WordPress Security Breach – First Response Steps
Word gets around on the Internet quickly, but apparently not quickly enough for me. I do recall noticing somewhere a word about a small security breach in WordPress 2.8.2 a few days ago, but it wasn’t clear to me that all earlier WordPress versions were affected, so I did not rush and act right away.
Big mistake. After reading today what happened to Scobleizer (top of Techmeme, so thanks to both for the heads up), I rushed to make the most recent backup of my blog and upgrade it to WordPress 2.8.4. The upgrade itself was quick and painless (as usual with WordPress), and it has actually much improved, as auto upgrade of plugins worked flawlessly in this latest edition (haven’t tried full upgrade yet).
I thought I was out of the woods, but reading people’s comments, they mentioned an Admin account that hackers create for themselves. Not seeing anything in the Users list, I was not worried at first. But then, someone mentioned “hidden” in their comments. So I went to the WordPress tables in MySQL and FOUND A HIDDEN ADMIN account created there! Complete with evidence of the crime! The darn trick is as simple as inserting malicious JavaScript, which elevated the user to Admin, into their own First Name field!!! I promptly deleted the invader’s account, and hopefully this is the end of that (read below about other things I checked).
I must say I am disappointed with WordPress security, although it remains the easiest to use and a very fast/flexible framework for a blog/site. But, haven’t we learned from all the SQL injections in the past? Validate field lengths on the server side!!! Especially for any input fields or account registrations that are in the world-visible, unsecured area!
I know the hack was fixed in 2.8.4, and I haven’t taken the time to review how it was fixed. But, I truly hope this is something they go back and double check elsewhere, as much as possible.
I don’t know if this breach left any other backdoors on my blog, I certainly hope not. Here are some steps I took to review site integrity after following standard WordPress Upgrade instructions:
- If you do find a phantom Admin user in your wp_users table that you don’t recognize, check whether that user has a wp_user_level of 10 in the wp_usermeta table (same user_id). Record the offending user_id or IDs (if you have multiple breaches). Promptly remove all records from both tables for that user_id, obviously.
- Review all other tables, especially wp_posts, for the user_id found above (called post_author in the wp_posts table). It also helps to review any old posts and check their post_modified field, to catch any recent modifications that you didn’t perform yourself.
- Review your file system for any new files. I presume that you upgrade as per the instructions and completely wipe your old wp-admin and wp-includes directories before placing new ones there. But what about wp-content with your theme, plugins, widgets and uploads? Review these directories as much as possible!
- I have no idea how to review the wp_options table and whether anything suspicious may be lurking there. If you have suggestions on this one, post in the Comments!
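The checks above, written out as MySQL audit queries. This is an added example, not from the original post; it assumes the default wp_ table prefix, and the user_id 7 is a placeholder for whichever ID the first query turns up.

```sql
-- Added audit queries (not from the original post); assumes the default wp_ table prefix.
-- 1. Every account holding administrator rights, whether or not the Users page shows it.
SELECT u.ID, u.user_login, u.user_email, u.user_registered, u.display_name,
       lvl.meta_value AS user_level, cap.meta_value AS capabilities
FROM wp_users u
LEFT JOIN wp_usermeta lvl ON lvl.user_id = u.ID AND lvl.meta_key = 'wp_user_level'
LEFT JOIN wp_usermeta cap ON cap.user_id = u.ID AND cap.meta_key = 'wp_capabilities'
WHERE lvl.meta_value = '10' OR cap.meta_value LIKE '%administrator%';

-- 2. Profile fields carrying markup: an honest first name never contains a tag.
SELECT user_id, meta_key, meta_value
FROM wp_usermeta
WHERE meta_key IN ('first_name', 'last_name', 'nickname', 'description')
  AND (meta_value LIKE '%<%' OR meta_value LIKE '%script%');
SELECT ID, user_login, display_name, user_url
FROM wp_users
WHERE display_name LIKE '%<%' OR user_url LIKE '%<%';

-- 3. Content attributed to the suspect account (7 is a placeholder for the ID found above).
SELECT ID, post_type, post_status, post_date, post_modified, post_title
FROM wp_posts
WHERE post_author = 7;

-- 4. Anything edited in the last 30 days, to compare against edits you made yourself.
SELECT ID, post_author, post_type, post_date, post_modified, post_title
FROM wp_posts
WHERE post_modified > DATE_SUB(NOW(), INTERVAL 30 DAY)
  AND post_modified <> post_date
ORDER BY post_modified DESC;

-- 5. wp_options: the rows most worth eyeballing. Compare active_plugins against the
--    plugins you installed yourself, and make sure siteurl/home are still your own.
SELECT option_name, option_value
FROM wp_options
WHERE option_name IN ('siteurl', 'home', 'active_plugins', 'admin_email',
                      'users_can_register', 'default_role')
   OR option_value LIKE '%<script%';

-- 6. Once confirmed, remove the account from both tables (the post's own advice).
-- DELETE FROM wp_usermeta WHERE user_id = 7;
-- DELETE FROM wp_users    WHERE ID = 7;
```

Run these against a backup copy first if you are unsure; the two DELETE statements stay commented out until you have recorded the offending IDs.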
Here are some more links to review from experts, to fortify your site as much as possible. Of course, you may also reconsider moving to the relative safety and simplicity of a hosted blog, such as WordPress.com and others.
Me, I prefer the “fun” of messing with my own site, and having complete control, seemingly.
UPDATE: Found another, older post, but with more good suggestions there. For example, I did review my .htaccess file and found it a bit suspicious, so I replaced it. I just forgot to explicitly mention it above. Better stay alert!
UPDATE2: I am still lurking around the Net and reading up on this. It seems that the latest vulnerability could also allow someone to reset the Admin password of the “default” initial WordPress account. So, I also took the precaution of resetting that password to something new ASAP. Read up more here.