If you run a WordPress blog, drop everything and go check your blog security! Wait… I mean drop everything except reading this blog. Read, then drop. Right, hope that is sorted out now.
The point is that there is apparently a security hole affecting WordPress sites that is A) a serious pain in the ass, and B) nobody is quite sure how it is spreading. We were hit with this on the Ignite Phoenix blog, and it took us the better part of a day to get back on our feet.
What It Is
We saw the problem when people visiting any of our pages were redirected to malware installation sites. People using Chrome were getting errors immediately, and it was triggering anti-virus software from AVG to Norton. After some research and help from Chuck Reynolds, we determined we had a variant of this Cloaking Hack. The original version only injected spam keywords into the infected site (shown to search engine crawlers, which is what the "cloaking" refers to); the version we had put the redirect into every page on our site.
We tried to scrub it from our files and database (yes, it writes to your database, not just your files) but we kept getting re-infected. We finally ended up having to move to a whole new host and reinstall everything from the ground up. This was tricky since we could not reliably do an export from the previous site.
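To give you a starting point for the "find it in your files and database" step, here is a small POSIX shell triage script. It is an added example, not code from the original post or from any of the linked write-ups. The signature list is my assumption, drawn from the kinds of injections described above (eval of base64-decoded blobs, user-agent cloaking for search bots, JavaScript redirects); the paths in the usage comment are placeholders. Treat hits as leads to inspect, not proof of compromise, since a few legitimate plugins also call base64_decode.

```shell
#!/bin/sh
# Added example, not code from the original post. Quick triage for a
# WordPress install: list files that contain common injected-PHP signatures,
# and list PHP files changed recently. The signature list is an assumption
# drawn from typical cloaking/redirect injections and will produce some
# false positives; read each hit before deleting anything.

# Signatures as POSIX extended regexes (matched case-insensitively).
SIG_EVAL_DECODE="eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\("
SIG_PREG_E="preg_replace[[:space:]]*\(.*/e[\"']"
SIG_CLOAK="HTTP_USER_AGENT.*(googlebot|bingbot|slurp)"
SIG_JS_REDIRECT="(window|document)\.location[[:space:]]*="

# scan_for_injections PATH
# Prints one matching file name per line, sorted. PATH may be the WordPress
# document root or a single file such as a mysqldump of the database, so the
# same signatures cover both places this hack hides.
scan_for_injections() {
    grep -rEIl -i \
        -e "$SIG_EVAL_DECODE" -e "$SIG_PREG_E" \
        -e "$SIG_CLOAK" -e "$SIG_JS_REDIRECT" \
        "$1" 2>/dev/null | sort
}

# recent_php_files PATH [DAYS]
# Lists .php files modified in the last DAYS days (default 7). An infection
# that rewrites every page shows up here even when the signatures miss it.
recent_php_files() {
    find "$1" -type f -name '*.php' -mtime "-${2:-7}" 2>/dev/null | sort
}

# Usage (assumed paths, adjust to your install):
#   scan_for_injections /var/www/html
#   mysqldump -u wp -p wpdb > /tmp/wpdb.sql && scan_for_injections /tmp/wpdb.sql
#   recent_php_files /var/www/html 3
```

Run the scanner over a fresh database dump as well as the document root; the post-infection re-infections we saw are exactly what you get when the file side is cleaned and the database side is not. Compare any flagged core or plugin file against a clean copy of the same version before trusting it.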
If you get it
Huge thanks to WP blogger’s cloaking hack post for getting us started down the road to repair. If you’re hit, I suggest starting here. This bugger also hit Chris Pearson, the developer of the Thesis Theme, who made a great post on diagnosing and repairing the pharma hack (our problem was a variation of this). The two of these are great resources and point to other places you can look to if you’re hit.
Secure your blog!
Do not want! Trust me, take the time and do what you can to avoid this.
- Remove any old plugins and themes you're not using. Some hosting providers install a ton of themes by default. Get rid of them; unused code is still attackable code.
- Use strong passwords. Don't use something simple and easy to guess, or even common terms. This is good advice in general, but it is amazing how often it is ignored.
- Keep up to date on software versions. Don't let your plugins or your core installation lag behind.
- Run a database backup plug-in, like WP DB Backup. You can have it back up your database and email it to you every day/week. We had to use one of our backups to restore to when we rebuilt the site.
- Follow these WordPress security tips if possible. Some of these may be tricky for some people to do, but try all you can. #4 should be simple for everyone, and an absolute must.
- There are other good posts on WordPress security if you want to get deeper, including some recommended WordPress security plug-ins.
Take the time to review your site(s) and tighten them down. If one good thing comes from our meltdown, let it be that we can help stop it from happening to someone else.