Wordpress Hidden Link Injection Fix
- Date: 2010-03-21 - Word Count: 594
Share This!
The Wordpress Hidden Link Injection exploit has been the cause of concern for many users who use Wordpress on a daily basis. For those unfamiliar with the issue, the attack inserts links into the files of your active Wordpress theme mostly pointing to adult material elsewhere on the web. The lainks are completely hidden from view so you may never know about them and nor will your visitors. But the search engine spiders will certainly pick them up - and penalize you for it.
Detection
Seeing if your Wordpress install has been compromised is easy. Simply view the source of your homepage and look for any code that does not belong. Check near the top and near the bottom of the file as this is the place I've found the hidden links to mostly exist. They're also usually wrapped in HTML comments.
Some website 1
Some website 2
...
Some website n
If you see code like that, chances are, you are a victim of the Wordpress Hidden Link Injection exploit.
How are "they" doing this?
Apparently, there was a security hole in Wordpress versions 2.8.x that allowed outside users to hijack the /wp-admin/upload.php file and insert files on your server that could be used for all sorts of malicious purposes. One of those purposes is the hidden link injection. Wordpress 2.9 fixed this hole, however, simply upgrading is not enough. Outside users will no longer be able to hijack upload.php but the files that they have already inserted will still orchestrate the attack.
That's why simply removing the links from header.php or footer.php (the two places I've seen the links) is not enough. You'll notice that the links will simply reappear. We've got to treat the disease now, not just the symptom.
Fixing the problem
First and foremost, always keep your Wordpress install up-to-date! Updating could not be any easier. Simply click on the alert that appears at the top of your Dashboard and follow the instructions. It takes literally 10 seconds.
Next, change the admin Wordpress user's password. Also change your MySQL user's password.
Lastly, find the files that have been inserted by the exploit via upload.php. I have found two separate instances of these files, both located in the wp-includes folder. Check the permissions of each of the files in wp-includes and investigate any file that has 777 permission (that's your first clue that something is wrong). class-rss.php and feed-atom2.php are two files that I have seen cause issues. Cleverly named files. These two files are not native to the Wordpress codebase and can be safely removed. If you were to open either of these files and know a bit of PHP, you'll see that these files are certainly the culprit.
Going through these steps should safeguard your Wordpress installation against the hidden link injection exploit.
Stay vigilant
Just because we've fixed this does not guarantee that you'll be immune forever. Hackers are constantly looking for newer and better ways to tear stuff up. Wordpress has been exceptionally good at patching security issues, but someone somewhere has to be the guinea pig to get hit with an attack - and then report it to Wordpress.
One great plugin I've begun to use is Wordpress File Monitor. This plugin scans your Wordpress installation and reports if any files have been added, deleted, or changed. The plugin is customizable to run on a schedule that you set. You can also exclude directories from the plugin's reporting so that you're not alerted every time you upload a picture to insert into a post. I, however, recommend that you do not exclude directories as that directory may be the next location of the next exploit.
Detection
Seeing if your Wordpress install has been compromised is easy. Simply view the source of your homepage and look for any code that does not belong. Check near the top and near the bottom of the file as this is the place I've found the hidden links to mostly exist. They're also usually wrapped in HTML comments.
Some website 1
Some website 2
...
Some website n
If you see code like that, chances are, you are a victim of the Wordpress Hidden Link Injection exploit.
How are "they" doing this?
Apparently, there was a security hole in Wordpress versions 2.8.x that allowed outside users to hijack the /wp-admin/upload.php file and insert files on your server that could be used for all sorts of malicious purposes. One of those purposes is the hidden link injection. Wordpress 2.9 fixed this hole, however, simply upgrading is not enough. Outside users will no longer be able to hijack upload.php but the files that they have already inserted will still orchestrate the attack.
That's why simply removing the links from header.php or footer.php (the two places I've seen the links) is not enough. You'll notice that the links will simply reappear. We've got to treat the disease now, not just the symptom.
