WordPress vulnerability in the wild

Five days ago, I noticed that the number of hits coming to this blog decreased drastically. Specifically, the WordPress.com Stats plugin showed that my incoming hits from search engines had decreased to nearly zero. And since Google is this blog’s front page, that represented a rather drastic drop in traffic. I was down to just the regulars, those faithful readers who either refresh this blog regularly or are subscribed to the RSS feed (you know who you are). I wondered if I had pissed off the Google gods, and tried to rack my brain for any bad SEO juju I could have employed.

Two days later, my traffic still hadn’t improved. My visitor numbers were in the doldrums for three straight days. You can imagine how disheartening it is to spend a year and a half working on building up a blog, only to slip backwards by over a year’s worth in traffic numbers. I was starting to foster an irrational hatred of Google. Then I randomly ran across a new WordPress vulnerability in the wild thanks to a link on Reddit. Here’s the description from the linked blog post:

Many sites that are running WordPress blogs have been hacked by a very clever and hidden PHP injection which is redirecting all requests from Google, MSN, Live, Altavista, Ask, Yahoo, and other search engines to ‘anyresults.net’, a site filled with pay-per-click ads and redirects to other landing pages. This is a very clever trick, as visiting a web site either through a direct navigation type-in or a bookmark does not display the problem. Only search engine visits are redirected, and many site owners are delayed at discovering this problem until they notice huge dips in traffic or revenue stats.

Wow, did that ever sound familiar! And after a quick check, what do you know, my site had been hit by the 0-day WordPress vulnerability described in the linked post. The fix was very simple: remove the offending code from my wp-blog-header.php file. How in the hell it got in there is still unknown. Hopefully WordPress fixes this soon. In the meantime, I’m just keeping a very close eye on my visitor statistics, and I have a pre-exploit backup I can revert to if absolutely necessary. Very thankfully, my visitor numbers have returned to what they were from before the exploit, so it looks like I won’t face any permanent damage.
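One way to check for the injection described above, as an added example that is not from the original post: a small Python script that compares wp-blog-header.php against a known-good hash and looks for the tell-tale combination the post and the quoted description give (a referer check, a search-engine name, and a Location redirect), plus the usual obfuscation calls. The CLEAN_HEADER stand-in, the INFECTED_HEADER sample and the REDIRECT-HOST-PLACEHOLDER are constructed for the demonstration; a real baseline hash should come from a pristine copy of the same WordPress release.

```python
"""Added example (not from the original post): check a WordPress front-controller
file such as wp-blog-header.php for drift from a known-good copy and for the
referer-conditional redirect pattern described in the post."""
import hashlib
import re
import sys

# Constructed, simplified stand-in for a clean wp-blog-header.php. In practice
# hash the file from a pristine download of the version you actually run.
CLEAN_HEADER = """<?php
if ( ! isset( $wp_did_header ) ) {
    $wp_did_header = true;
    require_once dirname( __FILE__ ) . '/wp-load.php';
    wp();
    require_once ABSPATH . WPINC . '/template-loader.php';
}
"""

# Constructed sample of the injection pattern: only search-engine referrals are
# bounced elsewhere, so a direct visit or a bookmark looks perfectly normal.
INFECTED_HEADER = CLEAN_HEADER + (
    "if (stripos($_SERVER['HTTP_REFERER'], 'google') !== false) "
    "{ header('Location: http://REDIRECT-HOST-PLACEHOLDER/'); exit; }\n"
)

# Search engines named in the post; the referer check keys off these names.
SEARCH_ENGINES = ("google", "msn", "live", "altavista", "ask", "yahoo")

INDICATORS = {
    "referer_check": re.compile(r"HTTP_REFERER", re.I),
    "search_engine_name": re.compile(r"\b(" + "|".join(SEARCH_ENGINES) + r")\b", re.I),
    "location_redirect": re.compile(r"""header\s*\(\s*['"]Location:""", re.I),
    "obfuscation": re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I),
}


def sha256_hex(text):
    """Hex SHA-256 of the file text, used for the baseline comparison."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def scan_header(text, known_good_sha256=None):
    """Return which indicators fire and whether the file deserves a closer look.

    A file is flagged when it drifts from the known-good hash, when it carries
    obfuscation calls, or when the full referer -> engine name -> redirect chain
    is present (any one of those alone would be too noisy on its own, except the
    hash mismatch, which on a core file is always worth explaining)."""
    findings = [name for name, rx in INDICATORS.items() if rx.search(text)]
    modified = known_good_sha256 is not None and sha256_hex(text) != known_good_sha256
    redirect_chain = {"referer_check", "search_engine_name", "location_redirect"} <= set(findings)
    return {
        "modified": modified,
        "indicators": findings,
        "suspicious": modified or redirect_chain or "obfuscation" in findings,
    }


def scan_file(path, known_good_sha256=None):
    """Scan a file on disk with the same rules."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_header(fh.read(), known_good_sha256)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Indicator-only scan of a real file; pass a baseline hash to scan_file
        # once you have one from a pristine copy of the same release.
        print(scan_file(sys.argv[1]))
    else:
        baseline = sha256_hex(CLEAN_HEADER)
        print("clean   :", scan_header(CLEAN_HEADER, baseline))
        print("infected:", scan_header(INFECTED_HEADER, baseline))
```

Run it as `python scan_header.py /path/to/wp-blog-header.php` for an indicator-only pass, or supply a baseline hash to flag any drift at all; the same rules apply to index.php and wp-config.php, which are equally attractive places to drop a few lines. A hash mismatch by itself can also mean the baseline came from a different release, so confirm the version before treating it as an infection.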

As you can imagine, I’m a bit peeved at the WordPress folks right now. I’ve complained about the security problems in their software before, and new problems are always being discovered. If you don’t keep on top of WordPress upgrades very regularly — or even if you do, as I have discovered — you can be hit with all sorts of bad stuff. It’s more proof of that ancient pearl of wisdom in computer science: truly secure programs are designed with security in mind from the ground up. You can’t possibly make a program secure by trying to play whack-a-mole with all of the security holes in insecure software. If security wasn’t front and center in your mind from the get-go, you can’t fix it later on, as security drives major architecture decisions that are much harder to revisit in mature codebases than simply dashing out another stop-gap security patch.

8 Responses to “WordPress vulnerability in the wild”

  1. T2A` Says:

    I thought WP was a big insecure, resource-hog joke to the community at large anyway. D:

  2. Cyde Weys Says:

    Yeah, and if only there was something better.

  3. William Says:

    How many of us are there?
    I mean, I don’t leave the site open all the time, but it’s probably open in one of my Fx windows for the better part of 75% of the time my computer’s online.

  4. Donncha O Caoimh Says:

    Unfortunately your blog was probably hacked before you upgraded. More here: http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/

  5. T2A` Says:

    Depends on what you define as better. If having support for easy theming and plugins makes WP good then whatever. But I’m sure there are plenty of other blog softwarezzz out there that can do the basics just as well and with a lot less resources.

  6. Cyde Weys Says:

    Thanks Donncha O Caoimh, you were right on. I actually ran into one of the symptoms described in one of your linked pages, WordPress not recognizing that it has successfully been upgraded to 2.5.1. I had a hidden plugin masquerading as an image file, and had to do some playing around in MySQL to both find it and get rid of it.

    Unfortunately, I think that some of these fixes may be beyond the average WordPress user.
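A check for the masquerading plugin mentioned in the comment above, as an added example that is not part of the thread: WordPress records the enabled plugins in the PHP-serialized `active_plugins` row of the `wp_options` table, so an entry registered there that does not point at a .php file inside the plugins directory is worth a look. The assumption that the hidden plugin was registered this way (rather than loaded some other way) is mine, and the SAMPLE_ACTIVE_PLUGINS value is constructed for the demonstration.

```python
"""Added example (not from the comment thread): decode the PHP-serialized
active_plugins option and flag entries that do not look like plugin files."""

# Constructed sample of what
#   SELECT option_value FROM wp_options WHERE option_name = 'active_plugins';
# might return: two ordinary plugins plus one entry pointing at an "image".
SAMPLE_ACTIVE_PLUGINS = (
    'a:3:{i:0;s:19:"akismet/akismet.php";i:1;s:9:"hello.php";'
    'i:2;s:18:"../uploads/pic.jpg";}'
)


def parse_php(s, pos=0):
    """Parse one PHP-serialized value starting at pos; return (value, new_pos).

    Handles i (int), b (bool), N (null), s (string) and a (array, returned as a
    dict keyed by int or str). PHP string lengths are byte counts, so feed this
    function text decoded as latin-1 if the value may contain non-ASCII bytes."""
    t = s[pos]
    if t == "N":                      # "N;"
        return None, pos + 2
    if t in "ib":                     # "i:42;" / "b:1;"
        end = s.index(";", pos)
        n = int(s[pos + 2:end])
        return (bool(n) if t == "b" else n), end + 1
    if t == "s":                      # 's:LEN:"bytes";'
        colon = s.index(":", pos + 2)
        length = int(s[pos + 2:colon])
        start = colon + 2             # skip ':"'
        value = s[start:start + length]
        return value, start + length + 2   # skip closing '";'
    if t == "a":                      # "a:COUNT:{key;value;...}"
        colon = s.index(":", pos + 2)
        count = int(s[pos + 2:colon])
        pos = colon + 2               # skip ':{'
        result = {}
        for _ in range(count):
            key, pos = parse_php(s, pos)
            val, pos = parse_php(s, pos)
            result[key] = val
        return result, pos + 1        # skip '}'
    raise ValueError(f"unsupported serialized type {t!r} at offset {pos}")


def suspicious_plugin_entries(serialized):
    """Entries in active_plugins that are not a .php file under the plugins
    directory: wrong extension, path traversal, or an absolute path."""
    plugins, _ = parse_php(serialized)
    flagged = []
    for entry in plugins.values():
        if not isinstance(entry, str):
            flagged.append(repr(entry))
        elif not entry.endswith(".php") or ".." in entry or entry.startswith("/"):
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    print(parse_php(SAMPLE_ACTIVE_PLUGINS)[0])
    print("suspicious:", suspicious_plugin_entries(SAMPLE_ACTIVE_PLUGINS))
```

Paste the real option_value in place of the constructed sample; anything the check flags is a candidate for removal from the option (after taking a backup), followed by deleting the file it points at. The parser is also handy for other serialized options, such as widget settings, where the same trick can hide.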

  7. Ripberger Says:

    Wikipedia Review was hacked not so long ago. Apparently the hack was part of a large-scale attack against WordPress sites.

  8. WordPress continues delivers cutting edge features | Cyde Weys Musings Says:

    […] know I’ve been critical of WordPress in the past, but the new release of WordPress 2.6 allows me to pause and give thanks […]