Same here, and I did have something vulernable: Super Cache. I just updated.
You know what would be nice? Opt-in e-mail lists for each plug-in. If I hadn't seen this article, I might not have updated for months. If I'd gotten an e-mail that says, "SUPER CACHE COMPROMISED, UPDATE NOW," I sure would've.
I just spend half day cleaning client's website from intense attack targeting outdated timthumb vulnerability.
Attacker discovered inactive old theme (canvas) within website, scanned for thumb.php and planted external malicious PHP script inside website.
Then through that planted malicious script - infected about 100 of other PHP files overwriting header of each with malicious code.
This type of attack couldn't be cleaned up just by reinstalling wordpress as attacker could use any of newly infected files to re-infect the whole site again.
Luckily her website was hosted at http://hostrum.com where she had a detailed report of all suspicious files that are suddently appeared.
Lessons:
1. Make sure your hosting company has realtime malware notification and protection. Very little number of hosting companies do that.
2. Do no keep uninstalled old themes or old plugins - they can be used as a backdoors into website. Delete them if not used.
Just as an FYI, those attacks are fully automated. There wasn't really some guy on the other end doing this. Had a client have this same thing happen to them and the request to re-infect kept coming in long after the initial issue was resolved.
Another good thing to do which will disable 99% of these kind of attacks, is disable the following PHP functions:
The specific vulnerability mentioned in this article is only exploited when a comment containing dynamic snippets is posted. Most WP blogs use comment moderation of some sort to prevent spam and that prevents this attack from being widely exploited, in my opinion.
I had an attached comment with this information but want to break it out as it will likely be useful to people without lots of time dealing with the various ways Wordpress can/will (mostly will) get attacked.
First: Double-check your folder and file permissions. A lot of plugins like and love very open folder permissions so they can write stuff everywhere. Be very careful with changing permission on core Wordpress stuff! If for instance you give the web-server write permissions to the core, you're going to have a bad time. This is made worse by the fact that many people are used to using the wp-admin 'upgrade' functionality. In my view this is beyond awful. A lot of WP exploits would be made much harder by just not allowing this and manually upgrading the Wordpress core. It's very easy anyway.
Second: Disable the following PHP functions in php.ini on the server hosting Wordpress
You can just add that line anywhere in the php.ini, restart apache (or php-fpm if you're using that) and you've suddenly blocked 99% of the Wordpress and greater PHP attacks against your server. Essentially you'll run across some PHP scripts eventually that want one or more of those permissions. If they do, run them on a server separate from Wordpress and also keep the application way up to date (or you'll have a bad time).
WPScan allows you to do a URL/folder based wordpress scan looking for vulnerable files, wordpress versions and plugins. It is a very good tool to keep handy if you host lots of Wordpress sites.
Oh, one more little thing. The timthumb vuln issue someone mentioned below... keep this handy for newest version http://timthumb.googlecode.com
Wait, what? WPScan is a standalone Ruby script. You run it against a Wordpress site. There's nothing to install on the WP website in question. You can even run it against public WP websites if you wanted to (although I imagine you might get some sternly worded letters from some).
11 comments
[ 2.5 ms ] story [ 40.3 ms ] threadYou know what would be nice? Opt-in e-mail lists for each plug-in. If I hadn't seen this article, I might not have updated for months. If I'd gotten an e-mail that says, "SUPER CACHE COMPROMISED, UPDATE NOW," I sure would've.
2. Do no keep uninstalled old themes or old plugins - they can be used as a backdoors into website. Delete them if not used.
Another good thing to do which will disable 99% of these kind of attacks, is disable the following PHP functions:
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_multi_exec,parse_ini_file,show_source
There's very, very few scripts which actually need these, and if you run across one that does... you probably shouldn't use it anyway.
First: Double-check your folder and file permissions. A lot of plugins like and love very open folder permissions so they can write stuff everywhere. Be very careful with changing permission on core Wordpress stuff! If for instance you give the web-server write permissions to the core, you're going to have a bad time. This is made worse by the fact that many people are used to using the wp-admin 'upgrade' functionality. In my view this is beyond awful. A lot of WP exploits would be made much harder by just not allowing this and manually upgrading the Wordpress core. It's very easy anyway.
Second: Disable the following PHP functions in php.ini on the server hosting Wordpress
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_multi_exec,parse_ini_file,show_source
You can just add that line anywhere in the php.ini, restart apache (or php-fpm if you're using that) and you've suddenly blocked 99% of the Wordpress and greater PHP attacks against your server. Essentially you'll run across some PHP scripts eventually that want one or more of those permissions. If they do, run them on a server separate from Wordpress and also keep the application way up to date (or you'll have a bad time).
Third: Install and keep this handy http://wpscan.org/
WPScan allows you to do a URL/folder based wordpress scan looking for vulnerable files, wordpress versions and plugins. It is a very good tool to keep handy if you host lots of Wordpress sites.
Oh, one more little thing. The timthumb vuln issue someone mentioned below... keep this handy for newest version http://timthumb.googlecode.com
Any questions?
We are also working hard to keep an updated internal database of all vulnerable plugins and themes, so update it often ;)