Full Post:

Last year on August 1, this WordPress blog was hacked. Thankfully I caught it quick enough to stay of Google’s malware list. I retraced the hacker’s steps and discovered a zero day vulnerability in many WordPress themes and plugins in the form of a popular image resizer called timthumb.php.

So I rewrote timthumb.php and worked with the author of timthumb and some of the WordPress team to merge my code into timthumb and we launched it as timthumb version 2.0.

But getting hacked made me realize that as awesome as WordPress is, it can do security better.

So I dropped everything and spent the last few months writing what I hope will be the last word in WordPress security.

A few days ago I quietly released Wordfence into the WordPress plugin repository. Since then I’ve been working with some amazing WordPress publishers to make Wordfence even better and I’ve been rapidly rolling out improvements, enhancements and (yes, believe it or not) a few bug fixes. I’d say Wordfence is getting close to finishing Beta testing at this point.

Except for two (rather minor) features, Wordfence is completely free. It is also backed up by a cluster of cloud based scanning servers that do most of the heavy lifting to keep your site running super fast.

Here are some of the more notable ways Wordfence enhances your WordPress security:

• Scans your core files against a reference copy which I maintain in our cloud servers.
• Lets you see what has changed, how the file has changed and even repair it.
• Scans your comments, posts and all files including core, themes, plugins and everything else under your WordPress root directory for malware, virus signatures, vulnerabilities and (very importantly) URL’s that are known to host malware or viruses.
• I want to re-emphasize the last point. Wordfence keeps known dangerous URL’s, including ALL URL’s that are on Googles’ safe browsing list, out of your comments, pages, posts and files. This is by far my favorite feature because it’s virtually gauranteed to keep you off the dreaded red-page-of-death-malware-list that Chrome and Google use to ban sites.
• Wordfence comes with a complete firewall that lets you set up rules based on the type of traffic and either throttle or block offenders with an SEO safe 503 (come back later) HTTP message.
• Another favorite feature of mine is that you can block fake Google crawlers. I actually added this after I tested Wordfence on this site because I couldn’t believe how many scrapers were pretending to be Googlebot. So now they are all instantly blocked.
• Wordfence uses Google’s recommended reverse-forward DNS verification to sift the fake Googlebots from the real ones.
• It includes login security against every form of brute force attack out there including abusing your lost-password form.
• And what’s the point of having all this awesome security if you can’t see who is visiting, who’s getting blocked and what humans and robots are doing? So Wordfence includes real-time traffic that wait..for…it…
• …Includes crawlers, scrapers, robots and all non-human traffic. Something you can’t get from Google Analytics or any other Javascript based analytics package.
• I’ve even broken out Googlebot, other crawlers, 404 errors, humans and there’s an All Hits view.
• And of course it includes commercial grade city-level geolocation which is another feature that comes from our cloud servers.
• Wordfence is also built using much of the knowledge I’ve gained building Feedjit’s real-time analytics so it is careful to minimize any impact on network, website and mysql database performance and keep your website running super-fast.

Most importantly, Wordfence comes with a commercial license if you prefer first-class support and support forums for free users including a generic WordPress security forum where I’m happy to answer general config questions.

Improving WordPress security is going to be a marathon, not a sprint. I’m in this for the long haul. So check out Wordfence now by installing it on your blog and work with me to make the Web and WordPress more secure.

In web server admin parlance, a VPS is a Virtual Private Server and a VHost is a virtually hosted website. There were a few questions regarding security on VPS’s and VHosts in my previous post on “Seven ways I could hack into your WordPress website“, so I thought I’d clarify what the difference is between WordPress hosted on a Virtual Private Server (VPS) vs WordPress on a Virtual Host (VHost) and what the security implications are of each configuration.

A Virtually Hosted Website (VHost)

In the early days of the web, you would have a single physical machine running a single operating system running a single web server. That web server would serve up a single website.

HTTP 1.0 introduced the optional “Host:” header and HTTP 1.1 made it mandatory with any web request that a browser sends. The effect of this is that when a web browser sends a request to any web server, it lets the server know which website it wants to see. Because web servers know what website a browser expects, they can now host an unlimited number of websites. This is called virtual hosting.

When you have a virtually hosted website, you are sharing a single server and operating system with many other websites. Your files and the files of other websites are stored on the same operating system. You all share the same web server and the server chooses which of your websites it needs to serve based on what a web browser requests when it connects to that web server.

