Wordpress Slick Hack

shoemoney · 2 min read
One of our friends' sites that we helped set up on WordPress just got hacked this morning. It was running WordPress 3.28. The weird thing is the site gets like 10 visitors a day and has no backlinks.

The hack was one of those fire-and-forget ones. The hacker came from a Google search, targeted a file that he posted the payload to, then prepended every .php file with a base64-encoded PHP script that looked for referrals from search engines. It was always cloaked, so none of the search engine bots would see it. So in essence, to the owner of the website all would appear normal unless you came to the site from a search engine. And to the search engine the content would look normal too, so the site would keep its ranks (until discovered).

So just some friendly reminders to mitigate your risk of being hacked:
  1. Keep up to date (DUH).
  2. If at all possible, do not use Apache as a web server. Instead use nginx, which will not execute code like that.
  3. If you have to use Apache, run mod_security, which will not allow payloads like this to be distributed.

Because this site had such a low amount of traffic, there were not many things to detect it. If your site has traffic, though, there are a few things that can show you pretty much instantly when you have been hacked:

Chartbeat will alert you if there is a sudden influx or drop in your traffic.

Google Analytics will show a drop-off instantly, especially in time on your site.

I love WordPress, it's fantastic software. The only issue is that because it's open source, hackers have full access to the code. And when WordPress issues an upgrade they go into detail about where the security issues are... which obviously is a hacker's wet dream.
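A file-level check for the injection described above (a base64-encoded PHP script prepended to every .php file), which works even on a site with too little traffic for analytics to notice. This is an added example, not code from the original post; the `eval(base64_decode(...))` wrapper, the 200-character threshold and the sample tree are assumptions constructed for illustration.

```python
import base64, hashlib, re, tempfile
from collections import defaultdict
from pathlib import Path

# Heuristics are assumptions of this example: a decode-and-run call plus a long base64 literal.
DECODE_CALL = re.compile(rb"\b(eval|assert)\s*\(.*?base64_decode\s*\(", re.I | re.S)
LONG_B64 = re.compile(rb"[A-Za-z0-9+/=]{200,}")
LEADING_BLOCK = re.compile(rb"\s*<\?php(.*?)\?>", re.S)

def leading_block(data: bytes) -> bytes:
    """Body of the first <?php ... ?> block, only when the file starts with a closed one."""
    m = LEADING_BLOCK.match(data)
    return m.group(1).strip() if m else b""

def scan(root) -> dict:
    """Map sha256(leading block) -> relative paths, for suspicious leading blocks only."""
    root, clusters = Path(root), defaultdict(list)
    for path in sorted(root.rglob("*.php")):
        block = leading_block(path.read_bytes())
        if DECODE_CALL.search(block) and LONG_B64.search(block):
            clusters[hashlib.sha256(block).hexdigest()].append(path.relative_to(root).as_posix())
    return dict(clusters)

def build_sample_tree(root: Path) -> None:
    """Constructed sample: three files sharing one inert prefix, plus two clean files."""
    blob = base64.b64encode(b"/* constructed inert placeholder */ " * 10).decode()
    prefix = f'<?php eval(base64_decode("{blob}")); ?>'
    clean = "<?php get_header(); ?>\n<h1>Hello</h1>\n"
    for name in ("index.php", "wp-config.php", "wp-content/themes/x/footer.php"):
        p = root / name
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(prefix + clean)
    (root / "clean.php").write_text(clean)
    (root / "lib.php").write_text("<?php\nfunction f() { return base64_decode('aGk='); }\n")

def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(Path(d))
        return scan(d)

if __name__ == "__main__":
    for digest, paths in demo().items():
        print(f"{len(paths)} files share prefix {digest[:12]}: {paths}")
```

A cluster containing many unrelated files with the same leading block is the signature of a mass prepend; a single hit is more likely a plugin's own obfuscated code and needs manual review.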