Pwned again – you may want to check your WordPress site

Almost exactly a year ago, an IT security chap discovered a vulnerability in timthumb.php – an image resizing script used in more than 250 popular themes and plugins for WordPress.org sites. Using this vulnerability, unpleasant people could quite easily gain access to your site and execute whatever code they wished on it. If you like, watch this video to see how it’s done.

Pwned!

Artist’s impression of the unpleasant types looking to pwn your website. Photo: Jolene 00 via sxc.hu

Although I had followed WordPress’s instructions for hardening my WordPress installation, sneaky people used this security hole to pwn my website last year.

Fortunately, these miscreants didn’t use their power to infect my site with malware or destroy my reputation. In fact, all they did was install a bit of code. If this code detected a regular web browser, it would do nothing. If it detected a search engine bot, it would insert a great big chunk of links to dodgy websites. The search engine would go, ‘OK, here’s a relatively reputable site linking to all these other sites. They must be legit.’ In effect, it was using my site’s reputation to advance the search rankings of all manner of disreputable sites.

Of course, search engines frown on this sort of behaviour – presenting one lot of content to human viewers and another to search engines is called cloaking and your site will instantly disappear from search results if you get caught out.

I wouldn’t have noticed this pwnage except for Google’s instant preview facility. One time, while ego surfing, I noticed that Google’s image of my website included this mysterious chunk of links.

Noticing this, I used Google Webmaster Tools’ ‘Fetch as Google’ feature and found the mystery links that were visible to Google but not to a regular browser. It didn’t take too long to discover the source of the problem and how to fix it.
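The same comparison can be scripted, as an added example that is not part of the original post: fetch a page once with an ordinary browser User-Agent and once with Googlebot’s, and list the links that only the crawler is served. The network fetch helper, the URL and the two sample HTML pages below are assumptions constructed for the demonstration.

```python
"""Cloaking check: compare what a browser is served with what a search bot is served.

Injected cloaking code adds links only when the User-Agent looks like a crawler,
so fetching the same URL under two User-Agents and diffing the outbound links
exposes the hidden payload.
"""
import re
import urllib.request

BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/10.0"
# Googlebot's documented User-Agent string.
BOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

HREF_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\']', re.IGNORECASE)


def extract_links(html: str) -> set:
    """Return the set of href targets found in an HTML document."""
    return set(HREF_RE.findall(html))


def bot_only_links(browser_html: str, bot_html: str) -> list:
    """Links served to the crawler but not to the browser: the cloaked content."""
    return sorted(extract_links(bot_html) - extract_links(browser_html))


def fetch(url: str, user_agent: str) -> str:
    """Fetch a page with the given User-Agent (needs network; unused by the offline sample)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=20) as resp:
        return resp.read().decode(resp.headers.get_content_charset() or "utf-8", "replace")


def check_site(url: str) -> list:
    """Fetch url as a browser and as a bot; return the links only the bot sees."""
    return bot_only_links(fetch(url, BROWSER_UA), fetch(url, BOT_UA))


# Constructed sample pages standing in for the two fetches of one URL.
SAMPLE_BROWSER = """<html><body><p>My blog</p>
<a href="/about/">About</a> <a href="https://wordpress.org/">WordPress</a>
</body></html>"""
SAMPLE_BOT = SAMPLE_BROWSER.replace(
    "</body>",
    '<div style="display:none"><a href="http://example.com/cheap-pills">pills</a>'
    '<a href="http://example.net/casino">casino</a></div></body>')

if __name__ == "__main__":
    for link in bot_only_links(SAMPLE_BROWSER, SAMPLE_BOT):
        print("served only to the crawler:", link)
```

Running `check_site("https://your-site.example/")` performs the live comparison; an empty list means both User-Agents received the same set of links.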

Lazy and/or inept

I’ve been regularly checking my site in case the same thing happened again. Last week, it did. It’s possible I didn’t clean up the site thoroughly the first time, or it may be some new vulnerability.

Google’s instant preview of my site currently

The point is, I lack the technical aptitude, and more importantly, the time to keep tinkering with the back-end of the site to maintain security. And the reaction of one of my most technically literate friends – “You run your site on WordPress – ha ha ha ha!”, or thereabouts – made me decide running my own site was an expense and a luxury I didn’t need.

So I moved the site back to WordPress.com. (Of course, in doing so, I managed to trigger a cascade of automated Twitter posts as I ‘published’ each article in my blog all over again. This further destroyed any claims I might have made to being technically ept.) I don’t have my choice of plugins and can’t modify the site’s appearance as much as I’d like. But I’m outsourcing the security to people who know more about it than I do.

Fix your site

So, if you’re running a site on WordPress.org, I strongly recommend you update your core engine, plugins and themes. Use this vulnerability scanner and, if it finds any problems, follow all these instructions. Also read and follow these instructions for hardening your WordPress installation.

Do it now!
