Five days ago, I noticed that the number of hits coming to this blog decreased drastically. Specifically, the WordPress.com Stats plugin showed that my incoming hits from search engines had decreased to nearly zero. And since Google is this blog’s front page, that represented a rather drastic drop in traffic. I was down to just the regulars, those faithful readers who either refresh this blog regularly or are subscribed to the RSS feed (you know who you are). I wondered if I had pissed off the Google gods, and racked my brain for any bad SEO juju I could have employed.
Two days later, my traffic still hadn’t improved. My visitor numbers were in the doldrums for three straight days. You can imagine how disheartening it is to spend a year and a half working on building up a blog, only to slip backwards by over a year’s worth in traffic numbers. I was starting to foster an irrational hatred of Google. Then I randomly ran across a new WordPress vulnerability in the wild thanks to a link on Reddit. Here’s the description from the linked blog post:
Many sites that are running WordPress blogs have been hacked by a very clever and hidden PHP injection which is redirecting all requests from Google, MSN, Live, Altavista, Ask, Yahoo, and other search engines to ‘anyresults.net’, a site filled with pay-per-click ads and redirects to other landing pages. This is a very clever trick, as visiting a web site either through a direct navigation type-in or a bookmark does not display the problem. Only search engine visits are redirected, and many site owners are delayed at discovering this problem until they notice huge dips in traffic or revenue stats.
Wow, did that ever sound familiar! And after a quick check, what do you know, my site had been hit by the 0-day WordPress vulnerability described in the linked post. The fix was very simple: remove the offending code from my wp-blog-header.php file. How in the hell it got in there is still unknown. Hopefully WordPress fixes this soon. In the meantime, I’m just keeping a very close eye on my visitor statistics, and I have a pre-exploit backup I can revert to if absolutely necessary. Very thankfully, my visitor numbers have returned to what they were before the exploit, so it looks like I won’t face any permanent damage.
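A defender-side check for the symptom described above, added here as an example that is not code from the original post or from WordPress itself: it flags PHP files that pair a search-engine referrer test with a redirect, and compares a core file against the digest of a known-good copy. The fixtures are constructed; the clean sample only approximates wp-blog-header.php, and the injected sample points at a placeholder domain.

```python
import hashlib
import re
from pathlib import Path

# Core WordPress files never branch on the referrer, so a file that pairs a
# search-engine referrer test with a redirect or an eval/base64_decode call
# deserves a manual look.
REFERER_RE = re.compile(r"HTTP_REFERER", re.IGNORECASE)
ENGINE_RE = re.compile(r"google|msn|live|altavista|ask|yahoo", re.IGNORECASE)
REDIRECT_RE = re.compile(
    r"header\s*\(\s*['\"]Location:|base64_decode\s*\(|\beval\s*\(", re.IGNORECASE)

# Constructed fixtures (not from a real site): an approximation of a clean
# wp-blog-header.php, and the same file with a referrer-conditional redirect
# appended, pointing at a placeholder domain.
CLEAN_SAMPLE = """<?php
if ( !isset($wp_did_header) ) {
    $wp_did_header = true;
    require_once( dirname(__FILE__) . '/wp-load.php' );
    wp();
    require_once( ABSPATH . WPINC . '/template-loader.php' );
}
"""
INJECTED_SAMPLE = CLEAN_SAMPLE + (
    "if (stripos($_SERVER['HTTP_REFERER'], 'google') !== false) {"
    " header('Location: http://placeholder.invalid/'); exit; }\n")

def suspicious(php_source: str) -> bool:
    """True when the source pairs a search-engine referrer check with a redirect."""
    return bool(REFERER_RE.search(php_source) and ENGINE_RE.search(php_source)
                and REDIRECT_RE.search(php_source))

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def integrity_ok(data: bytes, pristine_sha256: str) -> bool:
    """Compare a core file against the digest of a known-good copy (the same
    file from the original WordPress release or a pre-exploit backup)."""
    return sha256_hex(data) == pristine_sha256
def scan_tree(root: str) -> list:
    """Return every .php file under root that trips the heuristic."""
    hits = []
    for path in Path(root).rglob("*.php"):
        try:
            if suspicious(path.read_text(errors="replace")):
                hits.append(str(path))
        except OSError:
            continue  # unreadable file; skip it rather than abort the scan
    return sorted(hits)
```

Run scan_tree against the WordPress root and hand-review every hit, since a legitimate SEO plugin can also trip the heuristic. A hit tells you a file was altered, not how it got that way, so the pre-exploit backup and a look at the rest of the install still matter.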
As you can imagine, I’m a bit peeved at the WordPress folks right now. I’ve complained about the security problems in their software before, and new problems are always being discovered. If you don’t keep on top of WordPress upgrades very regularly — or even if you do, as I have discovered — you can be hit with all sorts of bad stuff. It’s more proof of that ancient pearl of wisdom in computer science: truly secure programs are designed with security in mind from the ground up. You can’t possibly make a program secure by trying to play whack-a-mole with all of the security holes in insecure software. If security wasn’t front and center in your mind from the get-go, you can’t fix it later on, as security drives major architecture decisions that are much harder to revisit in mature codebases than simply dashing out another stop-gap security patch.