WordPress under attack: how to protect your blog when you don’t know MySQL from My Little Pony


At the time of writing, an attack on WordPress is in progress. Unfortunately a security chink in older versions of the blogging application has been located and exploited by hackers. Blogs and Twitter are abuzz, as news of the attack spreads.

For the uninitiated: WordPress is an extremely popular blogging application, with good reason: it is free to use, easy to customise, jam-packed with great features and is at the centre of an enthusiastic and helpful blog community. WordPress is regularly updated and the latest version, WordPress 2.8.4, went live in August 2009.

Official advice has been issued: WordPress has advised all users to upgrade to its latest version. Bloggers are posting about ways in which hacked blogs can be identified and remedied. However, if you are fairly new to blogging, or if your blog was set up for you by a third party, you may be left scratching your head. Perhaps you haven’t upgraded your WordPress before now, or perhaps you aren’t that familiar with the nuts and bolts of your web hosting control panel. MySQL? Database backups? If this is the case, this quick guide is for you. All you need is Firefox and a “can do” attitude.

What happens to your blog if it is attacked?

Two things. Firstly, your blog suddenly gains one or more new “Administrators”. These are users with powers to write, edit and publish posts, add/delete new features and change settings. For obvious reasons, you don’t want strangers to have this kind of access…

Secondly, your permalinks change. Permalinks are the URLs for your posts. For example, the permalink for the post that you are reading now is as follows:

WordPress users affected by an attack are reporting that their permalinks are altered to something like this:

http://corporateblogger.co.uk/2009/09/05/wordpress-under-attack-how-to-protect-your-blog-when-you-dont-know-mysql-from-my-little-pony/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/#comment-506929

Or to something like this, where that was not the permalink structure previously:

http://corporateblogger.co.uk/2009/09/05/p=22?

A hobby blog of mine was attacked in the early hours of this morning: two mysterious new Administrators were added, and the permalinks were changed to the latter format. When site visitors tried to click through to other posts on the blog – via links to “Featured Posts” in the sidebar, for example – they were taken to blank pages. The same applied to would-be visitors who attempted to click through to the blog via links on other websites.

How can you tell if your blog has been affected?

1. What version of WordPress are you using? If you aren’t sure where to look, you will find the version noted on your WordPress blog’s dashboard. The “safe” version is 2.8.4; any previous version is considered vulnerable. However, don’t presume that you are out of the woods if you have 2.8.4 already, especially if this version was installed during the past few days.

2. The obvious one: click around on your blog and take note of the permalinks. Is all as it should be?

3. Go into your WordPress dashboard. Go to the Users page. (The link is top right on WordPress 2.5 and in the left sidebar on later versions.) The users will be listed and categorised as Subscribers, Editors, Administrators etc., with a number in brackets next to each category at the top of the page. The Administrators are the ones to look out for. Does the number of Administrators cited in brackets exceed the number of named Administrators on the page? If so, your blog has been attacked.

What should you do next?

There are two schools of thought here. The first is that you should upgrade to 2.8.4 before you do anything else; however, if you upgrade while your blog is affected, you aren’t going to rinse out the hack – you will simply carry it over to the new version.

So you can upgrade + rinse, or rinse + upgrade. Your call!

This is what I did with my affected hobby blog:

1. Deleted all unfamiliar Subscribers.

2. With that Users page open in Firefox, I followed the advice given in this excellent Nachotech post: I went to the View menu at the top of the page and selected Page Source, which pops up all the page’s HTML code. If the cited number of Administrators is mysteriously high, it is because new Administrators have been added to your blog, alongside a clever piece of JavaScript that ensures that the new Administrators do not show up on the Users page. You’ll be able to see them in the HTML though.

Scroll down until you find an unfamiliar username. It will appear in a block like this:

</script></div> </td>
<td><a href='mailto:' title='e-mail: '></a></td>
<td>Administrator</td>
<td class='num'>0</td>
</tr>
<tr id='user-27' class="alternate">
<th scope='row' class='check-column'><input type='checkbox' name='users[]' id='user_27' class='administrator' value='27' /></th>
<td><strong><a href="user-edit.php?user_id=27&#038;wp_http_referer=%2Fwp-admin%2Fusers.php%3Frole%3Dadministrator">KeithDick77</a></strong></td>
<td>…

KeithDick77? Who he?

The next step: copy the user-edit.php link from that block (the href on the line carrying the unfamiliar username) and paste it into a URL that begins http://wp-admin/ (that is, your blog’s own wp-admin address). So in this case, with the mysterious KeithDick77, the URL would be as follows:

http://wp-admin/user-edit.php?user_id=27&#038;wp_http_referer=%2Fwp-admin%2Fusers.php%3Frole%3Dadministrator

When you do this, the unwanted Administrator’s settings page will pop up. You can then change their role from Administrator to Subscriber, thus removing their powers. Also delete the gobbledygook in the “First Name” field; this is what removed the Administrator’s name from view in the first instance.

Before saving these changes, you’ll have to enter an e-mail address and a new password; any old rubbish will do. Once this page has been saved, you’ll be taken back to the Users page. You will be able to see your new user now. Select that user, and delete the profile.

Repeat as necessary, until your numbers of Administrators tally with one another.

One last, but important point here: “wpnonce” may sound like it’s a hacker’s nickname. It’s not; leave it be.
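To make steps 2 and 3 above mechanical, here is an added example of my own (not the post’s or WordPress’s code) in Python. It reads the raw users.php source, which sidesteps the row-hiding script, lists every Administrator row with the user-edit link you would open for it, and separately flags a permalink structure (raw or as it appears URL-encoded in the address bar) that carries the eval/base64_decode fragments shown earlier. The sample page source is constructed in the shape of the block quoted above; the blog, user names and e-mail address in it are made up.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Fragments of the altered permalink structure shown above (PHP code smuggled into a URL pattern).
SUSPECT = re.compile(r"eval\(|base64_decode|\$_SERVER|\{\$", re.IGNORECASE)

def permalink_looks_tampered(structure: str) -> bool:
    """True if a permalink structure (raw or URL-encoded) carries PHP-evaluation fragments."""
    return bool(SUSPECT.search(unquote(structure)))

class UserRowParser(HTMLParser):
    """Collect one dict per <tr id='user-N'> row straight from the users.php source."""
    def __init__(self):
        super().__init__()
        self.rows, self._row, self._in_name = [], None, False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "tr" and (a.get("id") or "").startswith("user-"):
            self._row = {"id": a["id"][5:], "role": None, "name": "", "edit": None}
        elif self._row is not None and tag == "input" and a.get("name") == "users[]":
            self._row["role"] = a.get("class")            # WordPress puts the role in the checkbox class
        elif self._row is not None and tag == "a" and "user-edit.php" in (a.get("href") or ""):
            self._row["edit"], self._in_name = a["href"], True   # the link you paste after wp-admin/
    def handle_data(self, data):
        if self._in_name:                                   # script contents are never inside this link
            self._row["name"] += data.strip()
    def handle_endtag(self, tag):
        if tag == "a":
            self._in_name = False
        elif tag == "tr" and self._row is not None:
            self.rows.append(self._row)
            self._row = None

def unexpected_administrators(page_source: str, known_logins: set) -> list:
    """Administrator rows in the raw source whose login you do not recognise (empty set = list all)."""
    p = UserRowParser()
    p.feed(page_source)
    return [r for r in p.rows if r["role"] == "administrator" and r["name"] not in known_logins]

# Constructed sample in the shape of the source quoted above: one real admin, one planted one, one subscriber.
SAMPLE_USERS_PAGE = """
<tr id='user-1' class=''><th scope='row' class='check-column'><input type='checkbox' name='users[]' id='user_1' class='administrator' value='1' /></th>
<td><strong><a href="user-edit.php?user_id=1&#038;wp_http_referer=%2Fwp-admin%2Fusers.php%3Frole%3Dadministrator">karyn</a></strong></td><td>Karyn</td><td><a href='mailto:karyn@example.invalid'>karyn@example.invalid</a></td><td>Administrator</td><td class='num'>42</td></tr>
<tr id='user-27' class="alternate"><th scope='row' class='check-column'><input type='checkbox' name='users[]' id='user_27' class='administrator' value='27' /></th>
<td><strong><a href="user-edit.php?user_id=27&#038;wp_http_referer=%2Fwp-admin%2Fusers.php%3Frole%3Dadministrator">KeithDick77</a></strong></td><td><div><script>/* row-hiding script lived here */</script></div></td><td><a href='mailto:' title='e-mail: '></a></td><td>Administrator</td><td class='num'>0</td></tr>
<tr id='user-30' class=''><th scope='row' class='check-column'><input type='checkbox' name='users[]' id='user_30' class='subscriber' value='30' /></th>
<td><strong><a href="user-edit.php?user_id=30&#038;wp_http_referer=%2Fwp-admin%2Fusers.php">reader</a></strong></td><td>Reader</td><td></td><td>Subscriber</td><td class='num'>0</td></tr>
"""
```

Call unexpected_administrators(page_source, {"your", "known", "logins"}) on a saved copy of your own Users page source; each row returned carries the user_id and the user-edit.php link to paste after wp-admin/.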

All done. Now what?

Two further steps, as suggested in the comments section of this post by Andrew Wee, are to rename a couple of your WordPress files in the hope that these actions minimise the chances of a repeat attack.

You will be able to access your WordPress files via your site’s web hosting control panel (usually cPanel). You will need a separate username and password to get into the control panel; if you do not appear to have these and your blog was set up for you by a third party, that third party will be in possession of these details.

Once in, open up File Manager and scroll down to two entries: wp-register.php and xmlrpc.php. Rename both of these.

Okay. So this upgrading malarkey..?

The WordPress guide is here. If you are using an older version of WordPress, you won’t have the automatic upgrade button that appears on the dashboards of newer versions. This means that you have to do a manual upgrade which, if you aren’t literate in the language of databases, backups and directories, can come across as a daunting prospect.

The solution is deliciously simple: it’s a plugin called WordPress Automatic Upgrade. Download it here. Install it on your blog.

(If you do not know how to install plugins: it’s easy if you are using WordPress 2.6 or above. An option to add plugins can be found in the sidebar. With older versions, you’ll need to install the plugins manually: here are some instructions.)

The great thing about this plugin is that it does all of the hard work for you, step by step. It makes backups of your database and files and downloads them to your hard drive. It deactivates all your plugins, and reactivates them once the newest version of WordPress has been installed.

Activate this plugin, begin the upgrade – and please note that as you go along, it will provide you with various instructions. Download this; click here – that sort of thing. Follow these instructions to the letter.

Voila! You are upgraded. I used this plugin on that hobby blog earlier today, to go from 2.5 to 2.8.4. It worked a treat, with no problems whatsoever.

You should always make backups before upgrading your WordPress. For this reason I’d recommend using this plugin even with later versions of WordPress; it does the backups and the downloads for you.

Moving on

If your site has been affected, read the WordPress hacking FAQ and consider implementing other recommended measures.

Please note that the guidelines outlined above describe what has worked for me. They may not be complete. As further details of the attack and its solutions emerge, I may well be updating this post. If this post does not solve your blog problems, do check out some of the other posts to which I have linked; these may help. Who knows? We may not have seen the last of this one.

Don’t forget to change your permalinks back to your preferred format! You can do this via the Settings option in your dashboard.

From now on, upgradeupgradeupgrade! Always make sure that your version of WordPress is up to date; the latest version is usually the most secure.

Further reading: WordPress’ head honcho Matt has produced a detailed post about the worm and the importance of upgrading.

I hope that this post has been useful.


  1. Cloak Url said on September 6th, 2009 at 2:26 pm

    The reason that WordPress is recommended is that it is the best blogging software online if you have your own website.

  2. Sally said on September 17th, 2009 at 12:18 am

    Very interesting blog post thanks.


Your Hosts
Hello! We are Karyn Fleeting and Joel Turner . We are both directors at Tinderbox Media: a digital PR agency specialising in business blogs, which is based in North Yorkshire, UK. On Corporate Blogger we write about our observations, experiences and ideas drawn from working with our corporate clients on various web-based projects.
