Has Your WordPress Blog Been Hacked?

If you own a WordPress blog, you may have been hacked, but what’s worse, you may not even know that you have been exploited.

This happened to me recently, and today I want to ensure that every WordPress reader not only knows how to detect this problem, but how to fix the problem & how to protect your site from future attacks.

Ok, here is the thing… like most marketers, my technical skills are not very good, but like most marketers, I have a lot of very useful contacts. So I contacted a good friend of mine (Paul from SEOidiot)

Paul takes up the story below:

What Happened To DeanHunt.com – By Paul

Here’s the technical side of what they did and what we did to get around it, plus a brief explanation of what I coded to try and give people the chance to check for themselves: -

WordPress uses calls to wp_head and wp_footer to allow plugins to alter the content being returned as the page loads, a good example of this working well would be the SEO Title Tags plugin. However this is the functionality that the spammers used to insert a whole raft of links into the footer.

This article [http://linux.byexamples.com/archives/397/wordpress-exploit-we-been-hit-by-hidden-spam-link-injection/] explains the technique for anyone who likes headaches, but in basic terms they are using compromised theme files or adding in new files to your compromised server which act on the wp_footer call to insert their links.

They have been even smarter than that though as they have cloaked the links, so if you pop over to your own hacked site and view the source code you wont see the inserted links. Only when Googlebot comes along are the links shown, which is obviously a bad thing as Google suddenly thinks you’re linking out to a bunch of parasite hosted pills sites and will give you a penalty or remove you as a result.

Note: Dean’s rankings were virtually wiped out in Google

The Solution

So how to solve this? On a dedicated box you can trawl through searching for the files known to be compromised but a simpler and easier method is to remove the wp_footer call from the footer.php file in your current theme.

There are very few plugins that do anything useful in the footer so this made sense for Dean. If it had been the WP_head that was inserting links we would have needed to get the host to find the dodgy files or perhaps to have moved to a clean install somewhere else.

Because it isn’t easy for people to detect when they have been hacked this way I wrote a little tool to show people what their Google cache thinks are links out from your page, you can find this free tool at http://www.seoidiot.co.uk/cachecheker/

Back to Dean….

So in a nutshell, your WordPress blog may have been hacked, and the usual checks won’t show anything wrong. You may only realise something is wrong once you have been booted out of Google.

I am happy to announce that my Google rankings returned within 4 days of the offending spam being removed, which just shows once more why Google are by far the king of the search world.

So how can you prevent this happening to your WordPress site?

Firstly, and perhaps most importantly, make sure your WordPress is up to date. If you remain with the latest version at all times, you stand a much better chance of never having these issues.

For the more technically minded amongst you, i got some great tips from Matt Cutts, and this post I hope that considering the circumstances, Matt won’t mind me posting his tips below:

1. Secure your /wp-admin/ directory. What I’ve done is lock down /wp-admin/ so that only certain IP addresses can access that directory. I use an .htaccess file, which you can place directly at /wp-admin/.htaccess . This is what mine looks like:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “Access Control”
AuthType Basic
order deny,allow
deny from all
# whitelist home IP address
allow from 64.233.169.99
# whitelist work IP address
allow from 69.147.114.210
allow from 199.239.136.200
# IP while in Kentucky; delete when back
allow from 128.163.2.27

I’ve changed the IP addresses, but otherwise that’s what I use. This file says that the IP address 64.233.169.99 (and the other IP addresses that I’ve whitelisted) are allowed to access /wp-admin/, but all other IP addresses are denied access. Has this saved me from being hacked before? Yes.

2. Make an empty wp-content/plugins/index.html file. Otherwise you leak information on which plug-ins you run. If someone wanted to hack your blog, they might be able to do it by discovering that you run an out-of-date plugin on your blog and then they could exploit that.

3. Subscribe to the WordPress Development blog at http://wordpress.org/development/feed/ . When WordPress patches a security hole or releases a new version, they announce it on that blog. If you see a security patch released, you need to upgrade or apply the patch. You leave yourself open to being hacked if you don’t upgrade.

And here’s a bonus tip: in the header.php file for your theme, you might want to check for a line like

” />

I’d just go ahead and delete that line or at least the bloginfo(’version’). If you’re running an older version of WordPress, anyone can view source to see what attacks might work against your blog.

Credit to Matt, Reuben and my buddy ShoeMoney I also got a lot of assistance from David Geere from the awesome EatingBritain. Oh, and David Naylor was incredibly helpful as well. Thanks David.

What’s Next For My WordPress Site’s Security?

Myself and Dave are looking to do a fresh install of WordPress, and we will also be looking into any plugins that can further assist us.

If you have any advice or tips based on the above, please leave them in the comments box. Also, send this post to any friends who have a WordPress site, I would hate for them to go through the hell that I had to suffer.

A wise man once told me: “what doesn’t kill you, only makes you stronger”, together we can ensure we are all strong enough to avoid this sort of issue in future.

Dean