
WordPress Security Vulnerabilities

A few weeks ago, we noticed that someone had inserted a block of spam links into our WordPress header and footer. We promptly updated to the latest version (2.3.3 at the time), assuming the upgrade would close the hole. It happened again, and the same thing appears to be happening to WordPress blogs all across the Internet.

The hack itself is interesting. First, it is built to stay invisible to any human visitor while remaining fully indexable and followable by search engines: the spam links are wrapped in a block styled "position: absolute;overflow: hidden;height: 0;width: 0", which renders nothing on screen but leaves the anchors in the HTML for crawlers. Second, the links point to other legitimate blogs that have themselves been compromised. Those blogs not only carry the same hidden link spam in their pages, but also host entire landing pages, created inside their WordPress themes directory, for the content the spam is pushing.
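The hidden-block signature described above can be scanned for mechanically. What follows is an added example, not code from the original post: a small standard-library Python scanner that walks the HTML of a page (or of a saved header.php/footer.php template) and lists every link enclosed in an element styled to be invisible. It recognises the exact style the post describes and, going slightly beyond it, the other stock hiding tricks (display:none, visibility:hidden, a large negative text-indent). SAMPLE_HTML and the URLs in it are constructed for the example.

```python
"""Find links hidden from human readers but left in the HTML for crawlers.

Added example, not code from the original post. SAMPLE_HTML is constructed.
"""
import re
from html.parser import HTMLParser

# Declarations that, on their own, hide an element from a human reader.
_HIDING_RULES = (
    re.compile(r"display\s*:\s*none"),
    re.compile(r"visibility\s*:\s*hidden"),
    re.compile(r"text-indent\s*:\s*-\d{3,}"),
)
# A zero length: "0", "0px", "0.0em", ...
_ZERO = re.compile(r"0+(\.0+)?\s*(px|em|%)?")


def is_hidden(style: str) -> bool:
    """True if an inline style makes the element invisible on screen."""
    s = style.lower()
    if any(rule.search(s) for rule in _HIDING_RULES):
        return True
    decls = {}
    for decl in s.split(";"):
        if ":" in decl:
            name, value = decl.split(":", 1)
            decls[name.strip()] = value.strip()
    # The signature from the post: absolutely positioned, clipped, zero by zero.
    return (
        decls.get("position") == "absolute"
        and decls.get("overflow") == "hidden"
        and _ZERO.fullmatch(decls.get("height", "")) is not None
        and _ZERO.fullmatch(decls.get("width", "")) is not None
    )


class HiddenLinkFinder(HTMLParser):
    """Collects the href of every <a> that sits inside a hidden element."""

    VOID = {"br", "img", "input", "hr", "meta", "link"}

    def __init__(self):
        super().__init__()
        self.stack = []   # (tag, started_a_hidden_region) for each open element
        self.hidden = 0   # number of hidden ancestors enclosing the current position
        self.links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hides = is_hidden(attrs.get("style") or "")
        if tag == "a" and attrs.get("href") and (self.hidden or hides):
            self.links.append(attrs["href"])
        if tag in self.VOID:
            return
        self.stack.append((tag, hides))
        if hides:
            self.hidden += 1

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; ignore void elements and stray
        # end tags so a sloppy template cannot confuse the hidden-region count.
        if tag in self.VOID or all(t != tag for t, _ in self.stack):
            return
        while self.stack:
            open_tag, hides = self.stack.pop()
            if hides:
                self.hidden -= 1
            if open_tag == tag:
                break


def find_hidden_links(html: str) -> list:
    """Return the hrefs of all links that a human visitor would never see."""
    parser = HiddenLinkFinder()
    parser.feed(html)
    parser.close()
    return parser.links


# Constructed sample: one visible link in the header, a hidden 0x0 block with
# two spam links, normal post text, and a display:none span with a third.
SAMPLE_HTML = """<html><body>
<div id="header"><a href="http://example.com/about">About</a>
<div style="position: absolute;overflow: hidden;height: 0;width: 0">
  <a href="http://example.net/wp-content/themes/default/buy-pills.html">cheap pills</a>
  <a href="http://example.org/wp-content/themes/classic/loans.html">payday loans</a>
</div></div>
<p>Visible post text <a href="/2008/04/post">permalink</a></p>
<span style="display:none"><a href="http://example.net/casino">casino</a></span>
</body></html>"""

if __name__ == "__main__":
    import sys
    source = SAMPLE_HTML if sys.stdin.isatty() else sys.stdin.read()
    for href in find_hidden_links(source):
        print(href)
```

Run it with no input to see it flag the three spam links in SAMPLE_HTML, or pipe a fetched page into it (curl -s http://yourblog/ | python hidden_links.py). Run it over the raw header.php and footer.php too: the injected block lives in the templates, and a template may emit the links only on certain pages.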

We have since upgraded to the newest WordPress, 2.5 (released the day after we moved to 2.3.3). I haven't seen any in-depth documentation of the vulnerability behind this, so we can only hope it has been fixed in 2.5. As an extra precaution, we recommend that anyone running WordPress disable the online theme and plugin editor by removing the web server's write permission on the relevant directories:

# a-w removes the write bit for owner, group and others; a bare -w leaves bits that are set in the umask untouched
chmod -R a-w wp-content/themes
chmod -R a-w wp-content/plugins

This is just an example; paths and ownership vary with your installation and server setup. Removing write permission only helps if the process that writes the spam does not run as the owner of the files, since a process that owns a file can simply chmod it back. The stronger configuration is to have the theme and plugin directories owned by an account other than the one the web server (or PHP) runs as, and to grant write access only for the duration of an upgrade. Also be sure to check your directories for rogue files (on the compromised blogs we saw, the landing pages had been dropped into the themes directory), and of course fix your header and footer templates.
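The three steps above (strip write permission, verify nothing is left writable, look for rogue files) can be scripted. The following is an added example, not the original post's commands: a standard-library Python script that does the equivalent of chmod -R a-w, reports anything under wp-content/themes and wp-content/plugins that still carries a write bit, and lists files changed within the last N days as candidates for dropped landing pages. The wp-content tree it runs against is constructed in a temporary directory so the script runs offline; point the functions at a real wp-content path to use it for real. Modification time is only a heuristic (an attacker can reset timestamps with touch), so comparing the directory against a pristine copy of the theme is the more reliable check.

```python
"""Harden and audit wp-content/themes and wp-content/plugins.

Added example, not code from the original post. selfcheck() builds a
constructed wp-content tree in a temporary directory and runs the checks on it.
"""
import os
import stat
import tempfile
import time
from pathlib import Path

WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def walk(root: Path):
    """Yield root and every file and directory beneath it."""
    yield root
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield Path(dirpath) / name


def writable_entries(root: Path) -> list:
    """Paths whose mode still carries a write bit for owner, group or other."""
    return sorted(str(p) for p in walk(root) if os.lstat(p).st_mode & WRITE_BITS)


def strip_write(root: Path) -> int:
    """Equivalent of `chmod -R a-w ROOT`; returns how many entries were changed."""
    changed = 0
    for p in walk(root):
        st = os.lstat(p)
        if stat.S_ISLNK(st.st_mode):
            continue  # do not follow symlinks out of the tree
        if st.st_mode & WRITE_BITS:
            os.chmod(p, stat.S_IMODE(st.st_mode) & ~WRITE_BITS)
            changed += 1
    return changed


def recent_files(root: Path, days: int) -> list:
    """Files modified within the last `days` days: candidates for rogue pages."""
    cutoff = time.time() - days * 86400
    return sorted(str(p) for p in walk(root)
                  if p.is_file() and os.lstat(p).st_mtime >= cutoff)


def selfcheck() -> dict:
    """Build a constructed wp-content tree, harden it, and report what each check found."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "wp-content"
        theme = root / "themes" / "default"
        plugin = root / "plugins" / "akismet"
        theme.mkdir(parents=True)
        plugin.mkdir(parents=True)
        # Legitimate theme and plugin files, backdated so they look untouched.
        old = time.time() - 400 * 86400
        for legit in (theme / "header.php", theme / "footer.php", plugin / "akismet.php"):
            legit.write_text("<?php // legitimate file ?>")
            os.utime(legit, (old, old))
        # The kind of landing page the post describes, written just now.
        (theme / "buy-pills.html").write_text("<html>spam landing page</html>")

        before = len(writable_entries(root))
        changed = strip_write(root)
        after = len(writable_entries(root))
        recent = [Path(p).name for p in recent_files(root, days=30)]

        # Give the owner write back so the temporary directory can be removed.
        for p in walk(root):
            os.chmod(p, stat.S_IMODE(os.lstat(p).st_mode) | stat.S_IWUSR)
        return {"writable_before": before, "changed": changed,
                "writable_after": after, "recent": recent}


if __name__ == "__main__":
    print(selfcheck())
```

On a live install, run writable_entries() first to see what the web server could modify, strip_write() to take that away, and keep recent_files() in a cron job so a new file in a theme directory is noticed within a day rather than when the search engines notice the spam.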

posted by / Jason Tan
posted on / 04/08/2008
comments / 10


Thanks for the tip. It's sad, though, that security issues stemming from such simple style issues continue to plague the web. How is the hack itself getting in before it hides?

ian
04/08/08
04:48 pm


Jesus, this was very helpful. I am going to fix those security holes. Thanks, Barnes.

barnes
04/08/08
04:49 pm


Thank you for this information. I have read about this happening to a few other people throughout a couple of forums. Hope you will let us know if that upgrade took care of this issue.

Kara
04/08/08
04:53 pm


Thanks for the information. I'm going to fix this.

Mika
04/09/08
09:56 am


[...] scale than just my site (PsionMark writes about his attack, GoogleLady writes about her attack and Jason Tan writes about his attack). But as others have pointed out this hasn’t been making any [...]


[...] before it happens to you, upgrade to WordPress 2.5 and follow these extra guidelines. Precaution is never [...]


Thanks for the useful information, Jason. As another victim of this stuff, it was helpful to see some solutions. Out of curiosity, if the search engines were crawling through this, could it negatively impact a site's SEO/reputation/status... and if so, how do we correct that after the fact?

Seth
05/13/08
02:43 pm


Seth, yes it will negatively affect your search engine performance. However, once it's fixed, it should go back to normal within a few weeks.

Jon Henshaw
05/13/08
02:48 pm


Three things. First: this is still messed up for 2.5.1. Second: you can use lynx to view your website in a text-only version to check on a regular basis whether you've been hijacked. The junk will show up at the top or bottom of your site. SO ANNOYING!!! Third: how can I disable the theme editor in my dashboard???

E.D. Kain
06/05/08
12:20 pm


[...] which showed no indication of linking to me. Only when looking inside their HTML source I saw its hidden links to me. I’ve realized that I’m part of a zombie network of hacked blogs and splogs all [...]

