How WordPress Blogs Are Hacked

The previous two articles in this series have suggested ways to combat the ever-increasing hack attacks that WordPress blogs are receiving. In this final article, we will discuss some real-life examples and what can be learned from them. As a disclaimer, it should be noted that some hackers are very skilled and are continually improving their methods. These are anecdotes from the past and the future will undoubtedly be very different.

Typical Hacking Exploits

For specific details of typical hacking exploits, the following accounts are particularly good:

The methods used in these cases are probably all the work of one hacker, by nickname goro, who may well have been one of the commenters on the first of these three posts.

We will not go into the specific details here (since they will undoubtedly evolve), but rather discuss the bigger picture associated with these exploits. In the case of the hacking done on the SMM blogs, there were some clever refinements. The mechanism inserted on the domain generated hundreds of random, unique blog post web pages, which included links to online pharmaceutical web pages. Since the websites were well ranked in Google, many of these hundreds of blog posts were served to the search engine spiders as they made their visits. After a period of hours, the mechanism then stopped. This may have been to avoid a huge spike in traffic, which would have been more easily detected.

How Google May Have Rewarded Their Efforts

During the last two or three months, Google has been giving much more rapid visibility and higher ranking to blog posts in its regular web search. In the latter part of January, blog posts appropriate for particular keyword searches would appear within a small number of hours in the regular web search. The algorithm may well be using the RSS news feeds associated with the blogs. This gave particular prominence to the blog posts generated by the hacking mechanism. They would almost always appear among the top five positions on a search for particular online pharmaceuticals and often in the first position. Presumably this gave a significant economic advantage to the hacker.

Although the hacking mechanism was removed within 36 hours, the false and now non-existent blog posts still persist in the Google index over 3 weeks later. In some cases the cached versions of the false blog posts are still available.

An interesting parallel development during this time is that Google Blogsearch now has a delay of a few days in displaying new blog posts. Until recently such a new blog post might have appeared within an hour or two, since it was triggered by the pinging of the RSS news feed. Whether this is a reaction to a large volume of blog posts generated by hackers one can only surmise.

How To Repair The Damage

Hopefully this series of articles has sensitized you to the dangers of hacking. This should prompt you to maintain a constant vigil so that any hacker intrusions will be spotted rapidly. You should also, as Wayne Liew suggests, regard WordPress Upgrades as a Must. The continuing improvement in security may not serve to keep out hackers, but at least it may encourage them to attack easier prey.

If your WordPress blog is hacked, it can be quite a challenge to find out what has been changed. Sometimes the hacker may have modified files deep within folders that are not normally touched in upgrading, such as the images folder or the wp-content folder. Comparing the size in bytes of particular files with the versions in the most recent backup will reveal suspicious differences. Sometimes the .htaccess file may have been modified to create additional and inappropriate mechanisms. In such cases, you have to make sure that you eliminate all such additions to the website. If you have recently backed up a clean version of the website, it may be better to take down the website and replace it with that clean version.
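The backup comparison described above, as an added example that is not code from the original article: it fingerprints every file in a live site tree and a clean backup tree by size and SHA-256, reports what was added, removed or modified, and then flags the findings the article singles out (an altered .htaccess, and new or changed files under wp-content or images). The directory layout, file contents and the `demo()` sample trees are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def _fingerprint(path: Path) -> tuple:
    """(size in bytes, SHA-256) of one file; size alone is the article's quick check."""
    return path.stat().st_size, hashlib.sha256(path.read_bytes()).hexdigest()

def _snapshot(root: Path) -> dict:
    """Map each regular file under root (as a relative POSIX path) to its fingerprint."""
    return {p.relative_to(root).as_posix(): _fingerprint(p)
            for p in root.rglob("*") if p.is_file()}

def compare_trees(live, backup) -> dict:
    """Diff the live site against the clean backup: added, removed and modified paths."""
    live_snap, back_snap = _snapshot(Path(live)), _snapshot(Path(backup))
    return {
        "added": sorted(set(live_snap) - set(back_snap)),
        "removed": sorted(set(back_snap) - set(live_snap)),
        "modified": sorted(p for p in live_snap.keys() & back_snap.keys()
                           if live_snap[p] != back_snap[p]),
    }

WATCH_DIRS = ("wp-content", "images")  # folders an upgrade normally leaves alone

def suspicious(report: dict) -> list:
    """Flag .htaccess changes plus new or altered files under the watched folders."""
    flagged = []
    for kind in ("added", "modified"):
        for rel in report[kind]:
            if Path(rel).name == ".htaccess" or rel.split("/")[0] in WATCH_DIRS:
                flagged.append((kind, rel))
    return flagged

def demo() -> list:
    """Constructed sample: a clean backup and a live copy with two planted changes."""
    tmp = Path(tempfile.mkdtemp())
    clean, live = tmp / "backup", tmp / "live"
    for root in (clean, live):
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / ".htaccess").write_text("RewriteEngine On\n")
        (root / "wp-content" / "index.php").write_text("<?php // Silence is golden\n")
    # Present only in the live copy: a dropped PHP file and an extra rewrite rule (constructed)
    (live / "wp-content" / "uploads" / "x.php").write_text("<?php /* constructed sample */\n")
    (live / ".htaccess").write_text("RewriteEngine On\nRewriteRule ^ - [E=constructed]\n")
    return suspicious(compare_trees(live, clean))

if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind:9} {rel}")
```

Run `compare_trees(<live root>, <backup root>)` against a real site and backup; an unchanged file with the same size and hash never appears in the report, so anything listed deserves a look.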

Related:
Blogs Take Center Stage For Marketers And For Google
How to Remove WordPress.net.in Spam Injection

Previous articles in this series:
WordPress Blog Hacked
Guarding Your WordPress Blog

17 thoughts on “How WordPress Blogs Are Hacked”

  1. First of all, thanks for the link.

    I guess one should always have their blogs backed up. At least even if a hacker is smart enough to break though every barrier that we have set up, we still have something to fall back onto.

  2. Excellent post, Barry.

    Your caution about having backups is important; without backups, you’re open to all kinds of things happening, including simple error. That would include backing up your database on an ongoing basis, as some hacks may insert stuff in the database.

    I also think that, if your WordPress blog gets hacked, it’s vital to look into *how* it got hacked so that you can plug the hole.

  3. I agree, Barry.

    I looked through some of the examples at the links you provided. I think one thing that can be helpful is that, if you don’t need for people to register, to simple put a password on the wp-admin folder. At least, that’s one thing out of the way.

  4. I think the best way for hackers to hack WordPress is through some sort of injection through the browser URL bar. Before the recent upgrades, XSS (cross site scripting) was the most common, especially through the editor.

  5. There is always the possibility that a plugin has not been made as securely as it should. It’s important to stay aware of developer comments about plugins and watch out for security loopholes. Normally the most popular ones should not give problems.

  6. I don’t know if “spamming” is considered hacking.
    I would recommend Yawasp against spamming by the way. (Admin note: Yawasp is in German.)

  7. Wow, what a revelation. I was still using blogger for my blogs. I was searching for info. on wordpress. I want to get into it. After reading this, I’m a little bit more cautious.

  8. I would still strongly recommend using WordPress rather than Blogger. What you gain with functionality and SEO far outweighs the small amount of effort required to maintain a high security level.