Usually on a virtually hosted website, you won’t have access to other website files and they won’t have access to yours. This is usually done by giving you a unique username that you use to sign in and your username only has permissions to view your files.

A Virtual Private Server (VPS)

A VPS is a little different. Normally when you install any operating system, you install it directly on a machine like a server or workstation. With a VPS, you first install a base operating system like Windows or Linux. Then you install a virtual machine hosting platform called a Hypervisor. Examples of Hypervisor’s are VMWare and Xen.

Within the Hypervisor you can then install multiple virtual machines. These pretend to be physical hardware and when you boot them up you get a BIOS message similar to when you boot up a physical machine.

Within these virtual machines you can then install an operating system like Linux or Windows. Using this config you can have potentially hundreds of virtual machines running on a single physical machine.

So to summarize, you have a physical machine running an operating which runs a hypervisor which runs multiple virtual machines and each virtual machine runs its own operating system. Within these operating systems you run your own web server, have the files for your website and do anything else you feel like doing. It’s impossible for someone on another virtual machine to access your virtual machine.

Linode is one of the most popular virtual machine hosting providers and they use the Xen Hypervisor to host Linux virtual machines.

So which is more secure?

By now you’ve probably already figured it out: Running your own virtual machine that is completely segmented from everyone else is usually the more secure option. Here are a few reasons why:

1. If your web host messed up the machine configuration or permissions, then other users may be able to access your files.
2. If another user’s WordPress installation gets hacked, it may be possible for the hacker to gain read or in rare cases read and write access to your files.

Another thing I like about having a VPS instead of a VHost is that you have your own IP address. On the Internet, IP addresses can get blacklisted, particularly if you’re sending email. If your web application sends email e.g. if you’re using the WordPress “Subscribe to Comments” plugin, then your emails may be flagged as spam if another user on the same server is sending a lot of spam.

With a VPS you have your own IP address, so as long as the IP address wasn’t already black-listed when you got it from your web host (I’ve seen it happen) then only you are responsible for how that IP address is perceived on the Net.

In conclusion: While VPS’s tend to cost slightly more (about $20/month from Linode), they are well worth the extra cost when it comes to protecting your website and your reputation. As always please post any questions in the comments and I’ll either answer them directly or in a future post.

Caveat: I have generalized greatly when it comes to VPS and VHost configurations. There are many variants including Type I and Type II Hypervisors, shared hosting where a single OS hosts one web server instance per website and many more. I’ve described two common VPS and VHost configs above for illustrative purposes, however the VPS config I describe is probably the most common configuration used by VPS providers.

I’m getting emails from people who are interested in securing their WordPress blogs or websites. If I was going to hack your WordPress blog or website, here are the first seven things I would try and how you could prevent me from getting in:

1. Upgrade to the newest version of WordPress

I would look up known vulnerabilities in old versions of WordPress. Then I would scan the web looking for sites that are running an old version of WordPress that I know has a hole in it. I would automate the whole process. Once my automated script finds your blog running an old WordPress version, I would simply drop right in through the hole that security databases have known about for months or even years.

You can stop me from doing this by upgrading to the latest version of WordPress which is version 3.2.1 at the time of this writing.

2. Upgrade all your themes and plugins to their newest versions

In case you’re running the newest WordPress, I would look at your themes and plugins. I would try to find an old version of a theme with a known hole in it. Then I would drop right in and have my evil way with your server.

You can stop me by keeping all your themes and plugins up to date and upgrading immediately when a new version is released.

3. Get rid of the ‘admin’ user

If your WordPress core files, themes and plugins are up to date, I would try to guess your ‘admin’ password. I know the ‘admin’ user exists on most WordPress sites, so I would write a script that keeps trying to log-in using all the words in my dictionary.

You can stop me by creating a new user with “administrator” privileges. Then delete the old admin user and make sure you assign all admin’s posts and pages to your new admin user.

4. Make sure all your passwords are strong

OK so your site is a little more secure than I thought. But I’m not out of tricks yet. When you publish a blog entry, I will look at the name of the user who published the post. Then I will use my good old automated password guessing script to throw a whole dictionary at your login page using the username that I saw authored your newest blog entry.

You can stop me by making sure your password doesn’t exist in a dictionary and uses numbers and a mix of upper and lower-case letters.

