Weekends are supposed to be fun, Aren’t they?
And the latest version of WordPress is supposed to be secure, isn’t it? Well this weekend the conventional wisdom was proven wrong.
I am a reseller for a very large domain registration and hosting company for a few years now. I primarily used it to get discounts for myself and my customers on web hosting and domain registration. I didn’t make any real profit on it but also didn’t lose money.
A month or so ago I decided to take a little bit more interest in my reseller account. The web site they supply doesn’t index well in search engines because of the way it is set up. I decided to set up a website that will link to the supplied product pages to get a little more search engine “love”.
As this is a side project I don’t spend a lot of time on it but this Saturday I decided to spend a little time on the site. This first thing I did was to do a search for the site and it is nicely indexed in Google, but to my surprise almost all of the links had a comment “This site may be hacked”
A little bit of investigation showed that when you click on a link in search engine results you get taken to a porn site instead of my site. Typing the url in a browser took you to the correct site. I thought quite a bit on how does a hacker get this right and then it clicked. WordPress uses apache’s mod_rewrite to generate pretty urls. WordPress calls it permalinks. Because most people don’t have access to their webserver configuration they can use a file .htaccess to change server configurations. WordPress will do the changes for you if it has access to the .htaccess file.
I logged into the server and checked the .htaccess file. The file was changed to check if the site linking to my site is google, bing, or yahoo. With a little bit of extra trickery it then redirected to the porn site.
It was quite easy to fix the problem i.e. change the .htaccess file to what it should be, change it to be read only and reinstall wordpress. And of course change all passwords for wordpress including the database as well as the hosting account.
That was the easy part, the challenge is to secure wordpress and also the hosting account. Most people don’t have any real control over the server where they host their site so you change your hosting passwords and report it to the provider if they have a reporting mechanism.
There are many things you can do to make wordpress more secure than the default install. There is a lot of information floating around on the web on how to do this but about 70% seemed outdated or plain wrong.
I then looked for wordpress security plugins in the hope that the plugin authors will stay up to date with the current versions of wordpress. I eventually decided to use a plugin called sucuri. I also considered wordfence but it for some reason I didn’t feel comfortable with it. There was no real technical reason to choose sucuri instead of wordfence. Both plugins have a free and paid version.
Most of the things sucuri changes you can do manually, but they also offer a site scanning service that checks the wordpress source code and for problems when the site is accessed from outside.
NOTE: I’m not entirely sure the attack came via wordpress but it is the likely culprit.
The server where I am hosting could also be compromised. If the server is compromised a lot of people (including me) have really big problems.
I didn’t include lots of technical detail, if you are really interested Google is you friend.