The way this denial of service attack works is that a random search string is sent to the search form of a WordPress based website. Caching plugins do not work against this because the search string is randomized. It’s quite simple but what I’ve been told is that this is not an issue for WordPress to handle. Instead, this attack should be dealt with by the webhost on a firewall level. At one point, a ticket was created by Scribu but has since been closed as won’t fix.

So at the end of the day, the best defense you have is a competent webhost that will do their part to prevent these attacks from happening. No reason to be alarmed.

While this particular version is relatively simple, the power behind the script and the MySQL database allows the attacker to distribute the attacks not only by sites, but also by passwords tried as well.

The article goes into detail explaining how the script works and suggests the typical security precautions such as using strong passwords, changing the admin username and limiting the admin login page to only your IP address. Brute force attacks on WordPress are nothing new but it’s interesting to see this approach using a distributed technique.

Hat tip to WPVibe.

WordPress is a complex web application that comprises more than 200 .php files. When you open any page, WordPress loads index.php which, in turn, loads many other .php files using the require() function. WordPress admin interface also relies on multiple .php files. In all cases, WordPress loads wp-config.php file which contains database credentials and other important information required for normal operation.

So what happens if both index.php and wp-config.php are infected with the gumblar backdoor scripts? Since Gumblar injects identical backdoor scripts into files on the same site, they’ll have declarations of identically named functions, which PHP doesn’t allow. Hence the “cannot redeclare zsmh() …” error.

One thing not mentioned in the Unmasked Parasites post is information regarding which specific versions of WordPress are at risk or are safe to use. I’ve left a comment on the blog post to try and get an answer but until then, Denis Sinegubko provides detection and removal instructions while also suggesting the use of the WordPress Exploit Scanner which scans for WordPress files for signs of suspicious activity.

Based on the reports of infection, this does not appear to be a WordPress centric issue pointing to a problem with the software.

Unfortunately, the blame game has come back in full force with those affected generally blaming WordPress, and those not affected blaming users who failed to upgrade in a timely fashion. The bottom line is, the issues that lead to this worm attacking older versions of WordPress was fixed in WordPress 2.8.4 which was released on August 12th. When it comes to a security release of WordPress, I take it seriously and don’t mess around with upgrading my site. I think Matt Mullenweg puts it best in his article which explains how to keep WordPress secure.

A stitch in time saves nine. Upgrading is a known quantity of work, and one that the WordPress community has tried its darndest to make as easy as possible with one-click upgrades. Fixing a hacked blog, on the other hand, is quite hard. Upgrading is taking your vitamins; fixing a hack is open heart surgery. (This is true of cost, as well.)

While WordPress has lowered the bar of entry to publishing content on the web, one constant remains, the responsibility of running your own website. This responsibility includes making sure that your webhost is doing its job, that the various layers and technologies which make WordPress tick are fairly up to date and locked down. These layers include but are not limited to PHP, MySQL, folder-file permissions, etc. Dave Coveney also brings up the point that security is more than just WordPress.

Even if you have the very latest version of everything there are, out there, what are known as zero day exploits. These are vulnerabilities which are kept secret by the hackers who have found them. They cease to be secret if they become widely used in a large scale attack. Like the current one against WordPress.

You can’t just upload WordPress, perform a bunch of customizations, install 50 plugins, 50 themes, and think everything will be fine from that day forward. WordPress along with the associated technologies are always evolving. That means your site must evolve as well.

One of the commonalities between most of the comments I’ve read regarding the worm attack consisted of upgrades breaking themes or plugins. Based on experience, I have never experienced a problem with a plugin or a theme completely breaking my site thanks to an upgrade. Sure, I’ve had times where some of the theme or plugin functionality broke because of a deprecated function or changed behaviour, but that’s about it. Generally if an upgrade breaks a site, it’s because of a poorly coded plugin or theme. I can’t believe this attitude that functionality trumps security. There are hundreds of plugins within the repository, if you’re afraid of one breaking or feel that it is not compatible with the upgrade, deactivate it until an update for it is available or use a replacement. Missing a small portion of functionality is better than having your entire site compromised.

But I Didn’t Know

This is by far the lamest excuse I’ve ever heard. When a new version of WordPress is released, here are the following ways you can find out.

Log into your dashboard and look for a colored message in the top center of your screen which says something like WordPress X.X.X is available! Please Update Now. The link will take you to the one click auto ugprader.

Activate the WordPress Development Blog dashboard widget. This will show you the latest posts from the WordPress development blog. If there is a new update, there will be a new post saying so.

In the bottom right corner of the administration panel, there will be the text Get X.X.X. This is a link to the one click upgrader letting you know you’re running an out of date version.

Follow the WordPress blog account on Twitter. @wordpress this account is managed by the WordPress team and usually will contain links to blog posts regarding new releases.

Follow blogs that report on the happenings within the community. The WordPress community does a great job spreading the word when a new version is released.

WordPress does maintain an announcement mailing list that you can subscribe to by checking a box in your WordPress forum profile but in my opinion, they have done a terrible job utilizing that list.

