The Bad Guys Are Back With
Over the course of the last month, WordPress has repeatedly been suffering a “Terrible, Horrible, No Good, Very Bad Day” (to quote the famous children’s book).
WordPress has been under serious assault from a wide range of security-jeopardizing attacks, most of them stemming from vulnerable or poorly secured plugins.
First, we’re going to cover the plugins affected. Then we’ll jump into the attack that is affecting WordPress core software itself and what you need to do about THAT!
- WPTouch (Vulnerability details.)
- Disqus (Vulnerability details.)
- All In One SEO Pack (2 vulnerabilities details.)
- MailPoet Newsletters (Vulnerable not once but twice! Here & Here)
For all four of these plugins, make sure you are on the latest version and that every site in your cPanel account (or local hosting environment) is updated too. It only takes one vulnerable site for all of the sites in that account to become compromised: on shared hosting they usually run as the same user on the same filesystem, so a shell dropped into one of them can write to the rest.
In addition, TimThumb, an image-resizing script bundled with many themes and plugins, is (once again!) creating vulnerabilities. (details) I really wish theme and plugin developers would move away from this script, but it remains common in website development today, including in all of the major CMS frameworks. You’ll need to run the Timthumb Vulnerability Scanner plugin to sniff out and patch this one.
Defacement & Redirection Attacks
Over the last 2 months, two variations of a “code injection attack” have turned up. These are a PRODUCT of an attacker having already gotten in somewhere else (often through a vulnerable plugin as seen above, or an outdated copy of WordPress); the injected code is what they leave behind once they have write access to your files.
What’s unique about these injections is that they are not the familiar eval(base64_decode(...)) code blocks; the payload is obfuscated some other way, so scanners that key on that one pattern miss it.
There are a couple of variations of this, and you can see two of them here and here. At this time, most malware scanners do not detect this new infection type, though Sucuri just recently added detection.
I sent infection files over to the teams at several of the security plugins, and most, including WordFence, have assured me that they will be adding this detection.
Many of these new infections overwrite your wp-config.php and other important files and REQUIRE recovery from a backup. If you don’t have a backup, you’re SCREWED. I use and highly recommend iThemes BackupBuddy.
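Because these injections skip the eval(base64_decode(...)) pattern that scanners key on, a useful interim check is to look for the other tell-tale shapes of obfuscated PHP (hex-escaped strings, XOR decode loops, function names assembled at runtime) and, separately, to compare every file against hashes taken from a known-good backup, which is what tells you that wp-config.php has been overwritten even when no heuristic fires. The following is an added example of both checks written for this page; it is not code from Sucuri, WordFence or any other scanner mentioned here, the heuristics and the sample files are my own constructions, and the XOR “dropper” is a harmless stand-in rather than a real sample.

```python
from __future__ import annotations

import hashlib
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# Obfuscation heuristics for injected PHP. These go beyond the classic
# eval(base64_decode(...)) block and are my own assumptions about common
# dropper styles, not any scanner's signature set.
INDICATORS = [
    ("eval_decode", re.compile(
        r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.I)),
    # preg_replace with the /e modifier evaluates the replacement as PHP
    ("preg_replace_e", re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I)),
    # $f($x): the function name is assembled at runtime to dodge grep
    ("dynamic_call", re.compile(r"\$\w+\s*\(\s*\$\w+")),
    # a string spelled entirely in \xNN escapes
    ("hex_escaped_string", re.compile(r"(\\x[0-9a-f]{2}){8,}", re.I)),
    # chr(101).chr(118)... building keywords byte by byte
    ("chr_concat", re.compile(r"(chr\s*\(\s*\d+\s*\)\s*\.\s*){4,}", re.I)),
    # one enormous base64-looking literal
    ("long_blob", re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]")),
    # $s[$i] ^ $k[...]: the "encrypted" payload is XOR-decoded in a loop
    ("xor_loop", re.compile(r"\^\s*\$\w+\s*\[")),
]

# Constructed sample files (not real malware): a clean config, the classic
# injection, and a hex/XOR-obfuscated dropper of the kind the post describes.
CLEAN_CONFIG = "<?php\ndefine('DB_NAME', 'wp');\n$table_prefix = 'wp_';\n"
CLASSIC_INJECTION = "<?php eval(base64_decode('aGVsbG8=')); ?>"
XOR_INJECTION = r'''<?php
$k = "s3cr3t"; $d = "\x1b\x02\x11\x0e\x5c\x43\x07\x1a\x52\x30\x2f\x01";
$o = "";
for ($i = 0; $i < strlen($d); $i++) { $o .= $d[$i] ^ $k[$i % strlen($k)]; }
$f = "as" . "sert"; $f($o);
'''


def suspicious_indicators(source: str) -> list[str]:
    """Names of the heuristics that fire on one PHP source text."""
    return [name for name, rx in INDICATORS if rx.search(source)]


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Relative path -> indicators hit, for every .php file with at least one hit."""
    hits = {}
    for p in sorted(root.rglob("*.php")):
        found = suspicious_indicators(p.read_text(errors="replace"))
        if found:
            hits[p.relative_to(root).as_posix()] = found
    return hits


def baseline(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 of every file; take this from a known-good backup."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare(root: Path, known_good: dict[str, str]) -> dict[str, str]:
    """Relative path -> 'modified' | 'added' | 'missing' versus the baseline."""
    now = baseline(root)
    result = {}
    for rel in sorted(set(now) | set(known_good)):
        if rel not in known_good:
            result[rel] = "added"
        elif rel not in now:
            result[rel] = "missing"
        elif now[rel] != known_good[rel]:
            result[rel] = "modified"
    return result


def demo() -> tuple[dict[str, list[str]], dict[str, str]]:
    """Build a tiny site, baseline it clean, then simulate the infection."""
    with TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content").mkdir()
        (root / "wp-config.php").write_text(CLEAN_CONFIG)
        (root / "wp-content" / "index.php").write_text("<?php\n// Silence is golden.\n")
        good = baseline(root)
        # the attack: wp-config.php overwritten with a dropper, an extra file added
        (root / "wp-config.php").write_text(XOR_INJECTION + CLEAN_CONFIG)
        (root / "wp-content" / "cache.php").write_text(CLASSIC_INJECTION)
        return scan_tree(root), compare(root, good)


if __name__ == "__main__":
    hits, changes = demo()
    for path, names in hits.items():
        print(f"SUSPICIOUS {path}: {', '.join(names)}")
    for path, status in changes.items():
        print(f"{status.upper():9} {path}")
```

On a live site you would run baseline() against the restored-from-backup copy, store the result, and run compare() against the web root on a schedule; the hash comparison is what catches a rewritten wp-config.php regardless of how the payload is hidden. Treat heuristic hits as leads rather than verdicts, since minified libraries and legitimate obfuscated vendor code can trip them.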
Don’t know how or don’t want the headache of managing your backups? Hire my team to do it for you!
XML-RPC Hack Attack
Just in case all of that wasn’t enough for you, we’ve had confirmation this week that, once again, the XML-RPC file in WordPress core (xmlrpc.php) is being used to attack sites, this time to guess the admin password by brute force.
We’ve talked about XML-RPC many times in the past, and I’ve advised you to take precautions.
This is the same file that caused many of us to unintentionally participate in DDoS attacks on major companies when its pingback feature was abused remotely to bounce traffic at the target. (Yes, you may have participated too and never known it!)
Well.. they’re back again.. with another new twist. Details. This time, the same file is the gateway to your login details: the authenticated XML-RPC methods accept a username and password on every call, so the file can be hammered with credential guesses just like the login form.
No protection available at this time lets you leave XML-RPC open to the outside world safely.
I STRONGLY advise you to go into your iThemes Security plugin, in the “Settings” tab, and set XML-RPC to “completely disable”.
Yes, this will not only disable pingbacks/trackbacks (which haven’t been safe for some time) but will also block outside tools such as Live Writer and Jetpack from remote-publishing to your blog. (Alternatively, you can add the snippet of code to your .htaccess file to “deny all” to your XML-RPC file, but that’s mighty techy.)
Do it anyway! The alternative is either (a) getting hacked or (b) having your hosting account suspended, because the flood of password guesses through this file puts DoS-level load on your site.
Chris Wiegman, the chief iThemes Security developer, has stated that they hope to have a solution by Monday that will enable XML-RPC to be protected while still enabled. I’d be on the lookout for that update if you NEED the file. Otherwise, leave it disabled!
Please stay tuned for further updates as this situation evolves and we learn more. I would expect to see patches for several of the security plugins that let us mitigate this better. However, given how exposed XML-RPC will always be, I doubt we’ll be re-enabling it in the future without risk.
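From the server side, the password guessing described above looks like a flood of POST requests to xmlrpc.php from a handful of addresses, which is also why a host may treat it as a DoS. The following is an added example, not part of the original post or of any plugin mentioned in it, that picks those bursts out of an Apache combined-format access log with a sliding window per client IP. The log lines are constructed for the example, and the threshold of 20 posts per minute is a guess you would tune to your own traffic.

```python
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" access-log line: client IP, timestamp, request line, status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str) -> dict | None:
    """Parse one access-log line; None for lines that are not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def xmlrpc_bursts(lines, threshold: int, window_seconds: int) -> dict[str, int]:
    """{ip: peak number of POSTs to xmlrpc.php within any window_seconds span},
    for each client whose peak reaches threshold. A remote-publishing client
    posts a few times an hour; a password guesser posts many times a second."""
    per_ip: dict[str, list[datetime]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?", 1)[0].endswith("/xmlrpc.php"):
            per_ip[rec["ip"]].append(rec["ts"])
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


# Constructed sample log (not captured from a real server): one client hammering
# xmlrpc.php, one legitimate remote-publishing client, one ordinary visitor.
def _line(ip: str, ts: datetime, method: str, path: str, ua: str = "Mozilla/5.0") -> str:
    return f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "{method} {path} HTTP/1.1" 200 412 "-" "{ua}"'


T0 = datetime(2014, 7, 21, 10, 15, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    [_line("203.0.113.5", T0 + timedelta(seconds=i // 2), "POST", "/xmlrpc.php") for i in range(60)]
    + [_line("198.51.100.7", T0 + timedelta(minutes=m), "POST", "/xmlrpc.php", ua="Jetpack") for m in (1, 9)]
    + [_line("192.0.2.33", T0 + timedelta(seconds=s), "GET", "/") for s in (3, 40)]
    + ["this line is not in combined log format"]
)

if __name__ == "__main__":
    for ip, peak in xmlrpc_bursts(SAMPLE_LOG, threshold=20, window_seconds=60).items():
        print(f"{ip}: {peak} POSTs to xmlrpc.php inside 60s")
```

On a real server, pass the open access log file as `lines`. Note what the access log cannot tell you: request bodies are not logged, so a pingback bounce and a login guess both show up as a POST to xmlrpc.php, which is one more reason the post’s advice to disable the file entirely is the safe default. If you take the .htaccess route mentioned above instead of the plugin setting, the Apache 2.2 form is `<Files xmlrpc.php>`, `Order Deny,Allow`, `Deny from all`, `</Files>`; Apache 2.4 uses `Require all denied` inside the same `<Files>` block.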
(That said … if you link to me, please send me an email or PM so I can appropriately thank you, as I have not had trackbacks enabled for months.)
Your “Other” Sites & Your “Neighboring” Sites
Remember that you need to do this for every single installation of WordPress in your cPanel/hosting account, as even one vulnerable site can lead to the infection of all the others.
This includes your forgotten blogs, abandoned sites, beta site, test installation, and more.
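Forgotten installs are easiest to find mechanically: every copy of WordPress carries a wp-includes/version.php with its core version in it. The following is an added example, not from the original post, that walks a hosting account, lists every install with its version and flags the ones behind the release you expect to be on. The directory layout and the “current” version string (3.9.2) are assumptions for the demonstration.

```python
from __future__ import annotations

import re
from pathlib import Path
from tempfile import TemporaryDirectory

# wp-includes/version.php in every WordPress install contains a line such as:
#   $wp_version = '3.9.2';
VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def find_installs(root: Path) -> dict[str, str]:
    """Map each WordPress install under root (relative path) to its core version."""
    installs = {}
    for vfile in root.rglob("version.php"):
        if vfile.parent.name != "wp-includes":
            continue
        m = VERSION_RE.search(vfile.read_text(errors="replace"))
        install_dir = vfile.parent.parent.relative_to(root).as_posix()
        installs[install_dir] = m.group(1) if m else "unknown"
    return installs


def _vtuple(version: str) -> tuple[int, ...]:
    # leading digits of each dotted piece: "3.9.2" -> (3, 9, 2), "4.0-beta1" -> (4, 0);
    # "unknown" becomes (0,), so an unreadable version is always reported as outdated
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def outdated(installs: dict[str, str], current: str) -> list[str]:
    """Install paths whose version is below `current`, the release you should be on."""
    return sorted(path for path, ver in installs.items() if _vtuple(ver) < _vtuple(current))


def demo() -> tuple[dict[str, str], list[str]]:
    """Constructed hosting account: a live site, a beta copy inside it, a forgotten blog."""
    with TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, ver in {"public_html": "3.9.2", "public_html/beta": "3.8.1", "old-blog": "3.5"}.items():
            inc = root / rel / "wp-includes"
            inc.mkdir(parents=True)
            (inc / "version.php").write_text(f"<?php\n$wp_version = '{ver}';\n")
        installs = find_installs(root)
        return installs, outdated(installs, "3.9.2")  # 3.9.2 assumed to be the current release


if __name__ == "__main__":
    installs, behind = demo()
    for path, ver in sorted(installs.items()):
        print(f"{path}: {ver}{'  <- UPDATE' if path in behind else ''}")
```

Point find_installs() at your home directory (public_html plus any addon-domain folders) and substitute the release currently offered on wordpress.org for the assumed 3.9.2. version.php only covers core; the plugins listed at the top of this post need their own check in each site’s wp-content/plugins directory.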
Need Help Or Want To Learn More?
I have a WordPress security course coming out soon (almost done updating it) that will help you learn how to head off a lot of the trouble sites are facing today. We also offer a comprehensive security audit and assistance with security cases if you would like to get your site reviewed by a professional.
Thoughts, Questions, Concerns?
Let me know in the comments below! I want to see you stay safe!
~ Kim ~
Simple Tech Tips For Marketing