Automated WordPress Hacker Alert and What To Do

by John Hoff on August 30, 2011

Below is a copy of an article I sent out a few weeks ago to a segment of my list of people who purchased my WordPress Defender ebook.

The reason I’m posting it here is that both I and the super cool chick over at @RedHeadWriting woke up to a large number of hack attempts on our blogs. For me, they tried hitting 3 different blogs I own.

Check out my Inbox this morning (and I’m still getting more alerts):

It appears to be all automated, so be careful and get your blog secured now. Make sure you’re using the WordPress Firewall plugin to block hack attempts like these.

Here’s a quick video I just uploaded showing you my Inbox and how I banned the IP address from hitting my site further (sorry about the blur, this account hosts a number of niche websites I own… and I don’t want you discovering those now, do I?).

Note that this video was taken when I used a different hosting account than BTC Hosting.

Here’s the code you need to ban an IP address in your .htaccess file:

order allow,deny
deny from 66.147.244.81
deny from 74.220.215.65
allow from all

The two IPs above were ones which tried hacking my blogs, so you might want to include those for now.

———— Start Newsletter Copy —————-

So there are two threats going around lately which I’d like to make you aware of.

1. Timthumb.php

Timthumb.php is a script included in many (but not all) free and premium WordPress themes; it handles resizing images.

You can see if you’re using Timthumb.php by heading over to your Dashboard | Appearance | Editor and looking at the list of files you have on the right.

If you see Timthumb.php there, you’ll want to either delete it (make a copy first) or update it to the most recent version.

The issue is that the script wasn’t written securely, which means a hacker could exploit it to infect your blog with a virus.

You can read more about this threat here and here.
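An added check for the TimThumb step above (example code, not the article’s or any plugin’s): it walks every theme under wp-content/themes, active or not, and flags timthumb.php or thumb.php by name, plus any renamed .php copy whose header mentions TimThumb. The header marker is an assumption about the script’s source, and the sample theme tree is constructed in a temporary directory so the demo runs anywhere.

```python
import os
import tempfile
from typing import List, Tuple

TIMTHUMB_NAMES = {"timthumb.php", "thumb.php"}   # file names discussed in the article
HEADER_MARKER = b"timthumb"   # assumed: the script's header comment names TimThumb


def looks_like_timthumb(path: str) -> bool:
    name = os.path.basename(path).lower()
    if name in TIMTHUMB_NAMES:
        return True
    if not name.endswith(".php"):
        return False
    with open(path, "rb") as f:               # renamed copy: look for the marker
        return HEADER_MARKER in f.read(4096).lower()   # in the first 4 KB only


def scan_themes(themes_dir: str) -> List[Tuple[str, str]]:
    """Return (theme, path inside theme) for every suspect file in every theme,
    active or not: an inactive theme's files are still reachable over the web."""
    hits = []
    for theme in sorted(os.listdir(themes_dir)):
        theme_dir = os.path.join(themes_dir, theme)
        if not os.path.isdir(theme_dir):
            continue
        for root, _dirs, files in os.walk(theme_dir):
            for fn in sorted(files):
                full = os.path.join(root, fn)
                if looks_like_timthumb(full):
                    hits.append((theme, os.path.relpath(full, theme_dir)))
    return hits


def build_sample_tree() -> str:
    """Constructed wp-content/themes layout in a temp dir: a theme shipping
    timthumb.php, one with a renamed copy under lib/, and a clean default theme."""
    base = tempfile.mkdtemp()
    layout = {
        "alpha/timthumb.php": b"<?php\n/* TimThumb script ... */\n",
        "beta/lib/image-resize.php": b"<?php\n// derived from TimThumb\n",
        "twentyeleven/functions.php": b"<?php\n// theme functions\n",
        "twentyeleven/thumbnail.php": b"<?php\n// unrelated template\n",
    }
    for rel, body in layout.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(body)
    return base


if __name__ == "__main__":
    for theme, rel in scan_themes(build_sample_tree()):
        print(f"{theme}: {rel} -> update to the latest TimThumb or remove it")
```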

2. Google Image Search

From time to time I’ve used Google Image Search to look for images I can use (arrows, buy-now buttons, etc.), and it didn’t really hit me until today just how big a problem viruses and WordPress are in this area.

Every now and then the antivirus program on my computer (Avast) would pop up a “Warning: Threat Detected” message when I’d view an image. Of course I’d click back immediately, and I’m always thankful I have a good antivirus installed.

But then just today I found this article online about Hacked WordPress Blogs Used to Poison Google Image Search.

That headline immediately caught my attention as I have had some experience with this.

At this point there’s not much we can do about it other than keeping ourselves as safe and prepared as possible. If you’ve gone through my ebook then you should be well equipped to handle and block such threats.

Okay so enough of the super interesting stuff. I know how much we all love reading WordPress security reports ;-)


Keith Davis August 30, 2011 at 12:47 pm

Hi John
That firewall plugin is fantastic – appreciate you bringing it to my attention.

I did have timthumb.php but my theme has been updated and no longer uses it. That’s a relief.

I’ll add the two IPs to my htaccess file – thanks for the heads up.

Just given you a +1 for all your effort.

Keith

Reply

John Hoff August 30, 2011 at 1:07 pm

Thanks Keith.

Make sure if you have that file to go ahead and delete it if it’s not being used.

No sense in keeping it. Just make sure to make a backup of it first, or you could just rename the file to something else, like timthumb.old or something.

Reply

Keith Davis August 30, 2011 at 1:47 pm

All deleted John.

One thing I did read is that even a non active theme is a threat if it contains the timthumb / thumb.php.

Fortunately the 2010 and 2011 default themes don’t use it.

Reply

John Hoff August 30, 2011 at 3:14 pm

Good point. This is a huge issue.

Reply

Natalie August 30, 2011 at 1:12 pm

Hi John

if my .htaccess is set up to

Order Deny,Allow
Deny from all

Do you recommend still blocking individual IPs?

If so, would it read:

Order Deny,Allow
Deny from 192.168.0.10
Deny from all

Thanks!

Reply

John Hoff August 30, 2011 at 3:26 pm

Hi Natalie,

I would assume that directive is not in your root .htaccess file since you aren’t denying every visitor to your blog (so in that case use the code in the article).

But to answer your question, no you would not have to deny via IP address in that instance because nothing could access whichever directory that is located in.

Good question.

Reply

Melinda August 30, 2011 at 2:41 pm

I’ve had over 200 of those emails today as well *rolls eyes*.

Just to confirm, if the thumb.php or timthumb.php file doesn’t show up in the Editor screen then the theme doesn’t use it? It won’t be a hidden file at all?

Reply

John Hoff August 30, 2011 at 3:41 pm

Sounds like a group out there is really targeting WordPress with some kind of automation script. I noted in my alerts that it just randomly tried a number of themes which were susceptible to the hack.

That’s a hard question to answer with 100% accuracy.

The best answer to give you would be to contact your theme developer and ask them (or Google your theme along with “timthumb.php hack”).

The problem is that themes like StudioPress hide key template files because of functionality and ease of use for the user. StudioPress says that they use a modified version of the program and that it’s immune, by the way.

Sorry for the crappy answer, but I don’t want to tell you one thing when there’s no way for me to really know for sure.

Reply

Melinda August 30, 2011 at 4:06 pm

Thanks John.

I searched the theme files on my hard drive and couldn’t find timthumb, so I’m assuming that Studiopress/Genesis don’t use it.

Out of seven sites that I manage only one had timthumb on it. So it’s now updated, although I assume that if/when the theme next has an update I’ll need to check it again.

Reply

John Hoff August 30, 2011 at 5:02 pm

If it’s a reputable theme creator then it should be updated, but wouldn’t hurt to check.

StudioPress uses a modified version of the TimThumb script which does not include the vulnerable parts. I too own a StudioPress site and checked their forums… so you’re good there.

Reply

Dale Fahrney August 30, 2011 at 4:54 pm

John, thanks for the email. We got hit early last week. Our host caught it before I did and took the site down to protect us and them. This bug really hits their servers hard as well. We updated the file and all is well again.

Can you or would you go through the set up steps of the monitoring program you used to catch this one so we all can be a little more proactive?

Dale

Reply

John Hoff August 30, 2011 at 5:29 pm

Hi Dale,

Actually I did a video overview of it on one of my video blogs.

The video showcases where my blog used to be located, just FYI so you’re not confused. Also, the part where I mention to visit whatismyipaddress.com is not needed because the plugin’s settings area now tells you what your IP is.

For some more security tips, I suggest you sign up for my security mini course (it’s the link in my sidebar where WordPress Defender is).

Don’t worry about giving me your email address again in order to get the mini course, since you’re on my list you won’t be added “double”.

Let me know if you have any questions.

Reply

Lillea August 30, 2011 at 5:11 pm

Hi John,

The firewall has protected some of my sites today and recently from these attacks, so thank you.

Security question: is it possible for a hacker to figure out which websites a person owns if the WHOIS for all of the domains is protected and different pen names are used on the sites? Hostgator tech people told me no, that isn’t possible, but I want to ask you because I’m not sure what to believe.

Reply

John Hoff August 30, 2011 at 5:36 pm

Hi Lillea,

I live by the rule that if someone really wants to hack you (and they know what they are doing), then they can hack you.

I would say this rule applies to finding you as well.

The problem is that we use these online tools which we have very limited control over.

How much control do you have over your theme’s core files? What about plugin code… or your web hosting for that matter? What about your account on Facebook or Twitter?

If someone hacked Google and gained access to your Google Analytics account, would they be able to see what domains you own?

What if a hacker hacks your FTP account? Or the web host and discovers your different domain names? What if they gain access to one site which leads them to hack your email account?

Anything is possible.

Can you make it more difficult for them? Absolutely – and that’s what we’ve been doing this whole time, right?

Reply

Lillea August 30, 2011 at 7:51 pm

Thanks, John. Great points. And thanks again for writing WordPress Defender!

Reply

Tiffany @ Arma Communications August 30, 2011 at 10:34 pm

This timthumb issue is a real mess. Most of the themes I use have it in there somewhere. Ugh.

Regarding the plugin, there is also a Firewall 2 out that is supposed to be an updated version of the one you mention — but not totally by SEO Egghead. Is it just as good? The Egghead version hasn’t been updated since 2009.
http://matthewpavkov.com/wordpress-plugins/wordpress-firewall-2.html

Thanks for all your insight, John!

Reply

John Hoff August 31, 2011 at 4:27 am

Hi Tiffany,

Last year when the Firewall 2 plugin came out I contacted SEO Egghead about it because to me it looks like nearly an exact copy of the plugin. The minor bug fixes really aren’t anything that special. And what are those bug fixes? They aren’t listed. I’ve tried both plugins and I really don’t see a difference.

When I emailed SEO Egghead a year ago they hadn’t even heard yet that someone “forked” their plugin.

I think you can go with either plugin, that’s fine but from what I see, the Firewall 2 plugin hasn’t really grown in the last year and I really don’t know anything about this person.

Where is their website? What are their qualifications? How do I know he knows all about WordPress security? How do I know the code he added to the plugin is secure?

At least with SEO Egghead there is a website you can visit and look at their knowledge to gain a little credibility. Also, they were the ones who came up with the super cool code which blocks hackers.

I mean no disrespect to the guy who forked the plugin, but it looks to me that he got himself a nice little plugin, called it “version 2”, and is accepting donations for his work. Heck, I could have done that.

Again, you can probably go with either plugin, but I’m sticking with the original.

Reply

James August 31, 2011 at 5:12 am

Thank you again for writing WP Defender. WP Firewall was the first plugin I installed on every blog I have and it has blocked so many hack attempts, it’s crazy. Every time it happens, I use my host’s IP deny option in my Host’s control panel. Since it covers all of my domains, I thought it would be quicker than doing it for each site. Would that be wrong? The attacks seem to stop after I block, so I think it is working.

Too bad that WP Firewall wouldn’t automatically deny an IP after a specified number of hack attempts and release the block automatically after a specified amount of time. It would be a nice feature.

Also, thanks for the heads up on the Timthumb. I updated all of the timthumbs that day. :)

Reply

John Hoff August 31, 2011 at 5:18 am

Hi James. That is a great suggestion. It would be nice if it would lock out an IP for, say, 3 days or something. Hopefully after that the bot will have moved on to other sites and leave yours alone. I think I’ll contact SEO Egghead and ask them if they could do that.

Blocking the IPs like you said should work just fine. Remember though, when you block an IP you’ll be blocking everyone who shares that IP address from accessing your site. Also, many times these bots try one IP and then a different one. So my suggestion then is to block it for awhile and then down the road some time perhaps consider releasing it… just in case you’re blocking legit people from accessing your site.

Reply

James August 31, 2011 at 5:31 am

Sounds like a good idea. They could even add a grey list, where if after 3 days the IP is found hacking the site, it could ban it for a longer period of time.

And even show a report of how many times each IP has been used to attack, has it been banned, when it was banned, when the last attack was from that IP, how many attempts so far, etc. Just some small statistics. The admin could use it to determine if they want to ban an IP for longer or release it prematurely.

Reply

John Hoff August 31, 2011 at 6:19 am

Good stuff, James. When I get a chance, I think I’ll email them.

Reply
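The lockout James suggests and John endorses above, carried through as an added example (my code, not the WordPress Firewall plugin’s or the article’s): an IP is banned for 3 days after a threshold of attempts, an IP that returns after its ban expired goes on a grey list with escalating bans, and the current ban list is rendered in the .htaccess form the article shows. The alert lines, the 3-attempt threshold and the 4x escalation factor are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

THRESHOLD = 3                  # attempts before the first lockout (assumed value)
FIRST_BAN = timedelta(days=3)  # the 3-day lockout suggested in the thread
ESCALATION = 4                 # each later ban lasts 4x longer (assumed value)

@dataclass
class IpRecord:
    attempts: int = 0
    bans: int = 0
    last_attack: Optional[datetime] = None
    banned_until: Optional[datetime] = None

    def is_banned(self, now: datetime) -> bool:
        return self.banned_until is not None and now < self.banned_until

class LockoutPolicy:
    def __init__(self) -> None:
        self.records: Dict[str, IpRecord] = {}
    def record_attempt(self, ip: str, when: datetime) -> IpRecord:
        rec = self.records.setdefault(ip, IpRecord())
        rec.attempts, rec.last_attack = rec.attempts + 1, when
        if rec.is_banned(when):          # attempts during a ban are only counted
            return rec
        if rec.bans > 0:                 # grey list: back after a ban expired, so
            rec.bans += 1                # re-ban at once and for longer each time
            rec.banned_until = when + FIRST_BAN * ESCALATION ** (rec.bans - 1)
        elif rec.attempts >= THRESHOLD:  # first lockout after THRESHOLD attempts
            rec.bans, rec.banned_until = 1, when + FIRST_BAN
        return rec
    def banned_ips(self, now: datetime) -> List[str]:
        return sorted(ip for ip, r in self.records.items() if r.is_banned(now))

def apply_alerts(lines: List[str]) -> LockoutPolicy:
    # Constructed alert format: "<YYYY-MM-DD> <HH:MM:SS> <ip> <request path>"
    policy = LockoutPolicy()
    for line in lines:
        date, time, ip, _path = line.split(maxsplit=3)
        policy.record_attempt(ip, datetime.fromisoformat(f"{date} {time}"))
    return policy

def render_htaccess(ips: List[str]) -> str:
    # The Apache 2.2 deny block shown in the article, generated from the ban list.
    return "\n".join(["order allow,deny", *(f"deny from {ip}" for ip in ips), "allow from all"]) + "\n"

SAMPLE_ALERTS = [  # constructed alert lines; addresses are from documentation ranges
    "2011-08-30 06:01:12 203.0.113.7 /wp-content/themes/alpha/timthumb.php",
    "2011-08-30 06:01:13 203.0.113.7 /wp-content/themes/beta/timthumb.php",
    "2011-08-30 06:01:14 203.0.113.7 /wp-content/themes/gamma/timthumb.php",   # 3rd attempt: 3-day ban
    "2011-08-30 06:01:15 203.0.113.7 /wp-content/themes/delta/timthumb.php",   # during the ban
    "2011-08-30 08:15:44 198.51.100.23 /wp-content/themes/alpha/timthumb.php", # one probe, no ban
    "2011-09-04 11:20:00 203.0.113.7 /wp-content/themes/alpha/timthumb.php",   # back after expiry: 12 days
]

if __name__ == "__main__":
    policy, now = apply_alerts(SAMPLE_ALERTS), datetime(2011, 9, 5)
    print(*sorted(policy.records.items()), render_htaccess(policy.banned_ips(now)), sep="\n")
```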

Ovidio DeJesus August 31, 2011 at 6:29 am

The timing of this post was perfect. I woke up this morning to the 300 emails from one of my customer’s websites. I had implemented the firewall using the info from your book, and it worked great!

One thing I noticed looking at the path used for the attacks, they seem to look for a set of themes from companies such as Elegant Themes. I know this because I use their themes, so I know their names. Knowing this, would it be a good idea, when installing a theme, to change the name of the theme directory so that it makes it a bit more difficult to find?

One other thing, the offending IP for my attack was 95.173.183.230.

Again, thanks so much for keeping us up to date with this information.

Reply

John Hoff August 31, 2011 at 6:38 am

Hi Ovidio DeJesus,

I noticed that as well. The bot just randomly takes a shot in the dark that you’re using a weak theme as far as TimThumb is concerned.

I don’t think renaming the folder will do much. My directory path is changed and the bots picked up on that. Also, it might make upgrading your themes a bit of a pain.

Glad you were ready. I always preach that WordPress security is all about prevention and preparation.

Reply

Keith Davis August 31, 2011 at 12:26 pm

Hi Ovidio
Yes Elegant Themes did use timthumb, but the latest versions of their themes don’t.

Nick Roach over at ET has a good article warning you of the problem and giving you a range of solutions.

Initially I used the latest version of timthumb but have since updated my theme and got rid of it altogether.

I had about 15 / 20 warnings of attacks today on a different IP.
I added it to John’s list.

Looks as though they just keep changing the IP!

Reply

Barbara Swafford September 7, 2011 at 3:44 pm

Hi John,

I came in search of you today. I had forgotten I had installed the “Limit Login Attempts” plugin on a blog I’m building and today I received an email stating someone was trying to access the blog. Had I not had that plugin activated, I would have never known.

Anyway, I landed here and just read this post plus watched the videos - good stuff. Ironically within minutes of installing the WP Firewall on all of my blogs, I received an email which showed 18 potential attacks within minutes of each other. Like James I used my “IP Deny Manager” in my cpanel to block the IP address. I made note of what you said about others using the same IP address, as well.

Whoever said “blogging is easy” doesn’t realize what goes on behind the scenes. Thank you for being the go to guy for security. You rock, John.

**waving “Hi” to Keith**

Reply

John Hoff September 7, 2011 at 4:59 pm

Hi Barbara, nice to hear from you but sorry it’s in regards to a bad circumstance.

They sure are trying out there, aren’t they?

Glad you’re protected. Just remember nothing is 100%, so part of WordPress security is also being prepared for when and if it happens.

Reply

Keith Davis September 10, 2011 at 10:31 am

Hi John

“…so part of WordPress security is also being prepared for when and if it happens.”

Never considered that before, but now you mention it, it seems obvious.

Presumably you mean regular backups of database and site files and having a plan of action for the fateful day… like jumping out of the window. LOL

I do back up regularly but not sure (actually, no idea) what my plan of action would be.

Any good articles covering that side of things John?

Reply

John Hoff September 10, 2011 at 9:11 pm

Yeah you know… I think I’ll write that one and post it to Problogger so that it can be in front of more eyes.

Basically if you do the WordPress Defender stuff you should be good.

– File Monitor
– Firewall
– Backups
– Upgrades, etc.

I’ll let you know when (and if) it gets posted.

Reply

Keith Davis September 11, 2011 at 1:49 am

Look forward to it John.

Keith Davis September 10, 2011 at 10:25 am

Hi Barbara
I’ve had a very lazy Summer as far as Blogging…. but I’ll be back on full throttle shortly.

Great to see you over here on John’s new site.

Reply

John Hoff September 10, 2011 at 9:07 pm

Barbara and I go way back. Even though I have never met her, she somehow feels like a second mom to me. She’s awesome, isn’t she?

Reply

Keith Davis September 11, 2011 at 1:48 am

Second mum John?
Surely you mean younger sister. LOL

I think that you and Barbara were the first two bloggers I started to chat with – a good choice as it turned out.

Reply

Barbara Swafford September 13, 2011 at 12:21 am

You’re making points Keith. LOL.

Seriously though, John is like family to me, and you’ve been welcomed to the fold, too.

How about a group ((hug))?

Dale Fahrney September 8, 2011 at 4:10 am

John: A good friend of mine sent this to me and it works very nicely… Maybe others may find it of value…..

http://codegarage.com/blog/2011/09/wordpress-timthumb-vulnerability-scanner-plugin/

It’s a free timthumb scanner and it also helps in replacing the file if needed.

Dale Fahrney

Reply

John Hoff September 8, 2011 at 9:46 am

Hi Dale. Hey that’s pretty cool and makes it easy.

One word of advice would be to delete the plugin once you’re done using it. No reason to keep plugins around and activated/deactivated which aren’t being used.

Thanks for sharing.

Reply

Dale Fahrney September 8, 2011 at 9:47 am

Absolutely…. Done and Done…..

Dale

Reply

Nicholas Scott@Writing a Killer Press Release September 12, 2011 at 5:30 am

Unbeknownst to most people who set up a WordPress powered website, they are also putting up a big banner saying, “I am ripe for hacking.” While the situation is better than it was two years ago, WordPress is still a major target for hackers and some of the problems like lack of proper escaping (relatively simple to fix) seem to have been forgotten about.

Reply

Aman Arora @ Tech Bloh October 3, 2011 at 8:39 pm

OMG you really got a lot of attacks, and I didn’t even know that there is a firewall plugin for WordPress. Thanks for that mate

Reply