5. Know what other web applications you have installed

Hmmm. You’re a tough customer. But I’m not done yet. WordPress isn’t the only application I could use to get in. Many websites also have forum software, helpdesk software and other applications installed. Security holes are regularly discovered in these applications, so I will scan your site and find out what other apps you have and see if any of them are old versions with known security problems.

You can stop me by making sure all your other applications are up to date and don’t have any known security holes in them that the vendor may have released fixes for.

6. Make sure all other public services running on your web server are secure

Your site looks secure so I’m going to fight dirty. I will use a tool called ‘nmap’ to scan for open ports on the machine that runs your WordPress installation. Ah I see you have an email server running IMAP along with an FTP server. I’ll try to log in to your email server and FTP server by guessing your passwords. I’ll also check to see if the server software or the operating system is an old version that has known security holes I can exploit.

You can stop me by making sure your blog host keeps your WordPress server secure and up to date. They should be running a new version of Linux or whichever operating system you are using. The operating system should have the latest patches and all services running on the machine should be known about, should be necessary and should have hard to guess passwords. Don’t be afraid to quiz your blog host about this.

7. Make sure you don’t get social’d

Well, your site seems too secure for me to hack in using my tech skills. So I’m going to use my charming personality. I’ll call you up, pretend I work for your hosting company and try to get any information from you that might be useful. Passwords would be first prize, but I’ll take anything I can get: Staff names, your favorite pet, internal phone numbers, products and services your company uses, your birthday, anything that might help me guess passwords or find juicy targets that give me a way in.

You can stop me by making sure you never give out passwords over the phone and don’t give out information unless you’ve verified who you’re talking to. A good tactic if someone has called you is to simply ask them for a call-back number. Then verify who the company is, that the number belongs to them and call them back.

Social engineering is the number #1 tactic hackers use to get into secure networks. Read the second comment on this recent Hacker News post (posted a week ago) for an example of how you might call up a company and get the last four digits of someone’s credit card. You might also find this story interest about how css-tricks almost lost their domain a few days ago.

Now that you know most of my sneaky hacker ways, you might want to read this WordPress article on how to further secure your WordPress site and keep hackers out.

I’m reposting this again because many of the emails I’m getting say “if you’re still interested”. Please contact me at mmaunder at gmail.com if your wordpress installation has been hacked. I need you to send me any files the hacker left on your system. To return the favor I will include you in a free beta program we’ll be launching within weeks that will solve your WP security problems for the forseeable future.

Email any compromised WordPress files, malware, WordPress backdoors or trojans to mmaunder at gmail.com. Thanks.

I’m driving through Europe for the next week so am not very available online. Currently in awesome Andorra. So if I’m not very responsive to your WordPress security needs I apologize. However, I have been working on a permanent fix to help with the recent spate of WP hacks and will be making it available as soon as I’m back at work. So apologies for the delay and thanks for your patience.

http://example.blogspot.com/b/post-preview?token=<long-encoded-string>&postId=532662776851272&type=POST

One would assume that Blogspot knows you are “you” because you are signed in to Blogspot and it identifies you using a cookie. So it shouldn’t be possible for anyone else on the Net to view your unpublished blog post right? Wrong.

If anyone else sees that link with the token, they simply paste it into their browser and they can view your unpublished blog entry.

I thought that this would present a problem if you’re previewing a blog entry and you click an external link you included in your blog post. This would send your “preview” URL to that external site as a referrer, which means that external site can access your unpublished blog entry. Google seem to have anticipated this and they prevent you from clicking anything on the page by putting a DOM overlay on the preview page.

However, all widgets on the page load. That means if you’re using a Facebook Like button, a stats widget, popular pages widget or any other external javascript widget that logs the current URL (pretty much all of them) then those external sites can access your unpublished blog entry. More importantly anyone who those external sites share the URL with can access your unpublished blog entry.

I thought perhaps if I logged out of Blogspot, that security token would expire and no one would be able to access my unpublished blog entry. Nope. It’s still accessible.

Providing security through the hope that no one will discover a hidden URL in a world where URL sharing has become a deep part of everything we do is not a good design. Blogspot team please fix this. Thanks.

Walking into ADF-C we had to leave all cellphones, cameras and electronic devices behind and produce two forms of ID to get in. Once inside, there were a wide variety of military personell mixing with civilian contractors. What has surprised me about Buckley on previous visits and again today is the international presence including Canadian and Australian military personell.

