Being the most popular content management platform means that WordPress is also a favorite target for attackers. The fact that the core application is open source (i.e. free to download) also means that attackers can read the source code and look for weaknesses (i.e. holes in the code that let them into an installation on the server). As a website becomes more and more popular, it can easily end up on the radar of a WordPress hack. Some break into sites for a sense of personal accomplishment or notoriety; others do it to insert spam links and affiliate links to adult sites for a quick buck.
The latter is the situation one of our clients found themselves in: the site was hacked with the goal of injecting spam links. Thankfully the aim was not to crash the site, so content was not harmed beyond some posts having links added into the text. Files were also uploaded that attempted to send fake headers redirecting the client's site to porn sites. At TCK Media we went through the site files and database forensically to remove all malicious injections and restore the original content while increasing security. This also let us see how the hackers had tried to exploit the site.
As already mentioned, the hacker installed files such as default.php and others in an attempt to redirect to porn sites. Fortunately this did not work and only produced "headers already sent" errors. However, the inserted files also prevented the admin area from being reached over HTTP.
A new user with admin permissions was created maliciously in order to upload files via the media uploader and to insert links into very old posts. The links were wrapped in <div> tags with CSS that kept them invisible in the visual editor of WordPress admin; only in the text editor (where the HTML is exposed) could they be seen. This makes the links hard for the site owner to spot unless he goes back to revisit old posts, and then only with the editor set to text view. The links also carried 'nofollow' attributes in order to prevent Google from flagging the sites as dangerous. All of this explains why hackers target high-traffic sites: the hacker knew that the old posts were indexed in Google and was hoping that visitors arriving from search queries would see the spam links and click on them.
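A site owner who suspects this kind of injection does not have to open every old post in text view. The scanner below is an added example, not TCK Media's code or anything from the incident: it walks post HTML with Python's standard-library HTML parser, flags any anchor that sits inside an element hidden by inline CSS (display:none, visibility:hidden, zero font size, off-screen positioning, zero opacity), and records whether the anchor carries rel="nofollow", the combination described above. The sample rows and the list of hiding patterns are constructed; a real run would feed it the ID and post_content columns exported from wp_posts.

```python
"""Scan WordPress post HTML for links hidden with inline CSS.

Added example (not TCK Media's code). Flags anchors whose own style, or an
ancestor's style, hides them from visitors, and notes rel="nofollow".
Sample posts and the hiding-pattern list below are constructed.
"""
import re
from html.parser import HTMLParser

# Inline-style fragments that hide an element. Constructed, not exhaustive.
HIDING_PATTERNS = [
    re.compile(r"display\s*:\s*none", re.I),
    re.compile(r"visibility\s*:\s*hidden", re.I),
    re.compile(r"font-size\s*:\s*0(?:\.0+)?(?:px|em|rem|%)?\s*(?:;|$)", re.I),
    re.compile(r"(?:left|top|text-indent)\s*:\s*-\d{3,}px", re.I),  # pushed off-screen
    re.compile(r"opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)", re.I),
]

# Elements that never get a closing tag, so they must not touch the stack.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "area", "base",
             "col", "embed", "param", "source", "track", "wbr"}


def _style_hides(style: str) -> bool:
    return any(p.search(style) for p in HIDING_PATTERNS)


class HiddenLinkFinder(HTMLParser):
    """Keep a stack of open elements (True = hidden) so an <a> inherits the
    hidden state of any enclosing <div> or <span>."""

    def __init__(self):
        super().__init__()
        self.stack = []      # one bool per open element
        self.findings = []   # dicts describing suspicious anchors

    def _inspect(self, tag, attrs):
        hidden = _style_hides(attrs.get("style", ""))
        if tag == "a" and (hidden or any(self.stack)):
            rel = attrs.get("rel", "").lower().split()
            self.findings.append({"href": attrs.get("href", ""),
                                  "nofollow": "nofollow" in rel})
        return hidden

    def handle_starttag(self, tag, attrs):
        hidden = self._inspect(tag, dict(attrs))
        if tag not in VOID_TAGS:
            self.stack.append(hidden)

    def handle_startendtag(self, tag, attrs):
        # <br/> style self-closing tags: inspect but never push.
        self._inspect(tag, dict(attrs))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()


def find_hidden_links(post_content: str) -> list:
    finder = HiddenLinkFinder()
    finder.feed(post_content)
    finder.close()
    return finder.findings


def scan_posts(posts: list) -> list:
    """posts: [{"ID": int, "post_content": str}] as exported from wp_posts.
    Returns one entry per post that contains at least one hidden link."""
    report = []
    for post in posts:
        links = find_hidden_links(post["post_content"])
        if links:
            report.append({"ID": post["ID"], "links": links})
    return report


# Constructed sample rows mimicking a wp_posts export.
SAMPLE_POSTS = [
    {"ID": 12, "post_content":
        '<p>Legit post with <a href="https://example.com">a normal link</a>.</p>'},
    {"ID": 7, "post_content":
        '<p>Old article text.</p>'
        '<div style="display:none">'
        '<a href="http://spam.example/buy" rel="nofollow">cheap pills</a>'
        '<a href="http://spam.example/more" rel="nofollow">more</a></div>'},
    {"ID": 9, "post_content":
        '<p>Text<br><span style="font-size:0px">'
        '<a href="http://spam.example/x">x</a></span></p>'},
]

if __name__ == "__main__":
    for hit in scan_posts(SAMPLE_POSTS):
        print(hit)
```

Hidden links are only one signal; a post whose hit list is all rel="nofollow" anchors to domains the site never linked before is the pattern worth triaging first, and the post's modification date and last-editing user in wp_posts tell you which account did it.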
Through a forensic review of all files and the database we were able to isolate the illicit user, the uploaded files, and the injected links. Core WordPress files were re-installed and the original content was restored with added security.
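Spotting a dropped-in file like default.php among thousands of core files is much easier against a manifest of known-good hashes than by eye. The audit below is an added example, not TCK Media's code: it walks an install directory, hashes every file, and sorts the results into modified (hash differs), unexpected (present but not in the manifest) and missing (in the manifest but absent). WordPress publishes per-version core checksums, which is what `wp core verify-checksums` compares against; here the manifest and the miniature install are constructed in a temporary directory so the example runs offline, and the tampering mirrors the incident (an added default.php and an altered core file). Uploads are skipped because they are not core files.

```python
"""Audit a WordPress tree against a manifest of known-good file hashes.

Added example (not TCK Media's code). The manifest here is constructed;
in practice it would come from the published core checksums for the
installed version. Reports modified, unexpected and missing files.
"""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_tree(root: str, manifest: dict,
               ignore_prefixes=("wp-content/uploads/",)) -> dict:
    """Classify every file under `root` against `manifest` (relpath -> sha256).
    Paths under `ignore_prefixes` (user content, not core) are skipped."""
    result = {"modified": [], "unexpected": [], "missing": []}
    seen = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel.startswith(ignore_prefixes):
                continue
            seen.add(rel)
            expected = manifest.get(rel)
            if expected is None:
                result["unexpected"].append(rel)   # e.g. a dropped-in default.php
            elif sha256_file(full) != expected:
                result["modified"].append(rel)
    result["missing"] = sorted(set(manifest) - seen)
    result["modified"].sort()
    result["unexpected"].sort()
    return result


def build_sample_install() -> tuple:
    """Create a constructed mini install in a temp dir plus its clean manifest,
    then tamper with it: add default.php and append to a core file."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    clean = {
        "index.php": b"<?php require 'wp-blog-header.php';\n",
        "wp-blog-header.php": b"<?php // core bootstrap\n",
        "wp-includes/version.php": b"<?php $wp_version = 'x.y.z';\n",
        "wp-content/uploads/2013/photo.jpg": b"\xff\xd8\xff",   # not core
    }
    manifest = {}
    for rel, data in clean.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        if not rel.startswith("wp-content/uploads/"):
            manifest[rel] = hashlib.sha256(data).hexdigest()
    # Constructed tampering mirroring the incident described in the post.
    with open(os.path.join(root, "default.php"), "wb") as f:
        f.write(b"<?php header('Location: http://spam.example/');\n")
    with open(os.path.join(root, "wp-includes", "version.php"), "ab") as f:
        f.write(b"/* injected */\n")
    return root, manifest


if __name__ == "__main__":
    root, manifest = build_sample_install()
    for category, paths in audit_tree(root, manifest).items():
        print(f"{category}: {paths}")
```

Files reported as unexpected still need a look: wp-config.php, .htaccess and plugin or theme directories are legitimately absent from the core manifest, so the useful output is the short list that remains once those are accounted for. Re-installing core from a fresh download, as described above, is the fix for anything in the modified list.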
Even though WordPress is a free open-source application, building a large, high-traffic site with it requires many different considerations to make it secure and able to withstand attacks. Premium themes, plugins, customization, hosting, etc., make the cost add up.