How do I cure my Wordpress blog of this spam infection for good?
March 5, 2010 2:54 AM

I have two Wordpress blogs on the same server, both of which have become exposed to some sort of vulnerability whereby occasionally the header file will be filled with JavaScript links and mentions of various enlargement techniques and erectile pharmaceuticals. I can delete the links but eventually they come back. I have closed the sites to comments, reinstalled the themes, reinstalled Wordpress and installed antispam systems but the vulnerability must lie in some part of the site (eg a previous comment or one of the scripts) where it can be re-used even if I update Wordpress. I don't have technical skills, so how can I find the source of this threat? If I have to install Wordpress from scratch, how can I export the content of the sites to the new install without bringing the spam with it?
posted by skylar to Computers & Internet (13 answers total) 4 users marked this as a favorite

Check the server is up to date, check wordpress is up to date, check your plugins are up to date.

Change your passwords. Check for suspicious accounts.

I don't have technical skills, so how can I find the source of this threat?

Why bother? You just want it working.

But to answer your question: you can't. Get someone else who knows what they are doing :)
posted by devnull at 3:00 AM on March 5, 2010

Just to check - have you upgraded to the latest Wordpress, or just reinstalled the previous versions?
posted by Pronoiac at 3:26 AM on March 5, 2010

Response by poster: I have upgraded to the latest version - in fact I have done it several times (and upgraded to latest versions of the theme I'm using) and the problem keeps coming back. So I suspect my vulnerability must reference some piece of code in some file or plugin that isn't getting updated.

If I need to get "someone who knows what they're doing", where would I find said person?
posted by skylar at 4:07 AM on March 5, 2010

I had something similar last year. Ultimately the simplest solution is to nuke and reinstall from scratch. Use the Tools -> Export function to save the content of your blog (it'll save everything except the themes, plugins and images), delete the whole existing install, then install the latest version and use Tools -> Import to repopulate the blog.

You will, as I mentioned, have to put the theme and any plugins back in yourself, and re-upload any images from scratch, which is a pain. But this solution is a lot faster and more guaranteed to work than sorting through hundreds of files looking for the tiny bit of injected php that's causing the problem.
posted by Hogshead at 4:41 AM on March 5, 2010

Is this in a wordpress header, i.e. can you see it in the wordpress application or it's just outputted to the browser? If the latter then it could be that Apache is the problem. Have you contacted your webhost?
posted by damn dirty ape at 6:59 AM on March 5, 2010

1. If it's not already, move everything associated with your wordpress install into a subfolder "wordpress" in your main webroot (maybe called public_html, maybe called htdocs, or similar)
2. Get WordPress working in the subdirectory as in this howto
3. Examine everything besides WordPress for possible vulnerabilities - anything php, anything cgi, whatever
4. Add new and completely fresh copy of wordpress in subdirectory of webroot called wordpress292
5. You want to do your upgrade by copying over ONLY what you need from the prior wordpress - .htaccess, wp-config.
5a. Move over the content from wp-content, but examine it FIRST. Uploads should only be the files you yourself uploaded - usually just jpgs and gifs. If there are php files in there, they don't get to be copied over to wordpress292.
6. Make a list of the plugins you have and that are active, download fresh copies of these from and install them into wordpress292/wp-content/plugins
7. You need to have someone look at your theme for vulnerabilities - download a fresh copy of your theme from original developer and install into wordpress292/wp-content/themes, set the theme files only to be writable by owner
8. Change ALL your passwords you know of associated with this hosting account
9. Upgrade your old wordpress to the new wordpress292
10. move the bad wordpress folder somewhere out of your webroot

That's how I'd approach it, just start super fresh and new, be paranoid, and I'd hassle my webhost for a list of FTP logins/shell logins/control panel logins to see if there's anything strange. Really it sounds like your WordPress was just old and got botted, but it could be something else.
posted by artlung at 7:43 AM on March 5, 2010

You need to peek at the users table in the db, not through WP. They often create hidden admin users. Also be careful with your uploads directory being open. It's easy to upload a file there (the text inside said expl0rer, note the zero) which lets them upload files to other directories if the perms are right.
posted by jwells at 8:59 AM on March 5, 2010 [1 favorite]
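
An added example, not part of any answer in this thread: a read-only audit for the two file-level conditions raised above, script files in the uploads directory (artlung's step 5a, jwells's caution) and theme files writable by anyone other than the owner (artlung's step 7). The function names, the demo tree and its file names are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes the stock WordPress layout
# (wp-content/uploads, wp-content/themes) under the directory you pass in.

# Script files (or an .htaccess) under uploads/, which should hold only media.
find_upload_scripts() {
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \
           -o -name '.htaccess' \) 2>/dev/null | sort
}

# Theme files that group or other users are allowed to write to.
find_loose_theme_files() {
    find "$1/wp-content/themes" -type f \
        \( -perm -020 -o -perm -002 \) 2>/dev/null | sort
}

# Print a report; a non-zero status means something needs a look.
audit_wp() {
    scripts=$(find_upload_scripts "$1")
    loose=$(find_loose_theme_files "$1")
    [ -n "$scripts" ] && printf 'Scripts in uploads:\n%s\n' "$scripts"
    [ -n "$loose" ] && printf 'Theme files writable beyond owner:\n%s\n' "$loose"
    [ -z "$scripts$loose" ]
}

# Constructed demo tree (sample data, not a real site) so this runs offline.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/wp-content/uploads/2010/03" "$d/wp-content/themes/mytheme"
    : > "$d/wp-content/uploads/2010/03/photo.jpg"
    : > "$d/wp-content/uploads/2010/03/img_cache.php"
    : > "$d/wp-content/themes/mytheme/header.php"
    : > "$d/wp-content/themes/mytheme/footer.php"
    chmod 666 "$d/wp-content/themes/mytheme/header.php"
    chmod 644 "$d/wp-content/themes/mytheme/footer.php"
    printf '%s\n' "$d"
}

# With a path argument, audit it; otherwise audit the demo tree.
if [ $# -gt 0 ]; then
    audit_wp "$1" || echo "Review the files listed above."
else
    demo=$(make_demo_tree)
    audit_wp "$demo" || echo "Review the files listed above."
    rm -rf "$demo"
fi
```

An `.htaccess` file in uploads is not always hostile, since some setups place one there on purpose, so read it rather than deleting it on sight.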

Response by poster: Is this in a wordpress header, i.e. can you see it in the wordpress application or it's just outputted to the browser?

I can see it in the header.php file when I use the Wordpress admin page. In other words it isn't just outputted to the browser.
posted by skylar at 9:04 AM on March 5, 2010

Have you looked at all your .htaccess files in all your directories?
posted by damn dirty ape at 9:10 AM on March 5, 2010

I don't recall how I rooted this content out, but I seem to recall that some of it was in local files and that some of it was in the database itself, so I dumped the database and did a search on that to see if I could find the contents in there.

This really sounds like that WP bug from a year ago that was a real pants on fire update that needed to get installed to stop this behaviour.
posted by so_ at 10:03 AM on March 5, 2010

My web hosting company was very helpful in tracking down this sort of problem, although they denied it wasn't anything on their end (it turned out it was indeed on their end - once they fixed whatever it was, my problems disappeared).

WP is ubiquitous enough that they'd hopefully have a handle on what to do to deal with it. Good luck!
posted by DandyRandy at 10:19 AM on March 5, 2010

+1 contact your web hosting company.

If the problem is in the header.php file, log in to your site with an FTP client and change the permissions on the header.php file so that you're the only one with permission to write to it. (If you do this, the application probably won't have access to write to it.)

Log in to your web hosting admin panel and see if they offer phpMyAdmin access to your database. From there you can browse the users table to look for suspicious users. Change the information (username, password, email address) to something you control so they can't log in again. (Be careful when you do this, though, you don't want to screw yourself or piss off people who've registered to comment.)

artlung's advice is also good. One way to handle this is to create a clean, fresh install of wordpress - you can use the same database but tell it to use a new prefix. Then once this install is working & you know it's secure, point it to the old database & point the old blog's file location to the new wordpress location. This is all pretty technical, though, so... really, it all just boils down to ask your ISP for help.
posted by MesoFilter at 2:11 PM on March 5, 2010

I'd put a few bucks on the server itself being compromised. My host provider recently had a compromised machine that affected everyone's default WP installs by injecting an iframe. Once the original problem is fixed, performing a custom install as artlung suggested will somewhat mitigate your exposure to these sorts of attacks.
posted by Fezboy! at 3:06 PM on March 5, 2010
