Thursday, February 3
Shadow

WordPress is the new Windows

Judging by the amount of effort that you nowadays have to take to keep your WordPress blog at least partially clean and safe from hacking, it really reminds me of the days of Windows XP (that’s the last time I seriously used Windows) and the numerous measures you had to take to keep it free from malware.
Similar to Windows in the 90s, WordPress is pretty much a monoculture at this point. And monocultures attract vermin.
All my WordPress instances have recently been infected. The goal of the infections was never to bring the sites down, though: destruction doesn’t help those who infect the sites. They want either to boost someone’s Google rank by creating more back links, or simply to spam others through links or spam mails.
In the case of my WordPress instances, I began noticing when Google started bouncing mails, telling me the server was now rate-limited. Thousands of spam mails were being sent out by my WordPress instances, one in particular.
By the way, I don’t believe infection rates and size (or level of fame) of a site have any real correlation.
Time to put the pest exterminator suit on.
I won’t go into depth, but re-installing everything wasn’t an option, so here is a brief overview of what I did to disinfect things.
Warning: before you proceed, please be aware that some of the things mentioned below have the potential to impact functionality of your WordPress site or even make it unusable. Only do this if you know what you’re doing!
1. install “Plugin Vulnerabilities” – this plugin keeps a database that tells you which of your WP plugins have known security holes. There’s no guarantee that the list is complete (it probably isn’t), but it will at least give you a good indication of what the worst culprits are. This is safe to do.
2. uninstall all plugins that are not 100% necessary. Yes, I had a few plugins installed that were doing minor things that I didn’t really need. In general, plugins are probably the biggest attack vector. This is safe to do.
3. install the Wordfence plugin and scan the sites with it. This will, for example, detect whether any of your default WordPress files differ from the ones that should be there. Wordfence is free; you can upgrade to a paid pro version. You should probably know what you’re doing when deleting or repairing files that were detected during the scan.
4. check for unknown users – check your list of users. Have any unknown ones been added? Be careful to not delete existing users that have posts associated with them.
5. remove admin user – user name “admin” is a guarantee that someone from the outside will try to brute force the password for it. My WP users with administrative rights have different names now. I also enabled the “block immediately” option in Wordfence in case someone tries to log in as “admin”. Be careful to have at least one other user with Administrator status that you can reliably log into.
6. manually search for strange stuff – I’ve also manually gone through a lot of the default index.php files that come with WP. Those are, for example, wp-content/index.php, wp-content/plugins/index.php and a few more. Their role is to prevent anyone from listing the contents of those directories. Unfortunately, after an infection they’re also often modified to contain malicious code, and Wordfence didn’t find all of them. It helps if you know how to use the command line and a text editor.
7. install Sucuri – this is another security plugin that does a few things differently from Wordfence and overlaps in other areas. Besides things like blacklist checks, it also lets you harden some areas of your WordPress instance. Sucuri is free; you can upgrade to a paid pro version. You should probably know what you’re doing when it comes to the different hardening options.
8. scrub the database – in the WP user list, I found that the counts at the top of the list (All / Administrator) were off. So I used phpMyAdmin to check through the database. Turns out that the table wp_usermeta had a lot of extraneous entries for users that didn’t really exist. I deleted those. This is for advanced users only; you can seriously mess up your WordPress installation by poking around inside the database.
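The manual check of the stock index.php stubs in the step above can be scripted. This is an added example, not part of the original post or of WordPress itself; it assumes the stubs WordPress ships in wp-content, wp-content/plugins and wp-content/themes consist of exactly the two lines `<?php` and `// Silence is golden.`, and it reports any of them whose content deviates from that, so a reviewer only has to open the flagged files.

```shell
#!/bin/sh
# Added example (not from the original post): report index.php stub files
# under a WordPress install that no longer match the stock stub.
# Assumption: the stock stub is "<?php" followed by "// Silence is golden.".

# Print the path of every shipped stub below the WordPress root $1 whose
# content differs from the stock stub. The root index.php is deliberately
# not checked: it is a real loader, not a directory-listing guard.
find_modified_stubs() {
    root="$1"
    expected=$(printf '<?php\n// Silence is golden.')
    for f in "$root/wp-content/index.php" \
             "$root/wp-content/plugins/index.php" \
             "$root/wp-content/themes/index.php"; do
        [ -f "$f" ] || continue
        # Normalise before comparing: strip trailing whitespace and blank
        # lines so a harmless extra newline is not reported as tampering.
        body=$(sed -e 's/[[:space:]]*$//' -e '/^$/d' "$f")
        if [ "$body" != "$expected" ]; then
            echo "$f"
        fi
    done
}

# Usage: find_modified_stubs /var/www/example-site
```

Anything printed is a stub that has been altered and should be inspected by hand and restored from a clean WordPress download.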
If you go online, you’ll find a lot more options, but the above steps seem to have done the trick for me. And honestly, I don’t want to wade even deeper into this.