On Monday morning, I received an email from Google Webmaster Tools letting me know that my WordPress blog had been hacked and was temporarily blacklisted. Users accessing my blog using Google Chrome or Firefox were advised to stay away for safety. I appreciate Google’s notification of this problem as well as their concern (and Mozilla’s) to protect my visitors.
Why was my WordPress blog hacked? I don’t believe it was individually targeted; I believe it was hacked because it was vulnerable. Two reasons:
1. I hadn’t updated my blog to the latest version of WordPress. As a matter of fact, I was not even running WordPress 3.0 yet.
2. Also, I believe the file permissions I was required to use on the server by my hosting provider were not safe enough, though I could not change them without breaking the whole blog (Access Denied error). I largely blame my hosting provider’s architecture for that.
So, what did the malware look like? It was PHP code added to every .php file in my main WordPress folder, reading something like eval(base64_decode(XXXXXXXXXXX)). Once decoded and evaluated, it checked whether the referrer was Bing, Yahoo or Google and, if so, redirected the visitor to a malware-distributing site of some kind (I didn’t go to it…). This hack has recently been used on several GoDaddy-hosted WordPress blogs and other CMSes. With some help from @fdevillamil and Google, I found information about the problem and started working on it.
Finally, I got the problem sorted thanks to several blog posts I’d like to point to here.
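To make the symptom concrete, here is an added example (not code from the original post, and not Peter’s fixfiles.php script mentioned below) that does what that kind of cleanup script has to do: walk a WordPress tree, find every eval(base64_decode("…")) call, decode the payload so you can see what it does before deleting it, and strip it out after backing the file up. The sample tree, the filenames and the payload are constructed here; the payload is a harmless echo, not real malware.

```python
import base64
import tempfile
from pathlib import Path
import re

# Matches the injected construct described in the post:
# eval(base64_decode("<base64>")) with either quote style and an optional ';'.
INJECT_RE = re.compile(
    r'''eval\s*\(\s*base64_decode\s*\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)\s*\)\s*;?'''
)


def find_injections(source):
    """Return [(span, decoded_payload)] for every injected eval() in a PHP source string.

    Decoding lets you inspect what the injected code would have done without
    ever executing it; undecodable blobs are reported rather than skipped.
    """
    hits = []
    for m in INJECT_RE.finditer(source):
        try:
            payload = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except Exception:
            payload = "<undecodable>"
        hits.append((m.span(), payload))
    return hits


def clean_source(source):
    """Strip every injected eval(base64_decode()) call; return (cleaned_text, count)."""
    return INJECT_RE.subn("", source)


def scan_tree(root, fix=False):
    """Scan all .php files under root; optionally clean them after writing a .bak copy.

    Returns {relative_path: [decoded payloads]} for files that contained injections.
    """
    root = Path(root)
    report = {}
    for path in root.rglob("*.php"):
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = find_injections(text)
        if not hits:
            continue
        report[str(path.relative_to(root))] = [payload for _, payload in hits]
        if fix:
            # Keep the original for forensics before rewriting the file.
            path.with_suffix(path.suffix + ".bak").write_text(text, encoding="utf-8")
            cleaned, _ = clean_source(text)
            path.write_text(cleaned, encoding="utf-8")
    return report


def build_sample_tree(root):
    """Constructed sample (not real malware): a harmless echo wrapped like the injection."""
    root = Path(root)
    payload = base64.b64encode(b'echo "constructed sample";').decode()
    injected = f'<?php eval(base64_decode("{payload}")); ?>\n'
    (root / "wp-config.php").write_text(
        injected + "<?php\n$table_prefix = 'wp_';\n", encoding="utf-8")
    (root / "wp-content").mkdir()
    (root / "wp-content" / "clean.php").write_text(
        "<?php echo 'untouched'; ?>\n", encoding="utf-8")


def demo():
    """Build the sample tree, clean it, and return (report_before, report_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        before = scan_tree(tmp, fix=True)
        after = scan_tree(tmp)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("infected before cleanup:", before)
    print("infected after cleanup:", after)
```

Run it with `scan_tree("/path/to/wordpress")` first, without `fix=True`, and read the decoded payloads: a cleanup that deletes code it has not looked at can miss a second stage that was injected in a different form.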
1. Here is a detailed explanation of the attack.
2. I downloaded and modified Peter’s fixfiles.php script in order to clean my PHP code of the malicious script.
3. Sucuri Research offers a console command (requires SSH access to your server) to clean your WordPress, too. They also detailed how to fix a hacked blog intended for GoDaddy users.
4. Before resubmitting my blog for validation by Google, I made sure everything was okay using Sucuri’s malware scanner service (free for limited use). A very useful tool.
5. I quickly searched for similar tools I could use in the future and found the following articles, though I haven’t tested these services yet.
6. I moved my blog to another host where I was able to set the permissions more restrictively.
7. I disabled several of my plugins and updated WordPress, hoping to protect my blog from the many security flaws that could lie in third-party code.
8. Next, I read up about a few ways to fix security holes in WordPress in these posts:
- Monitor Malicious File Changes in WordPress Blog
- Secure a WordPress Blog
- The best way to handle file permissions for Apache www-data (ServerFault discussion)
- Avoid users uploading malware
9. Finally, I updated my blog, which was no luxury. It can quickly be done in a few steps, which are detailed right here.
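The first of the posts listed above is about monitoring file changes, which is what would have caught this infection early: every .php file was modified at once, and a baseline comparison shows that immediately. Here is an added example of that check (my own code, not from the post or from any of the linked articles). It hashes every file under a WordPress root into a manifest, then diffs a later manifest against it; the sample directory it builds to demonstrate the diff is constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def compute_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        manifest[str(path.relative_to(root))] = digest
    return manifest


def diff_manifests(baseline, current):
    """Return which files were added, removed or modified since the baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys
                           if baseline[k] != current[k]),
    }


def save_manifest(manifest, path):
    """Store the baseline; keep it outside the web root so an intruder can't rewrite it."""
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario: take a baseline, then simulate an injection and a dropped file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "wordpress"
        (root / "wp-content").mkdir(parents=True)
        (root / "index.php").write_text("<?php echo 'home'; ?>\n")
        (root / "wp-content" / "plugin.php").write_text("<?php echo 'plugin'; ?>\n")

        baseline_file = Path(tmp) / "baseline.json"
        save_manifest(compute_manifest(root), baseline_file)

        # Simulate what the post describes: code prepended to an existing file,
        # plus a new file dropped into the tree.
        index = root / "index.php"
        index.write_text("<?php /* injected */ ?>\n" + index.read_text())
        (root / "wp-content" / "dropped.php").write_text("<?php ?>\n")

        return diff_manifests(load_manifest(baseline_file), compute_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Take the baseline right after a clean install or update, and compare after every plugin update and on a schedule (for example, a cron job that mails the diff when it is non-empty). A legitimate update shows up as modified files too, so re-baseline immediately after each one.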
Hope this helps out someone else in a similar situation and that Google reconsiders my website soon.