The Decisions You Make Today Shape Your Tomorrow

One question you should ask yourself before installing any theme or plugin is whether or not it will prevent you from upgrading. The same holds true for custom development work. A theme or plugin that is custom developed which does things in such a way that makes upgrading a pain means they developed it wrong. For starters, no one should ever hack any of the core files. Secondly, developers should use hooks and existing APIs to achieve functionality. If the functionality does not exist, they should create a ticket in Trac and request that a particular hook or API be added to core so core edits do not take place.

WordPress Can’t Do It All

WordPress has made it incredibly simple to upgrade with the addition of the one click upgrader yet so many still don’t seem to upgrade in a timely fashion. I realize the auto upgrader does not work for everyone but there are alternatives. It’s getting to the point where it seems as though the only way to curb irresponsibility is automation of upgrades. However, I believe this would create more problems than solve. Since automation is not likely to occur, the responsibility falls back on you, the individual. Take that responsibility seriously.

Please upgrade your WordPress blog to the latest version ASAP. Our own PluginBlog was vulnerable and was compromised (shame on me for not having upgraded from a really old version). Our blog had registration turned off.

After upgrading your blog and changing your password to a strong one, you can visit Lorelle’s post to find more ways to secure your install and remove the extra admin account that might have been created as part of the attack.

I removed the extra administrator account through phpMyAdmin and it was the last account created. You could also find the last account created and if it does not look familiar, could delete it and see if the number of Administrators in the user control panel is reduced to the original amount you expect to see.

a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying.

Thus WordPress 2.8.4. However, there are certain ways in which to respectfully report security vulnerabilities. An article on the vulnerability published by Programmerfish.com in my opinion did more harm than good. The article discusses the vulnerability, explains how to put it in practice, then goes on to show some examples of the vulnerability in action which the author performed on sites they didn’t own. The author tries to justify his/her actions by stating that it was just a proof-of-concept. The author has taken plenty of heat from folks in the comments which I believe to be appropriate.

The Correct Way:

If you discover a security problem with WordPress, this is the correct way to go about it. If you believe you’ve found a security problem in a release of WordPress please send mail to security at the WordPress.org domain and we’ll do our best to address it as soon as possible.

It is standard practice to notify the vendor (the WordPress developers, in this case) of a security problem before publicizing so a fix can be prepared and public damage due to the vulnerability minimized.

If you would like to see this method put into practice, check out the report time line from CoreLabs, a research and development company that discovered the privileges unchecked in admin.php problem which lead to the release of WordPress 2.8.1. They notified the WordPress team on June 6th of the problem. By communicating back and forth, the issue was resolved by July 8th. A day after, the new versions of WordPress and WordPress MU were released to the public to minimize damage of the exploit. In this situation, everyone wins.

Well today Ryan Boren has just posted at the WordPress.org blog about the release of the WordPress 2.8.3 Security Release.  As he mentions in the posting this fix is related to the privilege escalation issues in version 2.8.1.

What he says next is the real reason why WordPress is so popular and well supported:

Luckily, the entire WordPress community has our backs.  Several folks in the community dug deeper and discovered areas that were overlooked.  With their help, the remaining issues are fixed in 2.8.3.

Ryan is right – it is the community that looks after each other.  Where else would you have such a diverse and talented group who points out any issues instead of just taking them public even though it would draw a lot of attention and maybe fame for themselves?  How easy might it have been for someone to just point out those additional areas/issues for someone to exploit and get all the traffic? 

Well, it could have been very easy – just send that info to the web instead of into the hands of the developers of WordPress.

This site is another great example of the community around WordPress and the help everyone provides each other to make their understanding of WordPress even better and to share their experience.  I think there are many places that could look at what happens in the WordPress Community and see the positive impact an open environment can do for things.

Thanks to all of you here at WLTC and your willingness to be frank with us on each and every post and to assist each other in the comments and forums. You all definitely rock!

So the next question is – how do we make it even better?

Comment author URLs were not fully sanitized when displayed in the admin. This could be exploited to redirect you away from the admin to another site.

It is recommended that you upgrade your version of WordPress either by downloading the newer version or using the automatic upgrade feature in the admin dashboard.

Anti-spam WordPress Plugins

Akismet – One of the best plugins to protect your WordPress blogs against spam comments, this plugin has worked like a charm for many users, saving then time and effort while moderating and managing comments.

WP-SpamFree Anti-Spam – An extremely powerful WordPress anti-spam plugin that eliminates blog comment spam, including trackback and pingback spam. Includes spam-free contact form feature as well.

WP-Hashcash – WP Hashcash is an antispam plugin that eradicates comment spam on WordPress blogs. It works because your visitors must use obfuscated JavaScript to submit a proof-of-work that indicates they opened your website in a web browser, not a robot.

WP reCAPTCHA – reCAPTCHA is an anti-spam method originating from Carnegie Mellon University which uses CAPTCHAs in a genius way. Instead of randomly generating characters, reCAPTCHA uses a combination of these words from digitalized books and  further distorts them to construct a CAPTCHA image.

Math Comment Spam Protection – Probably the most simplest way to thwart spammers robots from posting comments on your blog, it adds a new field to the comment form asking users to enter a sum of two numbers, you will have to edit your contact template to include the comment spam field to it.

