Browse: Home / WordPress / WordPress Code Injections – A New Threat

WordPress Code Injections – A New Threat

By • June 12, 2010

Code InjectionOne of my clients has a rather popular sports site on based on WordPress. The site is up-to-date and running on DV server. A few weeks ago malicious code starting to appear on the site setting off warnings from anti-virus programs that monitor websites.

Sometimes, entire files are uploaded that contain malicious scripts. Most of the time, however, JavaScripts are appended to existing PHP or HTML files. One of the favorite targets is the WordPress index file (index.php). A self-executing JavaScript is added after the closing ?> tag. How they append the file is a bit of a mystery as permissions are correctly set at 644. The purpose of the malicious code seems to vary. Some code attempts to spread worms/trojans, steal passwords, or re-direct to spam sites (meds).

The best defense is a good file monitoring plugin such as WordPress File Monitor. This plugin monitors the file system for added/deleted/changed files and sends you an email when a change is detected. You can exclude certain folders or files. Still, you will get notification emails when you update plugins or work on a theme. This is a small price to pay for the knowing when a file has been changed by someone else.

WordPress File Monitor will not tell you if you have infected files already. You need to use it to prevent future attacks. If your site is already infected, you can re-install WordPress. Then, replace your plugin files and possibly theme files. If your site is clean now, it’s much easier to keep it that way with WordPress File Monitor.

Powered by Gregarious (42)
Share and enjoy:
  • Digg
  • del.icio.us
  • Technorati
  • YahooMyWeb
  • Slashdot
  • Reddit
  • blogmarks
  • Furl
  • SphereIt
  • StumbleUpon
  • E-mail this story to a friend!
  • LinkedIn

Categories: WordPress
Tags:

4 Responses to “ WordPress Code Injections – A New Threat ”

  1. Tejas Ramakrishnan Sept. 23, 2010 at 2:41 a.m.

    Also, another good idea is using security plugins like invisible defender, and also, try security scan. It scans each file to make sure they are in the correct state and form.

    I think, they might have got a server access using XSS or SQL injection. Getting the site rescanned from organisations with more experience in these type of issues will be a good idea.

  2. potenzmittel Nov. 18, 2010 at 1:11 a.m.

    It sounds like you’re creating problems yourself by trying to solve this issue instead of looking at why
    their is a problem in the first place

  3. blogging resources Dec. 17, 2010 at 3:34 p.m.

    What does the above commenter mean..? Is he referring to my comment or the post..?

    If it is to a problem in wordpress, then i would like to say that my is a good one, as security is concerned. WordPress script is one of the most secure ones, and this post shows some rare failures the script has. Actually, the post is very good one. think the above poster was just for the sake of commenting.

  4. Louvenia Stoot Dec. 20, 2010 at 2:50 p.m.

    No, it means we screwed up the weather system so badly that its cold rather than hot. This just means its going to be hot where its supposed to be cold…

« »