The base colonel did an impressive speech on opsec and the importance of the work done on Buckley including the sacrifice families in secure jobs make. “Hi Honey, what did you do at work today?”. “Oh nothing.”. Most families I know, including my own immediate family, talk passionately about our jobs among each other, debate decisions we made, discuss colleagues and work events and so on. Families in secure jobs, including many of my extended family, can never discuss things they work on now or worked on many decades ago. This includes military contractors. Maintaining that discipline is an impressive sacrifice that I don’t think many people appreciate.

Walking into the base, there were many areas we could not access. But they had put together an impressive display for us. The first desk absolutely blew me away. The National Geospatial-Intelligence Agency is based at Buckely. I’ve been using their data for years and recommending it to others and I walked up to the young sergeant behind the desk and literally shook the guys hand and thanked him for the awesome data they make available to the public. Any online business, world-wide, that provides a city or point of interest radius search, uses the NGA’s data and probably dont’ even realize it.

Next up was AGI that makes software to track objects in orbit. The demo they had up was impressive, tracking items in low and medium earth orbits in real-time. The guy was telling me they provide API’s in .NET and Java for developers and as I was listening I looked over my shoulder and totally lost interest because….

The National Security Agency had a booth there. My wife and I immediately headed over and the three people behind the desk were incredibly friendly and forthcoming about their work. But the real treat was that they had a working original enigma encryption machine from WWII. The engima created the strong awareness of the importance of cryptography we have today and it’s one of the main reasons the NSA exists today. Most of the folks behind the desk were mathematicians or worked with, or are married to mathematicians. They have a presence on Buckley and they told us that post 9/11 they diversified beyond Fort Meade (Maryland).

Next up was the National Reconnaissance Office or NRO. These are the guys who actually launch and operate the spy satellites that the NSA and other agencies use. I picked up these cool postcards of a few of the 2010 and 2011 launches they’ve done:

I also chatted to folks from a software division in Lockheed that have designed a 3D walkthrough app that uses real-world photography taken from a reconnaissance aircraft to create a model of an environment. Imagine a Quake walkthrough game of Vegas with actual footage taken at an instant in time of the city. That’s what they had on a demo system. It’s designed to take battlefield intel and provide a walkthrough for folks planning an operation.

We went back to the NSA booth later to play with that enigma some more. It has 3 sets of numbers that are synchronized when two machines are together. Then before a transmission is sent, the sending station will broadcast how much the receiver needs to increment their machine’s numbers by in order to receive the code. The NSA person I spoke to told me that was one of the weaknesses that helped the Polish cryptanalysts (and then Blechley Park) crack the code. That transmission containing the increments always contained no data.

Next up, we took a tour of one of the base radome’s, but on the way I spotted an interesting plaque on a wall in the hallway. It said “Echelon” with a coat of arms and the slogan “Acta Non Verba”. I went back and did a double-take. One the way back I did a triple take. Some amazing history there if you know anything about signals intelligence.

I always thought those Radome’s contained radar systems for local aircraft, considering it’s an Air Force base. But they contain 85 ft diameter satellite dishes that weigh almost 200 tons and rotate at 2 degrees per second when they’re moving. The dome’s are constructed out of a material that seems similar to mylar (main sail material) and are kept at a positive pressure to strengthen them. They can handle winds up to 125mph. If you live in Colorado you’ll know they dot the landscape for hundreds of miles in the Denver and Colorado Springs areas.

I chatted to a bomb tech for way too long about a display they had. Did you know you can fire a rifle into C4 and it won’t detonate? Or the most time consuming explosive to dispose of is sweaty dynamite? My wife chatted to a hostage negotiator. They had a glider and pilot from the civil aviation patrol and we chatted to him for ages about local gliding conditions and riding thermals into Wyoming and back.

They had a cool karate demo at the end of the day – a full contact style I did briefly some time ago called Ken Po. The acrobatics were matrix-like and the base commander broke a pile of 8 bricks and didn’t even flinch when I shook his hand as we were leaving. Cool guy and he seems to be an inspirational leader.

Thanks to all the volunteers at Buckley for spending your Saturday morning letting us civilians peek behind the curtain.

If your WordPress blog has been hacked, please email me. I’m collecting data on intrusion methods and backdoors. If you’ve been hacked, I’ll examine your server free of charge, share what I find with you and will make recommendations on how to repair your site, all at no cost. Please note that I will need “Shell” access to your machine. In other words I’ll need a username and password and will log in via SSH to examine the server that hosts your WordPress blog.

