More Wordpress Hack Problems

11 replies
After reading through a few long threads about Wordpress Security I think it is safe to say it can be a huge problem for a lot of us using Wordpress, especially for the people who aren't technically savvy. I came across a post about another issue you have to worry about for your Wordpress sites.

Now, this kind of issue is a scary one. You could have your install locked up like Alcatraz and you still aren't completely safe from exploits. Although this has probably been discussed before here I think it is worth bringing up again.

If you are downloading themes and plugins you have to be careful who you are getting them from. A site called WPSphere (I am not going to link to it you can Google it to check it out) is releasing free themes with a nasty little twist. They are injecting malicious code into the header files.

"I think the potential for abuse of this script is huge. I see it as a covert channel to set up Word Press enabled sites as thin zombies. The code being sent back to the server and eval'd could be a mailing script for spam or phishing."
This quote is by a guy named Paul Carrol, a coder who found the exploit in a theme he downloaded.

The lesson in all of this is you need to know what the normal default coding looks like for Wordpress if you want to stand a chance at not having this happen to you. You don't need to be a programmer to go through the files to see if you have anything suspicious in the coding. The malicious code might not always stick out like a sore thumb like this does, but get an idea of how Wordpress works to keep yourself safe. You might want to check your sites if you downloaded any themes that weren't from the developer's site.

I included a screenshot of what this code looks like.
#hack #problems #wordpress
  • Joe721
    Very helpful image there - you can just search all php theme files for "base64_decode", but use an editor to do this.
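As an added illustration of Joe721's suggestion (this is example code written for this thread, not code from the forum, from WordPress or from any theme), the Python script below walks a theme directory, flags the decode-and-eval constructs described in the first post, and grades each file. The indicator list, the `risk_level` grading and the two sample header files are my own assumptions; the "injected" sample only decodes the string "hello".

```python
"""Added example: scan a WordPress theme directory for the obfuscation
indicators discussed in the thread (eval of base64/gzinflate payloads).
Illustrative code, not part of WordPress or any theme."""
import os
import re
import tempfile

# Assumed indicator list: functions that typically decode or decompress a
# hidden payload, plus eval() which executes it. A long base64-looking
# string literal is the "sore thumb" the screenshot in the first post shows.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\(", re.IGNORECASE),
    "base64_decode": re.compile(r"\bbase64_decode\s*\(", re.IGNORECASE),
    "gzinflate": re.compile(r"\bgzinflate\s*\(", re.IGNORECASE),
    "str_rot13": re.compile(r"\bstr_rot13\s*\(", re.IGNORECASE),
    "long_base64_literal": re.compile(r"['\"][A-Za-z0-9+/]{120,}={0,2}['\"]"),
}

def scan_php_source(source):
    """Return [(line_number, indicator_name), ...] for one file's text."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits

def risk_level(hits):
    """Grade a file's hits (assumed heuristic, not a WordPress rule).
    A decoder/inflater feeding eval() is the pattern from the thread: high.
    A lone base64_decode may be a legitimate encoded footer credit: review."""
    names = {name for _, name in hits}
    if "eval" in names and names & {"base64_decode", "gzinflate", "str_rot13"}:
        return "high"
    if names:
        return "review"
    return "clean"

def scan_theme_dir(root):
    """Walk a theme tree; map each .php file with findings to (level, hits)."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            if not filename.endswith(".php"):
                continue
            path = os.path.join(dirpath, filename)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_php_source(fh.read())
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                report[rel] = (risk_level(hits), hits)
    return report

# Constructed sample files; the "injected" one mimics the decode-and-eval
# shape described in the thread, but the payload is just the string "hello".
CLEAN_HEADER = "<?php wp_head(); ?>\n<body <?php body_class(); ?>>\n"
INJECTED_HEADER = (
    "<?php wp_head(); ?>\n"
    "<?php\n"
    "$p = 'aGVsbG8=';\n"
    "eval(base64_decode($p));\n"
    "?>\n"
)

def demo():
    """Build a throwaway theme tree with one clean and one injected file and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "inc"))
        with open(os.path.join(tmp, "header.php"), "w") as fh:
            fh.write(INJECTED_HEADER)
        with open(os.path.join(tmp, "inc", "helpers.php"), "w") as fh:
            fh.write(CLEAN_HEADER)
        return scan_theme_dir(tmp)

if __name__ == "__main__":
    for path, (level, hits) in demo().items():
        print(f"{level:>6}  {path}  {hits}")
```

Run it against a real theme with `scan_theme_dir("/path/to/wp-content/themes/some-theme")`. Anything graded "review" still needs a human to read the surrounding code, which is the point edynas makes below about legitimately encoded credit links; the grading only tells you where to look first.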
  • mikeyh
    Thanks for this,
    Is there a script we can use to protect from this or should we always check the header?
    • Michael D
      Originally Posted by mikeyh:

      Thanks for this,
      Is there a script we can use to protect from this or should we always check the header?
      I don't know of any scripts that will do this although there may be one out there. This isn't just limited to a header file either. Also, this isn't the only exploit out there. The best thing you can do is get a fresh default Wordpress theme and just study it a bit. Look at how the coding works. You don't have to be a programmer to do this. More often than not when you get the themes straight from the developer you shouldn't have to worry about malicious code. Although, a very well known theme designer was including his own Google Analytics and Feedburner coding in a free theme he released. Although he claims it was an oversight we will probably never know.

      The point is to just be cautious of what you are downloading and adding to your Wordpress installs.
  • edynas
    I agree that there may be themes out there used for hacking purposes. And you should use proper caution.

    But what you show here is an encrypted part of code. There are perfectly legitimate reasons why a developer wants to use a piece of encrypted code.
    F.i. the code to make that annoying non blocking popup, corner link (like a page curling), credit links that should stay intact etc. etc.

    It's an indication at best that there might be something fishy and when you see this kind of code you have to look at your theme and see if you can logically explain why it's there.
    • Michael D
      Originally Posted by edynas:

      I agree that there may be themes out there used for hacking purposes. And you should use proper caution.

      But what you show here is an encrypted part of code. There are perfectly legitimate reasons why a developer wants to use a piece of encrypted code.
      F.i. the code to make that annoying non blocking popup, corner link (like a page curling), credit links that should stay intact etc. etc.

      It's an indication at best that there might be something fishy and when you see this kind of code you have to look at your theme and see if you can logically explain why it's there.
      I realize that some themes have encrypted code in them. But, in this particular case if you download the original theme from the author's site this code is not included. I don't think many people will come across this issue but there could be some that will and that is why I was pointing out the issue.

      Honestly, if I see any kind of encrypted coding like this in a theme I want to use I won't use it. Call me paranoid. It is fine that a developer wants to keep a link intact in the footer for credit but with the right coding they can actually use your site footer to link to any site they want and change it at anytime.
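Michael D's check above (fetch the original theme from the author's site and see whether the third-party copy differs) can be done mechanically. The following is an added example written for this thread, not code from the forum or from WordPress: it hashes every file in a reference copy and in the downloaded copy and lists what was added, removed or modified. The two sample theme trees, the file names and the `inc/extra.php` path are constructed for the demonstration and belong to no real theme.

```python
"""Added example: compare a theme downloaded from a third-party site against
a reference copy fetched from the developer's own site.
Illustrative code, not part of WordPress or any theme."""
import hashlib
import os
import tempfile

def hash_tree(root):
    """Map every file under root (path relative to root, '/' separated) to its SHA-256."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            digests[rel] = digest.hexdigest()
    return digests

def compare_trees(reference_root, downloaded_root):
    """Return files added, removed or modified in the download relative to the reference."""
    ref = hash_tree(reference_root)
    got = hash_tree(downloaded_root)
    return {
        "added": sorted(set(got) - set(ref)),
        "removed": sorted(set(ref) - set(got)),
        "modified": sorted(p for p in ref.keys() & got.keys() if ref[p] != got[p]),
    }

def write_tree(root, files):
    """Create the files in `files` ({relative_path: text}) below root."""
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)

# Constructed sample trees (hypothetical theme, not a real one). The
# repackaged copy has one altered file and one file the original never had.
REFERENCE_THEME = {
    "style.css": "/* Theme Name: Example */\n",
    "header.php": "<?php wp_head(); ?>\n",
    "footer.php": "<?php wp_footer(); ?>\n",
}
REPACKAGED_THEME = {
    "style.css": "/* Theme Name: Example */\n",
    "header.php": "<?php wp_head(); ?>\n<?php eval(base64_decode('aGVsbG8=')); ?>\n",
    "footer.php": "<?php wp_footer(); ?>\n",
    "inc/extra.php": "<?php /* file that is not in the original */ ?>\n",
}

def demo():
    """Build both trees in temporary directories and diff them."""
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as dl:
        write_tree(ref, REFERENCE_THEME)
        write_tree(dl, REPACKAGED_THEME)
        return compare_trees(ref, dl)

if __name__ == "__main__":
    result = demo()
    for kind in ("added", "removed", "modified"):
        for path in result[kind]:
            print(f"{kind:>8}: {path}")
```

For a real check, unpack the developer's download and the third-party download into two directories and call `compare_trees(reference_dir, downloaded_dir)`; any file in "added" or "modified" is where to read the code by hand. This only works when the two copies are meant to be the same version, so compare like with like.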
  • mikeyh
    That's true Edwin, I often see this type of code in footers which I presume is to protect the developers links.
  • edynas
    If the original and the copy are not the same that should get you worried yeh.
    But what I wanted to soften was your way of putting things. You start with making these statements as if we all should abandon Wordpress because it's the most risky thing out there.

    Compare it with downloading software from torrents and afterwards complaining you got a trojan.

    You just need to use common sense and either download the themes from respected places or maybe start looking for commercial themes.
    • Michael D
      Originally Posted by edynas:

      If the original and the copy are not the same that should get you worried yeh.
      But what I wanted to soften was your way of putting things. You start with making these statements as if we all should abandon Wordpress because it's the most risky thing out there.

      Compare it with downloading software from torrents and afterwards complaining you got a trojan.

      You just need to use common sense and either download the themes from respected places or maybe start looking for commercial themes.
      Can you please help me understand how I was saying we should all abandon Wordpress? I never made any kind of statement like that. I love Wordpress and will continue to use it. I really don't understand how anyone could have come to that conclusion from my post. Just because we disagreed on something doesn't mean you have to start to put words into my mouth.

      In fact, I was saying exactly what you said in your last sentence. Be careful who you are downloading from, and I provided a legitimate example for people to look out for. If you don't care about it don't worry then - no skin off my back. I was just trying to shed some light on a certain issue with 3rd party download sites.
  • TheRichJerksNet
    The exact reason why I offered warriors a solution, which many have been very happy with ...

    James
  • edynas
    It was the overall feeling I got from your post
    -huge problem
    -locked like Alcatraz
    -not safe from exploit

    That was the general part before you started talking about the specific problem with WPsphere. You did point out that it was a good thing to compare but the intro was what made me think like I did.

    So if I read your point wrong I am sorry and I did not intend to lay words in your mouth.