Surviving a blog hacking attack

There’s a serious security concern for WordPress users, as a worm has been lurking on the Internet wreaking havoc on unpatched versions of WordPress.

The warning comes from no less than WP creator Matt Mullenweg himself in a recent post on the WordPress Dev Blog:

Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at the users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.

The tactics are new, but the strategy is not. Where this particular worm messes up is in the “clean up” phase: it doesn’t hide itself well and the blogger notices that all his links are broken, which causes him to dig deeper and notice the extent of the damage. Where worms of old would do childish things like defacing your site, the new ones are silent and invisible, so you only notice them when they screw up (as this one did) or your site gets removed from Google for having spam and malware on it.

Though I’ve read and heard of blog attacks before, I’ve never really encountered one on my own blog. Well, that was until the last week of July and the whole month of August, that is. This blog had been the victim of a hack attack. Probably from that worm mentioned in Matt’s post, but I still haven’t found a solid piece of evidence to prove this. Yet there were plenty of other signs that indeed the worm had attacked my blog.

It required me to change my password

Never in my entire four years of blogging have I ever encountered a need to recover my own password, because I’ve been careful with it and I’ve never forgotten it. So I found it bizarre one morning in the closing weeks of July that my original password was not being accepted by my blog. Thinking it was part of a routine WordPress update I had installed, I simply opted to reset my password and replaced it with a stronger one. How naive of me, as WordPress has never done something like this before.

Sudden decline in blog traffic

My web traffic went down to almost nothing

A few days after that ‘mandatory’ password change, I noticed a sharp decline in my blog’s traffic. Thinking it was another round of punishment from Google for the paid link ads on my blog, I said to myself that it would return to normal after a few weeks. Unfortunately, those weeks lasted for the whole month of August and the early days of September. From a daily average of 1000+ visitors, blog traffic plummeted to an average of 5 a day! Something else was wrong with my blog and I began to look around for things out of the ordinary. A broken plugin perhaps, or a theme element gone wrong.

My theme was acting weird

Though at that time I hadn’t updated the Vigilance theme I was using, I noticed that whenever I’d view the front page of my blog, something would stick out just below the footer and break the width of the theme. Thinking it was just some stray CSS elements or some code from the buttons on my blog, I paid little attention to it. Then it dawned upon me that this first occurred days after my “mandatory password reset” took place.

Then my blog screwed every browser it encountered

Shortly after writing my post on August 25, Chrome would crash after spewing out lots of new tabs every time I’d view my blog’s front page. Thinking it was just Chrome shooting itself in the foot, I tried viewing my blog with Firefox and the same thing happened. It was at this moment that I decided to have a second look at my theme files.

Spam code in the form of iframes that were redirecting traffic from my blog to a website about greeting cards and stuff had been inserted into my theme header and footer files! This is what had been causing my blog to break its margins, this is what had been stealing my blog traffic and this is what had been screwing up my browsers.

Things were fixed with a minor surgery

So immediately, I downloaded all the themes in my blog’s theme folder via FTP and had each and every single theme file checked and re-checked for any spam code inserted by that worm. I also removed most of the plugins that had been inactive for so long, and I also checked the WordPress files for malicious code.

Digging a little deeper, I once more combed my MySQL database for any injected code and alien user accounts. Fortunately, the only part of my blog that was compromised by the worm was the theme currently in use. So after cleaning up the theme files and re-uploading them, the ordeal quickly ended.
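As an added illustration of the theme-file check described above (this is not code from the original post), the Python script below flags the two signatures the post and Matt’s quote mention: hidden iframes in header/footer files and obfuscated PHP that is passed to eval(). The sample footer contents are constructed for the demo; the patterns are heuristics, so every hit still needs a human look.

```python
import re
from pathlib import Path

# Heuristic signatures for the kind of injection described in the post:
# hidden/1x1 iframes in header or footer files and eval()'d decoded strings.
SUSPICIOUS = {
    "hidden iframe": re.compile(
        r"<iframe[^>]*?(?:display\s*:\s*none|visibility\s*:\s*hidden"
        r"|(?:width|height)=[\"']?[01][\"']?(?=[\s/>]))[^>]*>", re.I),
    "eval of decoded string": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "long base64 blob": re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"),
}


def scan_text(text):
    """Return (line_no, label, snippet) for every suspicious match in text."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for label, pat in SUSPICIOUS.items():
            m = pat.search(line)
            if m:
                findings.append((n, label, m.group(0)[:60]))
    return findings


def scan_theme(theme_dir):
    """Scan every .php file under theme_dir (e.g. wp-content/themes/vigilance)."""
    results = {}
    for path in sorted(Path(theme_dir).rglob("*.php")):
        hits = scan_text(path.read_text(errors="replace"))
        if hits:
            results[str(path)] = hits
    return results


# Constructed sample footer.php: a clean footer followed by two injected lines.
# The base64 string only decodes to "hello"; it is never executed here.
SAMPLE_FOOTER = (
    '<div id="footer"><p>&copy; 2009 My Blog</p></div>\n'
    '<iframe src="http://spam.example/" width="1" height="1" style="display:none"></iframe>\n'
    '<?php eval(base64_decode("aGVsbG8=")); ?>\n'
)
CLEAN_FOOTER = '<div id="footer"><p>&copy; 2009 My Blog</p></div>\n'

if __name__ == "__main__":
    for line_no, label, snippet in scan_text(SAMPLE_FOOTER):
        print(f"line {line_no}: {label}: {snippet}")
```

Run scan_theme() against a fresh FTP download of the theme folder and compare the flagged lines with a pristine copy of the same theme version before deleting anything.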

Blog traffic quickly recovered to normal levels and my blog behaves normally now when viewed in all the web browsers I use.

Beefing up the security

To prevent another attack, I’ve beefed up the security of my blog. I once more changed my password to a more secure one. I’ve deleted all the plugins that I’m not using. User registration has also been disabled, and for a new layer of protection, I’ve installed the WordPress Firewall plugin as recommended to me by Ade when I checked his blog for a possible attack last month.

Just recently, I followed some of the steps mentioned by Jaypee, Donncha O Caoimh and the WP team.

For now, I rest more easily at night knowing that despite suffering a blog hacking attack, my WordPress-powered blog is more secure than ever thanks to this learning experience and the expertise of the WordPress community.

However, vigilance, diligence and being a smart blogger would be my edge in keeping my blog safe from those nasty evil-doing hackers.
