It was brought to our attention recently that there has been a spate of compromises of WordPress websites across the globe.
Please note: we are still unsure of the exact method the attackers use to break into these WordPress websites, but after poring through source code and employing some basic debugging techniques we managed to find the injected code and a way to clean it up. Here it is…
How do you know if your WordPress website has been hacked?
The people hacking these WordPress websites are sneaky, and their sole aim is to get their affiliate links indexed by Google. They therefore try their hardest to keep their links on your website undetected for as long as possible. One way they do this is to hide what they are doing from YOU, the website administrator. Another is to leave everything else on your site exactly as it was, working as it should, so that nothing arouses suspicion.
You won’t know the attackers have compromised your website until you get down and dirty with your source code. From what we can tell so far, the injected code only shows up on WordPress single posts (pages rendered through the single.php template file). You may also be able to select and copy your post’s content, paste it into a blank document and find the hacker’s links in the pasted text.
If you use Google Chrome or Firefox, open one of your single posts, right-click on the post and choose “Inspect Element” (Chrome) or “View Selection Source” (Firefox). In any browser, including IE, you can instead right-click anywhere on the page and choose “View Page Source”. Then search the source for “display: none”.
The Problem – “Tell-Tale Signs”
The code that gets inserted into your post looks like this:
<!-- 5ad6387ced83ae3aa1208aceb74bc3d456 -->
<div style="display: none; position: absolute; top: 30px; left: 260px; ">
Another tell-tale sign that your WordPress website has been hacked is that it drops out of Google ENTIRELY after a day or two. There are a few reasons for this: the techniques the hackers employ to disguise their links are profoundly “black hat”, and the links point to what is now deemed a bad neighbourhood (did you hear what happened to FullTiltPoker.com in the US?).
The only way you will now be able to find your website in Google is to type in your exact domain name, e.g. yodelay.com. If your website has been compromised, you will see something similar to this:
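Checking page source by hand works for one post, but not for a site with hundreds of them. The following is an added example, not code from the original post: a small Python scanner that looks for the two tell-tale signs described above, a bare hex-string HTML comment and a <div> hidden with an inline style that contains links. The sample page at the bottom is constructed for the example; the spam.example links in it are placeholders, not real affiliate URLs.

```python
import re
from html.parser import HTMLParser

# Marker the injector leaves: an HTML comment that is nothing but a long hex string.
HEX_COMMENT = re.compile(r"^\s*[0-9a-f]{32,}\s*$", re.I)
# Inline styles used to keep a block out of sight of the reader but not of Google.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px", re.I
)


class HiddenLinkFinder(HTMLParser):
    """Walks the page and records links that sit inside a hidden <div>."""

    def __init__(self):
        super().__init__()
        self.depth = 0          # >0 while inside a hidden <div>; counts nested divs
        self.hidden_links = []  # hrefs found inside hidden containers
        self.hex_comments = []  # bare hex-string comments

    def handle_comment(self, data):
        if HEX_COMMENT.match(data):
            self.hex_comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "div":
            if self.depth:
                self.depth += 1
            elif HIDDEN_STYLE.search(attrs.get("style") or ""):
                self.depth = 1
        elif tag == "a" and self.depth and attrs.get("href"):
            self.hidden_links.append(attrs["href"])

    def handle_endtag(self, tag):
        if tag == "div" and self.depth:
            self.depth -= 1


def scan_page(html):
    """Return the hidden links and hex-comment markers found in one page's source."""
    finder = HiddenLinkFinder()
    finder.feed(html)
    finder.close()
    return {
        "hidden_links": finder.hidden_links,
        "hex_comments": finder.hex_comments,
        "suspicious": bool(finder.hidden_links or finder.hex_comments),
    }


# Constructed sample: a normal post followed by an injected block like the one above.
SAMPLE_PAGE = """<html><body>
<div class="post"><h1>My post</h1>
<p>Normal content with a <a href="https://example.com/about">link</a>.</p></div>
<!-- 5ad6387ced83ae3aa1208aceb74bc3d456 -->
<div style="display: none; position: absolute; top: 30px; left: 260px; ">
<div><a href="http://spam.example/casino">casino</a>
<a href="http://spam.example/pills">pills</a></div>
</div>
</body></html>"""

if __name__ == "__main__":
    result = scan_page(SAMPLE_PAGE)
    for link in result["hidden_links"]:
        print("hidden link:", link)
    print("markers:", result["hex_comments"])
```

Feed it the saved source of each single post (or fetch them with urllib) and anything with hidden links is worth a look. A legitimate theme can also use display: none, so treat a hit as a prompt to inspect, not as proof on its own.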
Yodelay To The Rescue… With The Solution!
Thankfully, the solution we found is rather simple, and will have you facepalming if you spent hours trying to find it…
First things first: change your WordPress password AND your FTP password. This is essential and should be done immediately. Furthermore, if your WordPress or FTP password is identical to ANY other password associated with your domain (hosting control panel, database, email accounts), change those too. You need to do this because it is still unclear how the hackers are gaining write access to your web server in the first place.
So, on to the fix – the sooner you do this, the better:
The hacker’s code can be found prepended to the beginning of index.php in your site root. A clean copy of that file is only a few lines long (a <?php opening tag, a comment, and the lines that load wp-blog-header.php), so anything else in front of it does not belong there.
The solution is therefore to replace this file with the index.php that ships with the WordPress.org download. Download the latest version of WordPress (3.1.1 at the time of writing) and extract the entire zip into your local copy of the site root (the folder containing your wp-config.php file). This replaces the infected index.php with a fresh, clean one; the zip does not contain a wp-config.php, so your settings are untouched. Upload the new file structure to your web server, starting with the new index.php. Because the entry point is still unknown, it is worth comparing the rest of the core files against the clean download as well, rather than trusting that index.php was the only file touched.
Check whether the hidden links are still there. They will be gone, and you can breathe a huge sigh of relief.
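Replacing index.php blindly works, but it does not tell you what was prepended or whether any other core file was touched. The following is an added example, not code from the original post: it shows exactly what sits in front of the clean index.php, and then goes further than the fix above by hashing every file in a clean WordPress download against the same path on the site. The fixture it builds is constructed for the example (an abbreviated index.php and a placeholder comment standing in for the injected code, since the post does not show what that code looks like); point compare_tree at your real site root and an extracted WordPress zip to use it for real.

```python
import hashlib
import os
import tempfile

# Abbreviated version of the index.php that ships with WordPress (constructed for the example).
CLEAN_INDEX = (
    b"<?php\n/** Front to the WordPress application. */\n"
    b"define('WP_USE_THEMES', true);\nrequire('./wp-blog-header.php');\n"
)
# Stand-in for whatever the attacker prepends; the real payload is not shown in the post.
INJECTED = b"<?php /* constructed stand-in for the injected code */ ?>\n"


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def leading_injection(suspect_path, clean_path):
    """Return the bytes prepended to the clean file, b"" if the files match, or None
    when the suspect does not end with the clean contents at all (a different kind of
    modification, which a plain replace still fixes but which you should inspect)."""
    with open(suspect_path, "rb") as fh:
        suspect = fh.read()
    with open(clean_path, "rb") as fh:
        clean = fh.read()
    if suspect == clean:
        return b""
    if suspect.endswith(clean):
        return suspect[: len(suspect) - len(clean)]
    return None


def compare_tree(site_root, clean_root):
    """Report every file from the clean download that is modified or missing on the site.
    Files that exist only on the site (wp-config.php, uploads, your own theme) are skipped
    because the download has nothing to compare them against; review those by hand."""
    report = {"modified": [], "missing": []}
    for dirpath, _, filenames in os.walk(clean_root):
        for name in filenames:
            clean_file = os.path.join(dirpath, name)
            rel = os.path.relpath(clean_file, clean_root)
            site_file = os.path.join(site_root, rel)
            if not os.path.exists(site_file):
                report["missing"].append(rel)
            elif sha256_of(site_file) != sha256_of(clean_file):
                report["modified"].append(rel)
    report["modified"].sort()
    report["missing"].sort()
    return report


def build_sample():
    """Constructed fixture: a clean download next to a site whose index.php was prepended to."""
    clean_root = tempfile.mkdtemp(prefix="wp-clean-")
    site_root = tempfile.mkdtemp(prefix="wp-site-")
    header = b"<?php\nrequire_once(dirname(__FILE__) . '/wp-load.php');\n"
    clean_files = {
        "index.php": CLEAN_INDEX,
        "wp-blog-header.php": header,
        "wp-login.php": b"<?php\n/* login */\n",
    }
    site_files = {
        "index.php": INJECTED + CLEAN_INDEX,          # modified
        "wp-blog-header.php": header,                 # untouched
        "wp-config.php": b"<?php\n/* site only */\n", # not in the download, ignored
    }                                                 # wp-login.php deliberately missing
    for root, files in ((clean_root, clean_files), (site_root, site_files)):
        for name, body in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
    return site_root, clean_root


if __name__ == "__main__":
    site, clean = build_sample()
    print("prepended:", leading_injection(os.path.join(site, "index.php"),
                                          os.path.join(clean, "index.php")))
    print(compare_tree(site, clean))
```

Run the comparison again after uploading the clean files: an empty "modified" list is the confirmation the post's "they will be gone" step is looking for, and anything that reappears later tells you the attackers still have a way in.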
We suggest you sit back now and have a beer, but there are a few more things you should do first…
Proactive Preventative Protection
We also recommend changing the unique authentication keys and salts in your wp-config.php file (this invalidates every existing login cookie, including any the attackers may hold), but only do this if you know what you are doing.
Take a look through all your WordPress users. Remove any recently created users that look suspicious or have a higher role than they should. Don’t remove yourself! If you have time, notify all your users of the breach and ask them nicely to change their passwords.
Check your file and folder permissions using your FTP client: directories should be 755 and files 644. Anything world-writable (777 on a directory or 666 on a file) needs fixing.
Once you’ve done that, change all of your passwords again, just to be certain. Use passwords that contain numbers and at least two words entirely unrelated to each other, such as an adverb, a number, a noun and then two more random digits, e.g. quickly3catfish91 (WordPress has a built-in password strength indicator; aim for 90+/100). Use a different password for each account you change, and store them somewhere safe.
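Checking permissions one folder at a time in an FTP client is slow, and it is easy to miss a 777 directory buried under wp-content. The following is an added example, not code from the original post: a Python audit that walks a site tree, reports every path that deviates from the 755/644 rule above, flags the world-writable ones, and can optionally fix them. It assumes shell or SSH access to the server (or a local copy of the tree); the sample tree it builds is constructed for the example.

```python
import os
import stat
import tempfile

EXPECTED_DIR = 0o755
EXPECTED_FILE = 0o644


def audit_permissions(root):
    """Return every path under root whose mode differs from 755 (dirs) / 644 (files).
    Symlinks are skipped; their mode bits are not what the web server enforces."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            st = os.lstat(path)
            mode = stat.S_IMODE(st.st_mode)
            expected = EXPECTED_DIR if stat.S_ISDIR(st.st_mode) else EXPECTED_FILE
            if mode != expected:
                findings.append({
                    "path": os.path.relpath(path, root),
                    "mode": mode,
                    "expected": expected,
                    # The dangerous case: any local user or process can write to it.
                    "world_writable": bool(mode & stat.S_IWOTH),
                })
    return sorted(findings, key=lambda f: f["path"])


def fix_permissions(root, dry_run=True):
    """Apply the 755/644 rule. Returns the paths that would be (or were) changed."""
    changed = []
    for finding in audit_permissions(root):
        if not dry_run:
            os.chmod(os.path.join(root, finding["path"]), finding["expected"])
        changed.append(finding["path"])
    return changed


def build_sample():
    """Constructed fixture: a tiny site tree with two bad entries and two good ones."""
    root = tempfile.mkdtemp(prefix="wp-perms-")
    layout = [
        ("wp-content", True, 0o777),               # world-writable directory: bad
        ("wp-content/plugins", True, 0o755),        # fine
        ("wp-content/plugins/hello.php", False, 0o644),  # fine
        ("index.php", False, 0o666),                # world-writable file: bad
        ("wp-config.php", False, 0o644),            # fine
    ]
    for rel, is_dir, mode in layout:
        path = os.path.join(root, rel)
        if is_dir:
            os.mkdir(path)
        else:
            with open(path, "wb") as fh:
                fh.write(b"<?php\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = build_sample()
    for f in audit_permissions(root):
        print(f"{f['path']}: {oct(f['mode'])} (expected {oct(f['expected'])})"
              + ("  WORLD-WRITABLE" if f["world_writable"] else ""))
    print("would change:", fix_permissions(root))
```

Run it with dry_run=True first and read the list; some hosts need a different owner or group arrangement, and a blanket chmod on a tree you have not looked at can break uploads or caching plugins that genuinely need a writable directory.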
Finally, a Kind Word of Advice for You and Your Newbie WordPress Developers
Something else that can happen as a result of this fix is that something custom-developed in WordPress stops working once the clean files are uploaded. This is the fault of your web developer (or whoever built the website).
If your web developer has told you not to update WordPress, it may be because they have modified the core source code themselves or written a sub-standard plugin or theme for your site. If so, encourage them to administer a facepalm in proportion to the pain they have caused you, or at least get them to do it properly!
It is the developer’s fault that your WordPress install has stopped working, not yours. Some less experienced developers will hack WordPress core in order to get something built faster or more easily, without considering the future implications of doing so.
Don’t be confused by the use of the term “hacked” in the paragraph above: here it simply means modifying published source code for your own purposes. Developers often do this without even realising.
Remember, you should always be able to update WordPress, or upload a clean WordPress file structure, without breaking your site.
If you need further information on this global security breach, people have posted on the WordPress.org forums with very similar issues, and there are some other great suggestions there as well:
UPDATE: We have received reports that Joomla websites are also being hit by the same attackers.