No spam please. We're American.
February 14, 2011 5:36 AM
Oh, dear. It seems my WordPress blog has decided to randomly insert visible links to an online pharma company. What's going on, and how do I stop it?
While not a Wordpress expert, I haven't had need to play under the hood very much - until now. Earlier today, I was looking at one of my posts and realized there was an offending link - a text link to an online pharma site I definitely didn't put there. It's not part of any text link ad plans (I don't have any), and there are no obvious security breaches (nothing else is changed). One offending link can be found at http://chrisinsouthkorea.com/2011/02/random-pictures-40-posts/ (scroll 3/4 of the way down).
I made my way through the WordPress forums, only to find out another sort of spam insertion was common - spammy links being inserted - but not displayed - on your website. That's not quite the same thing going on here - I checked the Page Source and there's nothing else (that I saw).
So the first question is "how do I get rid of the links already infecting the site?" There seems to be one on most every post (the newest, curiously, is untouched), leading me to believe it has something to do with the database.
The second question is "how does a self-hosted Wordpress blogger prevent this sort of stuff from happening, or make it a heck of a lot less likely to happen again?" I've looked into a couple of security-related plug-ins, but there's got to be a reasonably simple way to secure things without getting too technical.
Thanks in advance!
I should add, in terms of mitigation, that the only way you can really prevent this stuff from happening is being very disciplined about staying on top of wordpress updates and hoping you're not the crumple zone for the most recently discovered exploit.
That and keep backups; there's not much else you can do.
posted by mhoye at 5:50 AM on February 14, 2011 [1 favorite]
Maybe it's the same issue as here:
How to Diagnose and Remove the Wordpress Pharma Hack
posted by backwards guitar at 6:04 AM on February 14, 2011 [4 favorites]
re: upgrading Wordpress, I used to slack off on this because it was a hassle having to do it manually, but when I had a similar problem to you I upgraded to the latest version and it now has an auto-update function where you just click a button in the Admin panel and it does all the upgrading itself.
posted by EndsOfInvention at 6:18 AM on February 14, 2011 [2 favorites]
Seconding EndsOfInvention. This sounds like the Pharma Hack. You won't see the ads in your posts because they are not there. There is a file in one of your folders that intercepts what is seen by Google and inserts the ads. You have to find those files and upgrade WP to get rid of it.
posted by dawkins_7 at 6:55 AM on February 14, 2011
chrisinseoul: "I've looked into a couple of security-related plug-ins, but there's got to be a reasonably simple way to secure things without getting too technical. "
It's far too hard to plugin your way to security. If you're going to host a wordpress install, it's probably worth putting the whole thing into revision control, so you can identify culprit files (via "svn stat" -- anything with a ? mark is new).
In addition to mhoye's suggestions, it's worth inspecting the themes and plugins you use. There's a growing number of sites that host infected themes. There are tools & plugins to scan your other plugins and themes for unusual suspects, but it's only a matter of time before they're useless.
Personally, I'm looking into statically hosting everything. The blog post itself doesn't change much right? Now that there are javascript comment services, this is looking more feasible and I'll probably set that up myself this week.
posted by pwnguin at 7:02 AM on February 14, 2011 [3 favorites]
There's a good chance that there is a shell script somewhere on your server, and if so, you won't get anywhere fixing this problem until that is removed. There are a bunch of old questions here about finding/diagnosing shell scripts, which isn't very easy -- you will probably have to thoroughly comb through log files.
You probably want to tighten up security on php & your web server, not just wordpress per se. Disallow things like eval, exec, base64_decode etc. that no script should really need anyway (there are tutorials on this). Ideally, don't run the server as a user that has write permission anywhere that can serve files. This decreases convenience -- no autoinstall of themes, but it is much more secure against bad php code. This stuff won't necessarily protect against hacks that affect your database, since you can't really do without write access to that, but it will make it a lot harder for an intruder to install and run shell scripts or hidden ad servers.
posted by advil at 7:40 AM on February 14, 2011 [1 favorite]
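An added example, not from any poster in this thread: pwnguin's "svn stat" idea and advil's hunt for a dropped shell can both be done with a plain shell script and a hash manifest kept outside the web root. The web root path, the manifest location, the Googlebot User-Agent string and the webshell planted in the test are assumptions. One caveat on the disable_functions advice above: PHP's disable_functions only covers built-in functions, so it can block exec, passthru and shell_exec but not eval, which is a language construct, and disabling base64_decode may break plugins that use it legitimately; the script therefore greps for those names in source text instead of relying on php.ini.

```shell
#!/bin/sh
# wp-audit.sh: find files that changed since a known-good baseline and flag
# the usual webshell / obfuscation tell-tales in a WordPress tree.
# Added example, not from the thread. Assumes find, grep -E, comm, and either
# sha256sum or shasum; keep the manifest outside the web root.
set -u

# Portable SHA-256 over stdin.
sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
    else shasum -a 256 | cut -d' ' -f1; fi
}

# Record "hash  path" for every file under $1 into $2, sorted. Run this right
# after a clean install or upgrade; it is the poor man's "svn stat".
wp_baseline() {
    root=$1; out=$2
    ( cd "$root" && find . -type f | while IFS= read -r f; do
        printf '%s  %s\n' "$(sha256 < "$f")" "$f"
    done | LC_ALL=C sort ) > "$out"
}

# Print paths that are new or whose content differs from the baseline
# (a hash is 64 hex chars plus two spaces, so the path starts at column 67).
wp_changed() {
    root=$1; base=$2
    tmp=$(mktemp); wp_baseline "$root" "$tmp"
    LC_ALL=C comm -13 "$base" "$tmp" | cut -c67-
    rm -f "$tmp"
}

# PHP files carrying classic shell/obfuscation signatures. eval() is matched as
# text because disable_functions cannot block it. Core files that hit here
# should be compared against a fresh download before you panic.
wp_suspicious() {
    find "$1" -type f -name '*.php' -exec grep -lE \
        'eval[[:space:]]*\(|base64_decode|gzinflate|gzuncompress|str_rot13|preg_replace\([^)]*/e|passthru|shell_exec|\$_(GET|POST|REQUEST|COOKIE)\[[^]]*\][[:space:]]*\(' \
        {} +
}

# PHP anywhere under uploads/ is never legitimate.
wp_php_in_uploads() {
    find "$1/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php5' \)
}

# Files touched in the last N days (default 7), ignoring the page cache.
wp_recent() {
    find "$1" -type f -mtime -"${2:-7}" ! -path '*/wp-content/cache/*'
}

# Many pharma variants serve the spam only to crawlers. Fetch one post with a
# normal and a Googlebot User-Agent and diff the sets of outbound hosts;
# lines prefixed with ">" are hosts only the crawler is shown.
wp_cloak_check() {
    url=$1; a=$(mktemp); b=$(mktemp)
    curl -s -A 'Mozilla/5.0' "$url" | grep -oE 'href="https?://[^/"]+' | sort -u > "$a"
    curl -s -A 'Googlebot/2.1 (+http://www.google.com/bot.html)' "$url" \
        | grep -oE 'href="https?://[^/"]+' | sort -u > "$b"
    diff "$a" "$b"
    rm -f "$a" "$b"
}

# Usage: sh wp-audit.sh baseline /var/www/blog /root/blog.manifest   (after a clean install)
#        sh wp-audit.sh audit    /var/www/blog /root/blog.manifest
#        sh wp-audit.sh cloak    http://example.org/2011/02/some-post/
case ${1:-} in
    baseline) wp_baseline "$2" "$3" ;;
    audit)
        echo '== new or modified since baseline'; wp_changed "$2" "$3"
        echo '== PHP with shell/obfuscation signatures'; wp_suspicious "$2"
        echo '== PHP under uploads'; wp_php_in_uploads "$2"
        echo '== modified in the last 7 days'; wp_recent "$2" 7 ;;
    cloak) wp_cloak_check "$2" ;;
esac
```

The baseline diff is the primary signal; the signature grep is noisy on its own because some legitimate code decodes base64, so treat it as a list of files to read, not a verdict. Anything under uploads/ ending in .php, or a core file whose hash no longer matches, is the file to remove before changing passwords, otherwise the intruder simply re-infects.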
Response by poster: Hi from the OP,
Thanks for the thoughts - WordPress was updated to 3.0.5 the day it came out. I've been using Mystique for months without an issue.
With respect to the wonderful MeFi's on other blogging platforms, where are you WP'ers at? What are you using / doing to ensure you have few / no security problems?
posted by chrisinseoul at 7:49 AM on February 14, 2011
chrisinseoul: "With respect to the wonderful MeFi's on other blogging platforms, where are you WP'ers at? What are you using / doing to ensure you have few / no security problems?"
The upcoming Vaultpress will have a security feature, as well as the main backup solution offered.
posted by ukdanae at 8:07 AM on February 14, 2011
Response by poster: OK, sooo...
Passwords have been changed, and some of the default settings have been changed. Now thigh-high into the cleanup, and it seems virtually every post has been infected with a different link. They seem to be inserted randomly; each one is different enough to make searching-and-replacing a headache, but they point to the same four sites.
posted by chrisinseoul at 9:11 AM on February 14, 2011
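An added example, not from the OP or anyone else in the thread, for the cleanup step described above: when every injected anchor is different but they all point at the same handful of domains, filter on the domain rather than on the link text. The two spam domains and the sample post below are constructed; set SPAM_DOMAINS to the four real ones.

```shell
#!/bin/sh
# strip-spam-links.sh: remove injected <a> tags that point at a known list of
# spam domains from a wp_posts export, leaving every other link alone.
# Added example, not from the thread. The domains here are placeholders.
set -u

SPAM_DOMAINS=${SPAM_DOMAINS:-"cheap-pills.example online-pharma.example"}

# "a.example b.example" -> "a\.example|b\.example" for use inside the regex
spam_domain_re() {
    printf '%s\n' $SPAM_DOMAINS | sed 's/\./\\./g' | paste -s -d '|' -
}

# Filter stdin to stdout. Removes the whole anchor, including its text, since
# the injected keyword text is not the author's either. Works on plain HTML
# and on mysqldump output, where the href quotes are backslash-escaped. The
# domain must be followed by a delimiter so cheap-pills.example does not also
# match cheap-pills.example.org. Anchors that span lines or contain nested
# tags are left alone; count_spam_refs will still report them for hand editing.
strip_spam_links() {
    re=$(spam_domain_re)
    sed -E "s#<a[^>]*href=\\\\?[\"']?(https?:)?//([A-Za-z0-9.-]*\\.)?($re)([/\"'[:space:]\\\\][^>]*)?>[^<]*</a>##g"
}

# Lines on stdin still referencing a spam domain (should be 0 when done).
count_spam_refs() {
    grep -c -E "$(spam_domain_re)" || true
}

# Usage: mysqldump -u blog -p blog wp_posts > posts.sql
#        SPAM_DOMAINS="a.example b.example" sh strip-spam-links.sh filter < posts.sql > posts.clean.sql
#        sh strip-spam-links.sh count < posts.clean.sql
#        diff posts.sql posts.clean.sql | less     # read it before loading
#        mysql -u blog -p blog < posts.clean.sql
case ${1:-} in
    filter) strip_spam_links ;;
    count)  count_spam_refs ;;
esac
```

Take the dump before touching anything, keep it as the backup, and compare the cleaned dump against it before loading. Cleaning the posts table does nothing about whatever wrote the links, so this is the last step after the dropped file and the passwords are dealt with, not the first.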
You should read latin mouse's link and look around for base64 stuff. It's probably just a piece of javascript that pulls in ads to the browser, it's likely not acting on the server-side at all except to insert a little code into your users' browser that then pulls in an ad all on its own.
posted by rhizome at 9:44 AM on February 14, 2011
chrisinseoul: "With respect to the wonderful MeFi's on other blogging platforms, where are you WP'ers at"
I use Wordpress, but hosted by Wordpress. (http://wordpress.com/) I am a professional web developer but I just do NOT want to deal with that security and upgrade stuff on my own time ever ever ever.
There are a few things you can't do, but I have my own url and my own css and that is good enough for me. (You can see my site in my profile)
posted by drjimmy11 at 9:49 AM on February 14, 2011
oh and I forgot to mention my main point, which is that since they are the host, they are responsible for outages, hacking, spam protection and all that good stuff.
posted by drjimmy11 at 9:50 AM on February 14, 2011
Oh, one other possibility is that something else has been hacked, and via that they got into your WP install. For example, Apache normally runs all its processes as a single user, which means when someone else on shared hosting is hosed, you can be too. Sure, you've got a different mysql username and password, but apache has to read that from somewhere, right?
If you haven't done so already, check out Hardening Wordpress on the codex. I know I've suggested a static blog system upthread, but I have set up WP for clients before. Here's how my ideal wordpress install would behave, beyond the codex advice:
1. Turn off the self editing feature. That is a recipe for disaster. Change permissions on everything to where your webserver has readonly access. This breaks the autoupdate tool though. If you must have it, set up a preproduction environment, do the changes there and push them out via revision control.
2. Set up a proper .deb repo that doesn't suck, and offer a rolling release and stable branches. Then set up a cron job to automatically upgrade wp nightly from there without involving the webserver.
3. Turn on SSL for everything, or at least the admin area, and use valid certificates.
4. One DB user / password / schema per blog.
5. Client side certs for admin users. If your desktop is infected with a keylogger (ref SMBC), cleaning up and locking down will just be defeated again. Client side certs make your workstation a much harder target to attack, even though it's just obscurity at that point.
6. Remote syslogging to a secured server.
7. No FTP access to the webspace; SCP only. Set up fail2ban and allow pubkey auth only.
I can't say for sure how you got 0wned, but it happens. I guess we have to stay on guard.
posted by pwnguin at 11:42 AM on February 14, 2011 [2 favorites]
pwnguin: the version control idea is excellent. I highly suggest this. I'm going to go implement it on my own bunch o' blogs.
posted by Freen at 12:53 PM on February 14, 2011
Response by poster: A final note from the OP:
I ended up re-installing WordPress and starting off with security solutions (things like changing the default 'wp_' table prefix to something more random), along with installing several plugins. The thing that's made the biggest difference was locking things down via .htaccess - something I hadn't done the previous time around. That's one mistake I won't make again.
For plugins - Akismet, NoSpamNX, SI CAPTCHA Anti-Spam, W3 Total Cache, Wordpress Firewall, and WP Security Scan seem to lock things down quite nicely.
posted by chrisinseoul at 3:31 AM on February 28, 2011 [1 favorite]
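An added example, not from the OP or from pwnguin, covering item 1 of pwnguin's list above (a web root the server can read but not write) together with the .htaccess lockdown the OP credits with making the biggest difference. It assumes Apache with AllowOverride All, files owned by a deploy user with the web server in that user's group (a one-off chown as root, for example chown -R deploy:www-data /var/www/blog), and a placeholder admin address 203.0.113.5 from the documentation range.

```shell
#!/bin/sh
# wp-lockdown.sh: read-only web root plus the .htaccess rules discussed above.
# Added example, not from the thread. Assumes Apache (2.2 or 2.4) honouring
# .htaccess, a deploy user owning the tree with the web server in its group,
# and ADMIN_IP set to the address you administer from (placeholder below).
set -u

ADMIN_IP=${ADMIN_IP:-203.0.113.5}

# Directories 755, files 644: the web server reads everything, writes nothing.
# This deliberately breaks the in-browser updater and theme/plugin installer;
# push updates over scp/rsync from a trusted machine instead. uploads/ is the
# single group-writable exception, and the .htaccess there stops PHP running.
wp_perms() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    chmod 640 "$root/wp-config.php"                               # holds the DB password
    find "$root/wp-content/uploads" -type d -exec chmod 775 {} +  # web server may write here only
}

# Write the upload-directory and wp-admin rules, and append the wp-config.php
# rule to the root .htaccess exactly once (WordPress manages that file for
# permalinks, so it is appended to rather than replaced).
wp_htaccess() {
    root=$1
    cat > "$root/wp-content/uploads/.htaccess" <<'EOF'
# no script may execute from the upload directory (Apache 2.2 and 2.4 syntax)
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</FilesMatch>
EOF
    if ! grep -q '# BEGIN wp-lockdown' "$root/.htaccess" 2>/dev/null; then
        cat >> "$root/.htaccess" <<'EOF'
# BEGIN wp-lockdown
<Files wp-config.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</Files>
# END wp-lockdown
EOF
    fi
    cat > "$root/wp-admin/.htaccess" <<EOF
# wp-admin reachable only from ADMIN_IP; admin-ajax.php stays public because
# front-end plugins call it.
<IfModule mod_authz_core.c>
  Require ip $ADMIN_IP
  <Files admin-ajax.php>
    Require all granted
  </Files>
</IfModule>
<IfModule !mod_authz_core.c>
  Order deny,allow
  Deny from all
  Allow from $ADMIN_IP
  <Files admin-ajax.php>
    Allow from all
  </Files>
</IfModule>
EOF
}

# Usage: ADMIN_IP=198.51.100.7 sh wp-lockdown.sh /var/www/blog
if [ $# -eq 1 ]; then wp_htaccess "$1" && wp_perms "$1"; fi
```

Set ADMIN_IP before running it or you lock yourself out of wp-admin, and if your address changes (home DSL, travelling), the wp-admin rule is the first thing to relax. The permission scheme is what makes the rest stick: with the web server unable to write outside uploads/, a plugin or theme hole can no longer drop the file that this whole thread is about.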
- update to the latest version of Wordpress,
- go through the accounts section of your WP interface, change the passwords on the accounts you're familiar with and delete the ones you don't, and
- scrub your entries manually.
There may be a better way of doing that last step.
But one thing I'd reconsider is whether or not you want to continue self-hosting this stuff. You probably don't want to self-host web services like WordPress unless you're ready to become a part-time security professional, which most people just aren't.
posted by mhoye at 5:49 AM on February 14, 2011 [6 favorites]