
WordPress Security Vulnerabilities

By Jason Tan

A few weeks ago, we noticed that someone had managed to insert a bunch of spam links into our WordPress header and footer. We quickly updated to the latest version (2.3.3 at the time), thinking it would fix the security hole. However, this happened again, and seems to be happening on WordPress blogs all across the Internet.

The hack in itself is very interesting. First, it is designed to go unnoticed by any human visitor while remaining fully indexable and followable by search engines: the spam links are inserted into a block with the style “position: absolute;overflow: hidden;height: 0;width: 0”, which renders the block invisible on the page. Second, the links point to legitimate blogs that have themselves been compromised. These blogs not only have link spam inserted into their pages, but also entire pages created inside their WordPress themes directory, serving as landing pages for the spam-targeted content.

We have now upgraded to the newest WordPress 2.5 (which was released the very next day after we upgraded to 2.3.3). I haven’t seen any in-depth documentation of this security vulnerability. We hope it has been fixed in 2.5. As an extra precaution, we recommend that anyone running WordPress disable the online theme and plugin editor by removing the web server’s write permissions on the relevant directories:

chmod -R -w wp-content/themes
chmod -R -w wp-content/plugins

This is just an example, and may vary depending on your specific installation and server setup. Also, be sure to check your directories for rogue files, and of course, fix your header and footer templates.
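As an added example (not code from the original post), the following Python script checks theme files for the hidden-block CSS signature quoted above and lists the links it conceals, so that “check your directories for rogue files” can be done mechanically. The sample footer fragment, the domains in it and the `.example` hosts are constructed, and the scanner assumes the injected block is a single element carrying an inline style attribute.

```python
import re
from pathlib import Path
# Constructed footer.php fragment carrying the kind of block the post describes.
SAMPLE_FOOTER = """<div id="footer">
<div style="position: absolute;overflow: hidden;height: 0;width: 0">
<a href="http://compromised-blog.example/wp-content/themes/classic/pills.html">pills</a>
<a href="http://another-victim.example/wp-content/themes/default/loans.html">loans</a>
</div>
</div>"""
# The CSS signature quoted in the post: invisible to readers, still crawlable by search engines.
HIDDEN_PROPS = {"position": "absolute", "overflow": "hidden", "height": "0", "width": "0"}
STYLE_RE = re.compile(r'<(\w+)[^>]*\bstyle\s*=\s*["\']([^"\']*)["\'][^>]*>', re.IGNORECASE)
HREF_RE = re.compile(r'<a\b[^>]*\bhref\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def parse_style(style):
    """Turn 'position: absolute;overflow: hidden' into {'position': 'absolute', ...}."""
    props = {}
    for decl in style.split(";"):
        if ":" in decl:
            key, value = decl.split(":", 1)
            value = value.strip().lower()
            # Drop a trailing px unit so 'height: 0px' matches the signature too.
            props[key.strip().lower()] = value[:-2] if value.endswith("px") else value
    return props


def is_hidden_block(props):
    """True when every property of the spam signature is present with its value."""
    return all(props.get(k) == v for k, v in HIDDEN_PROPS.items())


def find_hidden_links(html):
    """Return every href inside an element whose style matches the hidden-block signature."""
    links = []
    for m in STYLE_RE.finditer(html):
        if not is_hidden_block(parse_style(m.group(2))):
            continue
        # Injected blocks hold only <a> tags, so the first matching close tag ends the block.
        end = html.find("</%s>" % m.group(1), m.end())
        links.extend(HREF_RE.findall(html[m.end():end if end != -1 else len(html)]))
    return links


def scan_theme_dir(theme_dir):
    """Map each .php/.html file under a theme tree (e.g. wp-content/themes) to its hidden links."""
    hits = {}
    for path in Path(theme_dir).rglob("*"):
        if path.is_file() and path.suffix.lower() in (".php", ".html", ".htm"):
            found = find_hidden_links(path.read_text(errors="replace"))
            if found:
                hits[str(path)] = found
    return hits
```

Run `scan_theme_dir("wp-content/themes")` against a live install to get a per-file list of hidden links; any file it reports, and any file in that tree you did not put there, is what the post means by a rogue file.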

This entry was posted on Tuesday, April 8th, 2008 at 11:08 am and is filed under How To, WordPress.


8 Responses to “WordPress Security Vulnerabilities”

  1. ian Says:

    Thanks for the tip. It's sad though that security issues stemming from such simple style issues continue to plague the web. How is the hack itself getting in before it hides?

  2. barnes Says:

    Jesus, this was very helpful. I am going to fix those security holes. Thanks, barnes.

  3. Kara Says:

    Thank you for this information. I have read about this happening to a few other people throughout a couple of forums. Hope you will let us know if that upgrade took care of this issue.

  4. Mika Says:

    Thanks for the information. I’m going to fix this.

  5. I’ve Been Hacked » Small Farm Design Says:

    [...] scale than just my site (PsionMark writes about his attack, GoogleLady writes about her attack and Jason Tan writes about his attack). But as others have pointed out this hasn’t been making any [...]

  6. hervalicio.us/blog » I just got pwn3d! Says:

    [...] before it happens to you, upgrade to WordPress 2.5 and follow these extra guidelines. Precaution is never [...]

  7. Seth Says:

    Thanks for the useful information, Jason. As another victim of this stuff, it was helpful to see some solutions.

    Out of curiosity, if the search engines were crawling through this, could it negatively impact a site's SEO/reputation/status? And if so, how do we correct that after the fact?

  8. Jon Henshaw Says:

    Seth, yes it will negatively affect your search engine performance. However, once it’s fixed, it should go back to normal within a few weeks.
