
Hacked through Wordpress

Bigdawg

Just Me
Our company site was hacked through Wordpress. Just want to STRESS the importance of keeping wordpress updated!!! We didn't have an operational blog yet, but wordpress was installed in anticipation of getting one up and going by the end of the year. It was not the current version - it was installed the end of last year. A trojan horse virus was inserted on every index page on the site (I have index pages in all my directories to keep people from listing the contents).

So this is your Public Service Announcement for the day :smile:
 

mark in tx

New Member
Wordpress has always had issues like that, and it requires constant vigilance. Sorry I don't have a better suggestion.
 

signswi

New Member
You weren't really hacked, you were exploited. Hacking is something you do to an intentional target; this was likely (99.9% chance) a drive-by exploit.

If you're on shared hosting it may not have been your account that was the initial breach, but this is a good reminder to always keep your CMS software updated. There was a major TimThumb exploit this month that has been causing grief across the majority of CMS solutions and required immediate security updates a couple weeks back.

WordPress isn't any less secure than any other CMS but like everything it's in your host configuration and how on top of your game you are at keeping your software up to date. Exploit spiders crawl around looking for old versions with known exploits to auto-hack, that's just how life is and has been for the past decade.

There's a bunch of really easy things you can do to obfuscate your install from crawl spiders (which are very simplistic) but this is also a good lesson on why you should use specialists.

Here are some very basic tips:

1) Don't install WordPress into the root directory. Install into a subdirectory. Exploit spiders look for your files in root, not in root/subdirectory.
2) Hide your WordPress version, there's no reason to broadcast what version you're on.
3) Harden your login page.
4) Set up automatic database and file backups.
5) If you are using shared hosting, be sure you're using a shared host who knows what they're doing and has a history of working with WordPress.
6) Stay up to date, if there's a notification that an update is available -- update. Updates don't get pushed out because the devs are bored, there's a reason.

If you can't handle these things on your own you should hire someone :). These tips are somewhat universal, I just happen to prefer WordPress to all other CMS.
 

TyrantDesigner

Art! Hot and fresh.
Anything open source you throw on the web to make your websites is suspect to hacking ... they have the base code to do so. Updating regularly helps, but the only way to get a mostly secure site is to pay for custom coding of a back end. One of the reasons why I sort of dislike web design. I also got kicked off a host because I was testing some open source and in that 3 or 4 days of testing it got hacked, they threw up a phishing back end, and flooded the net with that domain. Not fun, but you have my sympathy.
 

Bigdawg

Just Me
I deleted it all together - we didn't need it yet and that's one less headache to have to worry about.

Just feel for those people that build full wordpress sites (or have them done for their company so they can update) that don't know enough to keep the base program upgraded. At least I knew what to look for!
 

Mike F

New Member
This is why I always keep my WP and plug-ins up to date, use a security plug-in, have another plug-in set to backup to my dropbox every day at 3AM, and every day once I've checked the site and made sure everything is ok, I sync with my dropbox and then copy those files to my hard drive in another folder so I have 2 copies. Really saved my arse a few weeks ago when I screwed up the database tinkering around with stuff and had to do a re-install.
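
Added example, not part of any post in this thread: the first post reports code inserted into every index page, and the post above describes keeping a daily backup copy, so one way to spot that kind of tampering is to hash each live index file and compare it with the backup. The directory layout, file contents and function names below are constructed for illustration.

```python
import hashlib
import os
import tempfile

def index_hashes(root):
    """Map relative path -> SHA-256 for every index.* file under root."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().startswith("index."):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                found[os.path.relpath(full, root)] = digest
    return found

def compare_to_backup(live_root, backup_root):
    """Return index files that differ from, or are absent in, the backup."""
    live, good = index_hashes(live_root), index_hashes(backup_root)
    return {
        "modified": sorted(p for p in live if p in good and live[p] != good[p]),
        "added": sorted(p for p in live if p not in good),
        "missing": sorted(p for p in good if p not in live),
    }

def demo():
    """Build a constructed backup/live pair and return the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = os.path.join(tmp, "backup"), os.path.join(tmp, "live")
        clean = b"<html><body>placeholder</body></html>\n"
        for root in (backup, live):
            for sub in ("", "images", "blog"):
                os.makedirs(os.path.join(root, sub), exist_ok=True)
                with open(os.path.join(root, sub, "index.html"), "wb") as fh:
                    fh.write(clean)
        # Constructed tampering: extra bytes appended to two live index pages.
        for sub in ("", "blog"):
            with open(os.path.join(live, sub, "index.html"), "ab") as fh:
                fh.write(b"<!-- constructed injected content -->\n")
        # A file present on the live site but not in the backup.
        with open(os.path.join(live, "images", "index.php"), "wb") as fh:
            fh.write(b"constructed unexpected file\n")
        return compare_to_backup(live, backup)

if __name__ == "__main__":
    print(demo())
```

Pointing `compare_to_backup` at a real web root and a restored backup directory gives the list of index pages to inspect or restore; any legitimate edit made since the backup will also show up as modified.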
 

VinylLabs.com

New Member
It was probably an exploit, not a hack.

you probably chmodded a few files or directories you shouldn't have.

or a script vulnerability (the latest big one was timthumb.php)

and yes, you need to keep current on your versions of software, it's a given when dealing with open source applications.
 

Jim Doggett

New Member
Our company site was hacked through Wordpress. Just want to STRESS the importance of keeping wordpress updated!!! We didn't have an operational blog yet, but wordpress was installed in anticipation of getting one up and going by the end of the year. It was not the current version - it was installed the end of last year. A trojan horse virus was inserted on every index page on the site (I have index pages in all my directories to keep people from listing the contents).

So this is your Public Service Announcement for the day :smile:

The "Timthumb" plug-in has some security risks. Make sure it's up-to-date, if it's installed and activated.

Ahhhhhh!!! Redundant. Sorry
 

Bigdawg

Just Me
Pretty sure I can handle it signswi since most of what you listed was already done. The problem - and I should have known better - was that I didn't bother to keep it updated since we weren't using it. It was in a no-crawl directory so not even sure how they knew where to find it :-(

And yes - it was exploited. Not hacked. Note to self: use correct terminology :smile:

I posted - not for help since I knew what the problem was - but to remind everybody to UPDATE WORDPRESS... regularly...

and the pisser to the whole thing? McAfee and AVG did NOT pick up the exploit... but Avast did. So what the heck am I paying McAfee for?????
 

signswi

New Member
Use Microsoft Security Essentials not McAfee/AVG/Avast. Though Avast is pretty good.

Don't use more than one of the above on the same machine, ever. Get rid of McAfee as quickly as possible it's bloaty crap that slows your system down.

I assume you mean "caught it" as in it gave you a warning when you browsed to the website? I sure hope you aren't using any of the above server side.
 

Techman

New Member
McAfee and AVG did NOT pick up the exploit.

Is exactly why myself and other geeks refuse to use either one any more. Both are resource hogs and both are so bloated they are ineffective.
 