Tips, Tricks, Tools & Techniques

for Internet Business, Life, the Universe and Everything


Has Your WordPress Blog Already Been Hacked? (Do You Know?)

22 February, 2008 (21:15) | Security, WordPress | By: Nick Dalton

There are several exploits targeting WordPress blogs that insert HTML into old posts or into the page template itself. Here are a few procedures that you should follow regularly to check on the health of your blog.

Search existing posts

  1. Go to Manage Posts in the WordPress admin section.
  2. In the “Search terms…” field enter one of the following:
    • iframe
    • script
    • href
  3. Click “Filter”.

This will show any posts that contain the above HTML keywords. Unless you’re writing about HTML, your posts will probably not contain these keywords. If they do show up in a post that you wrote yourself, don’t worry about it. The presence of these keywords is an indicator that someone else may have injected something into your posts; if you wrote it, then you’re fine.

The reason I search for these particular keywords is that an attacker usually wants to gain something from your blog: a way to install badware on your visitors’ computers (iframe), a blanket way to manipulate your blog output (script), or a simple link (href).

Search existing comments

Repeat the above procedure for comments on the Comments admin page.

View HTML

Visit your blog and view the HTML source. Search for the same iframe, script and href keywords on a couple of different types of pages:

  • Home page
  • An individual post
  • Your about page

There will be a lot of matches on the href keyword, but the links should all go to your own blog or other places that you know you have linked to. If you find links to web sites that hawk various body enlargement pills, then you have probably been compromised.

Google AdWords and other advertisement networks often use JavaScript includes. So does BlogRush. If you trust the network, then there is no reason to worry about these script statements.

Iframes are sometimes legitimately used by affiliate promotions, for example Amazon product links. Again if you trust the vendor you’re fine. Earlier in the week I wrote about a current exploit which adds an iframe to the wp-stats-php.info site. If you see any such iframes, that’s really bad.
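The source-view check above can be automated. The following is an added example, not code from the original post: it parses saved page source, pulls out every iframe, script and href target, and reports only those that point outside an allowlist of hosts you already trust (your own blog, your ad network). The host names and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag/attribute pairs matching the three keywords the post searches for.
WATCHED = {"iframe": "src", "script": "src", "a": "href"}


class ReferenceCollector(HTMLParser):
    """Collect (tag, target) for every iframe, script and anchor."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in WATCHED:
            self.refs.append((tag, dict(attrs).get(WATCHED[tag])))


def untrusted_references(html, trusted_hosts):
    """Return (tag, target) pairs that need a manual look.

    Relative URLs belong to the blog itself and are skipped. A script or
    iframe with no src (inline body) is reported as 'inline', and any
    non-http scheme (e.g. javascript:) is reported as-is."""
    parser = ReferenceCollector()
    parser.feed(html)
    findings = []
    for tag, target in parser.refs:
        if target is None:
            if tag != "a":
                findings.append((tag, "inline"))
            continue
        parsed = urlparse(target)
        if parsed.scheme not in ("", "http", "https"):
            findings.append((tag, target))
        elif parsed.netloc and parsed.netloc.split(":")[0].lower() not in trusted_hosts:
            findings.append((tag, target))
    return findings


# Constructed sample page source; hosts are placeholders, not real sites.
SAMPLE_HTML = """<html><body>
<a href="/about/">About</a>
<a href="http://example-blog.invalid/2008/02/post/">A post</a>
<script src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
<script>var x = 1;</script>
<a href="http://pills.example/buy">cheap pills</a>
<iframe src="//badware.example/x.html" width="1" height="1"></iframe>
</body></html>"""

# Assumed allowlist: your own blog plus the ad network you knowingly use.
TRUSTED = {"example-blog.invalid", "pagead2.googlesyndication.com"}

if __name__ == "__main__":
    for tag, target in untrusted_references(SAMPLE_HTML, TRUSTED):
        print(f"{tag:6} -> {target}")
```

Save the source of your home page, a post and your about page with the browser’s “View Source”, run the script over each file, and review whatever it lists.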

Google Webmaster Tools

Google supposedly marks pages that have been banned from their index due to malware in their Webmaster Tools. You should definitely have a Google Webmaster Tools account to get information on how Googlebot sees your web site and lots of useful search statistics. The banned page indication is an extra bonus.

Repeat Often

You should repeat all the above procedures on a regular basis. I know that’s a pain! But dealing with a compromised blog is much worse. Compared to the countless hours you spend on writing great blog posts and engaging in conversations with your readers, it doesn’t take that much time to keep your blog safe.

Comments

Comment from Burton Kent
Time: April 1, 2008, 11:47

If you want to avoid being hacked, check out the AskApache plugin. http://wordpress.org/extend/plugins/askapache-password-protect/

It helps protect your wp-admin directory, where most hacking takes place. You can allow your browser to save the password, so it just adds another click for you, but quite a bit of complexity for hackers.
