Secure your WordPress, mine was attacked


I woke up this morning to find that my site feed wasn’t validating and XML-RPC was not responding when I tried to update from MarsEdit. A quick “View Source” showed foreign code lodged at the top of my site’s header. I knew instantly that it shouldn’t be there and that something was wrong. The code was <iframe src="http://xxxxxyyyyyzzzz.com/3332.htm" style="display:none">, a hidden (display:none) iframe that loads a page from a third-party domain without the visitor seeing anything. Here is a list of malware sites.

The sane first step was to check whether the injection had hit the whole site or just the WordPress install (I’m on WordPress 2.5.1). After finding it only in the WordPress-powered section of the site, I took the following steps to remove the code and to prevent further damage to my WordPress installation.

PREPARE

  • Jot down the list of plugins I need
  • Back up the theme
  • Back up “wp-config.php”
  • Back up and download the database with WordPress Database Backup
  • You should also back up /wp-content/uploads/ if you use WordPress to upload your files (see below for how I manage my files)

REFRESH

Then I redid the whole WordPress installation. I wasn’t worried, because my “uploads” live elsewhere, the database was not infected, and it is backed up every day by mailing it to myself and archiving it instantly in Gmail. Here is what I did:

  1. Delete the whole “wp” folder. Yes, I always make a point of keeping all the WordPress install files inside a separate folder.
  2. Upload a fresh set of WordPress files into “wp” (you can use any folder name you like)
  3. Upload the plugins
  4. Upload the theme
  5. Upload “wp-config.php”

That’s it. With a fresh WordPress install, the injected script is gone and my WordPress installation is back to normal.

EXTRA PRECAUTION

I decided to take some extra precautions to secure my WordPress installation from here on. Here are a few things I did in addition to installing a fresh copy of WordPress.

Make sure none of your folders are world-writable

Make sure that none of your folders allow public write (CHMOD 777). There are times when you need to set a folder to CHMOD 777 (everybody can write), but remember to set it back to 755 (only the owner writes) when it is no longer needed, or at least to CHMOD 775 (owner and group write).
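A small audit script, added here as an example and not the author’s own, that checks the two things this post runs into: the world-writable folders warned about just above, and a hidden iframe like the one found in the header at the start. The function names, the audit order and the paths in the usage line are my assumptions.

```shell
#!/bin/sh
# Added example, not the author's script: a post-restore audit for a
# WordPress tree. Assumes the WordPress files live in one folder (the "wp"
# folder in the post) and that you run this from a shell on the host.

# List directories under $1 that anyone can write to (the world-write bit,
# i.e. CHMOD 777 and friends). Empty output means there is nothing to fix.
find_world_writable_dirs() {
    find "$1" -type d -perm -002
}

# Reset every world-writable directory under $1 to 755 (only the owner writes).
fix_world_writable_dirs() {
    find "$1" -type d -perm -002 -exec chmod 755 {} +
}

# List files under $1 that contain a hidden iframe like the one in the
# post: an <iframe ...> whose style attribute hides it with display:none.
find_hidden_iframes() {
    grep -rIl -i -E '<iframe[^>]*display: *none' "$1"
}

# Succeed only if the .htpasswd path ($1) is not inside the web root ($2),
# so the password file can never be fetched through the site.
htpasswd_outside_docroot() {
    case "$1" in
        "$2"/*) return 1 ;;
        *)      return 0 ;;
    esac
}

# Usage: audit_wordpress /path/to/wp /path/to/.htpasswd /path/to/public_html
audit_wordpress() {
    echo "World-writable directories:"
    find_world_writable_dirs "$1"
    echo "Files with hidden iframes:"
    find_hidden_iframes "$1"
    if htpasswd_outside_docroot "$2" "$3"; then
        echo ".htpasswd is outside the web root: OK"
    else
        echo ".htpasswd is INSIDE the web root: move it"
    fi
}
```

Run the audit before and after the fresh install; a clean tree prints nothing under either heading.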

Restrict access to “wp-admin” with .htaccess

It is pretty easy to drop a .htaccess into your “wp-admin” folder so that only you or a few of your editors/authors can reach that folder. This way, you’ll need two passwords to log in to your WordPress admin. I use Keychain to remember them, so I only type them once. This is what I have in my .htaccess file:

You’ll need a .htpasswd file containing a Username:Password pair. Remember, the password is stored hashed here, not in the clear. There are lots of .htpasswd password generators; use one of them:

Note: You can have multiple Username:Password pairs, one per line.

Now, drop this .htpasswd file in “/path-to-file/outside-of-your-site-folder/”. Make sure it is not inside your site folder (e.g. www, public_html) but outside it, somewhere only you can reach and that is not served by the website.

Many WordPress advocates and experts have written about securing a WordPress installation, so I won’t go deeper than what I’ve already written above. It’s your choice how paranoid you get. Nonetheless, while we’re here, let me give you another bonus tip.

Prevent comment spam by denying access to no-referrer requests

Add this to the Redirect section of your .htaccess:

Note: Change brajeshwar.com to your domain.
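The .htaccess and .htpasswd snippets referred to above are not reproduced on this page, so here is an added example (not the author’s actual configuration) of the two pieces described: Basic Auth on wp-admin with the password file kept outside the site folder, and the no-referrer rule for comment POSTs. The path /home/example-user/.htpasswd is a placeholder; brajeshwar.com is the domain from the note above.

```apache
# Added example, not the author's own .htaccess. Placeholders: the path
# /home/example-user/.htpasswd and the domain brajeshwar.com (from the post).

# ---- wp-admin/.htaccess : a second login in front of the WordPress admin ----
# The password file sits outside the document root, so Apache can read it
# but never serves it. Create it with:
#   htpasswd -c /home/example-user/.htpasswd yourname
AuthType Basic
AuthName "WordPress Admin"
AuthUserFile /home/example-user/.htpasswd
Require valid-user

# ---- site-root .htaccess, Redirect section : reject no-referrer comment POSTs ----
RewriteEngine On
# Only comment submissions ...
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} wp-comments-post\.php [NC]
# ... whose Referer is not this site, or whose User-Agent is empty ...
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?brajeshwar\.com/ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# ... get a 403 instead of ever reaching WordPress.
RewriteRule .* - [F,L]
```

A .htaccess inside wp-admin also challenges requests for wp-admin/admin-ajax.php, which some themes and plugins call from public pages, so exempt that file if anything on the front end breaks. As a commenter notes further down, some security suites strip the Referer, so the spam rule will turn away a few legitimate commenters as well.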

HOW I MANAGE MY FILES (MEDIA, IMAGES, DOWNLOADS)

As mentioned above, I have my own way of managing files, which I find effective and easy to move around if I need to change hosts or any other eventuality arises.

Separate sub-domain for media files (images, audio, video)

Keeping these files on a separate sub-domain lets me move them anywhere I like with just a DNS change (pointing the record at a new IP or changing the CNAME). My articles always point to the sub-domain, so they keep working wherever the media files live (a different location or server). Currently they are hosted on Amazon S3. By the way, I’m likely to write an article for Digital Inspiration, for non-geeks and everyday users, on how to use Amazon S3 the easy way.

What if you’ve used /wp-content/uploads/ throughout and you want to change it now?

Easy! In your .htaccess file, add a permanent redirect with this rule:

RewriteRule ^wp-content/uploads(.*)$ http://media.brajeshwar.com.s3.amazonaws.com$1 [L,R=301]

This permanently redirects every reference to /wp-content/uploads/ to the corresponding location on the new host.

Back up the DB daily or weekly

If your site is busy and you blog regularly, have a daily backup of your database mailed to you; weekly is enough if your site is less prolific. WordPress Database Backup can email you a backup daily, weekly or monthly. I have it mailed to my Gmail account, with a filter that archives it as it arrives.

WordPress Theme

Since I always use my own theme, I have a local copy and another on my SVN server. So, always keep a local copy of your theme.

WordPress Plugins

Don’t worry about them unless you’ve written one yourself or modified one. They’re available everywhere, or at least well preserved in the WordPress Plugins directory.

Keepass

While on the topic of security, let me say that I’m a die-hard fan of Keepass, and now KeepassX on the Mac. There is also a Linux version, and the encrypted file that holds your passwords works on all platforms. This makes it easy to get at the plethora of passwords even when you’re away from your Mac, out in the wild where Windows is common. At the time of writing, I’ve accumulated over 2000 passwords used on various sites and applications, and every one is different. You can unlock KeepassX with either a master password or a key disk, which makes it rather secure.

That’s pretty much it. Feel free to comment, ask questions and I might be able to discuss further.

  • Your article was very informative. I guess we need to keep checking our source codes once in a while.

  • Nice article. 🙂 Stumbled!

  • I recommend changing your WordPress password as well, just in case.

  • @Joseph
    Thanks for the tip. 🙂

  • I think it should be noted that denying no-referrer comments prevents some legitimate posts as well. Norton (and perhaps some other security suites) strips out referrer information from requests, supposedly by default.

  • Michael Clark

    Did you investigate at all what the attacker did to make changes to your installation? This could either be a new, previously unpublicized vulnerability in WP. Or did you not entirely lock down your installation like you describe above?

    I'd suggest looking for POSTs in your web server's apache logs.

    You should also change all of your passwords, both the .htaccess ones and all of your WP user passwords.

  • @Michael
    I looked around a bit but could not find anything relevant. I do not have access to Mosso's system and nor do they give us SSH.

    So, the best thing I thought was to secure everything and bring it back to normalcy, and later look around the internet for relevant information. Unfortunately, information about the attack is few and far between.

    Sorry, I've, at this time, no idea about how it is caused and where it originates.

  • Nico

    Hi,

    Thanks for this.

    The article was very easy to follow and nice to read. I will definitely link to it on my own WordPress install.

    Thanks.

  • Nice article. Hope you don't mind that I add a couple of tips myself.

  • @Shane
    Thanks, those tips look real hardcore and bad-ass.

  • It's always good to have a little of paranoia with these things (backup db daily, restrict access to admin page, etc.)

    Great tips, thanks for sharing.

  • I’m going to make a preventive plan based on your article. It’s better late than never.

    Good article, stumble.

  • @Hamdani

    That's nice.

  • John

    When my blog was hacked, I reinstalled everything but the malware infection came back.
    My machine used to get infected from my own blog while I was trying to log in! Here is a good article which shows how wp-login.php and admin-footer.php are injected with messy scripts to infect a blog. Good article.

    http://www.itoneworldsystem.com/blog/2009/01/03/how-to-remove-malware-from-your-blog/

  • Thanks for your sharing! Can you recommend the backup plugin you are using?

  • remove Internet Antivirus 2011

    Mine was also attacked twice!!! Hope your article works for me!