The previous two articles in this series have suggested ways to combat the ever-increasing hack attacks that WordPress blogs are receiving. In this final article, we will discuss some real-life examples and what can be learned from them. As a disclaimer, it should be noted that some hackers are very skilled and are continually improving their methods. These are anecdotes from the past and the future will undoubtedly be very different.
Typical Hacking Exploits
For specific details of typical hacking exploits, the following accounts are particularly good:
- Is your WordPress Installation Compromised? Al Gore’s is – by Stuart McKeown (12. Nov 2007)
- Matt Heaton (Bluehost and Hostmoster CEO) WordPress blog Hacked by Mick Jagger from Moscow – by Noah (3 Dec 2007)
- Blackhat SEO Spammer targeting High PR WordPress Blog – by Noah (14 Feb 2008)
The methods used in these cases are probably all the work of one hacker, by nickname goro, who may well have been one of the commenters on the first of these three posts.
We will not go into the specific details here (since they will undoubtedly evolve), but rather discuss the bigger picture associated with these exploits. In the case of the hacking done on the SMM blogs, there were some clever refinements. The mechanism inserted on the domain generated hundreds of random, unique blog post web pages, which included links to online pharmaceutical web pages. Since the websites were well ranked in Google, many of these hundreds of blog posts were served to the search engine spiders as they made their visits. After a period of hours, the mechanism then stopped. This may have been to avoid a huge spike in traffic, which would have been more easily detected.
How Google May Have Rewarded Their Efforts
During the last two or three months, Google has been giving much more rapid visibility and higher ranking to blog posts in its regular web search. In the latter part of January, blog posts appropriate for particular keyword searches would appear within a small number of hours in the regular web search. The algorithm may well be using the RSS news feeds associated with the blogs. This gave particular prominence to the blog posts generated by the hacking mechanism. They would almost always appear among the top five positions on a search for particular online pharmaceuticals and often in the first position. Presumably this gave a significant economic advantage to the hacker.
Although the hacking mechanism was removed within 36 hours, the false and now non-existent blog posts still persist in the Google index over 3 weeks later. In some cases the cached versions of the false blog posts are still available.
An interesting parallel development during this time is that Google Blogsearch now has a delay of a few days in displaying new blog posts. Until recently such a new blog post might have appeared within an hour or two, since it was triggered by the pinging of the RSS news feed. Whether this is a reaction to a large volume of blog posts generated by hackers one can only surmise.
How To Repair The Damage
Hopefully this series of articles has sensitized you to the dangers of hacking. This should prompt you to maintain a constant vigil so that any hacker intrusions will be spotted rapidly. You should also as Wayne Liew suggests regard WordPress Upgrades as a Must. The continuing improvement in security may not serve to keep out hackers but at least it may encourage them to attack an easier prey.
If your WordPress blog is hacked, it can be quite a challenge to find out what has been changed. Sometimes the hacker may have modified files deep within folders that are not normally touched in upgrading, such as the images folder or the wp-content folder. Checking the size in bytes of particular files compared with versions in the most recent backup will reveal suspicious differences. Sometimes the .htaccess file may have been modified to create additional and inappropriate mechanisms. In such cases, you’ve got to make sure that you eliminate all such additions to the website. If you have backed-up a clean version of the website recently, it might be better to take down the website and replace it with a clean version.