Did your WordPress Website get hacked?

Remember a few weeks ago there was all that noise about WordPress blogs getting hacked? Remember how everyone was urged to upgrade their blogs? You did upgrade, didn’t you? No? It was inevitable that you’d be hacked. If you haven’t been hacked yet, it’s only a matter of time.

Unfortunately for some who did upgrade, it was too late. The hacker may have known about the security issues before we did and went about their merry way breaking into blogs and websites, grabbing usernames and passwords, and planting backdoor scripts to log them in again at a later date.


If you’ve been hacked

  1. Upgrade to the latest version of WordPress.
  2. Make sure there are no backdoors or malicious code left on your system. This will be in the form of scripts left by the hacker, or modifications to existing files. Check your theme files too.
  3. Change your passwords after upgrading and make sure the hacker didn’t create another user.
  4. Edit your wp-config.php and change or create the SECRET_KEY definition. It should look like this, but do not use the same key or it won’t be very secret, will it?

define('SECRET_KEY', '1234567890');

 

How do hackers hide their hacks?

The simplest way is hiding their code in your PHP scripts. If your blog directory and files are writable by the web server then a hacker has free rein to plant their code anywhere they like. wp-blog-header.php seems to be one place. Theme files are another. When you upgrade WordPress your theme files won’t be overwritten, so make sure you double check those files for any strange code that uses the eval() command or base64_decode().

They’re also uploading PHP code disguised as jpeg files to your upload directory and adding those files to the activated plugins list. This makes it harder to find them, but not impossible:

  1. Open PHPMyAdmin and go to your blog’s options table and find the active_plugins record.
  2. Edit that record. It’s a long line. Scroll through it and you’ll find an entry that looks like ../uploads/2008/05/04/jhjyahjhnjnva.jpg. Remove that text, and make sure you remove the serialized array information for that array record. If that’s beyond you, just delete the active_plugins record and reactivate all your plugins again.
  3. Check your uploads directory for that jpg file and delete it.
  4. This YouTube video shows how to do that. I don’t think there’s any urgent need to remove the rss_* database record but it won’t hurt to do it.
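
The checks described above can be scripted. The following is an added example, not code from the original post: it flags PHP files that call eval() or base64_decode(), image files in the tree that contain PHP code, and active_plugins entries that are not ordinary plugin .php paths. The function names, the sample directory tree and the sample option value are constructed for illustration, and the image check covers a few more extensions than the .jpg case the post mentions.

```python
import re
import tempfile
from pathlib import Path

# Calls the post says to look for; legitimate code uses them too, so hits need review.
SUSPICIOUS = re.compile(rb"\b(?:eval|base64_decode)\s*\(", re.I)
PHP_TAG = re.compile(rb"<\?php", re.I)
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif"}
# One string element of a PHP-serialized array: s:<length>:"<value>";
SERIALIZED_STR = re.compile(r's:\d+:"(.*?)";')

def scan_tree(root):
    """Return sorted (relative path, reason) pairs for files to review by hand."""
    root, findings = Path(root), []
    for path in (p for p in root.rglob("*") if p.is_file()):
        ext, data = path.suffix.lower(), path.read_bytes()
        rel = path.relative_to(root).as_posix()
        if ext == ".php" and SUSPICIOUS.search(data):
            findings.append((rel, "eval/base64_decode call"))
        elif ext in IMAGE_EXT and PHP_TAG.search(data):
            findings.append((rel, "PHP code in image file"))
    return sorted(findings)

def suspicious_plugins(option_value):
    """Return active_plugins entries that climb out of the plugins dir or are not .php."""
    entries = SERIALIZED_STR.findall(option_value)
    return [e for e in entries if ".." in e or not e.lower().endswith(".php")]

def build_sample(root):
    """Write a constructed mini WordPress tree (sample data, not real malware)."""
    theme = Path(root) / "wp-content/themes/demo"
    uploads = Path(root) / "wp-content/uploads/2008/05/04"
    theme.mkdir(parents=True)
    uploads.mkdir(parents=True)
    (theme / "index.php").write_bytes(b"<?php get_header(); ?>")
    (theme / "footer.php").write_bytes(b"<?php eval(base64_decode('ZWNobyAxOw==')); ?>")
    (uploads / "jhjyahjhnjnva.jpg").write_bytes(b"<?php /* placeholder */ ?>")
    (uploads / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16)

# Constructed active_plugins value using the example path from the post.
SAMPLE_OPTION = ('a:2:{i:0;s:19:"akismet/akismet.php";'
                 'i:1;s:39:"../uploads/2008/05/04/jhjyahjhnjnva.jpg";}')

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, reason in scan_tree(tmp):
            print(f"{reason}: {rel}")
    print("suspicious plugin entries:", suspicious_plugins(SAMPLE_OPTION))
```

To use it on a real site, call scan_tree() on a copy of the blog directory and pass suspicious_plugins() the option_value of the active_plugins row.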

3 thoughts on “Did your WordPress Website get hacked?”

  1. Your style is unique compared to other people I have read stuff from. Many thanks for posting when you have the opportunity, Guess I will just bookmark this web site.

  2. Do you mind if I quote a few of your posts as long as I provide credit and sources back to your site? My blog site is in the very same niche as yours and my users would truly benefit from some of the information you provide here. Please let me know if this is alright with you. Appreciate it!
