Trying to upgrade since the header file got hacked again today. Sorry for the interruptions. Hope to have things back to normal in a bit.
ETA: ok. turned the plugins back on for now. Things should look ok again. We’ll keep an eye on things and replace the header again if need be. Upgrades seem to be stalling out for no apparent reason.
Sorry, the comment form is closed at this time.
| Cookie | Duration | Description |
|---|---|---|
| cookielawinfo-checkbox-advertisement | 1 year | The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement". |
| cookielawinfo-checkbox-analytics | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics". |
| cookielawinfo-checkbox-functional | 11 months | The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional". |
| cookielawinfo-checkbox-necessary | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary". |
| cookielawinfo-checkbox-others | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other. |
| cookielawinfo-checkbox-performance | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance". |
| viewed_cookie_policy | 11 months | The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data. |
| Cookie | Duration | Description |
|---|---|---|
| lang | session | This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website. |
| __cf_bm | 30 minutes | This cookie is set by CloudFlare. The cookie is used to support Cloudflare Bot Management. |
| Cookie | Duration | Description |
|---|---|---|
| CONSENT | 16 years 4 months 16 days | These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video. |
| Cookie | Duration | Description |
|---|---|---|
| IDE | 1 year 24 days | Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile. |
| test_cookie | 15 minutes | This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies. |
| VISITOR_INFO1_LIVE | 5 months 27 days | This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website. |
| YSC | session | This cookies is set by Youtube and is used to track the views of embedded videos. |
| yt-remote-connected-devices | never | These cookies are set via embedded youtube-videos. |
| yt-remote-device-id | never | These cookies are set via embedded youtube-videos. |
| Cookie | Duration | Description |
|---|---|---|
| _ir | session | The cookie is set by Pinterest. We do not know the exact purpose of the cookies. |
hacked? wha?
There is apparently a vulnerability in WordPress which allows injection of spam into the header.php file. Some of the (many) links on it:
http://wordpress.org/support/topic/138376
http://robertogaloppini.net/2007/12/12/wordpress-spam-injection-goro-hacked-my-blog/
http://gordon.dewis.ca/2008/01/06/expunging-the-wordpressnetin-spam-injection-hijack/
So far it has happened to us twice in the last week, and may have been part of why the blog was broken last weekend.
There was a vulnerability to SQL-injection through version 2.1.1:
http://luiscosio.com/0day-exploit-for-wordpress-211
Upgrading will fix it, but if you were already compromised then you should change your admin password, first thing. I’ll wait here.
Ok, done?
You might still be at risk due to code in your database. Upgrading beyond 2.1.1 will stop it happening again, but it won’t remove any code already in there.
The link you posted to Roberto Galoppini’s page explains what to look for and how to delete it… mind, your malicious code isn’t necessarily the same malicious code that he got, so you really have to look for “stuff like that” rather than that, exactly.
Last, check you footers.php file, too. Or heck, check all the theme’s files, why not?
That and a WP install should do you. I definitely recommend the “delete all existing files except content, then ftp the new versions files over.” You could set your ftp client to “always over-write” (probably it defaults to “only if newer”), but in the event a file was removed from the project between your old version and the new one, you don’t want it hanging-around doing nothing.
If deleting wp_header() from your header.php file was part of your solution, you’ll want to put that back in there. Lots of plugins won’t work or won’t work right unless it is there.
…
This assumes none of your plugins were the actual source of the vulnerability. Being paranoid, I’ll likely go through them all line by line. Probably just as effective would be to Google for the plugin name and ‘vulnerability’ or ‘SQL injection’ or maybe even “+plugin-name +header.php”.
But since 2.1.1 and under were vulnerable and your cached page on Google reports version 2.1 – seems unlikely your vulnerability was not WP itself.
Simple little things you can do to harden your WP install:
1. Delete your ‘admin’ user, if you haven’t already (make a new user with a secret user-name and admin rights first).
2. Edit your header.php where there’s a comment:
<!– leave this for stats please –>
… remove the WP version number it is asking you to leave, and add your own comment there:
<!– Sorry, but no –>
You need to not be hacked more than anyone needs to know which vulnerabilities you are offering to hackers (aka your version number).
Besides, providing data for stats or anything should be an opt-in affair, not opt-out requiring php editing. So there’s that reason to remove it even if removing it for security reasons feels sleezy.
I mean, that only works because it is an obfuscated opt-out affair, meaning lots of people would leave it even without the “please”, meaning your benefit comes at their expense.
This conclude my being on-topic.
It’s sort of how home security stickers on your windows provides security by making your house seem relatively less vulnerable than your neighbors’.
They always say, “Sure, no system provides absolute protection, but if Joe Sixpack had an alarm system sticker on his window, maybe the victim of this crime would have been the next house down the road.” They say that without any shame, admit boldly that their alarm system works because your neighbor doesn’t have one.
I always think, “How do they know Joe Sixpack’s home wasn’t the next one down the road?”
They can’t possibly believe the robbers will move on indefinitely, have already confessed their service relies on your neighbors’ exposure, yet every single time they’ll chastise Joe as though he did something stupid, when their security depends utterly on guys like Joe.
If he’d had a security system, maybe the next house would have been robbed, but then they’d just be saying the same thing about that home’s owner, eh?
Also I am suspicious of them never talking about all the people with security systems whom have not been robbed. That’s what you really want it to do, right? Ok, we get it, people without it get robbed… but that only implies the people with it do not. They never say that.
What’s up with that? Since when is sufficient such a claim as “Not using my product has proven to be ineffective at improving your girth and length.”?
END OF COMMUNICATION
Thanks for the advice Jeff! The second time it happened, btw, the blog was already running 2.2.3; so it may be that the code is still in the DB. We’ll go looking!
[…] read the advice from Jeff Freeman in the last post on […]
[…] Jeff Freeman is nice, thanks. Although I’m linking to Raph’s blog for some reason. […]