I have been meaning to write this post for a long time, but could not find the time to write up the details of this major security issue. In my experience, a large percentage of users run WordPress, and a certain percentage of them always face some sort of web injection (an iframe injection, for example) with any shared hosting provider. This post goes into depth on why these web injections occur and how you can protect your WordPress blog from this sort of issue.
Let’s see why these web injections occur. There are a couple of factors that allow someone to inject something into your blog pages. The two most common are JavaScript bugs and bad permission bits. I have seen some people advise, when someone complains about iframe injections, that it was done with a hacked FTP password. I would say: if the attacker had the FTP password, why would he simply inject something instead of replacing the file outright? It is not the same case every time, but most of the time those two factors play the vital role in web injections.
Now, one can say he hasn’t changed any permission bits; he simply uploaded the theme and started using it. That, eventually, is what you are doing wrong. WordPress itself is a very secure system; people are not going to be able to inject code through a WordPress vulnerability. Rather, they inject code/iframes through a vulnerability in your third-party theme or plugins. Most of the time, I have seen users choosing themes and plugins from publishers who are fairly amateur or have no well-known presence on the internet. These amateur developers leave JavaScript bugs for you in their themes and plugins. Later, when you upload the files and allow the owner to write to them, those bugs combine with the write permission suPHP grants and inject junk. If the script containing the bug is forced to run with no write permission, you will probably protect your WordPress blog from web injection despite those JavaScript bugs. I have always suggested to users who complain that this is a server issue that they make sure their scripts are not granted write permission unless it is essential for the script. You have to understand: if this were a server issue, then every user’s pages on the server would be injected, not just yours. Mellowhost maintains the latest mod_security rules from gotroot (http://www.gotroot.com), although new injections are developed every day and mod_security alone cannot protect against every sort of injection.
How can you protect your WordPress blog? A couple of things. One: make sure that scripts which don’t need write permission (like configuration files and include files) are set to read & execute (555) only. You can do this with the file manager or via FTP using the “Change Permission” or “Chmod” option. If you see that your WordPress blog is injected, you will probably want to change your theme first to see whether it gets injected again. If it does, the issue should relate to one of your plugins, which you have to verify one by one.
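As an added example (not code from the post or from Mellowhost), here is a small Python audit script that applies the advice above to a WordPress directory: it lists files under the configuration, includes, admin, theme and plugin paths that still carry a write bit, scans PHP/JS/HTML files for the hidden-iframe and encoded-eval fragments typical of an injection, and can set the flagged files to 555. The read-only path list, the injection patterns and the sample site tree it builds in a temporary directory are assumptions constructed for the demonstration; adjust the read-only prefixes to match which files your own plugins genuinely need to write.

```python
import re
import stat
import tempfile
from pathlib import Path

# Paths that normally never need to be written by the web server
# (assumption for this example, following the post's advice on config/includes files).
READ_ONLY_PREFIXES = (
    "wp-config.php",
    "wp-includes/",
    "wp-admin/",
    "wp-content/themes/",
    "wp-content/plugins/",
)
# Locations WordPress legitimately writes to, so they are not flagged.
WRITABLE_PREFIXES = ("wp-content/uploads/",)
WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH

# Fragments typical of web injections: a zero-size or hidden iframe, or an
# encoded eval() stub (constructed patterns for the example, not a full signature set).
INJECTION_RE = re.compile(
    rb"<iframe[^>]*(?:width=[\"']?0\b|height=[\"']?0\b|visibility:\s*hidden|display:\s*none)"
    rb"|eval\s*\(\s*base64_decode\s*\(",
    re.IGNORECASE,
)
SCANNED_SUFFIXES = {".php", ".js", ".html", ".htm"}


def should_be_read_only(relpath):
    """True if the relative path lies in a tree this example treats as read-only."""
    if relpath.startswith(WRITABLE_PREFIXES):
        return False
    return relpath.startswith(READ_ONLY_PREFIXES)


def audit_permissions(root):
    """Return (relative path, octal mode) for read-only-tree files that still carry a write bit."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        mode = stat.S_IMODE(path.stat().st_mode)
        if should_be_read_only(rel) and mode & WRITE_BITS:
            findings.append((rel, oct(mode)))
    return findings


def harden(root, findings):
    """Set every flagged file to 555 (read & execute only) and return the resulting modes."""
    root = Path(root)
    result = []
    for rel, _ in findings:
        path = root / rel
        path.chmod(0o555)
        result.append(oct(stat.S_IMODE(path.stat().st_mode)))
    return result


def scan_for_injections(root):
    """Return relative paths of scanned files that contain an injection-like fragment."""
    root = Path(root)
    return [
        path.relative_to(root).as_posix()
        for path in sorted(root.rglob("*"))
        if path.is_file() and path.suffix.lower() in SCANNED_SUFFIXES
        and INJECTION_RE.search(path.read_bytes())
    ]


def build_sample_site(base):
    """Create a tiny constructed WordPress-like tree (not a real install) with mixed modes."""
    base = Path(base)
    files = {
        "wp-config.php": (b"<?php define('DB_NAME', 'wp');", 0o644),
        "wp-includes/functions.php": (b"<?php function wp_example() {}", 0o555),
        "wp-content/themes/mytheme/header.php": (
            b"<html><body><iframe src=\"http://example.invalid/x\" width=\"0\" height=\"0\"></iframe>", 0o664),
        "wp-content/themes/mytheme/style.css": (b"body { margin: 0; }", 0o444),
        "wp-content/uploads/2010/03/pic.jpg": (b"\xff\xd8\xff", 0o644),
    }
    for rel, (content, mode) in files.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
        path.chmod(mode)
    return base


def demo():
    """Build the sample site in a temp dir, audit, scan, harden, and re-audit."""
    base = build_sample_site(tempfile.mkdtemp(prefix="wp-audit-"))
    before = audit_permissions(base)
    injected = scan_for_injections(base)
    after_modes = harden(base, before)
    after = audit_permissions(base)
    return {"before": before, "injected": injected, "after_modes": after_modes, "after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it against a copy of your site root rather than the live tree first, and review the "before" list before calling harden: a plugin that writes its own cache or settings file under its plugin directory will be flagged and would break if set to 555, which is exactly the "essential for the script" exception the post mentions.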
This is a fairly clumsy process to work through with the options above. There are a couple more investigations and solutions you can apply. There is a “Raw Access Log” option in your cPanel. If you download that file, you can check the last 24 hours of access logs for your site. This only works if you are certain the injection was done within the last 24 hours and you are aware of how requests are handled by your WordPress. The last part can be covered assuming you are at least able to recognise unusual requests to your blog (for example, running JavaScript commands through the URL).
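As an added example (not from the post), here is a Python parser for the Apache combined-format lines that cPanel’s Raw Access Log contains. It URL-decodes each request path and flags the kinds of unusual requests the paragraph refers to: script tags or JavaScript URIs in the query string, remote URLs passed as parameters, directory traversal, and POSTs aimed directly at a theme or plugin PHP file. The log lines are constructed samples, and the indicator list is an assumption for the demonstration rather than a complete signature set; the direct-POST rule in particular is a heuristic that legitimate plugin handlers can also trigger, so treat it as something to review rather than proof of an attack.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache "combined" log format, which is what cPanel's Raw Access Log contains.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Indicators of unusual requests (constructed list for this example, not exhaustive).
INDICATORS = [
    ("script_in_url", re.compile(r"<script|javascript:", re.IGNORECASE)),
    ("php_eval", re.compile(r"eval\s*\(|base64_decode", re.IGNORECASE)),
    ("remote_url_param", re.compile(r"[?&][^=&]+=https?://", re.IGNORECASE)),
    ("traversal", re.compile(r"\.\./")),
]
# A POST sent straight to a theme/plugin PHP file bypasses WordPress's normal
# entry points; heuristic only, since some plugin handlers legitimately do this.
DIRECT_PLUGIN_PHP = re.compile(r"^/wp-content/(?:themes|plugins)/[^?]*\.php(?:\?|$)", re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def decode_path(path):
    """URL-decode twice so that double-encoded payloads (%253C...) are matched as well."""
    return unquote_plus(unquote_plus(path))


def classify(entry):
    """Return the list of indicator names that fire for one parsed entry."""
    decoded = decode_path(entry["path"])
    reasons = [name for name, rx in INDICATORS if rx.search(decoded)]
    if entry["method"].upper() == "POST" and DIRECT_PLUGIN_PHP.match(decoded):
        reasons.append("direct_post_to_plugin_php")
    return reasons


def find_unusual_requests(lines):
    """Return (ip, method, path, reasons) for every line that triggers at least one indicator."""
    flagged = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # skip lines that are not in combined format
        reasons = classify(entry)
        if reasons:
            flagged.append((entry["ip"], entry["method"], entry["path"], reasons))
    return flagged


def suspects(flagged):
    """Count flagged requests per client IP, most active first."""
    return Counter(ip for ip, _, _, _ in flagged).most_common()


# Constructed sample log lines using documentation IP ranges; not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2010:13:55:36 +0600] "GET /?p=12 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2010:13:56:01 +0600] "GET /?s=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2010:13:56:20 +0600] "GET /wp-content/themes/mytheme/image.php?url=http://example.invalid/x.txt HTTP/1.1" 200 80 "-" "curl/7.19"',
    '198.51.100.9 - - [10/Mar/2010:13:56:40 +0600] "POST /wp-content/plugins/someplugin/upload.php HTTP/1.1" 200 12 "-" "curl/7.19"',
    '198.51.100.9 - - [10/Mar/2010:13:57:05 +0600] "GET /index.php?page=..%2F..%2Fwp-config.php HTTP/1.1" 404 310 "-" "curl/7.19"',
    '203.0.113.7 - - [10/Mar/2010:13:57:30 +0600] "GET /wp-content/uploads/2010/03/pic.jpg HTTP/1.1" 200 23456 "http://example.invalid/?p=12" "Mozilla/5.0"',
]


if __name__ == "__main__":
    hits = find_unusual_requests(SAMPLE_LOG)
    for ip, method, path, reasons in hits:
        print(ip, method, path, reasons)
    print(suspects(hits))
```

To use it on a real download, read the Raw Access Log file line by line and pass the lines to find_unusual_requests; the timestamps in the flagged entries then tell you when the suspicious activity happened, which is what you need to match against the moment the injection appeared.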
Alternatives? Yes, there are four fairly important WordPress security plugins you will probably want to use. Here they are:
1. WordPress Firewall Plugin: http://wordpress.org/extend/plugins/wordpress-firewall/
2. WordPress Antivirus Plugin: http://wordpress.org/extend/plugins/antivirus/
3. Secure WordPress Plugin: http://wordpress.org/extend/plugins/secure-wordpress/
4. Wp-Malwatch Plugin: http://wordpress.org/extend/plugins/wp-malwatch/
All of them work perfectly and are the easiest way for a shared hosting user to detect and protect their WordPress blog from web injections automatically. What they do is protect your files from being written to, or watch how they are being edited. They do something very similar to what I suggested above, but in real time. I would probably recommend the WordPress Firewall plugin, as you can configure it to load before all your other plugins, which helps you test whether one of your plugins is vulnerable.
Now, my readers will definitely ask why I didn’t just tell them about those plugins, which would protect their blogs from web injection in the easiest and fastest way. I would say it was my intention to let you understand how this is happening and what basic steps you can perform to prevent it. Merely using the plugin may not solve the issue: rare, but not impossible 🙂
Just a quick reminder: we at Mellowhost maintain the best protective security for your blog. But everything has a limitation, and these sorts of injections are part of those limitations. It is pretty hard to read a developer’s mind and apply a patch at the server level to protect against his fault. This is why it is advised to take all the precautionary measures within your reach. You should have no worries about the server as long as you are hosted with Mellowhost 🙂
Happy reading.
Wondering if those security plugins you mention won’t kill the shared hosting. But I will give them a try 🙂 Great read!
They won’t! These plugins are pretty lightweight!
Thanks for the post, I recently had this happen to me.
I was wondering, with web injections like this, can the hacker gain access to personal information, or are they limited to replacing pages/code?
It depends on what sort of access they are getting. If it is a SQL injection, then yes, it is possible to change the personal information.
Good luck
Thank you for your useful information.
I have a question. My blog was defaced yesterday (index.php and header.php of the theme were changed). I found a script (Locus7s) in the theme root directory. It is like a file browser. I think the hacker changed my files using this script. But the permission of my files is 644 and I am using cPanel. I thought with 644 only my cPanel user has write permission, but I don’t know how the hacker changed file content by running that PHP script.
I only have the Secure WordPress plugin. I will try the other 3. But could you please fix my hacked website? The domain is http://www.dentistrynewstoday.com .
I have been using the WordPress Firewall 2 in order to protect my blog from hackers for quite some time. I installed it out of caution and forgot about it. Only when there was an update did I remember it was installed. Does it work? Last night I got an email on my phone stating that someone tried to hack into my site… the IP was blocked and my site is untouched. If you have a blog on a shared host, use Dave’s advice.
Nice information, but can you assure us about the above-mentioned plugins? I am a victim of JavaScript injection. How can we make sure a plugin or theme is secure? Kindly guide me, as I am a newbie to WordPress.
Can you suggest some up to date plugins?
I explored a lot of websites and this was the best.