If you’re in dev or ops and have an attack vector you’d like to share, please zip it up and email it to me with as much technical detail as you can.

Email me at mmaunder at gmail.

Thanks!!

I spent some time yesterday reaching out to folks I know to try and get some input on WordPress security, avoiding getting listed as Malware and how to get removed from the Malware list. Rand Fishkin, the founder of SEOMoz and all round SEO God was kind enough to introduce me to Justin Briggs who is an SEO consultant and guru. Justin quickly came back with the following advice:

WordPress is certainly more susceptible to malicious attacks due to its popularity and the large number of sites that can be compromised with an exploit.

The best preemptive solution is to keep up on updates and increase security associated with WordPress.

Here are two good articles on ways to improve WordPress security.

WordPress offers an article on hardening WordPress:

http://codex.wordpress.org/Hardening_WordPressAnd Matt Cutts wrote a few tips on his personal blog:
http://www.mattcutts.com/blog/three-tips-to-protect-your-wordpress-installation/

If a site is compromised, Google will make an effort to get in touch with you. They outlined these details of how they attempt this here:
http://www.google.com/support/webmasters/bin/answer.py?answer=163633#3

They also offer some additional tips:

http://www.google.com/support/webmasters/bin/answer.py?answer=163635

Once a site has been cleaned up, you can send a request to Google:

http://www.google.com/support/webmasters/bin/answer.py?answer=168328

I’ve had a friend’s site who was exploited several months ago. It was a bit of work to get it cleaned up, but the warning was removed relatively quick after submitting the request to Google.

I contacted friends who are current and former Google employees but no luck getting in touch with the Malware team. In general it’s hard to connect with folks inside the big G with questions that are usually handled by support teams. [As I've been politely told in the past].

I’ve had two reports in the last 12 hours of WordPress blogs that were compromised via the Timthumb hack being listed as malware by Google. If you try to visit either site, you are confronted with the following:

These sites are listed with the warning that “This site may harm your computer” in Google’s search results and Google blocks access to the site with a warning forcing you to manually type the URL into your location bar if you really do want to visit the site:

One of the site owners sent me the detailed info that Google Webmaster Tools was giving her:

This malicious code is appearing intermittently on this author’s WordPress site. I’ve seen this same pattern recently in blogs I’ve repaired and the way it works is that the site is periodically downloading new PHP code from a remote site run by the attacker and re-injecting it into the wordpress code. That allows the attacker to add, remove and update whatever code he/she is executing on your blog. So they could for example update any spam links every few hours.

To prevent your site being listed as malware clean it as fast as possible

The fastest way to do this, although it doesn’t gaurantee a complete clean, is the following:

1. Remove all old plugins and themes you aren’t using.
2. Upgrade all your plugins and themes to the latest versions and make sure none of them use an old version of Timthumb.
3. Clean any Timthumb cache directories.
4. Upgrade your entire wordpress installation, even if it’s at the latest version. This overwrites all wordpress files.
5. Search your directory tree for any remaining suspicious files that contain base64_decode wrapped in an eval() statement or URL encoded data. More info on how to do this search here. Delete any files you find. NOTE: If you don’t find any additional infected files in this step, it’s highly likely that your site is not clean. Every attack that I’ve seen so far using Timthumb gets in by uploading a file into the cache directory and then uploads an additional file into a writeable directory on the blog to ensure continued access once the cache is cleaned. Make sure you find that additional file.
6. Make sure the only directory that is writeable in your wordpress installation is wp-content/. Directories like wp-admin and wp-includes should be read only by the web server.

If you are already listed as malware by Google, here is what to do

Potential long term impact of this vulnerability

The fact that I’ve seen the same domain being used by attackers on multiple blogs suggests this attack may be partially or fully automated. The worst case scenario is that we end up with a WordPress botnet with thousands or tens of thousands of servers on high bandwidth links compromised and able to send spam emails or launch a huge DDoS attack.

Keep in mind that most botnets are compromised windows machines on relatively slow home broadband connections. Their uplink speeds are around 512kbps. These WordPress servers are on links that are a minimum of 10 Megabits per second each, so they have plenty of firepower for a coordinated attack. One WordPress server is equal to at least 20 infected PC’s in terms of pure bandwidth firepower.