A few weeks ago, we noticed that someone had managed to insert a bunch of spam links into our WordPress header and footer. We quickly updated to the latest version (2.3.3 at the time), thinking it would fix the security hole. However, this happened again, and seems to be happening on WordPress blogs all across the Internet.
The hack in itself is very interesting. First, it attempts to remain undetected by any human observer while staying fully indexable and followable by search engines: the spam links are inserted into a block with the style “position: absolute;overflow: hidden;height: 0;width: 0”. Second, the links point to legitimate blogs that have themselves been compromised. These blogs not only have link spam inserted into their pages, but also entire pages created within their WordPress themes directory as landing pages to host the spam-targeted content.
We have now upgraded to the newest WordPress 2.5 (which was released the very next day after we upgraded to 2.3.3). I haven’t seen any in-depth documentation of this security vulnerability. We hope this has been fixed in 2.5. As an extra precaution, we recommend that anyone running WordPress disable the online theme and plugin editor by removing the web server’s write permissions to the appropriate directories:
chmod -R -w wp-content/themes
chmod -R -w wp-content/plugins
This is just an example, and may vary depending on your specific installation and server setup. Also, be sure to check your directories for rogue files, and of course, fix your header and footer templates.
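A small detector for the hidden-link block described above, added here as an example (it is not code from the original post or from WordPress): it scans template markup for containers whose inline style collapses them with overflow hidden and a zero height or width, and reports the links inside. It generalizes slightly beyond the exact style string quoted above. The function names and the sample footer are constructed for illustration; the hostnames are placeholders.

```python
import re
from pathlib import Path

# Matches an element with an inline style attribute and captures its body.
# Non-greedy body: stops at the first matching close tag, enough for the flat
# injected block described above (nested markup is not handled).
STYLED_RE = re.compile(
    r'<(?P<tag>div|span|p)\b[^>]*style\s*=\s*["\'](?P<style>[^"\']*)["\'][^>]*>'
    r'(?P<body>.*?)</(?P=tag)>',
    re.IGNORECASE | re.DOTALL,
)
HREF_RE = re.compile(r'<a\b[^>]*href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
ZERO = {'0', '0px', '0em', '0%'}

def is_collapsed(style):
    """True if the inline style hides its content the way the injected block
    does: overflow hidden plus a zero height or a zero width."""
    decls = {}
    for decl in style.split(';'):
        if ':' in decl:
            key, val = decl.split(':', 1)
            decls[key.strip().lower()] = val.strip().lower()
    return (decls.get('overflow') == 'hidden'
            and (decls.get('height') in ZERO or decls.get('width') in ZERO))

def find_hidden_links(html):
    """Return hrefs found inside collapsed containers in the given markup."""
    links = []
    for m in STYLED_RE.finditer(html):
        if is_collapsed(m.group('style')):
            links.extend(HREF_RE.findall(m.group('body')))
    return links

def scan_theme_dir(root):
    """Map each template file under root to the hidden links it contains."""
    findings = {}
    for path in Path(root).rglob('*'):
        if path.is_file() and path.suffix.lower() in ('.php', '.html', '.htm'):
            hits = find_hidden_links(path.read_text(errors='replace'))
            if hits:
                findings[str(path)] = hits
    return findings

# Constructed sample footer template (placeholder hostnames, not real indicators).
SAMPLE_FOOTER = """<div id="footer"><p>Powered by WordPress</p>
<div style="position: absolute;overflow: hidden;height: 0;width: 0">
<a href="http://spam-landing.invalid/wp-content/themes/foo/page.html">spam anchor</a>
<a href="http://other-victim.invalid/">more</a></div>
<div style="float: left; width: 200px"><a href="http://blogroll.invalid/">friend</a></div>
</div>"""
```

Run `scan_theme_dir('wp-content/themes')` from the WordPress root to check every template file, or `find_hidden_links(SAMPLE_FOOTER)` to see the two planted links reported while the visible blogroll link is not.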