WordPress Self Hosted Blogs Under Attack

by on 04/12/2010 in Security, WordPress

There have been a number of reports about a WordPress hack affecting self-hosted WordPress blogs. The hack seems to affect WordPress 2.9.2, the latest version of the blogging platform.

The attack starts an infection chain that leads to various malware, including a rogue antivirus, which we have written many articles about here.

Facts about the recent hack

  • Several WordPress blogs running the latest official version are currently being successfully compromised.
  • Attackers manipulate the blog either to spread malware (more recently) or to cloak links that are only visible to search engines.
  • It is currently not clear how the attacks are carried out.
  • Some pointers are given on how to disinfect a blog.

WordPress webmasters should check their blogs immediately to make sure that they have not been compromised. A WordPress plugin like Antivirus might also help in preventing a successful attack.

How to protect your self hosted WordPress blog

You can download the Antivirus plugin here.

AntiVirus for WordPress is a smart and effective solution to protect your blog against exploits and spam injections.

Features

  • WordPress 2.9.x ready
  • Detect the current WordPress permalink back door
  • Quick & Dirty: activate, check, done!
  • Manual testing with immediate result of the infected files
  • Daily automatic check with email notification
  • Whitelist: Mark the suspicion as “No virus”
  • English, German, Italian, Persian

In addition to the Antivirus plugin, you should also install the Login Lockdown plugin here.

Login LockDown records the IP address and time stamp of every failed log in attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the log in function is disabled for all requests from that range.
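The lockout rule described above, modelled in Python as an added example (this is not the plugin's own PHP code). The threshold, counting window, lockout length and the choice of an IPv4 /24 as the "IP range" are assumptions, and the login records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Assumed policy: the page says only "a certain number" and "a short period".
MAX_FAILURES = 2                 # lock on the 3rd failure ("more than")
WINDOW = timedelta(minutes=5)    # how far back failures are counted
LOCKOUT = timedelta(minutes=60)  # how long the range stays blocked
RANGE_PREFIX = 24                # assumption: "IP range" = IPv4 /24

def ip_range(ip):
    return str(ip_network(f"{ip}/{RANGE_PREFIX}", strict=False))

class LoginLockdown:
    def __init__(self):
        self.failures = defaultdict(list)  # range -> recent failure times
        self.locked_until = {}             # range -> lock expiry time

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip_range(ip))
        return until is not None and now < until

    def record_failure(self, ip, now):
        """Log one failed login; return True if the range is now locked."""
        recent = self.failures[ip_range(ip)]
        recent.append(now)
        recent[:] = [t for t in recent if now - t <= WINDOW]  # age out old ones
        if len(recent) > MAX_FAILURES:
            self.locked_until[ip_range(ip)] = now + LOCKOUT
        return self.is_locked(ip, now)

def replay(events):
    """Return (ranges ever locked, attempts refused while locked)."""
    guard, refused = LoginLockdown(), []
    for ts, ip, ok in events:
        now = datetime.fromisoformat(ts)
        if guard.is_locked(ip, now):
            refused.append((ts, ip))       # refused even if the password is right
        elif not ok:
            guard.record_failure(ip, now)
    return sorted(guard.locked_until), refused

SAMPLE = [  # constructed records: (timestamp, source IP, login succeeded?)
    ("2010-04-12T10:00:00", "203.0.113.5", False),
    ("2010-04-12T10:00:20", "203.0.113.9", False),
    ("2010-04-12T10:00:40", "203.0.113.77", False),  # 3rd failure from the /24
    ("2010-04-12T10:02:00", "203.0.113.5", True),    # valid login, range locked
    ("2010-04-12T10:03:00", "198.51.100.7", False),  # other range, one failure
]
```

Because failures are counted per range, three different addresses in the same /24 trip the lock together, and the valid login at 10:02 is refused until the lock expires.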

29 Responses to “WordPress Self Hosted Blogs Under Attack”

  1. Thanks Frank, I installed the recommended plugins.

  2. Andrew@BloggingGuide

    Apr 13th, 2010

    Already using login lockdown, but also installed the antivirus. Thank you so much!

  3. Susie

    Apr 13th, 2010

    Thanks Frank! Working on getting all this in place!

    • Frank Jovine

      Apr 13th, 2010

      Susie,

      It’s easy to do and it’s good for you and your self hosted blog. :)

  4. Brad

    Apr 14th, 2010

    WordPress said that it was Network Solutions’ fault for not preventing users sharing the same server from accessing the other users’ content.

    • Frank Jovine

      Apr 14th, 2010

      Brad,

      The source was NetSol, but that doesn’t mean hackers won’t try to compromise other WP 2.9.X blogs. I have seen this too many times. It is better to be safe than sorry.

  5. Brian

    Apr 15th, 2010

    I have had Login Lockdown installed from the second week I had my blog. Time to get the Antivirus plugin. Thanks for the tips!

  6. Aleksey

    Apr 16th, 2010

    Thanks for sharing this information, I’m going to check my 2 WP blogs with Antivirus plugin.

    • Frank Jovine

      Apr 16th, 2010

      You may want to check your web site as it is marked as suspicious by mywot.com.

  7. Tini | SEO and Blogging

    Apr 16th, 2010

    It’s under attack like seriously? The only attack I am getting is the thousands of spam comments. Thank goodness for moderation.

    • Frank Jovine

      Apr 16th, 2010

      Tini,

      A friend of mine just got attacked yesterday, so yes, there are WP Blogs being compromised.

  8. Chattaranga

    Apr 16th, 2010

    Getting my site hacked is one of my biggest fears. Didn’t even think about looking for a WordPress anti-virus plugin! Cheers mate.

    • Frank Jovine

      Apr 17th, 2010

      You are welcome and I am glad I could help.

  9. Jal

    Apr 17th, 2010

    Thank you for the information and for mentioning the quick solution to it. Apart from Antivirus and Login Lockdown plugins, you might want to consider changing permissions for various important folders and files in your WordPress installation.

    I have done a post on changing the permissions of some important WordPress folders, which might help: Secure WordPress blog in 5 minutes

    • Frank Jovine

      Apr 17th, 2010

      Jal,

      Thank you for sharing the folder permissions.

  10. Christie

    Apr 17th, 2010

    Thanks so much Frank! And – this is a good time for me to get rid of the WordPress installations in the sites I started and abandoned last year. :)

    • Frank Jovine

      Apr 17th, 2010

      Christie,

      How are you? I am glad to make others aware and hopefully everyone will be careful and install the plug-ins I recommended.

      • Christie

        Apr 17th, 2010

        Doing fine, thanks! Work’s been busy, so I don’t get to make the rounds of blogs as often as I like. :)

  11. Mitch

    Apr 17th, 2010

    How interesting. I didn’t upgrade to 2.9.2 because it wasn’t an upgrade for an exploit, and now I’m glad I decided against it.

    • Frank Jovine

      Apr 17th, 2010

      Mitch,

      Older versions are suspect and I would recommend you get the latest version.

  12. Raj@ The Positive Life

    Apr 19th, 2010

    My wordpress blog was hacked just a few days ago (4th April), I wish I had installed the anti virus before my blog had got hacked.

    Anyway, I am installing it right now to prevent any future attacks. Thanks

    • Frank Jovine

      Apr 19th, 2010

      Raj,

      Sorry to hear about your attack and hopefully you back up your WP daily and save the last 10 back ups.

  13. fanta78

    Apr 19th, 2010

    Thanks Frank for the advice and the plugins. I’ll try those.

    I just got one of those attacks on a blog a few days ago: massive injection of malicious JavaScript code in almost all the standard WordPress .js files. The threat is real!

    I’m still searching for the entry point of this attack, and I have two leads: a virus on the PC which could have used my FTP client, or weak file system security from my hosting provider (as Matt wrote about http://wordpress.org/development/2010/04/file-permissions/).

    I have cleaned up the site, and posted an article (in French :-)) about it. http://fanta78.lasnespace.com/2010/wordpress-attaque-mon-blog/

    • Frank Jovine

      Apr 19th, 2010

      Fanta,

      Thank you for sharing. I would also recommend that you back up your WP daily. You should also keep at least the last 10 days so you can go back to the last working back up in the event you may have been unaware when the malicious attack took place.

  14. Susie

    May 6th, 2010

    I have implemented this on many of the sites, but one in particular Trade Show Improvement dot com continues to state danger in several places. If someone doesn’t know php all that well, what are their options?

    Scan shows – there is no virus but has several lines that say see line..such and such

    <?php require(WEBTREATS_INCLUDES . "/sitemap-content.php");

    Any thoughts?