19 May 2010 » So your Wordpress has been hacked
Last week, someone informed me that my blog had been hacked:
I'm not quite sure what the vector was. Wordpress wasn't very secure and I didn't take too many measures to harden it. A coworker of mine (on our security team) decided it might be fun to have a look at the infected Wordpress Installation.
Here's how the hack works
- Your blog appears normal to you and your visitors.
- Some rogue PHP code detects if Google is crawling your site and modifies the text and links so it looks like your website is a Viagra pharmacy.
- The links go to other infected blogs and thus builds up page rank for this ring of blogs. So the upside is that your blog may be a top result... for VIAGRA.
Prevention
Here are some tips for prevention, but you can find a lot more by googling for Wordpress hacks. My solutions are more technical:
- Don't use Wordpress - I recently switched to Jekyll since it was conceptually easier to understand, and it's coder-friendly.
- Remove all users other than your own.
- Change your password.
- Check your code into git so you can see what files have changed.
- Prevent Wordpress from writing to your webroot.
Restoration
Here's what you'll need to do to de-spam yourself:
- Verify that you are still spammed by using Google Webmaster Tools|Labs|Fetch as Googlebot.
- Back up your blog and database.
- Move your Wordpress installation to a new directory.
- Install Wordpress from scratch.
- Remove all users except for yourself.
- Change your password.
- Copy your theme to your new installation.
- Install only the plugins you need.
By step 4, you should be able to verify, using Fetch as Googlebot, that your website is no longer an online pharmacy.
Good luck.