Example of a WordPress Website Hack Attack
Clients with WordPress sites often come to me with questions like ‘How did my site get hacked? How did this spam get sent from my server? How did this phishing page that looks like a PayPal login get buried deep within my website?’
If you are using WordPress and have not upgraded it to at least version 4.0, then your website is probably already compromised. Contact me if you have questions.
A Description of the Hack Attack
If the WordPress blog has not been updated for a while, the hacking technique that I have seen most often uses this procedure…
- The attacker posts a comment on one of your blog posts that contains a specially crafted combination of characters. The malicious payload is hidden inside the comment as a base64-encoded string, so at a glance it does not look like code.
- When someone logged in as an administrator moves the mouse over that comment in the dashboard, the malicious code in the comment runs in the administrator's browser, with the administrator's privileges, exactly as if the administrator had performed the actions himself.
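The procedure above is what an incident responder has to find after the fact: which comment carried the payload. The following is an added example, not code from the original post, of a triage scanner that walks a dump of comment rows (as you would get from `SELECT comment_ID, comment_content FROM wp_comments`) and flags bodies that contain inline event handlers, script tags, `javascript:` URIs, `eval`/`atob` calls, or long base64 runs that decode to such code. The sample rows and the payload are constructed for illustration, and the `#createuser` form id is assumed from the wp-admin Add New User page. It is a heuristic for hunting, not a sanitizer; leave output escaping to WordPress's own filters.

```javascript
// Added example (not from the original post): heuristic triage of WordPress
// comment bodies for hidden script payloads of the kind described above.

// Patterns that should never appear in a legitimate comment body.
const SUSPICIOUS = [
  /<script\b/i,
  /\bon(mouse\w*|load|error|click|focus)\s*=/i,          // inline event handlers
  /javascript\s*:/i,                                     // javascript: URIs
  /\b(eval|atob|unescape|String\.fromCharCode)\s*\(/i,   // decode-and-run helpers
  /(?:\bjQuery|\$)\s*\(\s*['"]#createuser/i,             // targets the Add User form (assumed id)
];

// A run of 24+ base64 alphabet characters is long enough to hide a statement.
const BASE64_RUN = /[A-Za-z0-9+\/]{24,}={0,2}/g;

// Decode every base64-looking run and keep the ones that decode to printable ASCII.
function decodeBase64Runs(text) {
  const decoded = [];
  for (const run of text.match(BASE64_RUN) || []) {
    const candidate = Buffer.from(run, 'base64').toString('latin1');
    if (/^[\x09\x0a\x0d\x20-\x7e]+$/.test(candidate)) decoded.push(candidate);
  }
  return decoded;
}

// Check one comment row against the patterns, both as stored and after
// decoding any embedded base64 blobs. Returns the reasons it was flagged.
function scanComment(comment) {
  const reasons = [];
  const views = [['raw', comment.comment_content]];
  for (const text of decodeBase64Runs(comment.comment_content)) {
    views.push(['base64', text]);
  }
  for (const [where, text] of views) {
    for (const re of SUSPICIOUS) {
      if (re.test(text)) reasons.push(`${where}: ${re.source}`);
    }
  }
  return { id: comment.comment_ID, suspicious: reasons.length > 0, reasons };
}

// Scan a whole dump and return only the rows worth a human look.
function scanComments(comments) {
  return comments.map(scanComment).filter((r) => r.suspicious);
}

// Constructed sample rows: one benign comment, one with a visible handler,
// and one that hides the body of its handler in base64.
const HIDDEN_PAYLOAD = 'jQuery("#createuser").find("#role").val("administrator");';
const SAMPLE_COMMENTS = [
  { comment_ID: 101, comment_content: 'Great post, thanks for sharing!' },
  { comment_ID: 102, comment_content: '<a href="#" onmouseover="alert(1)">nice</a>' },
  {
    comment_ID: 103,
    comment_content:
      'Love it <a title="x" onmouseover="eval(atob(\'' +
      Buffer.from(HIDDEN_PAYLOAD).toString('base64') +
      '\'))">[a</a>',
  },
];

// Usage: print the flagged rows with the reasons, e.g. for a responder's notes.
for (const hit of scanComments(SAMPLE_COMMENTS)) {
  console.log(`comment ${hit.id}: ${hit.reasons.join('; ')}`);
}
```

Run it against a real export by replacing `SAMPLE_COMMENTS` with the rows from the database; anything flagged with a `base64:` reason was deliberately obscured and deserves the closest look.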
Let’s Hack a WordPress Blog
- Okay, so I know how to make a malicious comment.
- I know how to write a 20-line snippet of jQuery code that opens the Add User form and creates a new Administrator user in the blink of an eye, which no one will notice.
We find a blog running WordPress 3.5.
Before we attack, here is what the list of users looks like.
Here I am entering my malicious comment.
Subsequently, the real administrator logs into his dashboard and looks at the comments. At some point he moves his mouse over the comment and then logs out, thinking nothing weird is going on. He has no clue that he triggered my jQuery code, which created a new administrative user as if he had done it himself.
Notice how the comment looks normal except the tiny ‘[a’.
If he had taken the time to click EDIT and looked at the comment that way, he would have seen this instead.
Here is what the list of users looks like now.
And here I am later that night, logging in as the new administrative user that was created.
Now I'm hiding pages for spam and phishing all over the website.
These are real pictures. This is a real WordPress 3.5 blog that I set up, and that is the real hack code that I used to do this. It should make it very clear that it is necessary to keep your WordPress up to date.
I understand that stuff happens, and if you think you are in trouble, contact me or leave a comment (no hidden code in comments please 🙂) and I’ll try to answer your questions and help you determine what you should do next.