What We’ve Learned About Hacked WordPress Blogs

WordPress has recently released its latest version, 2.8.5, dubbed a “Hardening Release”. It is highly recommended that all WordPress blog owners upgrade to this release, which includes fixes and further security patches that make your blog less susceptible to being hacked or attacked.

Blogs running versions prior to 2.8.4 were quite susceptible to a worm, still circulating, that creates hidden admin users, uploads malicious PHP scripts into the blog’s plugins directory, and does other nefarious things. Here is what we found across the hundreds of blogs we host, and a few things you can do when you find that your blog has been hacked.

First, the stats…

We spent a few weeks detecting and then cleaning hacked WordPress blogs across our network. We found that 12% of all the blogs we host were hacked in some form. That is quite a lot of hacked blogs! Imagine how many are hacked across the Internet!

How we found the hacked blogs

From our research, there were a few telltale signs that made it easier to detect these compromised WordPress blogs. Hopefully this can help others find them:

  • wp-content/plugins/zz/… or wp-content/zz/…
    We found that blogs hacked by the worm often had an extra folder named “zz” in either wp-content or wp-content/plugins, containing a copy of the installed plugins (if you’re doing a server-wide search, try “locate zz/akismet/akismet.php”). Not all of them had this, but most did.
  • Timestamps on hacked plugin files with the year “1933”
    We also found that the actual hacked plugin files had a timestamp set to the year 1933. Using the “find” command would detect these files.
  • Strangely named plugin files starting with a dot and much larger than normal
    Many hacked files had a filename starting with a dot, were 30-50 KB in size, and when viewed contained encrypted/obfuscated PHP code. This was another sign of a hacked blog.
  • Multiple admin users in the MySQL “users” table
    We found that hacked blogs had copies of admin users in the table, often with site URLs of “http://” or just “www”. The attackers were tricky: they put JavaScript code in the “First Name” field so that these users were hidden when viewing the users list in the dashboard (although they would flicker on the screen for a brief moment).
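As an added example (not the original post’s tooling), the POSIX shell script below checks a WordPress document root for the three file-system signs listed above: the stray “zz” directory, plugin files with a forged modification year, and oversized dot-prefixed PHP files containing obfuscation calls. It builds a constructed demo tree so it runs stand-alone. It assumes GNU find (for -printf) and a Linux file system that stores pre-1970 timestamps; the grep pattern for obfuscation is our assumption, since the post only says the code was obfuscated.

```shell
#!/bin/sh
# Added example, not the post's script: scan a WordPress root for the three
# file-system indicators. Assumes GNU find/touch and a Linux file system.
set -u

# 1. A stray "zz" directory directly under wp-content or wp-content/plugins.
find_zz_dirs() {
    find "$1/wp-content" -maxdepth 2 -type d -name zz 2>/dev/null || true
}

# 2. Plugin files whose modification year is impossible (1933 in the post).
#    Usage: find_forged_mtime <root> <year>
find_forged_mtime() {
    find "$1/wp-content/plugins" -type f -printf '%TY %p\n' 2>/dev/null |
        awk -v y="$2" '$1 == y { sub(/^[0-9]+ /, ""); print }'
}

# 3. Dot-prefixed PHP files that are unusually large (post: 30-50 KB) and
#    contain obfuscation calls. The pattern is our assumption.
find_hidden_obfuscated_php() {
    find "$1/wp-content/plugins" -type f -name '.*.php' -size +20k 2>/dev/null |
        while IFS= read -r f; do
            grep -lE 'eval\(|base64_decode\(|gzinflate\(' "$f" 2>/dev/null || true
        done
}

# Tagged list of everything the three checks found.
scan_wordpress() {
    find_zz_dirs "$1"               | sed 's/^/zz-dir      /'
    find_forged_mtime "$1" 1933     | sed 's/^/mtime-1933  /'
    find_hidden_obfuscated_php "$1" | sed 's/^/hidden-php  /'
}

# Number of indicators hit; 0 means the tree looks clean.
indicator_count() {
    scan_wordpress "$1" | grep -c . || true
}

# Constructed fixture: one legitimate plugin plus all three indicators.
# Prints the path of the temporary root it created.
make_demo_root() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/plugins/akismet" \
             "$root/wp-content/plugins/zz/akismet" \
             "$root/wp-content/zz"
    printf '<?php // legitimate plugin file\n' > "$root/wp-content/plugins/akismet/akismet.php"
    printf '<?php // copy left behind by the worm\n' > "$root/wp-content/plugins/zz/akismet/akismet.php"
    # Forged 1933 timestamp (needs a file system that accepts pre-1970 times).
    touch -d '1933-01-01 00:00:00' "$root/wp-content/plugins/zz/akismet/akismet.php" 2>/dev/null || true
    # Constructed 40 KB dot-file wrapping an obfuscation call (payload is filler).
    {
        printf '<?php eval(base64_decode("'
        awk 'BEGIN { while (n++ < 40000) printf "A" }'
        printf '"));\n'
    } > "$root/wp-content/plugins/akismet/.cache.php"
    printf '%s\n' "$root"
}

# Stand-alone demo: build the fixture, report, clean up the temp dir.
demo_root=$(make_demo_root)
scan_wordpress "$demo_root"
rm -rf "$demo_root"
```

Run it as-is to see the report on the constructed tree, or call `scan_wordpress /var/www/yourblog` against a real document root; anything it lists deserves a manual look before deletion, since a legitimately old plugin file or a large minified dot-file would also match.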

How we cleaned the hacked WordPress blogs

Once we found them, we:

  • removed any of the suspicious directories/files in the plugins section
  • went into phpmyadmin and removed any duplicate admin users
  • temporarily reset the admin password so we could log into the dashboard
  • Tip: you can edit the admin password in phpMyAdmin and set it with the “MD5” function (WordPress accepts a plain MD5 hash in the password field and re-hashes it with its stronger scheme on the next successful login). Record the old hashed password first so you can put it back.
  • manually upgraded the blog to the latest version (with a special tar that removed the stock images to avoid overwriting custom headers)
  • logged into the dashboard to verify all was well
  • and reset the admin password.
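The user-table check from the detection list and the temporary password reset from the clean-up steps, as an added shell example that is not from the post. It works on a tab-separated export of wp_users joined with the first_name and wp_capabilities rows of wp_usermeta (the query that produces it is in the comment; the wp_ table prefix is assumed), flags administrators whose site URL is just “http://” or “www” or whose first name contains a script tag, and computes the MD5 hash to paste into the password field. The sample rows and the user names adm1n and wpadmin are constructed.

```shell
#!/bin/sh
# Added example, not the post's procedure: audit WordPress users for the
# hidden-admin pattern and produce a temporary MD5 password hash.
# Assumes GNU coreutils (md5sum) and a POSIX awk.
set -u

# Constructed sample of what `mysql -N -B` prints for this query
# (wp_ prefix assumed; columns: ID, user_login, user_url, first_name, capabilities):
#   SELECT u.ID, u.user_login, u.user_url, f.meta_value, c.meta_value
#     FROM wp_users u
#     LEFT JOIN wp_usermeta f ON f.user_id = u.ID AND f.meta_key = 'first_name'
#     LEFT JOIN wp_usermeta c ON c.user_id = u.ID AND c.meta_key = 'wp_capabilities';
SAMPLE_USERS=$(printf '1\tadmin\thttp://example.com\tAlice\ta:1:{s:13:"administrator";b:1;}\n2\teditor\thttp://example.com/blog\tBob\ta:1:{s:6:"editor";b:1;}\n3\tadm1n\thttp://\t<script>hideRow(3)</script>\ta:1:{s:13:"administrator";b:1;}\n4\twpadmin\twww\tCarol\ta:1:{s:13:"administrator";b:1;}')

# Read rows on stdin; print "ID<TAB>login<TAB>reason" for each administrator
# showing a sign from the post. Non-administrators are skipped.
flag_suspicious_admins() {
    awk -F '\t' '
        index($5, "administrator") == 0 { next }
        {
            reason = ""
            if ($3 == "http://" || $3 == "www") reason = "junk user_url"
            if (tolower($4) ~ /<script/) {
                if (reason != "") reason = reason ", "
                reason = reason "script in first_name"
            }
            if (reason != "") printf "%s\t%s\t%s\n", $1, $2, reason
        }'
}

# Number of flagged administrators in a dump passed as a string.
count_suspicious_admins() {
    printf '%s\n' "$1" | flag_suspicious_admins | grep -c . || true
}

# Temporary reset hash. WordPress accepts a plain MD5 value in user_pass and
# re-hashes it with its stronger scheme at the next login, so after
#   UPDATE wp_users SET user_pass = '<hash>' WHERE ID = 1;
# you can log in, finish the clean-up, and set a real password. Save the
# old user_pass value first so it can be restored.
md5_password_hash() {
    printf '%s' "$1" | md5sum | cut -d ' ' -f 1
}

# Stand-alone demo on the constructed rows.
printf '%s\n' "$SAMPLE_USERS" | flag_suspicious_admins
```

Feed real data with `mysql -N -B -e "<query>" dbname | flag_suspicious_admins`; the flagged IDs are the rows to inspect and remove in phpMyAdmin, while the legitimate admin (ID 1 in the sample) is left alone.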

What you can do as a site owner to detect and clean a hacked WordPress Blog

There are a number of tools out there besides what I’ve detailed above that can help with detection and removal:

  • Install the WordPress Exploit Scanner, a plugin that searches for suspicious files on your blog, and posts/comments that indicate spam and/or a hacked blog.
  • If your admin dashboard is a blank white screen when you attempt to log in, try temporarily renaming the “wp-content/plugins” directory via FTP/SSH and then see if you can log in. If you can, it’s likely you have either a bad plugin or a hacked plugin.

The best thing you can do is keep your WordPress blog updated to the latest version, monitor your admin users and plugins, and keep up to date with the latest WordPress happenings by following the official WordPress Blog.

Please share any other tips you might have for finding and fixing a hacked blog.
