WordPress Security: Tackling Backdoors, Pharma Hacks and Redirects

Every now and then, a story pops up about a WordPress website being compromised. The causes can be many, ranging from a flawed plugin to an outdated version of WordPress, and the results include backdoors, Pharma hacks and malicious redirects. All said and done, if you are running a WordPress website, it is your task to ensure that your site is in good health and safe from malicious hackers.

However, security with WordPress involves many steps to take and still more things to keep in mind. In this article, I shall be taking a look at some common security issues, malware infections and security tools for WordPress users.

Overview

Often, WordPress is criticized for lacking security features. You can argue for or against this all you want, but at the end of the day, software is only as secure as the user’s ability to keep it secured. It is the end user’s responsibility to ensure that WordPress is updated and that the themes and plugins in use are not shady or spammy.

So, why exactly is WordPress the victim of so many security attacks?

First up, like I said above, not everyone is enthusiastic about keeping WP updated. Forget casual users, even big names and industry leaders are not the best at updating WordPress. Need an example? Reuters was hacked in 2012, and it was later revealed that the website was running WordPress 3.1.1 (instead of 3.4.1, the latest version at the time).

As and when security flaws are discovered, the WP team rolls out a security update. After that, it is the user’s responsibility to apply it to his or her WP installation.

The second bunch of security issues in WordPress is born out of shady themes and plugins. There are many themes in the official repository, and many premium ones from reputable vendors. Such themes are good from the security perspective: clean code, regular updates, and so on. The problem arises when you install themes or plugins downloaded from, well, evil sources. Themes from reputable providers have a further advantage over shady ones: the developers keep them updated to stay compatible with the latest security fixes. Obviously, keeping themes and plugins updated is very important.

The third, and probably the biggest reason, is the popularity of WordPress. Considering the fact that WP is the world’s most used CMS, it is an easy and natural target for malicious hackers. The logic is simple: if you are the bad guy, you will obviously prefer to break into the software that powers millions of websites. If you master the software, you have millions of sites at your disposal! This is also the reason why Windows and Mac users encounter more viruses than Linux and UNIX folks.

Where Do We Begin?

The main aim behind this article is not simply to provide you with numerous ways to harden your WP installation and modify weak parts. We shall also be trying to walk our way through some of the most common types of attacks and security issues: what they are, how they occur, tools that can help you to avoid them and/or clean them, and so on.

That said, if you are looking for a starting point for your security campaign, or would be interested in ensuring that you have not left any backdoors open, I would suggest this article on the WordPress Codex that talks about hardening WordPress from a security perspective. Furthermore, if you are worried about the importance of keeping WordPress updated, having good passwords, and wish to learn how to tweak your table prefixes as well as restrict access to your admin directory, check out this awesome security guide.

Securing WordPress: The Preamble

It is not easy to talk about security issues with certainty or absolutism. Just as web technology keeps evolving, so do attacks. Malicious hacking can have various motives: political (which may mean your website is made to support causes without your knowledge), sheer fun (some people genuinely enjoy it), or, most commonly, financial gain (the DNS Changer malware earned over $14 million for its masterminds).

Plus, successful attacks tend to spread rapidly and infect millions of users within a short time. The Blackhole Exploit Kit, for instance, accounts for 28% of all web threats detected by Sophos and 91% of those detected by AVG.

The above general remarks — evolution and popularity — can be applied to WordPress threats as well. We shall now be taking a look at three of the most common security issues for WP sites: backdoors, pharma hacks, and malicious redirects.

Backdoors

What?

A backdoor is code a malicious hacker plants on your site after getting in once, whether through a flawed plugin, stolen FTP/SFTP credentials or even wp-admin, so that they can get back in later without repeating the break-in.

Obviously, backdoors can prove to be disastrous: they give the attacker the same file-system access your hosting account has, so on shared hosting every other site under that account is exposed too, resulting in multi-site damage.

Most of the time, backdoors are obfuscated or encoded, though nowadays some backdoors look like legitimate code (a plausibly named function inside a plugin, for instance). Some WP-only backdoors are hidden in the database rather than on disk.

How?

Backdoors generally arrive through outdated software or shady scripts. Remember the TimThumb script fiasco? The flaw in that image-resizing script let attackers upload arbitrary PHP files to the server, and that is exactly how backdoors were planted on numerous WordPress websites.

The easiest way to locate a backdoor infection is to look for files in your WP installation that should not really be there: you know, the ones named php3.php or crucial-wp.php!

You should know that a .php file in your /uploads directory is, in all likelihood, a backdoor: WordPress stores media there, never code.

However, sometimes backdoors may conceal themselves within an otherwise legitimate file. You can figure out by taking a look at your files, though often, encrypted/encoded backdoors are not the easiest to detect. However, online tools such as Sucuri SiteCheck (discussed later in this article) can detect a good number of backdoor threats.

Prevention and Cure

Luckily, prevention or removal of backdoors is easier than detection. You can minimize the chances of backdoor attacks by limiting access to your website’s core files: using two-factor authentication or restricting access to admin on the basis of IP address is a wise choice. Both of these methods have been described in the security article linked to above.

Plus, you can stop PHP files from being served out of a directory that should only ever hold static files, such as wp-content/uploads, by creating an .htaccess file in that directory containing:

<Files *.php>
Deny from All
</Files>

Do not put this in the site root .htaccess, or nothing on the site will run. On Apache 2.4 the equivalent directive is "Require all denied". Note that this blocks execution of a dropped file through the web server; it does not prevent the file from being written, so it is a second line of defence, not a substitute for cleanup.

Also, if you have shell access to your server, search the tree for eval(): an eval() whose argument comes from base64_decode() (or gzinflate(), str_rot13() and similar decoders) is almost always a backdoor, since legitimate WordPress code has no reason to execute decoded strings. Canton Becker has an example of code that is affected by a backdoor hack.

Pharma Hacks

What?

A Pharma Hack is more of a spam menace than malware. The spam is generally about Viagra, Levitra and other “pharmaceuticals.” Regardless, being seen as a spam distributor is not good, and search engines can penalize your website too.

What makes a Pharma Hack more dangerous is that it is cloaked: the spam is served to search-engine crawlers but not to ordinary visitors, so it shows up in Google’s index long before anyone notices it on the site. If affected, your website may be tagged in Google search results as, “This website may be compromised.” CrackUnit.com, a rather popular site, once suffered a Pharma Hack (notice the “Zopiclone” pharmacy title):

CrackUnit was once a victim of a Pharma Hack.

Also, many Pharma Hacks target only the most popular pages of your website. As a result, browsing your own site will reveal nothing abnormal; the spam shows up in your pages’ titles and snippets in search results. Fetching a page with a crawler user agent, or looking at Google’s cached copy of it, is the quick way to see what the search engine sees.

How?

So, how do you detect if your website is affected by a Pharma Hack?

Most of the time, a Pharma Hack has two separate parts: malicious code planted within one of your WP plugins, and a hack in the database. Just like backdoors, Pharma Hacks rely on eval() and base64_decode(), though here the encoded strings are stored in the WP database, in the wp_options table, and the plugin-side code fetches and executes them.

Thus a Pharma Hack uses two footholds: one inside a plugin, and another in the database. Cleaning only one of them lets the other restore it, which is why both have to go.

Prevention and Cure

Since a Pharma Hack targets two separate areas of your website, the cleanup will also be two-fold.

First up, you will need to ensure that your plugins are clean. Most of the time, a Pharma Hack targets Akismet (simply because almost every WP installation has it, active or inactive). While any of your plugins can be at risk, it is worthwhile to start the search from Akismet. Look for files with suspicious names, especially ones with a pseudo-extension, such as .akismet.cache.php or akismet.old.php; other names seen in the wild include class-akismet.php. Names alone are weak evidence, though: the reliable check is to download a fresh copy of the plugin from wordpress.org and compare the two directories file by file (diff -r), deleting anything that is not in the clean copy. Eliminate any suspicious files, and repeat this step for all your plugins.

If you are really paranoid about it, you can even consider eliminating all your plugins (you can re-install them later, once you have cleaned the DB too). Cleaned plugins will ensure that the immediate danger is gone, and this brings us to part two.

Step two is cleaning of the WP database (yeah, let me warn you: create a backup). The most direct way is as follows:

Navigate to phpMyAdmin, and select the infected database.

The table you are looking for is wp_options.

Select the option_name field.

Now use the Search function to locate malicious strings, such as:

  • wp_check_hash
  • class_generic_support
  • widget_generic_support
  • ftp_credentials
  • fwp
  • rss_[string]

For the last one, spare rss_use_language, rss_excerpt_length and rss_use_excerpt — these are legitimate WP entries.

If these options are present and contain gibberish (long encoded strings rather than readable settings), go ahead and delete them. One caution: ftp_credentials is also written by WordPress itself when you save FTP details for updates, so check its value before deleting it.

Sucuri has a slightly dated, though still helpful, guide to help you clean your database.

Another cleanup option is to use terminal commands such as grep to search a database dump for the spam terms themselves, but since the payload is usually base64-encoded, the spam words are not in the dump in plain text. Grepping the dump for base64_decode or eval( instead catches the loader, and decoding the long base64 strings you find reveals the spam.
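The database search above as a script, added here and not the article’s or Sucuri’s code. It applies the option names listed above and goes one step further: every value is also checked for PHP code in the clear and for base64 blobs that decode to PHP, so a payload stored under an innocent name is still caught, and rows whose only evidence is the name are marked for inspection rather than deletion. The rows are constructed sample data; feed it the real table’s option_name/option_value pairs from a dump or a SELECT.

```python
"""Triage of wp_options rows for Pharma Hack payloads (added example)."""
import base64
import binascii
import re

# Option names the cleanup guide above associates with the hack.
FLAGGED_NAMES = {"wp_check_hash", "class_generic_support",
                 "widget_generic_support", "ftp_credentials", "fwp"}
# rss_* rows the article says WordPress creates itself; anything else under
# rss_ is suspect. Compare against a clean install of your own version.
LEGIT_RSS = {"rss_use_language", "rss_excerpt_length", "rss_use_excerpt"}

CODE_MARKERS = re.compile(
    r"(<\?php|\beval\s*\(|base64_decode|gzinflate|str_rot13|\$_(GET|POST|REQUEST|COOKIE)\b)",
    re.I)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decoded_blobs(value):
    """Yield the plaintext of every base64-looking run inside a value."""
    for m in B64_BLOB.finditer(value):
        blob = m.group(0).rstrip("=")
        blob += "=" * (-len(blob) % 4)
        try:
            yield base64.b64decode(blob).decode("latin-1")
        except (binascii.Error, ValueError):
            continue


def classify(option_name, option_value):
    """Return (verdict, reasons) for one row.

    'delete'  -> the value itself carries PHP, encoded or not
    'inspect' -> only the name matched; look before you delete (WordPress
                 writes ftp_credentials legitimately when you save FTP
                 details for updates)
    'ok'      -> nothing found
    """
    reasons = []
    if option_name in FLAGGED_NAMES:
        reasons.append("name on pharma list")
    elif option_name.startswith("rss_") and option_name not in LEGIT_RSS:
        reasons.append("unexpected rss_* name")
    payload = False
    if CODE_MARKERS.search(option_value):
        reasons.append("php in value")
        payload = True
    elif any(CODE_MARKERS.search(t) for t in decoded_blobs(option_value)):
        reasons.append("base64-encoded php in value")
        payload = True
    if payload:
        return "delete", reasons
    return ("inspect" if reasons else "ok"), reasons


def triage(rows):
    """Map option_name -> (verdict, reasons) for every row that is not ok."""
    out = {}
    for name, value in rows:
        verdict, reasons = classify(name, value)
        if verdict != "ok":
            out[name] = (verdict, reasons)
    return out


def b64(s):
    """Helper used only to build the sample payloads below."""
    return base64.b64encode(s.encode()).decode()


# Constructed sample rows: three planted payloads, one legitimate row that
# happens to carry a flagged name, and ordinary settings.
SAMPLE_ROWS = [
    ("siteurl", "http://example.com"),
    ("rss_use_excerpt", "0"),
    ("ftp_credentials",
     'a:3:{s:8:"hostname";s:11:"example.com";s:8:"username";s:5:"admin";'
     's:15:"connection_type";s:3:"ftp";}'),
    ("wp_check_hash", b64("eval($_POST['cmd']);")),
    ("rss_3f2a9c01", b64("<?php echo '<a href=http://pharm.example>buy viagra</a>';")),
    ("class_generic_support", "eval(base64_decode('ZmFrZQ=='));"),
]


if __name__ == "__main__":
    for name, (verdict, reasons) in triage(SAMPLE_ROWS).items():
        print(f"{verdict:8} {name}: {'; '.join(reasons)}")
```

The verdict split matters in practice: a name match alone is grounds to look, a decoded payload is grounds to delete, and a row like the legitimate ftp_credentials above is never removed on the strength of its name.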

Malicious Redirects

What?

As the name suggests, a malicious redirect sends the visitor to a different website. Such redirects can affect your primary domain as well as your sub-domains. It is often assumed that they lead only to malicious websites or harmful content, but that is not entirely true: a malicious redirect might send users to a site that is simply full of advertisements, maybe even adult content, where the target is just a placeholder for ads and may or may not carry malicious code. Either way, losing your traffic is not a good thing, is it?

Furthermore, most of the time, the redirection is rather simple: visitors to your website named wordpressblog.com may be redirected to wordpressblog.com/new.php — in this case, the contents of new.php might just be adverts or even malicious code that you never placed there.

How?

Most malicious redirects occur on old versions of WordPress with security flaws that let malicious hackers gain access and plant a backdoor. Once again, the foothold could be anything: FTP, SFTP or even your WordPress admin. Once access is gained, it is trivial to add redirection code to your website.

Detection is not difficult. Most of the time, such redirects live in your .htaccess file, and they are usually wrapped in a RewriteCond that matches only a search-engine referer or a particular user agent, so that you, typing the address directly, never see the redirect. Look for something that resembles this:

RewriteRule (.*)$ http://site-url.com/something

Beyond that, it may also be hidden in PHP files: index.php in the site root, or theme files such as header.php and footer.php, where a single injected line is enough. In such cases most of the malicious redirects are obfuscated, typically base64-encoded and passed through eval(), or written as a short piece of JavaScript that rewrites the page location.

Prevention and Cure

The easiest solution to ascertain whether or not your website is a victim of a malicious redirect attempt is to use Sucuri SiteCheck. In fact, SiteCheck not only checks for URL redirects but also scans your website for many other malware hacks: backdoors, trojans, Pharma attacks, etc. It will also give you details about your website’s blacklisting status for all major security checks: Google Safe Browsing, Sophos, Norton Safe Web, McAfee Site Advisor, Phish Tank, and several others.

If your .htaccess file is compromised, you will need to remove any redirects that you did not add to it yourself. The most direct way to do it is to scroll through the file, look for rewrite rules such as the one above, and delete them. To make your life easier, Paul Maloney has a guide about securing WP using .htaccess.
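A script for the .htaccess review described above, added here and not the article’s or Paul Maloney’s code. It pairs each RewriteRule with the RewriteCond lines that precede it (Apache applies conditions only to the rule that follows them), reports every rule whose target is an absolute URL on a host you do not own, and shows which conditions gate the redirect, which is how a referer-cloaked rule of the kind shown above gives itself away. The .htaccess text and the host names are constructed sample data.

```python
"""Find .htaccess rewrite rules that redirect visitors off-site (added example)."""
import re
from urllib.parse import urlsplit

ABSOLUTE_URL = re.compile(r"^https?://", re.I)
# Condition variables that typically mean "only for some visitors".
GATING_VARS = ("HTTP_REFERER", "HTTP_USER_AGENT", "HTTP_COOKIE", "REMOTE_ADDR")


def parse_rules(text):
    """Return every RewriteRule as a dict with its pattern, target, flags
    and the RewriteCond lines that apply to it."""
    rules, pending = [], []
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            pending.append(" ".join(parts[1:]))
        elif directive == "rewriterule" and len(parts) >= 3:
            rules.append({
                "pattern": parts[1],
                "target": parts[2],
                "flags": parts[3] if len(parts) > 3 else "",
                "conds": pending,
            })
            pending = []  # conditions bind to the next rule only
    return rules


def find_external_redirects(text, own_hosts):
    """List rules whose target is an absolute URL on a host outside own_hosts."""
    findings = []
    for rule in parse_rules(text):
        if not ABSOLUTE_URL.match(rule["target"]):
            continue
        host = (urlsplit(rule["target"]).hostname or "").lower()
        if host in own_hosts:
            continue
        gates = [c for c in rule["conds"] if any(v in c.upper() for v in GATING_VARS)]
        findings.append({
            "pattern": rule["pattern"],
            "target": rule["target"],
            "host": host,
            "gated_by": gates,
        })
    return findings


# Constructed sample: the stock WordPress block, an injected referer-gated
# redirect of the kind shown above, and a legitimate redirect to our own host.
SAMPLE_HTACCESS = """
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\\. [NC]
RewriteRule (.*)$ http://site-url.com/something [R=301,L]
RewriteRule ^old-page$ http://www.example.com/new-page [R=301,L]
"""

if __name__ == "__main__":
    own = {"example.com", "www.example.com"}
    for f in find_external_redirects(SAMPLE_HTACCESS, own):
        print(f"{f['pattern']} -> {f['target']} (gated by: {f['gated_by'] or 'nothing'})")
```

Run it over the real file with your own domains in own_hosts; a rule that sends everyone who arrived from a search engine to a host you do not recognise is exactly what the "This website may be compromised" warning is built on, and it is the rule to delete.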

Useful Tools and Resources

Now that we have covered the major security issues, how about we take a look at some useful tools and plugins?

Apart from Sucuri SiteCheck, a very helpful online tool that you can use to check the health of your website is Unmask Parasites.

Unmask Parasites Website Scan

Unmask Parasites can give you detailed info about potential malware that may be hidden in your WordPress installation, as well as show the blacklist/whitelist status of your website with the likes of Google Safe Browsing and other such services. Plus, Unmask Parasites also has a handy guide to help you understand Google’s various security warnings.

WordPress Plugins

1. Sucuri Security: SiteCheck Malware Scanner

Sucuri Security: SiteCheck Malware Scanner is a WordPress plugin to help you scan your website using Sucuri’s online scanner, right from your WP admin panel itself! Apart from the standard online checks, it can also help you detect website-specific issues and potential red flags such as IP cloaking, PHP mailers, drive-by downloads, etc.

WordPress-specific features include verification of the WP version, protection of the /uploads directory, restricting access to /wp-content and /wp-includes, and checking for the latest version of PHP.

2. Duo Two-Factor Authentication

Duo Two-Factor Authentication adds a second step to the login process. The first step is the password; for the second step your users will need to sign up with Duo Security (you can specify which roles have to go through the process: admins, editors, authors, etc.).

Once done, your users can generate one-time passcodes to login to your website, or use the mobile app or even have a call-back with a passcode — this is comparable to Google’s two-step verification process.

3. WebsiteDefender WordPress Security

WebsiteDefender WordPress Security helps you monitor the security settings for your WP site. It can remove the WP version from public pages, add or hide meta tags, hide WP update info from non-admin users, and even disable PHP or database error reporting. It can also rename the table prefix for your database and comes loaded with a password generator. For advanced features, you can sign up for a paid account with WebsiteDefender.

Other security plugins from the same developer include WP Security Scan and Secure WordPress.

4. Theme Check

Theme Check can help you verify that your theme meets the latest WordPress Coding Standards.

5. Plugin Check

Just like Theme Check, Plugin Check verifies that your plugins follow the WordPress coding standards.

What do you think of the above mentioned security issues and tools? Got a WP-related security tip of your own? Share it with us in the comments below!

Image credits: JermJus Iain Tait Fristle Salavat Khanov


Comments (15)

  1. May I recommend the Wordfence plugin?
    It does roughly what Sucuri does and more. I.e. blocks logins after X attempts, compares themes/plugins with the originals from the wordpress DOT org repository, etc.

  2. I like Wordfence as well. I didn’t see a significant increase in load but I’m sure there is some. You can set it to run specific times or even throttle back the amount of bandwidth it uses. I haven’t played with every feature, but it’s found and blocked a few attacks already for us.

    • The ajax maxed out my CPU. Something is buggy with this script. There are many posts about it in the forum. I’m not sure if it’s a server-specific problem, or what. I’ve also seen reports of it maxing out memory. I can’t verify that one since it isn’t an issue on my VPS.

      Unfortunately, it appears to be largely unsupported. The author hasn’t responded to anyone in almost two weeks via the forum.

      Too bad. I love the plugin (when it works), and I was going to buy a pro license for it.

      • I’m the author, Mark Maunder. Wordfence is actively being developed, improved and supported.

        http://wordpress.org/extend/plugins/wordfence/stats/

        The Ajax issue you’re mentioning has been reported to us by someone running a Windows server which is unfortunately not a platform officially supported by us. We haven’t had any reports from Linux users with the same issue.

        However, we listen to all our users, so a release 2 weeks ago allowed you to modify the refresh rate at which these AJAX requests occur to reduce load – in case you are running Windows.

        Our Pro customers receive priority email support from us. The forums are a community supported resource.

        Regards,

        Mark Maunder.
        Wordfence creator and Feedjit Inc. CEO.

        • Hi Mark,

          I’m on a Linux VPS and have experienced the ajax problem. I did leave a message in the forum about it, but I was unaware that it was essentially community support.

          Glad to hear that it’s still being developed though. =)

          It really is a great all-around plugin.

    • I used to use Login Lockdown but after seeing that it had not been updated in 2 years I went looking for a newer plugin and found Wordfence. After talking to another developer I was assured that Login Lockdown was still a great option and just because it had not been updated did not necessarily mean that it was any less effective. I’ve since gone back to Login Lockdown and have been happy with it since.

  3. “This is also the reason why Windows and Mac users encounter more viruses than Linux and UNIX folks.”

    This is a common misconception, but it’s totally wrong. Yes, personal computers are usually running Windows or Mac. But Unix accounts for ~64% of webserver operating systems, with about half of that being Linux.

    If you want to hack into computers, make viruses for them or whatever, webservers make a very attractive target, so it’s simply not true that there are fewer viruses for Unix because it doesn’t present an attractive target to attackers.
