WordPress iframe Redirect Hack!

I was just reading up on a new hack going around for WordPress. Sure enough, a day later I found this on my site. It is a nasty little script that redirects the visitor to another site. The script gets embedded in the header.php file of your WordPress theme, right after the </head> tag and right before the <body> tag.

I have the most recent version of WordPress too. I had heard of some security holes in the previous version, so I did what any other good developer would do and upgraded the software. However, my theme was still attacked. The code looks like a long line of JavaScript between two script tags. It is pretty hard to miss when you open your header.php file.

I have seen another one that hit WordPress blogs. That hack looks similar to this one, but it targets the index files on the server and injects a similar line of script at the end of your index file. Another WordPress hack was to add a file to the root of your theme directory which would allow the hacker access to your server.

If someone wants to get to your files badly enough, they will, but you don't have to make it easy for them. Here are some changes you can make to your site if you have been hacked, or even if you just want to update your WordPress!

1. Upgrade your version of WordPress.

2. Exploit Scanner – There are several scanner tools, but this is the one I liked. You can download and install a WordPress plugin that will scan your WordPress files, database tables, and plugins for anything out of the ordinary. It will not remove any files for you; it leaves that to the user. You can even set how much memory the scan may use if you're on a host with limited access. Run this scan on your site.

3. Change your .htaccess file – There is a hack that adds new items to this file. The original .htaccess should look like this:
# BEGIN WordPress
<ifmodule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</ifmodule>
# END WordPress

The hacked addition looks like this:
<ifmodule mod_security.c>
<files async-upload.php>
SecFilterEngine Off
SecFilterScanPOST Off
</files>
</ifmodule>

4. Check that no new users have been added to your WordPress. Changing your passwords should be a must. Having a hard time coming up with secure passwords? I love this site for creating long, crazy passwords.

5. Update or add the SECRET_KEY in your wp-config.php file. If you have never done this, open the wp-config.php file in your WordPress root and follow the comments on where to get this updated.
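As an added example (not code from the original post), here is a small shell script that checks for the things described above on a WordPress install: a <script> tag wedged between </head> and <body> in the theme's header.php, a script tag in a root index file, and an .htaccess that differs from the stock block or contains the mod_security-disabling lines shown in step 3. The sample files it writes to a temp directory are constructed for the demonstration; point the check functions at your real theme and root files instead.

```shell
#!/bin/sh
# Added example, not from the original post: flag the indicators the post
# describes on a WordPress install. All file paths and sample contents below
# are constructed for the demonstration.

# Lower-case the input and strip blank lines and surrounding whitespace so two
# .htaccess files can be compared regardless of case and spacing.
normalize() {
    tr 'A-Z' 'a-z' | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# The stock WordPress .htaccess block, as shown in the post.
DEFAULT_HTACCESS='# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress'

# Returns 0 if header.php carries a <script tag between </head> and <body>.
check_header_injection() {
    tr -d '\n\r' < "$1" | tr 'A-Z' 'a-z' \
        | sed -n 's:.*</head>\(.*\)<body.*:\1:p' \
        | grep -q '<script'
}

# Returns 0 if a root index file contains a <script tag (the stock one has none).
check_index_script() {
    grep -qi '<script' "$1"
}

# Returns 0 if .htaccess differs from the stock block (ignoring case/whitespace).
check_htaccess_modified() {
    actual=$(normalize < "$1")
    expected=$(printf '%s\n' "$DEFAULT_HTACCESS" | normalize)
    [ "$actual" != "$expected" ]
}

# Returns 0 if .htaccess turns off mod_security filtering, as in the hacked addition.
check_htaccess_secfilter() {
    grep -qiE 'secfilter(engine|scanpost)[[:space:]]+off' "$1"
}

# Run all checks on one header.php, index.php and .htaccess; non-zero if anything is flagged.
report() {
    flagged=0
    check_header_injection "$1" && { echo "  header.php: <script> between </head> and <body>"; flagged=1; }
    check_index_script "$2" && { echo "  index.php: unexpected <script> tag"; flagged=1; }
    check_htaccess_modified "$3" && { echo "  .htaccess: differs from the stock WordPress block"; flagged=1; }
    check_htaccess_secfilter "$3" && { echo "  .htaccess: mod_security filtering disabled"; flagged=1; }
    return $flagged
}

# Constructed sample files: one clean set and one matching the post's description.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CLEAN_HEADER="$WORK/clean_header.php";   HACKED_HEADER="$WORK/hacked_header.php"
CLEAN_INDEX="$WORK/clean_index.php";     HACKED_INDEX="$WORK/hacked_index.php"
CLEAN_HTACCESS="$WORK/clean_htaccess";   HACKED_HTACCESS="$WORK/hacked_htaccess"

printf '%s\n' '<html>' '<head><title>Blog</title></head>' '<body>' > "$CLEAN_HEADER"
printf '%s\n' '<html>' '<head><title>Blog</title></head>' \
    '<script>window.location="http://example.invalid/";</script>' '<body>' > "$HACKED_HEADER"
printf '%s\n' '<?php' 'define("WP_USE_THEMES", true);' 'require("./wp-blog-header.php");' > "$CLEAN_INDEX"
{ cat "$CLEAN_INDEX"; echo '<script>window.location="http://example.invalid/";</script>'; } > "$HACKED_INDEX"
printf '%s\n' "$DEFAULT_HTACCESS" > "$CLEAN_HTACCESS"
{ printf '%s\n' "$DEFAULT_HTACCESS"
  printf '%s\n' '<ifmodule mod_security.c>' '<files async-upload.php>' \
      'SecFilterEngine Off' 'SecFilterScanPOST Off' '</files>' '</ifmodule>'
} > "$HACKED_HTACCESS"

echo "Clean sample:";  report "$CLEAN_HEADER" "$CLEAN_INDEX" "$CLEAN_HTACCESS" && echo "  nothing flagged"
echo "Hacked sample:"; report "$HACKED_HEADER" "$HACKED_INDEX" "$HACKED_HTACCESS" || echo "  review the files above"
```

The .htaccess comparison is deliberately strict: anything beyond the stock block is flagged, so a site with legitimate custom rules will need its own known-good copy substituted for DEFAULT_HTACCESS. The header and index checks are heuristics that catch the pattern described in the post, not a substitute for the plugin scan in step 2.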

WordPress does promote some security updates; you can find them here for more information. You can also go to the WordPress site, which has an article about Hardening WordPress.

Best wishes and keep on blogging!
Cheers :)
