WordPress Security Vulnerabilities

A few weeks ago, we noticed that someone had managed to insert a bunch of spam links into our WordPress header and footer. We quickly updated to the latest version (2.3.3 at the time), thinking it would fix the security hole. However, this happened again, and seems to be happening on WordPress blogs all across the Internet.

The hack in itself is very interesting. First, it tries to stay invisible to any human reader while remaining fully indexable and followable by search engines: the spam links are inserted into a block with the style “position: absolute;overflow: hidden;height: 0;width: 0”, which renders nothing on screen. Second, the links point to legitimate blogs that have themselves been compromised. These blogs not only have link spam inserted into their pages, but also entire pages created inside their WordPress themes directory, which serve as landing pages hosting the spam-targeted content.

We have now upgraded to the newest WordPress 2.5 (which was released the very next day after we upgraded to 2.3.3). I haven’t seen any in-depth documentation of this security vulnerability. We hope this has been fixed in 2.5. To take extra precaution, we recommend that anyone running WordPress disable the online theme and plugin editor by removing the web server’s write permissions to the appropriate directories:

chmod -R a-w wp-content/themes
chmod -R a-w wp-content/plugins

This is just an example, and may vary depending on your specific installation and server setup. Also, be sure to check your directories for rogue files, and of course, fix your header and footer templates.
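To check a rendered page for the hidden block described above, here is an added Python example (not code from the original post): it parses the HTML and lists every link that sits inside an element styled with the zero-size absolute-positioning trick, so a script can flag injected spam that a human reader would never see. The sample page and the hostnames in it are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not from the original post): a normal header plus
# one injected block using the zero-size style the post quotes.
SAMPLE_HTML = """<html><body>
<div id="header"><a href="https://example.org/about">About</a><br></div>
<div style="position: absolute;overflow: hidden;height: 0;width: 0">
  <a href="http://compromised.example/landing1.php">cheap pills</a>
  <a href="http://compromised.example/wp-content/themes/x/offer.html">loans</a>
</div>
</body></html>"""
# (property, value regex); a block counts as hidden only when all four match.
HIDDEN_RULES = (("position", r"absolute"), ("overflow", r"hidden"),
                ("height", r"0(px|%|em)?"), ("width", r"0(px|%|em)?"))
VOID_TAGS = {"br", "hr", "img", "input", "meta", "link"}  # never closed

def is_hidden_style(style):
    """True if an inline style matches the absolute/overflow/0x0 trick."""
    decls = {}
    for decl in style.split(";"):
        if ":" in decl:
            prop, val = decl.split(":", 1)
            decls[prop.strip().lower()] = val.strip().lower()
    return all(re.fullmatch(rx, decls.get(p, "")) for p, rx in HIDDEN_RULES)

class HiddenLinkFinder(HTMLParser):
    """Collect hrefs of <a> tags that sit anywhere inside a hidden block."""
    def __init__(self):
        super().__init__()
        self.depth = 0    # number of enclosing hidden elements
        self.stack = []   # per open tag: did it open a hidden block?
        self.found = []   # hrefs discovered inside hidden blocks

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and self.depth and a.get("href"):
            self.found.append(a["href"])
        if tag not in VOID_TAGS:   # void tags get no end tag; keep stack aligned
            hidden = is_hidden_style(a.get("style") or "")
            self.stack.append(hidden)
            self.depth += int(hidden)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.depth -= int(self.stack.pop())

def find_hidden_links(html):
    finder = HiddenLinkFinder()
    finder.feed(html)
    return finder.found
```

Running this over pages fetched from your own site on a schedule gives the same check E.D. Kain does by hand with lynx, without relying on eyeballing the top and bottom of the page.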

  • ian

    Thanks for the tip. It's sad though that security issues stemming from such simple style issues continue to plague the web. How is the hack itself getting in before it hides?

  • barnes

    Jesus, this was very helpful. I am going to fix those security holes. Thanks, Barnes.

  • Kara (http://www.workfromhome4real.blogspot.com)

    Thank you for this information. I have read about this happening to a few other people throughout a couple of forums. Hope you will let us know if that upgrade took care of this issue.

  • Mika

    Thanks for the information. I’m going to fix this.

  • Seth

    Thanks for the useful information, Jason. As another victim of this stuff, it was helpful to see some solutions.

    Out of curiosity, if the search engines were crawling through this, could it negatively impact a site's SEO/reputation/status... and if so, how do we correct that after the fact?

  • Jon Henshaw

    Seth, yes it will negatively affect your search engine performance. However, once it’s fixed, it should go back to normal within a few weeks.

  • E.D. Kain

    Three things:

    First: This is still messed up for 2.5.1.

    Second: You can use lynx to view your website in a text-only version to check on a regular basis if you’ve been hi-jacked. The junk will show up at the top or bottom of your site. SO ANNOYING!!!

    Third: How can I disable the theme editor in my dashboard???

  • iwebie (http://www.iwebie.com)

    I used to use WordPress, but I got sick of all the security holes and switched back to MovableType.