This article is split into two parts for easy reference. First some information on the evil WordPress “Pharma Hack”, and then a recipe for protecting your site with a solid security lockdown. Choose your own adventure:
A few weeks ago, DigWP.com was hit with the so-called Pharma Hack. We discovered the hack after some Google results turned up all sorts of spammy pharmaceutical garbage littered throughout posts, links, and titles.
The tricky part about the hack is that it injects the spam garbage only when your site’s pages are requested by a search bot (e.g., googlebot). So when you view your pages in a browser, everything seems perfectly normal. Put simply, the hack is cloaked. We had no idea anything was wrong until about two weeks after the attack. During that time a majority of our search engine results were nuked with evil pharma spam. Ick.
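Because the injection is cloaked, the quickest way to see it on your own site is to request a page twice, once as a search bot and once as a browser, and compare. The script below is an added example, not code from the DigWP article: the User-Agent strings, the `check_site` helper and the two sample HTML bodies are assumptions constructed for illustration, and the keyword list is the one the article's search query used.

```python
# Added example, not part of the DigWP article: verify cloaking on your own
# site by fetching a page as a search bot and as a browser, then comparing.
import re
import urllib.request

# Spam keywords the article saw in its poisoned search results; extend as needed.
PHARMA_TERMS = ("cipro", "meridia", "cialis")
BOT_UA = "Googlebot/2.1 (+http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:3.6) Gecko/20100101 Firefox/3.6"

def fetch(url, user_agent, timeout=15):
    """Fetch url with the given User-Agent and return the body as text."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")

def title_of(html):
    """Return the <title> text, or '' if there is none."""
    m = re.search(r"<title>(.*?)</title>", html, re.I | re.S)
    return m.group(1).strip() if m else ""

def find_pharma_terms(html):
    """Return the set of spam keywords that occur as whole words in html."""
    lowered = html.lower()
    return {t for t in PHARMA_TERMS if re.search(r"\b%s\b" % re.escape(t), lowered)}

def cloaking_report(bot_html, browser_html):
    """Compare the bot view with the browser view of the same page."""
    # Spam present only in the bot view is the cloaked injection; a title
    # that differs between the two views is a second tell.
    bot_terms = find_pharma_terms(bot_html)
    browser_terms = find_pharma_terms(browser_html)
    bot_only = sorted(bot_terms - browser_terms)
    return {
        "bot_only": bot_only,
        "in_both": sorted(bot_terms & browser_terms),
        "title_differs": title_of(bot_html) != title_of(browser_html),
        "cloaked": bool(bot_only),
    }

def check_site(url):
    """Live check (needs network): fetch the page twice and compare."""
    return cloaking_report(fetch(url, BOT_UA), fetch(url, BROWSER_UA))

# Constructed sample bodies standing in for two fetches of one URL.
SAMPLE_BROWSER = "<html><title>Digging into WordPress</title><p>Hi</p></html>"
SAMPLE_BOT = ("<html><title>Buy cialis online - Digging into WordPress</title>"
              "<p>Hi</p><div style='display:none'>cheap cipro, meridia</div></html>")
```

Run `check_site("http://your-site.example/")` against a few of your own URLs that turned up in the spammy search results; a clean site returns `cloaked: False` with an empty `bot_only` list.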
Fast forward three weeks and things are locked down tight. The Pharma Hack has not returned, and most of the spam garbage in the search results has been filtered out and replaced with clean pages. At the time of the attack, DigWP was running WordPress 2.9/3.0 without any sort of additional site security. We were just using whatever “default” protection was available from either WordPress or Media Temple. After detecting the hack, several days were spent cleaning it up and locking things down.
At first, it seemed like an impossible hack to fix – nothing seemed to work. We ran through the following routine, hoping to fix it:
- Locate and remove hacked
- Locate and remove hacked content from database
- Replace entire set of salt keys
- Upload new WordPress files
- Restore previous versions of other files
- Restore database to previous version
These actions alleviate the symptoms, but they don’t even touch the actual virus, which somehow regenerates the (base64) encoded spam script. As far as we know, the Pharma Hack works like this:
- Evil script gains access to your WordPress site
- Encoded spam script injected into database
- Script inserts spam garbage into pages requested by search bots
- Script makes no changes to pages requested by browsers
Within the database, the spam script is generated in any/all of these
If these fields are present and contain super-long strings of encoded gibberish, your site’s infected. You can assess the damages by examining the search results for your site (note: other spam keywords may be used):
site:digwp.com cipro OR meridia OR cialis
If you’re hit, hopefully you catch it before googlebot crawls along. But even if you have thousands of hacked pages appearing in the search index, it’s not too late to clean things up and secure your site. Here is how we did it:
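To find the “super-long strings of encoded gibberish” in the database itself, it is easier to grep a mysqldump than to eyeball phpMyAdmin. The scanner below is an added example, not code from the DigWP article; the 200-character threshold, the `rss_7a3f` option name and the whole sample dump are constructed for illustration.

```python
# Added example, not part of the DigWP article: scan a mysqldump of the
# WordPress database for rows that carry the "super-long encoded gibberish"
# the article describes, or an eval(base64_decode(...)) loader.
import re

INSERT_ROW = re.compile(r"^INSERT INTO `?(\w+)`? ", re.I)
DECODER = re.compile(r"base64_decode\s*\(|eval\s*\(", re.I)

def scan_dump(lines, min_run=200):
    """Return (table, reason, preview) for each suspicious INSERT line.

    min_run is the length of an unbroken base64-alphabet run that counts as
    a blob. Long legitimate values (an embedded image, a JS snippet with
    eval) will also trigger it, so treat hits as leads to inspect, not proof.
    """
    blob = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_run)
    findings = []
    for line in lines:
        m = INSERT_ROW.match(line)
        if not m:
            continue  # schema statements, comments, blank lines
        table = m.group(1)
        if DECODER.search(line):
            findings.append((table, "base64_decode/eval in row", line[:80]))
            continue
        run = blob.search(line)
        if run:
            findings.append((table, "encoded blob of %d chars" % len(run.group(0)),
                             run.group(0)[:40] + "..."))
    return findings

def scan_dump_file(path, min_run=200):
    """Scan a dump file on disk (e.g. mysqldump output)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_dump(fh, min_run)

# Constructed sample dump: one clean option, one option holding a 320-char
# base64 blob, one post body with a PHP loader, and one clean post.
SAMPLE_DUMP = [
    "INSERT INTO `wp_options` VALUES (1,'siteurl','http://example.invalid','yes');",
    "INSERT INTO `wp_options` VALUES (2,'rss_7a3f','" + "QUJD" * 80 + "','yes');",
    "INSERT INTO `wp_posts` VALUES (5,1,'Hello','<?php eval(base64_decode(\"aGk=\")); ?>');",
    "INSERT INTO `wp_posts` VALUES (6,1,'Clean post','Just a normal paragraph.');",
]
```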
WordPress Security Lockdown
This security strategy is best implemented on new sites. It just makes everything (like renaming table prefixes) so much easier. Either way, you want to start with a clean batch of files. Upload a fresh copy of WordPress, update your plugins, theme files, and so on. You may want to redirect visitors to a maintenance page while you work on your site. That said, here is our five-step Security Lockdown for WordPress:
1 – File Permissions
After uploading fresh files, the next step is to ensure proper file permissions. WordPress defaults to 644 for files and 755 for folders. Make sure these are set properly. While cleaning up, we noticed some crazy permission settings for sensitive files. For example, wp-config.php was set to 777 – writable and executable by the entire world! Make sure you don’t see anything like that, and if you do, fix it.
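Checking every file and folder by hand is tedious, so here is an added example (not code from the DigWP article) that walks a WordPress tree and reports anything other than 644/755, with world-writable files treated as the serious case; the severity labels and the `SENSITIVE` file list are assumptions chosen for illustration.

```python
# Added example, not part of the DigWP article: audit a WordPress tree for
# modes other than 644 (files) / 755 (directories) and flag anything
# world-writable, with wp-config.php and .htaccess treated as critical.
import os
import stat
import sys

EXPECTED_FILE = 0o644
EXPECTED_DIR = 0o755
SENSITIVE = {"wp-config.php", ".htaccess"}  # assumed list; extend as needed

def classify(path, mode, is_dir):
    """Return a finding for one path, or None if its mode is as expected.

    mode holds only the permission bits (e.g. 0o777), as stat.S_IMODE gives.
    """
    expected = EXPECTED_DIR if is_dir else EXPECTED_FILE
    if mode & stat.S_IWOTH:  # world-writable: the 777 case from the article
        sev = "CRITICAL" if os.path.basename(path) in SENSITIVE else "HIGH"
        return "%s %s is world-writable (%o)" % (sev, path, mode)
    if mode != expected:
        return "INFO %s has mode %o, expected %o" % (path, mode, expected)
    return None

def audit_tree(root):
    """Walk root and collect findings; symlinks are skipped, not followed."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, True) for d in dirnames] + [(f, False) for f in filenames]
        for name, is_dir in entries:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            finding = classify(path, stat.S_IMODE(st.st_mode), is_dir)
            if finding:
                findings.append(finding)
    return findings

if __name__ == "__main__":
    # Usage (saved as, say, audit_perms.py): python audit_perms.py /path/to/wordpress
    for line in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(line)
```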
2 – File Protection
In addition to setting proper file permissions, we can also lock down key files with .htaccess. There are numerous files to protect, perhaps most importantly the wp-config.php file, which contains your database login information. Place the following code in your site’s root .htaccess file to protect it:
# SECURE WP-CONFIG.PHP
<Files wp\-config\.php>
Order Deny,Allow
Deny from all
</Files>
You may also want to password-protect your wp-admin directory, but it may cause more trouble than it’s worth.
3 – Database Protection
Changing the default table prefix is one of the best ways to protect your database. Malicious scripts need targets, and default targets are easy to hit. Change wp_ to something more like a password. A random string like “crUQZPadESeKSy8Q_” will make your tables difficult to hit. It’s like having a built-in password for your database :)
There are two ways to change your prefixes: the easy way and the hard way. The easy way is to add the following line to your wp-config.php file before installing WordPress (important: change the random string to something unique):
$table_prefix = 'crUQZPadESeKSy8Q_'; // custom table prefix
Do that before running the install script and WordPress takes care of the prefix naming automagically when it creates the database. Going forward, there is no reason not to change default prefixes for all future WordPress installs. For existing sites, you can do it the "hard way" using a plugin or doing it manually.
4 – Essential Plugins
After exploring the vast crop of WordPress security plugins, we narrowed it down to four plugins that collectively do just about everything in the easiest way possible:
WP File Monitor tracks changes made to your files. If/when anything changes, it notifies you via an Admin Dashboard alert and/or an email alert. So anytime a file is changed, moved, added, or removed, WP File Monitor lets you know. Here is a list of features:
- Monitors file system for added/deleted/changed files
- Sends email when a change is detected
- Multiple email formats for alerts
- Admin alert to notify you of changes in case email is not received
- Ability to monitor files for changes based on file hash or timestamp
- Ability to exclude directories from scan
This is one of my favorite plugins. It’s perfect for keeping an eye on things. If anyone gets in and messes around with your files, you’ll know about it immediately, and even better, you’ll know exactly which files have been affected.
WP Security Scan checks your WordPress installation for security vulnerabilities and suggests corrective actions. The scan report informs you of any problems with file permissions, system variables, and much more:
- File permissions
- Database security
- Version hiding
- WordPress admin protection/security
- Removes WP Generator META tag from core code
WP Security Scan also provides a nice summary of server information and latest scan information. Performing a new scan is immediate with the click of a button. Very easy.
Block Bad Queries (BBQ) is a simple, super-fast plugin that protects your site against malicious URL requests. BBQ checks all incoming traffic and quietly blocks bad requests containing nasty stuff like base64_ and excessively long request strings. This is a simple yet solid solution for sites that are unable to use a strong .htaccess firewall. Features:
- Checks for updates
- Checks configuration file
- Checks if config file is located in unsecured place
- Checks presence of install script
- Checks server configuration
- Checks database
- Checks code
And quite a bit more. The best part about BBQ is that it’s so easy to use. No setup, no configuration, just plug-&-play. And for even more firewall protection, check out BBQ Pro. Full Disclosure: I am the author of BBQ and BBQ Pro :)
Secure WordPress takes care of all those “little” things. Instead of installing a bunch of smaller plugins or custom functions for this stuff, the Secure WordPress plugin does it all for you:
- Removes error information from the login page
- Adds a (virtual) index.php to the plugin directory
- Removes the WordPress version, except in the admin area
- Removes Really Simple Discovery
- Removes Windows Live Writer
- Removes core update information for non-admins
- Removes plugin update information for non-admins
- Removes theme update information for non-admins
- Hides the WordPress version in the backend dashboard for non-admins
Having all of this (and much more) done with a few clicks in the WordPress Admin is easy and effective.
5 – Important Details
The previous four steps comprise the majority of our security lockdown, but there are some important details to consider:
- Keep your WordPress install, plugins, themes, and scripts updated with current versions
- Use strong passwords and change them often
- Disable user registration if not needed/used for your site
- Check roles and permissions for all users
- Clean up and consolidate old/loose files
- Remove unused plugins and themes
- Check permissions of
- Keep a backup of your site files
- Keep your database optimized and backed up
We did these things here at DigWP.com, but certain tips may not apply to every site. As a side note, despite our new security lockdown, I am still concerned/confused about how to handle the backup directories. It seems dangerous to leave these folders set with 777 permissions, and for many shared hosts, that seems to be the required setting. I would be interested in hearing any ideas about securing these directories.
There is no such thing as perfect security. If someone wants in badly enough, they’re going to find a way, despite your best efforts at staying secure. Fortunately, most malicious scripts target the lowest common denominator: default WordPress installs.
At the very least, ensure proper file permissions, secure wp-config.php, and use unique database prefixes. Together, these three steps will put your site out of reach for the vast majority of malicious scripts and other automated attacks.
Of course, there are many other ways to strengthen your site’s security, depending on how far you want to go with it. The lockdown strategy presented in this article provides strong security in the most efficient way possible, but there is always room for improvement, so share your ideas and help the community secure their WordPress.