How secure is wordpress? Not very.

  • I recently had a website taken off googles search index due to mass spamming of our wordpress files. Not the regular html files on my system, only wordpress files. Ever since the latest upgrade.

    All the files had been added as stated in the instructions etc, as i have done with every upgrade since – but this time everything went wrong.

    At first we couldn’t login, and we noticed our wp-config file was littered with viagra spam. So we deleted it and it allowed the login to work. But then 3 – 5 days after this, i recieved this email.

    Dear site owner or webmaster of vinylabuse.com,

    While we were indexing your webpages, we detected that some of your pages were using techniques that are outside our quality guidelines, which can be found here: https://www.google.com/support/webmasters/bin/answer.py?answer=35769&hl=en. This appears to be because your site has been modified by a third party. Typically, the offending party gains access to an insecure directory that has open permissions. Many times, they will upload files or modify existing ones, which then show up as spam in our index.

    The following is some example hidden text we found at https://www.vinylabuse.com/?cat=16:

    Buy Microsoft Office 2003 Professional (DEUTSCH) with Business Contact Manager Buy Corel Paint Shop Pro PHOTO XI Buy CGTech VERICUT 6.1.2 Buy Acronis Recovery Expert Deluxe Buy Cakewalk Sonar 8.0 Producer Edition Buy Lynda.com Reason 4 Essential Training DVD Buy eBook: Adobe Creative Suite 2 How Tos 100 Essential Techniques Buy Microsoft Student 2009 with Encarta Premiun Buy Ulead VideoStudio 9.0 Buy MusicLab Rhythm\’n\’Chords 2 plug-in for Steinberg Cubase VST Buy eBook: Microsoft Office Excel 2003 Bible Buy Conceiva Mezzmo 1.1 Buy eBook: Linux Timesaving Techniques for Dummies 2004 Buy FileMaker Pro Advanced v10 for Mac Buy Autodesk AutoCAD Mechanical 2005 Buy IDM UEStudio v06.40 Buy Realize Voice 3.51 Buy Portrait Professional Max 6 Buy VTC Microsoft Windows Server 2008 Buy Adobe Illustrator CS2 Buy eBook: Adobe Encore DVD 1.5 (Peachpit Press) Buy Ashampoo Cover Studio 2 Buy eBook: Adobe Photoshop Graphics Techniques For Web Design[…]

    We have had the site running for 5 years nearly, and since the latest upgrade there has been nothing but trouble. WordPress – you need to step up a gear and solve these spam problems, i use other CMS’s such as Expression Engine and have not recieved any spam on comments or even within my ‘secure’ php system files?! We shouldn’t need to rely on 3rd party plugins to stop spam like this.

Viewing 6 replies - 1 through 6 (of 6 total)

  • …and your file/folder permissions were set at? Is your password based on a word that can be found in the dictionary? Since first hacking, have you changed all your passwords (including the database log in)? This was a warning set by Google, you say? Did you contact your *host* to see if the host had been compromised in some way? (if someone else on your shared server had been hacked into – WordPress site or not – they can gain back end access and it affects *everyone* on the server) Did you follow these WordPress instructions on securing your site? Or are you just blaming WordPress because it was what was noticably affected? (BTW – the fact that your HTML files were not affected tells me that they don’t have access to the actual filesystem, instead you have something left with open permissions that should not be. My *guess* would be your wp-content/themes/green-marinee folder is it.) Did you ensure it wasn’t hacked *before* 2.8.4? If it had been, and you upgraded without changing your passwords, then the hacker could still gain entry (because they already know how to get in).

    I’ve run WordPress sites for years. I take steps to ensure my file/folder permissions are correct, I use the salt in the wp-config.php file (which has been available in WP since 2.6 – maybe earlier), and I only edit themes locally and upload via FTP – NOT through the editor in the back end, and I ensure my passwords are at least 16 characters long, and accept alphanumeric characters as well as other symbols (as well as change the default login name from “admin” to something else).

    The 2.8.4 was a security patch that fixed an earlier 2.8 version that would allow a hacker to gain access to your site. A note: as soon as the vulnerability was discovered, they released a patch for it. WP is on top of things.], but you need to be responsible for the security on your own site as well. Don’t be so quick to blame – especially when you haven’t fully investigated the source of the problem.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    We have had the site running for 5 years nearly, and since the latest upgrade there has been nothing but trouble.

    Security and maintenance for any Internet connected system is an active ongoing challenge. I’m sorry you had a rough time of it, but there are managed solutions that take that burden away from you and put it on the provider. WordPress.COM is the most obvious of these offerings and there are others.

    We shouldn’t need to rely on 3rd party plugins to stop spam like this.

    Debatable. IMHO it comes down to what YOU want to accomplish which is stop the SPAM. There are many anti-spam plugins and solutions, if you want to stop your site from being overrun with SPAM then you can avail yourself of them. Desiring some of them to be integrated into the core platform is a valid opinion but adding plugins is so easy and accomplishes the goal.

    Edit: Oh and to the problem you are having right now?

    https://codex.www.ads-software.com/FAQ_My_site_was_hacked

    Once you delouse your site (nice looking site BTW) keeping up with 2.8.x and latest versions of your plugins will address the WordPress security pretty well. You’ll still need to secure your hosting environment (as mentioned by Doodlebee) but once that’s all done you will be good to go.

    We shouldn’t need to rely on 3rd party plugins to stop spam like this.

    I don’t think you have been “spammed” in the sense in which you are referring to it in the statement above. You have been hacked, and the result is someone owning your files and doing with them as they please. In this case placing/injecting their own links, resulting in the hidden “spam”, as Google has communicated, however politely, in their notice to you.

    “This appears to be because your site has been modified by a third party. Typically, the offending party gains access to an insecure directory that has open permissions. Many times, they will upload files or modify existing ones, which then show up as spam in our index.”

    WordPress version: 2.0.11

    Some possible reasons why it happened: (These exclude third party plugins, server/ftp and site security issues.)

    wordpress 2.0.11 vulnerabilities

    Best of luck with the clean up.

    someone owning your files and doing with them as they please.

    And this can happen whether you are running WordPress or MovableType or Blogger or [insert name of any php-driven CMS]. Because remember, as long as you are on a shared server, you are only as secure as the laziest SOB on it.

    And this can happen whether you are running WordPress or MovableType or Blogger or [insert name of any php-driven CMS]. Because remember, as long as you are on a shared server, you are only as secure as the laziest SOB on it.

    are you saying people running wordpress on shared hosting are not safe?
    since question about security has been asked, is it a wise idea to drop writing permission to your wordpress directory?

    I’m saying *anyone* running anything on a *shared* server is only as safe as the most unsecure account on that server. And just because your WP site was hacked, that doesn’t necessarily mean that the hacker gained access through *your* account. So … just be aware and take as many precautions as you can to ensure that your install is as secure as it can be. This means upgrading when security patches are release. ??

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘How secure is wordpress? Not very.’ is closed to new replies.