How did they hack my Wordpress sites

Solution 1:

That's your problem right there. Most of these attacks are carried out by automated scripts that look for known vulnerabilities in older wordpress systems. Since anyone can look at bug reports and changelogs, it's not too difficult to engineer a script to exploit a weakness.

Your best defense is to always have your wordpress version AND your themes/plugins up to date.

I used to have this problem with a few of my defunct blogs, but keeping them constantly updated fixed it.

Do a grep on your existing blogs and look for any iframes or eval method calls in your WP directory. Also check the DB. Once it's all clean, update your WP version and themes/plugins and keep it updated.

Next, log in to Google webmaster and, if you haven't already, prove ownership and ask for a review of your site. The warning should go away after a while.
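Solution 1's grep for eval calls and injected iframes, as an added example that is not the answer's own code: a small POSIX shell script that sweeps a WordPress tree and a mysqldump file for those two indicators, run here against a constructed fixture. The file globs and the two regexes are assumptions (heuristics, not an authoritative signature set), so every hit still needs a manual look.

```shell
#!/bin/sh
# Added example: hunt for the two indicators Solution 1 names, obfuscated eval()
# calls and hidden iframes, across a WordPress tree and a SQL dump.
# The patterns are constructed heuristics; legitimate code can match, so review hits by hand.

EVAL_RE='eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)'
IFRAME_RE='<iframe[^>]*(display:[[:space:]]*none|visibility:[[:space:]]*hidden|(width|height)=.?0[^0-9])'

# List files under a WordPress directory that contain either indicator.
scan_tree() {
  grep -rlE -e "$EVAL_RE" -e "$IFRAME_RE" \
    --include='*.php' --include='*.js' --include='*.html' --include='*.htm' "$1" | sort
}

# Count matching lines in a mysqldump of the WordPress database (post content, options).
scan_dump() {
  grep -cE -e "$EVAL_RE" -e "$IFRAME_RE" "$1"
}

# Constructed fixture: one clean theme file, one planted PHP file under uploads,
# one injected footer, and a two-row dump with one hidden iframe in post content.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/themes/twentyten" "$d/wp-content/uploads/2011/03"
  printf '<?php get_header(); ?>\n' > "$d/wp-content/themes/twentyten/index.php"
  printf '<?php eval(base64_decode("ZWNobyAxOw==")); ?>\n' > "$d/wp-content/uploads/2011/03/img.php"
  printf '<iframe src="http://example.invalid/" style="display:none"></iframe>\n' \
    > "$d/wp-content/themes/twentyten/footer.php"
  printf "INSERT INTO wp_posts VALUES (1,'<p>Hello</p>');\nINSERT INTO wp_posts VALUES (2,'<iframe src=\"http://example.invalid/\" width=0 height=0></iframe>');\n" \
    > "$d/dump.sql"
  echo "$d"
}
```

Run `scan_tree /path/to/wordpress` and `scan_dump backup.sql` against a real install and dump; the fixture only exists so the script can be exercised offline.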

Solution 2:

Welcome to reality. Your sites got hacked because you completely failed to take any precautions. Running such old and vulnerable versions of WordPress is simply asking for this to happen. Given the invitation you've created, don't be surprised when people come to the party.

I suggest you either put some effort into your web sites or stop playing at being a webmaster and get someone who knows what they're doing to manage your systems and ensure all reasonable safety measures are implemented, including upgrading as necessary. There's more to a web site than just throwing a prepackaged version of software on it, typing some content and sitting back.


Solution 3:

Unless you have the logs from the day it happened, there's probably no way you're going to know how it happened. There are tons of exploits against historical versions of wordpress like 2.5. Here are a few CVEs that might be how they got in:

  • CVE-2008-2068
  • CVE-2008-2392
  • CVE-2009-2762
  • CVE-2009-3890

Do you keep your plugins up to date? There are exploits against them too; that could be the avenue of attack as well.

You could spend days looking at CVEs and exploit code, but the reason they got in there (assuming it was through wordpress) was through some bug in the code. This bug was probably found several years ago, widely published, and already fixed. There's probably nothing special about your wordpress install; it was probably exploited through some automated tool looking for old versions of wordpress.

If you just want to see how someone might exploit some old version of wordpress, just search http://exploit-db.com .

FTP/SSH/Cpanel passwords are quite strong

Do you reuse passwords? Is your FTP password the same for that forum you maybe registered for 3 years ago that stored their passwords in clear text and got hacked? That's another avenue of attack.


Solution 4:

See:

  • FAQ: My site was hacked « WordPress Codex
  • How to completely clean your hacked wordpress installation
  • How to find a backdoor in a hacked WordPress
  • Hardening WordPress « WordPress Codex


Solution 5:

This question is really old, but since I've been recently dealing with the same type of attack, here are some very basic things you can do:

  1. Edit your php.ini file to disallow base64_decode functionality. Find the line that says disable_functions = and change it to disable_functions = eval, base64_decode, gzinflate. A lot of these scripts use this function to unpack their files and get them running on your server. This will at least stop the files from auto unpacking.
  2. Change your wordpress table prefix. You'll have to do this in your MySql database as well as your config.php file. The default prefix is wp_ and that makes guessing table and field names very easy for 90% of the wordpress blogs out there. It's not a silver bullet or anything, but it'll force them to try to guess what your database names are which could slow them down enough to give up trying to insert things into your database.
  3. Change the name of your uploads folder. Wordpress allows write access to this folder via the media uploader, which makes this a really easy place for them to upload PHP files that contain shell scripts, and it's likely you won't see them here. They won't show up in your media library AND they'll be buried in a place you're not likely to navigate to when using an FTP program. Just like changing the default database prefix, if you leave this folder as the default anyone with any skill at all can guess the file path to that folder. We've also gone so far as restricting file types that can be added to that folder to .jpg, .gif and .png, since the uploads folder name can easily be discovered by checking the url of any image on your blog.
  4. Get a good security plugin like Wordfence. I've been very pleased with it so far.
  5. I wouldn't recommend this to inexperienced users, but another good way to keep your filepaths secret is to move your contents folder outside of the main wordpress install (i.e. application directory). It'll work similar to having a virtual directory, where the URLs on your blog don't reflect the literal file paths. By doing this, if they try to upload to directories found in your URL they will run into errors. There's information on changing the location of your contents folder in the codex here

In general, it's a good idea to change all defaults to customize your install as much as possible. There's much, much more you can do and I highly recommend reading up on hardening wordpress and php, but simple things like this will keep out most casual hackers and those using automated vulnerability scanners.

Also know that if they had full access to your server you are going to have to change all of your user accounts. Change your account name. Change your passwords. ALL your passwords, including database, FTP... anything that requires validation is now compromised and if they have those, all the hardening in the world means nothing.
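An added audit script for items 1 to 3 of Solution 5 (not the answer's own code): it checks whether php.ini's disable_functions lists the unpack helpers, whether wp-config.php still uses the wp_ table prefix, and whether any PHP-executable files sit under the uploads folder, exercised against a constructed fixture. One caveat the audit reflects: eval is a PHP language construct, not a function, so disable_functions cannot block it, and the check looks only for base64_decode and gzinflate; all paths are assumptions passed in as arguments.

```shell
#!/bin/sh
# Added audit (not from the answer) for three of Solution 5's hardening items.
# It reads only the php.ini and WordPress paths it is given; the fixture below is constructed.

# Item 1: are base64_decode and gzinflate listed in php.ini's disable_functions?
# (eval is a language construct and cannot be disabled this way, so it is not checked.)
check_disabled_functions() {
  line=$(grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$1" | tail -n 1)
  for fn in base64_decode gzinflate; do
    printf '%s\n' "$line" | grep -qE "[=,][[:space:]]*$fn[[:space:]]*(,|\$)" \
      || { echo "missing:$fn"; return 1; }
  done
  echo ok
}

# Item 2: has $table_prefix in wp-config.php been changed away from the default wp_?
check_table_prefix() {
  prefix=$(sed -nE 's/^[[:space:]]*\$table_prefix[[:space:]]*=[[:space:]]*.([A-Za-z0-9_]*).*/\1/p' "$1" | tail -n 1)
  if [ -n "$prefix" ] && [ "$prefix" != "wp_" ]; then echo "ok:$prefix"; else echo default; return 1; fi
}

# Item 3: count PHP-executable files (including double extensions) under the uploads folder.
count_php_in_uploads() {
  find "$1" -type f \( -iname '*.php' -o -iname '*.php.*' -o -iname '*.phtml' \) | grep -c .
}

# Constructed fixture: a weak and a hardened php.ini, a default and a changed wp-config.php,
# and an uploads tree with one planted PHP file and one double-extension file.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/uploads/2011/03"
  printf 'disable_functions =\n' > "$d/php-weak.ini"
  printf 'disable_functions = base64_decode, gzinflate\n' > "$d/php-hardened.ini"
  printf '%s\n' "\$table_prefix = 'wp_';" > "$d/wp-config-default.php"
  printf '%s\n' "\$table_prefix = 'x7q_';" > "$d/wp-config-changed.php"
  : > "$d/wp-content/uploads/2011/03/photo.jpg"
  : > "$d/wp-content/uploads/2011/03/photo.php.jpg"
  : > "$d/wp-content/uploads/2011/03/cache.php"
  echo "$d"
}
```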