Recent WordPress Hacks on MediaTemple

Originally Posted on July 28, 2010 Last Updated on March 5, 2015

Update August 2014: After years of hosting with MediaTemple, I can no longer recommend them as a host. The support and performance just aren’t there anymore. If you’re looking for top notch WordPress hosting, I now use and recommend WPEngine.

I am involved in dozens of websites, some of my own doing and others that I have created for clients at one point or another, almost every single one of which uses WordPress as a CMS. Though I mention the importance of keeping WordPress up to date, many of my clients just don’t bother, either because they’re pre WP 2.7 and it would involve a good deal of FTPing, which they are sometimes incapable of, sometimes don’t want to pay me to do it, and most often simply just don’t realize how important it is. I’ve seen a rash of hacks to WordPress sites in the past week, and not only to out of date WP installations, but even to this site, which is running the latest version of WordPress and on a (supposedly very secure) MediaTemple server.

I thought I’d share a little information I’ve gathered on this subject, in case it might be helpful to anyone else out there.

Hardening WordPress Security

I won’t bother reprinting the entire article, because well that would be plagiarism, but there’s a bunch of useful information posted at Smashing Magazine on how to harden your WP installation. Read it here.

I particularly recommend steps 1 (particularly if you don’t have any use for additional registered users other than admins, though if you do have other users, you might want to give this a skip), 3,4,5,7,8 and 9 in particular.

How to Find Compromised Files

I’ve noticed three main ways these hackers have changed my files, primarily by altering existing files but also by creating new files.

Check your header.php and footer.php (the latter was a culprit more often than the former for me) for a bunch of extra code. This will be unreadable, random letters and numbers, which is something called obfuscated code that basically makes it harder to find by antivirus software. Once you find it, delete the heck out of it.
Check any Javascript files, typically in your theme folder but possibly in your plugins folder or anywhere else on your site, for similar code, and remove it as well.
A bit more tedious, go into your /wp-content/uploads folder and look for PHP files that are just named with numbers, such as 12345.php. Delete these. Really, there probably shouldn’t be any PHP files in your uploads folder, other than perhaps an index.php file.

I’ll update this post as I come across any further information on the subject.

Update 7/29/2010 1:11am. On a very outdated client’s site (WP 2.3.3) I found the following code injected directly into posts: <script src=”https://ae.awaue.com/7″></script>. The client’s site also had a database error, which was odd that the injected malicious code would also break the database, preventing the site from being accessible and therefore the malicious code from working…

Update 7/29/2010 2:10am. It’s also a good idea to check your Users list for admins, particularly jonnya, jonnyb and amin. Delete ’em.

Up Next: How to Add Javascript Applets to as Google Chrome Bookmarks