Security Related WordPress Plugins

WP Security Scan – Scans your WordPress installation for security vulnerabilities and suggests corrective actions. It allows you to generate strong passwords, check improper file permissions, database security, version hiding, admin panel protection and more.

WordPress Exploit Scanner – This plugin searches the files on your website, and the posts and comments tables of your database for anything suspicious. It also examines your list of active plugins for unusual filenames.

AskApache Password Protect – You can set up Password Protection for your blog using HTTP Basic Authentication, or you can choose to use the more secure HTTP Digest Authentication.

TTC WordPress Security Tool – This plugin blocks cross-site script attempts, ip numbers of ill behaved people and bots and bans bad user agents.

Secure WordPress – Little help to secure your WordPress installation: Remove Error information on login page; adds index.html to plugin directory; removes the wp-version, except in admin area.

WordPress Firewall – This WordPress plugin investigates web requests with simple WordPress-specific heuristics to identify and stop most obvious attacks.

Did I miss anything out? Do you use any plugins for optimizing security and protecting against spam comments? Do share them with others by commenting here.

I personally follow a few simple rules to make sure that I never fall for a social engineering or covert code trap on my blogs.

• Always download core WordPress code from http://WordPress.org. Type the link into your browser address bar rather than following a link from another blog or site. This includes updates and security fixes. If your web host offers one click installs or upgrades through their control panel, they are probably safe (they are safe if they are on a current version). I still suggest either installing a fresh copy from WordPress.org or using WordPress.com, but I do understand that one click installs are convenient.
• Try to download plugins and themes only from the official WordPress Extend. There are way too many themes and plugins (though much less plugins) that contain convert code and new WordPress theme download sites seem to be popping up everyday. We have covered shady themes many times on this blog.
• Never download “hacks” or “patches” to WordPress from anywhere. If you are unfamiliar with PHP, I would suggest that you ask people in the WordPress forums for help or contact us through our form on this blog for help. Always download official patches, updates and installs from the WordPress.org site.
• If you find a cool new trick, theme, plugin or hack for WordPress via a Google search, please be careful. I know the following is a cliche’, but if it looks too good to be true, it probably is.

Do you have any suggestions for our other readers? Have you found strange code on your blog or theme?

According to the bulletin that was published by Chxsecurity.org version 1.4.3 contains the following vulnerabilities:

• SQL Injection: caused by unsanitized variable “p” in the ajax_comments.php file.
• Cross Site Scripting: This affects authenticated and unauthenticated users.
• Cross Site Request Forgery: the form generated through wpcr_do_options_page lacks the WordPress wp_nonce security function.

These vulnerabilities are considered HIGH risks however, the latest version (1.4.4) apparently addresses these issues. If you are using this plugin on your blog, be sure to upgrade it to the latest version.

If you have open registration on your blog, the WordPress.org team recommends that you upgrade your install to WordPress 2.6.2 A handful of other fixes are also included in this upgrade. Here is a list of changed files.

For more information in regards to securing your WordPress installation, be sure to check out the Hardening WordPress article on the Codex.

Just so that everyone is aware, WordPress 2.5 is the latest stable version and this should be the version that everyone should upgrade to. Any older versions leaves you vulnerable. [EDIT] As mentioned on the legacy 2.0 page, WordPress 2.0.11 is the latest stable download with all the latest security fixes for the 2.0 branch. However, WordPress 2.5 is still the latest and the greatest and should be everyones upgrade target.

As for themes, if you feel that the theme you are using might be suspect of something strange, just disable it and get something else. I suggest you download themes from the original author’s website/blog and stay away from any theme that has an encrypted footer (though that would be hard to determine without looking at the code). At weblogtoolscollection.com we try our darnest to link directly to theme authors for the download.

Technorati is just the beginning. If your blog has spammy links, has covert hidden pages or links, is used for nefarious purposes, even without your knowledge, you are being penalized by the search engines. We are going to put together a post on how to figure out if your blog is hacked/exploited, clean up your blog if it is hacked, get your blog back to order, find spammy pages if they do exist and how to get your blog re-indexed. In the meantime, if you know of a good resource, please let us know and we will add it to the post.

Today is a good day to upgrade to WordPress 2.5

Multiple vulnerabilities have been identified in Photo Album (plugin for WordPress), which could be exploited by remote attackers to execute arbitrary SQL queries. These issues are caused by input validation errors in the “wppa.php” script when passing user-supplied parameters (e.g. “photo” or “album”) to certain functions (e.g. “wppa_album_name()” or “wppa_photo_name()”), which could be exploited by malicious people to conduct SQL injection attacks.

Multiple security advisory services places this round of vulnerabilities as a Moderate Risk. For example, FrSIRT describes the Moderate risk as being:

Remotely and locally exploitable flaws, which could lead to denial of Service or privilege escalation.

Versions 1.1 and prior of this plugin are vulnerable. As always, it is recommended that you disable this plugin until a patch for it is released.

[EDIT] Version 1.1 is a fix for this vulnerability. Versions 1.0 and prior might be vulnerable.