This is what a 10-day roller coaster of nerves looks like:
Yes, Of Zen and Computing was hacked, and our traffic was hijacked.
If by some chance you have not heard about the recent outbreak of WordPress security issues, allow me to inform you. A recent backdoor was discovered in the popular blogging software that allowed unauthorized access to many, many blogs, including this one.
Traffic disappears, overnight
I awoke one Thursday morning in late May to find traffic in the trenches. My first thought was that Google hit me with the banhammer, but a talented colleague in the search marketing business took a look at my logs and my indexed pages, and we concluded that such was not the case. I could not see how that could be the case anyway, since the only promotion I do for OZaC is writing articles I think others would find helpful… nothing wrong with that, right?
After a few days, traffic returned to normal. I breathed a sigh of relief… and then it took another nosedive. I took a closer look at the site’s database, and got to the root of the problem with the help of this article. As it turns out, some criminal had placed a faux image file containing hidden PHP code on OZaC’s web server, and then inserted a reference to that image file in the site’s list of active WordPress plugins.
How the hack works
With his hidden code injected into this site, the hacker was able to redirect all incoming search engine traffic. The foreign image file did not show up on the Plugins page of the WordPress admin, even though it sat in the database's list of active plugins, and the blogging software did indeed execute the hidden code on each and every page load. The OZaC web server would receive the request and record it in the HTTP logs, then execute the unauthorized code. At this point, any search engine visitor would be redirected to a spam site. Devious, and despicable to say the least.
Plugging the hole
Removing the malicious code and plugging the security hole involved:
- Deleting all unauthorized files placed on the Of Zen and Computing web server.
- Removing the unauthorized plugin entries from the database.
- Upgrading WordPress.
- Changing all passwords known to man.
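The injected "plugin" described above lived in the database's active plugin list, not in the admin UI, so the quickest check is to audit that list directly: every entry should be a `.php` file inside the plugins directory, and no file it points at should be an image that carries PHP code. The following Python script is an added example written for this post, not code from Of Zen and Computing or from WordPress; it covers both the detection step (how the hack works) and the cleanup step (removing the unauthorized plugin entries). The serialized value and the file contents are constructed samples; in practice you would read the `active_plugins` row from `wp_options` and the file bytes from `wp-content/plugins/`, which are assumed locations here.

```python
import re

# WordPress stores active_plugins as a PHP-serialized array of strings, e.g.
#   a:1:{i:0;s:19:"akismet/akismet.php";}
# Only the s:N:"...": string values are needed for this audit.
PHP_STR = re.compile(rb's:(\d+):"')

# Opening tags that mark embedded PHP. "<?" alone is avoided so that an
# XML declaration inside a legitimate file does not trigger a finding.
PHP_OPEN_TAGS = (b"<?php", b"<?=")


def php_unserialize_string_list(blob: str) -> list[str]:
    """Return every string value in a PHP-serialized array (keys are skipped)."""
    data = blob.encode("utf-8")
    values = []
    pos = 0
    while True:
        m = PHP_STR.search(data, pos)
        if not m:
            return values
        length = int(m.group(1))           # PHP counts bytes, not characters
        start, end = m.end(), m.end() + length
        if data[end:end + 2] != b'";':
            raise ValueError(f"malformed serialized string at byte {m.start()}")
        values.append(data[start:end].decode("utf-8"))
        pos = end + 2


def php_serialize_string_list(items: list[str]) -> str:
    """Rebuild a PHP-serialized, integer-indexed array of strings."""
    body = "".join(
        f'i:{i};s:{len(s.encode("utf-8"))}:"{s}";' for i, s in enumerate(items)
    )
    return f"a:{len(items)}:{{{body}}}"


def audit_entry(entry: str, plugin_files: dict[str, bytes]) -> list[str]:
    """Findings for one active_plugins entry; an empty list means it looks clean.

    plugin_files maps each entry to its file bytes (hypothetical stand-in for
    reading wp-content/plugins/<entry> from disk).
    """
    findings = []
    parts = entry.replace("\\", "/").split("/")
    if entry.startswith("/") or ".." in parts:
        findings.append(f"{entry}: path escapes the plugins directory")
    is_php = entry.lower().endswith(".php")
    if not is_php:
        findings.append(f"{entry}: active plugin is not a .php file")
    content = plugin_files.get(entry)
    if content is None:
        findings.append(f"{entry}: referenced file does not exist")
    elif not is_php and any(tag in content for tag in PHP_OPEN_TAGS):
        findings.append(f"{entry}: non-PHP file contains PHP code")
    return findings


def audit_active_plugins(serialized: str, plugin_files: dict[str, bytes]) -> list[str]:
    """Run audit_entry over every entry in the serialized active_plugins value."""
    findings = []
    for entry in php_unserialize_string_list(serialized):
        findings.extend(audit_entry(entry, plugin_files))
    return findings


def clean_active_plugins(serialized: str, plugin_files: dict[str, bytes]) -> str:
    """Return a new active_plugins value that keeps only the clean entries."""
    keep = [e for e in php_unserialize_string_list(serialized)
            if not audit_entry(e, plugin_files)]
    return php_serialize_string_list(keep)


# Constructed sample: one legitimate plugin plus an injected "image" entry.
SAMPLE_ACTIVE_PLUGINS = (
    'a:2:{i:0;s:19:"akismet/akismet.php";'
    'i:1;s:29:"../uploads/2007/05/header.gif";}'
)
SAMPLE_FILES = {
    "akismet/akismet.php": b"<?php\n/* Plugin Name: Akismet */\n",
    # A GIF header followed by a PHP tag: an image that is really a script.
    "../uploads/2007/05/header.gif": b"GIF89a" + b"\x00" * 16 + b"<?php /* hidden code */ ?>",
}

if __name__ == "__main__":
    for finding in audit_active_plugins(SAMPLE_ACTIVE_PLUGINS, SAMPLE_FILES):
        print("FINDING:", finding)
    print("cleaned:", clean_active_plugins(SAMPLE_ACTIVE_PLUGINS, SAMPLE_FILES))
```

Run against the sample, the audit reports three findings, all for the `.gif` entry (it escapes the plugins directory, is not a `.php` file, and contains a PHP tag), and the cleaned value keeps only the Akismet entry. Writing the cleaned value back to `wp_options` removes the foothold, but as the list above says, the file itself still has to be deleted and every password rotated, because the database entry is only the trigger, not the way in.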
We are now functioning at full capacity once again… with apologies to all the visitors searching for technology-related articles who were unwillingly forwarded to meaningless spam.
How to secure your own blog
There are a number of variations on this security breach — most of them involve somehow placing unauthorized code on your web server. If your blog is powered by WordPress, it is very important to keep the installation up to date. And if you have been breached, you need to clean out all unauthorized files and access points, and reset all your passwords — WordPress accounts, shell access, database access… everything. This article on the WordPress security breach was a huge help in identifying the problem and implementing the solution. Read it word for word, and follow its instructions step by step.