Fixing the problem
First and foremost, always keep your Wordpress install up-to-date! Updating could not be any easier. Simply click on the alert that appears at the top of your Dashboard and follow the instructions. It takes literally 10 seconds.
Next, change the admin Wordpress user's password. Also change your MySQL user's password.
Lastly, find the files that have been inserted by the exploit via upload.php. I have found two separate instances of these files, both located in the wp-includes folder. Check the permissions of each of the files in wp-includes and investigate any file that has 777 permission (that's your first clue that something is wrong). class-rss.php and feed-atom2.php are two files that I have seen cause issues. Cleverly named files. These two files are not native to the Wordpress codebase and can be safely removed. If you were to open either of these files and know a bit of PHP, you'll see that these files are certainly the culprit.
Going through these steps should safeguard your Wordpress installation against the hidden link injection exploit.
Stay vigilant
Just because we've fixed this does not guarantee that you'll be immune forever. Hackers are constantly looking for newer and better ways to tear stuff up. Wordpress has been exceptionally good at patching security issues, but someone somewhere has to be the guinea pig to get hit with an attack - and then report it to Wordpress.
One great plugin I've begun to use is Wordpress File Monitor. This plugin scans your Wordpress installation and reports if any files have been added, deleted, or changed. The plugin is customizable to run on a schedule that you set. You can also exclude directories from the plugin's reporting so that you're not alerted every time you upload a picture to insert into a post. I, however, recommend that you do not exclude directories as that directory may be the next location of the next exploit.
Brian Onorio is the President and CEO of O3 Strategies, a Raleigh web design and development group. O3 provides strategies that help small businesses nationwide successfully launch and maintain web presences and online brands.n
n Your Article Search Directory : Find in Articles
Recent articles in this category:
- Using Keywords Effectively For an SEO Campaign
Keyword research is one of the most crucial parts of an SEO campaign. If you end up choosing the wro - Search Engine Optimization Copywriting Tips
SEO copywriting is not as technical as it sounds but is different from traditional copywriting for t - 3 Tips to Make Money Using Videos
For the last five years video has been a real success in the internet. Now you can find video in alm - Is Social Media Networking Your Next Strategy For Your Online Marketing?
When you try to work on online promotion and online marketing, social media especially social media - Submitting a URL of Your Website
People who make a website usually do research on how to improve not only the quality of their websit - 5 Bad Habits of Article Marketing
There are many ways to advertise your company but having a highly ranked website is the best. Most p - Facts About SEO Services Company
SEO services companies are becoming very popular in the internet marketing world but there are some - 4 Ways Search Engine Optimization Can Be So Powerful
Whether you are an affiliate marketer, small businessman or a large organization, your first step wh - A List of 3 Options For Internet Business
The trend of making money through online business has become trendy now a day. People are shifting t - Getting the Best Affiliate Products For Your Site
Making money online was never so difficult before. There are numerous ways through which you can mak
Most viewed articles in this category:
- The Revolutionized Ebay Etailsolution Software
With the help of eBay, the auction business has received a new meaning. With the help of the many eB - Internet Millions - by Ryan Orrell - Honest Review
REVIEW: "Internet Millions", by Ryan Orrell, is a refreshing new kind of internet marketing e-bo - A Google Adsense Addiction
54% of all Google Adsense publishers admit addiction to click income. A recent online study conducte - Lead Generation for Top Residual Income
At the heart of any good residual income business is a person who knows how to generate leads. Lead - Make Money With Information Ebook Products: The Other End
I don't like thinking of myself as the kind of person that has made it rich on the internet, but in - Repeat Business Equals a Residual Income Stream
Residual income comes from other people reacting to a single action by the business owner. What bet - The NFL & United Way
There are many ways that NFL players help with the United Way. First of all, they donate a lot of th - Seo - Making Money Writing Seo Reviews
If you are a reviewer or critic you are likely to find work writing reviews of products and services - Understanding Perfume Types
Understanding the various varieties of perfume can help to cut through the difficulty in selecting a - Ecommerce Basics: Three Things To Avoid
When you decide to put your ecommerce website together there are a few mistakes that are easy to mak