September 26, 2009

Cloud Computing, Cloud Security 2 min read

How To Fix WordPress Hacks and Viruses

Open-source scripts are a great because they come with so much functionality, and have zero  development costs for you. However, one caveat with using these open-source scripts is that exploits and vulnerabilities affect a large portion of users - which may include you. These exploits are commonly called worms, hacks, virus attacks, vulnerabilities, and so on, but the underlying issue is that your script installation gets compromised.

WordPress Hacks

One very popular script is WordPress, and the big worm that attacked the WordPress community affects pre-2.8.4 versions of WordPress. The Wordpress exploit is detailed in the WordPress development blog:

Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.

The tactics are new, but the strategy is not. Where this particular worm messes up is in the “clean up” phase: it doesn’t hide itself well and the blogger notices that all his links are broken, which causes him to dig deeper and notice the extent of the damage. Where worms of old would do childish things like defacing your site, the new ones are silent and invisible, so you only notice them when they screw up (as this one did) or your site gets removed from Google for having spam and malware on it.

The only way to keep ahead of exploits like this is to keep upgrading and patching WordPress. 2.8.4, the current version of WordPress, is not affected by this WordPress hack. Our advice is to upgrade WordPress. If you're using our hosting plans, we provide a free script installer that can install a fresh, new version of WordPress for you. If you're already on WordPress and need to upgrade, simply go to Tools > Upgrade and click on Upgrade Automatically and you'll be upgraded to the latest version of WordPress automatically.

[template id="7325"]

Skip to section