vital security updates.
I’ve found my name on hundreds of blogspot blogs full of gibberish…anyone know why? Is this related?
You can never truly eliminate danger when hackers know your:
- database schema
- class and function names
- file names
- folder names
Open source has this curse in exchange for the gift of free.
@22 (EH)
A Rails versus PHP argument is irrelevant for this topic. It’s just a piggyback on an issue completely irrelevant to the technology. It’s more of a question around how the technology of choice was implemented.
re: why you should own your own blog (as opposed to free/hosted)
Yaro Starak just sent out an Email newsletter yesterday giving the following example:
“… After a few months he did really well and built up his income. None of his blogs had a lot of traffic, but they got enough from search engines that each blog earned between $1 and $10 per day. In total he earned over $2,000 per month from his blogs - not a bad effort.
One day he turned on his computer and all his blogs had gone. Disappeared. Vanished without a trace…
What happened?
He was using one Blogger.com account to manage his blogs and Blogger.com determined that what he was doing was violating their terms of service. They thought all his blogs were what are called “splogs” or SPAM blogs.
Splogs are blogs set up to get traffic to other sites. They are usually automatically generated and the owners have no intention of producing a useful website - they just want to get traffic. They are the SPAM of the blogging world.
Steve contacted the support staff at Blogger.com to explain that his sites were not SPAM sites but it was difficult to convince them and he never got his blogs reactivated. Overnight he lost his regular $2,000 per month income in one hit.
OWN YOUR BLOG”
Food for thought. I would use hosted blogs only for quick SEO purposes, not for building long-term value/revenue.
Open source software is generally more secure over time because more people are looking at and contributing to the code. Security purely through obscurity doesn’t work, as numerous proprietary systems have demonstrated. It’s all about security through transparency:
http://articles.techrepublic.c.....64734.html
Good tips have been given already on upgrading, the one thing I would note is that if your blog was previously hacked make sure to update your login password to prevent them from getting back in. I wrote a longer post about keeping your WordPress secure here:
http://ma.tt/2008/04/securityf.....ion-bogus/
As for one-click upgrade a la Firefox - it’s planned!
Nik -
You mentioned that “in the past few days new exploits have appeared that nobody seems to have answers for.” but didn’t provide any further details. If you have specific information please make sure it gets sent to security@wordpress.org.
You mentioned that a blog you run was cracked 6 months ago, but you linked to the announcement of WordPress 2.0.7, which came out a year and a half ago. Did you really not update for that long?
One thing to note is if your blog was broken into, after upgrading make sure that you change your passwords. If they have your password, they’ll still be able to alter your site even after you upgrade.
You can never truly eliminate danger when the blog you are commenting on is running an out of date version of WordPress. WordPress 2.3.3 in fact, which is recommended by WordPress to be upgraded from for security fixes:
http://wordpress.org/developme.....5-brecker/
Joseph: I have linked to the wrong updates, yes. In January I did send an email out with details because it was unknown at the time, I didn’t have the POST data though and only worked out what caused it around a week later (e.g. the specific exploit). I will go back and dig that info up. It was the exploit that eventually became the wp-content/1/, wp-content/2/ hack (can’t remember the name it was referred to as) and I got it very early (I was manually hacked, had a PHP web shell installed, and files uploaded etc.)
I was actually checking out of SVN at the time, and had been for a few years until recently.
I still haven’t found a cause to the latest hack, nor could I find a patch in Trac. I will dig this up myself as soon as I get a chance and will email it up to the WP guys (I have been logging POST requests for a few weeks now in the hope of capturing something interesting - the blogs I have it running on seem to be popular targets)
Oh btw, I agree with the argument of open source eventually being more secure than closed systems. Modern black box techniques tear apart a developer’s comfort in thinking that nobody can poke their internals in a proprietary system
(and on that last note, there is a post coming up here that all your Flash developers who store passwords or security logic in SWF thinking nobody can see it will love :))
@jason: we manually patched it, and we removed most of the WP stuff we don’t use a while ago anyway (and we upgrade manually).
My advice:
Cross your fingers and ride this wave of script kiddie retardedness out
Why is it that posts move back to the top of TC after new ones have been posted? Do you fix a typo and inadvertently change the timestamp or something?
I found a blog of mine with that wp-content/1/ business the other day =\
I believe this latest hack you talk about does this:
Inserts a code into your header.php that causes all traffic from a search engine (hard to notice from a blog-owners end) to be redirected to a site that they choose.
Which means, it’s hard to tell you’ve been hacked by just going to your blog because it will look just fine. Most webmasters don’t enter their blog through SE results.
Nick,
It would be great to know how exactly one would know that their site has been hacked. You mentioned numerous times that many people with wordpress may not even know. How would a person find out? I think your post fails to explain this.
Actually, I had this problem on my http://www.bitsandbuzz.com blog (when it was running wordpress 1.5), I could not see it since the spammers hide the text with html styles, but Google did see it and downgraded my site.
I fixed my site a couple months ago, but Google still has not fully indexed the site back. Specific searches get RSS aggregator pages at best (works fine on Yahoo and Live, and used to work on Google before the attack).
The consequences of such attacks (for small bloggers) could be severe, not only as temporary disruptions, but also as long-term SEO penalties. Especially with Google, which seems to keep a record of your bad content for a long time.
I did many reconsideration requests, but did not get any answers or saw any significant changes.
Anyway, my next step might be to change the domain URL (blog.bistandbuzz.com) and/or change the permalinks. Wordpress seems to be smart about redirecting to the right post.
Anyway, to any (small) bloggers, do a view source on your page once in a while, and search for spam keywords… you might be surprised.
Speaking of Canadian pharmacies, there’s a great article today in the LA Times about the supply chain of these hackers, spammers, and drug dealers.
You can see it here:
http://latimesblogs.latimes.co.....ers-a.html
@Nick/36 As mentioned in my response (#37), one way is to do a view source of your posts and home page, and search for spam keywords. Spammers hide their links with some css style attributes.
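The view-source check the two comments above describe, as an added example that is not part of the original post or of WordPress: a Python scanner that walks a page's HTML and reports links sitting inside elements hidden by inline CSS, or whose href or anchor text carries a spam keyword. The hiding patterns, keyword list and sample page are assumptions constructed for illustration.

```python
"""Find spam links hidden with CSS in a page's HTML source (added example;
hiding heuristics, keyword list and sample page are constructed)."""
import re
from html.parser import HTMLParser

SPAM_KEYWORDS = ("viagra", "cialis", "pharmacy", "casino")  # assumed list
# Inline styles spammers use to keep links out of sight (assumed patterns).
HIDING_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|font-size\s*:\s*0(?![.\d])|(?:left|top)\s*:\s*-\d{3,}px", re.I)
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}  # never closed


class HiddenLinkScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []        # (tag, hidden?) for each open element
        self.hidden_depth = 0  # >0 while inside a hidden element
        self.href, self.text = None, []  # the <a> currently being read
        self.findings = []     # (href, anchor text, reason)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hidden = bool(HIDING_CSS.search(attrs.get("style") or ""))
        if tag not in VOID_TAGS:
            self.stack.append((tag, hidden))
            self.hidden_depth += hidden
        if tag == "a":
            self.href, self.text = attrs.get("href") or "", []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            text = " ".join("".join(self.text).split())
            haystack = (self.href + " " + text).lower()
            if self.hidden_depth:
                self.findings.append((self.href, text, "hidden by css"))
            elif any(k in haystack for k in SPAM_KEYWORDS):
                self.findings.append((self.href, text, "spam keyword"))
            self.href = None
        if not any(t == tag for t, _ in self.stack):
            return  # stray close tag: ignore rather than unwind the stack
        while self.stack:  # pop back to the matching open tag
            open_tag, hidden = self.stack.pop()
            self.hidden_depth -= hidden
            if open_tag == tag:
                break


def scan_html(html):
    """Return [(href, text, reason), ...] for suspicious links in html."""
    parser = HiddenLinkScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: one normal link, three CSS-hidden spam links, and a
# legitimate link that merely contains a keyword (reported only for review).
SAMPLE_PAGE = """<html><body>
<p>Welcome. <a href="/about/">About me</a><br></p>
<div style="position:absolute; left:-9999px">
  <a href="http://spam.example/buy">cheap viagra online</a>
  <a href="http://spam.example/casino">casino bonus</a>
</div>
<p style="display:none"><a href="http://spam.example/x">link farm</a></p>
<a href="/2008/06/pharmacy-regulation/">Post on pharmacy regulation</a>
</body></html>"""
```

A "spam keyword" hit on a visible link is a review candidate, not proof; the "hidden by css" hits are the ones worth treating as injected content.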
Darrin: The way I found out was by looking at traffic logs. I saw many many hits to pages that I hadn’t created (viagra etc.). So keep a close eye on whichever analytics package you have installed. Lots of these exploits have the end goal of using your blog for spam/SEO purposes, so you can pick it up there
If you are compromised by a hack that does something simple like change your adsense banner ID, you will notice your adsense revenue dry out
If your blog is being used for spam links, you just need to find them yourself
In short, just be vigilant and if something seems out of the ordinary, second guess it. Use common tools like log analyzers. The hack will usually change something that you will notice somewhere else - cause and effect.
One day this will be as easy as anti-virus is on the desktop today, we are just far away from that point. So for now it’s up to users (as it was with desktop viruses back in the day)
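The traffic-log check described above, as an added example that is not part of the original post: it parses combined-format access log lines and lists successfully served pages that were never published, most-requested first, with how many of those visits arrived from a search engine. The published-path list, keyword list, search-engine hosts and log lines are assumptions constructed for illustration.

```python
"""Spot spam pages in an access log: successful hits to URLs you never
published (added example; log lines, path list and keywords are constructed)."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Combined log format, as written by default Apache/nginx configurations.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
    r' [^"]*" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$')
SEARCH_ENGINES = ("google.", "yahoo.", "live.com")  # referer hosts (assumed)
SPAM_KEYWORDS = ("viagra", "cialis", "pharmacy", "casino")  # assumed list
ASSET_EXT = (".css", ".js", ".png", ".gif", ".jpg", ".ico")
# URLs the owner actually published (assumed; in practice export from WP).
PUBLISHED = {"/", "/about/", "/feed/", "/2008/06/wordpress-security/"}


def parse_line(line):
    """Return the log fields as a dict, or None for a malformed line."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def from_search_engine(referer):
    host = urlsplit(referer).netloc.lower()
    return any(se in host for se in SEARCH_ENGINES)


def find_unexpected_pages(lines):
    """Pages served with 200 that are neither published nor static assets,
    most-requested first, with search-referral counts and a keyword flag."""
    hits, search_hits = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "GET" or rec["status"] != "200":
            continue
        path = urlsplit(rec["path"]).path  # drop any query string
        if path in PUBLISHED or path.lower().endswith(ASSET_EXT):
            continue
        hits[path] += 1
        search_hits[path] += from_search_engine(rec["referer"])
    return [
        {"path": p, "hits": n, "search_hits": search_hits[p],
         "spam": any(k in p.lower() for k in SPAM_KEYWORDS)}
        for p, n in hits.most_common()]


# Constructed sample: normal traffic plus search-engine visitors landing on
# two pages the owner never wrote.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2008:08:01:12 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2008:08:01:13 +0000] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 800 "http://blog.example/" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2008:08:02:40 +0000] "GET /cheap-viagra-online/ HTTP/1.1" 200 9100 "http://www.google.com/search?q=cheap+viagra" "Mozilla/4.0"
198.51.100.8 - - [10/Jun/2008:08:03:02 +0000] "GET /cheap-viagra-online/?ref=1 HTTP/1.1" 200 9100 "http://www.google.com/search?q=viagra" "Mozilla/4.0"
198.51.100.9 - - [10/Jun/2008:08:03:50 +0000] "GET /online-casino-bonus/ HTTP/1.1" 200 8700 "http://search.yahoo.com/search?p=casino" "Mozilla/4.0"
192.0.2.4 - - [10/Jun/2008:08:04:10 +0000] "GET /2008/06/wordpress-security/ HTTP/1.1" 200 12000 "http://www.google.com/search?q=wordpress" "Mozilla/5.0"
192.0.2.9 - - [10/Jun/2008:08:05:00 +0000] "GET /nonexistent/ HTTP/1.1" 404 300 "-" "Mozilla/5.0"
"""
```

Run it over a real log with `find_unexpected_pages(open("access.log"))`; a page you never wrote that draws search-engine traffic is exactly the pattern the comment above describes.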
If you can’t figure out how to view your RSS content, you aren’t backing up your blog every night, and you can’t check your blog with an FTP site, then you probably shouldn’t be hosting a WordPress blog on your own server.
@nik - Did you not see the previous post I made?
A product exists that does what you ask- And techcrunch has covered it before.
see: http://www.techcrunch.com/2008.....rotection/
I don’t want to upgrade to 2.5 yet though
It’s FAR from perfect
Magento supports one-click upgrades. As a PHP5 application, it is by far the easiest update process I’ve seen from any open source or commercial eCommerce application.
I am sure Wordpress will have such functionality in the future.
-john
Just to be clear on the current issue of recent hacks, many non-WordPress blogs and websites are impacted by the current Google/Search Engine Redirect hacks, so this might not be a WordPress specific issue. Upgrading, especially for security issues, has been around as long as software has been around, so blasting away at WordPress isn’t helping anyone, especially as many of the recent attacks are not WordPress-specific.
which blog software is used on omnidrive? is it updated?
Am I the only one that finds keeping up with the never ending flow of WordPress updates about as much fun as getting a root canal?
Who has the time and patience to keep WordPress constantly updated? What….maybe 1% of their users?
I’d rather roll the dice and deal with hackers than try and upgrade WordPress every time they come out with a new patch. Maybe this latest batch of problems will be enough for them to come up with a simpler way of keeping up to date.
Before I knew how to upgrade my WordPress blog I had no idea that a hacking could happen to one of the blogs I was in charge of administering. It was a small blog that had only been up a few weeks yet it was hacked and the front page was hijacked. My hosting company could not do a thing and told me that I would have to restore the backup files for the blog. Of course I didn’t have a backup so I had to pay for my host to restore the last backup they saved.
I now know how to update my WordPress blog myself and have helped a few do the same. One person I have to give a lot of credit to in helping me learn more on how to protect my blog was a post I read from Anita Campbell that gives a detailed breakdown of what you should do to keep your blog from being hacked.
http://www.smallbiztrends.com/.....site.html/
I am still a big fan of WordPress. I have converted almost all my blogs to its platform. I am looking forward to the next update because I heard a rumor that the next release will have an automatic updating feature.
Hope this helps
All the best
JB
http://www.2thenextlevel.com
Not sure if anyone else has mentioned it, but this site has steps you can take to clean the cruft out of your database and site if you are hit by the AnyResults.net attack (the most recent, I think).
http://www.getrichslowly.org/b.....snet-hack/
There you go- drive the traffic to your site with fear. Read this article or the internet terrorists will win!
“using a certain website will make your computer blow up, we’ll tell you which site tomorrow here on TechCrunch.com”