WordPress Security Issue

This weekend there has been a huge attack on websites that are developed using PHP, namely WordPress websites. From the websites I have been monitoring on this issue, right now it’s not really known how the attacker(s) are accessing the PHP files. What is known is that the attack is modifying every PHP file on a server. It appears only websites that are on a shared hosting account are being affected. At this point in time it cannot be said if the attack is targeting websites and accessing them via admin login accounts, ftp accounts, or by direct access to the web servers and running a script to modify every PHP file on that server (This would include all websites on a shared hosting server).

Discovering if your website has been hacked can be done very simple by going to your website, viewing the source file and going all the way to the bottom, right above the </body> tag. If your website has been hacked, you will see a javascript tag with the one of the following URL in it:

//www.indesignstudioinfo.com/ls.php
//zettapetta.com/js.php

If you are using WordPress, logging into your dashboard you will find that it does not display properly. Having your dashboard not displaying properly is a good indication your website has been recently hacked.
If your website has been hacked, there is something you can do about it. You can find directions on how to remove the malware code that has been added to every PHP file on your website by going to http://blog.sucuri.net/2010/05/new-attack-today-against-wordpress.html. There are step by step directions on how to run a script written by Sucuri Security to remove this malware code.

Once you have the code remove, clear the cookies, history and cache saved by your browser. It is not known what information this malware javascript is trying to collect (or what it function is), but clearing these items should keep you safe. You may also want to run your anti-virus software to make sure your computer is clean.
After you have cleaned your browser cache, cookies, and history, you should log into WordPress and change your password. This is just a safety precaution.
I am planning on posting a few security tips for WordPress in the next few days. Come back soon to learn a few steps you can take to help keep your WordPress website safe from being hacked. If you have any questions or if your website has been hacked and what to share how you were able remove the malware, please leave a comment. Sharing knowledge helps to build a safer and more reliable Internet.

About Joe

Hi. I am a web designer and front end developer located in Muskegon Mi. I specialize in helping small and medium size businesses succeed online.
This entry was posted in Resources and tagged , , , , . Bookmark the permalink.

2 Responses to WordPress Security Issue

  1. Suresh says:

    Good article.
    But even after changing passwords, the website is still compromised because: if the attacker was able to get our password before getting hacked, he can do that again.
    so i believe there is no use in changing the passwords.

    • admin says:

      Suresh, thank you for commenting on this article. It is true that changing the password may not prevent an attack like this from happening again. With this attack, right now it is not known how the attacks took place. But if a website has been hacked, especially in a case like this where it’s not really know what the attackers are after, it is a good idea to change your password. The reason for this is it is possible for the attackers to have collected user names and passwords from the website, including the admin user name and password and could use that information in a future attack. Anytime you discover a website one runs to have it’s security compromised or even an account they have on another website (such as facebook, twitter, myspace), it is just good practice to change your password to provide one area an attacker could breach security of that website or account again.

Leave a Reply to Suresh Cancel reply