Cleaning Up from Wordpress Hack

July 8th, 2008

Let me preface this post by saying that I really, really like Wordpress …

However, I’ve been cleaning up a mess that injected spam into my blog for a while now. The hacks consisted of two types:

  • Comments that injected spam links
  • Hacked template files that imported scripts with spam links

If you use Wordpress, make sure you take a close look at your source code. Better yet, lock down the permissions on all your template files. Doing so means you can no longer use the online theme editor that Wordpress provides, but for most of us, that’s an acceptable trade-off.
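One way to carry out both checks from a shell, as an added example that is not part of the original post. The function names are hypothetical, the theme directory is passed in by you (normally `wp-content/themes`), and the `<script src=…>` pattern is an assumption about what an injected import looks like.

```shell
#!/bin/sh
# Added example: audit and lock down WordPress theme files.
# Usage: sh theme_lock.sh audit /path/to/wp-content/themes
#        sh theme_lock.sh lock  /path/to/wp-content/themes

# List every file that its owner, group or anyone else may still write to.
# These are the files the online theme editor (or an intruder acting as the
# web server user) can modify.
writable_theme_files() {
    find "$1" -type f \( -perm -200 -o -perm -020 -o -perm -002 \) -print | sort
}

# Show template lines that load a script from an absolute or
# protocol-relative URL, so each host can be reviewed by hand.
# Assumption: the injected import is a <script src=...> tag in a .php file.
external_script_refs() {
    grep -rnE --include='*.php' '<script[^>]+src=["'\'']?(https?:)?//' "$1" || true
}

# Remove the write bit for everyone, on files and on directories, so that
# existing templates cannot be edited and new files cannot be dropped in.
lock_theme_files() {
    find "$1" -type f -exec chmod a-w {} +
    find "$1" -type d -exec chmod a-w {} +
}

case "${1:-}" in
    audit)
        echo "Writable theme files:"
        writable_theme_files "$2"
        echo "External script references:"
        external_script_refs "$2"
        ;;
    lock)
        lock_theme_files "$2"
        ;;
esac
```

To change a theme later, restore write access for the owner only (`chmod -R u+w` on the theme directory), upload the edited files, and lock the directory again.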

I don’t understand the cause of the security breach, but have been more diligent ever since about updating to the newest version of Wordpress whenever it’s released. I’d suggest all bloggers do the same. We’ve got to stop the spam.

Some links for more info:

Entry Filed under: Signposts, WordPress


14 Comments

  • 1. Bookmarks about Css…  |  August 1st, 2008 at 7:30 pm

    [...] - bookmarked by 1 members originally found by dcasimiro on July 17, 2008 Cleaning Up from Wordpress Hack http://blog.designdelineations.com/2008/07/08/cleaning-up-from-wordpress-hack/ - bookmarked by 1 [...]

  • 2. Weng  |  October 30th, 2008 at 10:05 am

    Well, all I can say is we’ve all been victims of this kind of internet loophole. It will be vigilant if we are always ready to combat hacks or spam through upgrading our tools on a regular basis.

  • 3. Bill  |  October 30th, 2008 at 7:16 pm

    Sounds like a nightmare. One always wonders why these security holes aren’t closed by default and only allowed open by explicit action (as in “Are you sure? Are you REALLY sure?”). Spam is horrible. I almost hate opening email any more (but, thanks to gmail, most of my spam gets filtered).

  • 4. Harvey Ramer  |  October 30th, 2008 at 11:08 pm

    Weng,
    I admit that I should have upgraded sooner, but this issue also could have been avoided by simply not allowing write access to my template files. No reason that I need my theme files to be modified unless I download them and update them offline.

    Bill,
    I don’t really blame Wordpress, though it was partially their fault. By not securing my exposed theme files, I was definitely more vulnerable than I needed to be.

  • 5. Busby SEO  |  October 31st, 2008 at 10:02 pm

    In addition, if you’re using the Wordpress plugin automatic update you can deactivate it now…

  • 6. Harvey Ramer  |  November 1st, 2008 at 9:34 am

    Busby SEO, are you saying this plugin is a security risk? http://techie-buzz.com/wordpress-plugins/wordpress-automatic-upgrade-plugin.html

    If so, why? I believe that automatic upgrade function is built into 2.5.x, so that plugin shouldn’t be needed. Am I correct?

  • 7. Sean "costa caleta" Redfearn  |  November 2nd, 2008 at 8:46 am

    Wordpress has always been good but I think we should update our blog from time to time when needed.

  • 8. Harvey Ramer  |  November 2nd, 2008 at 2:27 pm

    Yes, it is critical to stay up with Wordpress upgrades. It’s easy to upgrade and unlike many other software packages, it never breaks any of my themes when I upgrade.

  • 9. Eric Carter  |  November 2nd, 2008 at 4:40 pm

    I hate having to update my wordpress.

  • 10. 123bargains  |  November 4th, 2008 at 1:35 am

    Thanks for the warning. What about the various third party plugins they have out there? Also when you update Wordpress, does it ever mess up the plugins?

  • 11. Harvey Ramer  |  November 4th, 2008 at 10:30 am

    In general, most plugins are compatible with upgrades. It depends on the quality of the plugin and whether the Wordpress architecture they rely on has been altered.

    The Wordpress folks maintain a list of compatible plugins.

  • 12. webhosting-dir  |  November 5th, 2008 at 8:44 am

    If you stick with Wordpress’s list of plugins that they list, I have never had a problem, but I went outside the box a couple of times and both times had nothing but issues with security.

  • 13. SEOPressFormula  |  November 6th, 2008 at 12:29 am

    I am still having problems upgrading so thanks for the post.

  • 14. Harvey Ramer  |  November 6th, 2008 at 9:29 am

    SEOPressFormula, I see that you’re on Wordpress 2.5. Are you having trouble making the move to 2.7?



About Harvey Ramer

CSS Web design, e-commerce Web design, and internet marketing issues from the desk of Harvey A. Ramer at Design Delineations.
