Recent WordPress-Based Website Hacks: The Panama Papers, The Redirect Hack, & More

Not a month goes by – sometimes not a week – without news of a hack into WordPress sites. With WordPress security, the suspected actors may change, as do the victims, but more often than not, the hack itself boils down to the bad guys either exploiting a new vulnerability or taking advantage of lax admin security.

Several high- and low-profile hacks this year caught our attention. We want to review three of them – to remind users of the WordPress security steps they can take to ensure they also don’t wind up in the news.

The Panama Papers

The prime minister of Iceland resigned in disgrace. A $2 billion trail of hidden loans and offshore deals led directly to Russian President Vladimir Putin. In all, 143 politicians from around the world took advantage of offshore tax havens, and the only reason we know about it is an unpatched WordPress platform.

That’s right: an anonymous source acquired 11.5 million private documents from the world’s fourth biggest offshore law firm, Mossack Fonseca, and then shared them with a German newspaper. The newspaper then handed them over to the International Consortium of Investigative Journalists, which then put the pieces together for a detailed exposé that was published in April.

It was initially believed that the documents were snatched from a hacked email server – and that may still be the case – but further investigation showed the anonymous hacker broke into the law firm’s system through unpatched versions of WordPress and Drupal CMS. One strong theory floated by the security firm WordFence is that the Mossack Fonesca website ran on WordPress and was using a version of Revolution Slider that is vulnerable to attack.

The vulnerability grants remote attackers a shell on a web server, and would have made the law firm’s site easy to attack. As WordFence believes, the firm’s web server was not behind a firewall, and it was on the same network as the hacked email server, potentially letting the hacker access all email.

WordPress Security Tip: Update Plugins & Themes

The moral of the story is – aside from not participating in off-shore tax dealings – is to regularly update your WordPress themes and plugins. If they have a security vulnerability, the creator will update a patch. But remember to first double-check the origin of themes and plugins and make sure they’re from reputable sources before downloading.

Hack Redirected Visitors to Malicious Sites

In May, the security firm Sucuri found several WordPress sites with the same infection that randomly redirected visitors to malicious sites. The malware injected 10 to 12 lines of code at the top of the header.php file of the WordPress theme in use.

The header code wasn’t complex. As a visitor hit the site, the script placed a cookie to track returning visitors for one year, while also checking to make sure the visitor isn’t a search engine crawler or other bot. It then checked the user agent header to see if the browser is vulnerable to infection and redirected non-bot visitors to a malicious site if it was their first visit after the initial infection. If Internet Explorer was detected as the browser, the redirect went to a website that pushed out a fake Flash or Java update, which could actually have been a known malware that visitors might download.

Sucuri found that in many cases the infected WordPress sites had multiple vulnerabilities. In other cases, the infection was the only one but it was in the active theme’s header.php file, meaning the hackers had access to the WordPress admin interface and could edit theme files from there. With such access, hackers could cause damage even after the original infection was removed.

WordPress Security Tip: Change Passwords and Inspect WordPress after a Hack

The moral of this story is even if you discover malware and remove it, you should nonetheless change all passwords and check for rogue admin accounts that may have been introduced. Granted this seems like advice for when the horse has left the barn, but not really: There still may be more dark horses lurking with control of your WordPress site.

A Trove of Attack Tools

When investigating a large WordPress infection in February, WordFence found a trove of attack tools that pointed to a single “meta” script that was only two lines long, but powerful enough to become what the security company called an “attack platform.”

In a nutshell, the script was downloading its full source code from pastebin.com, a site where anyone can post any text anonymously. The attacker, likely a member of a hacking group in Vietnam, posted the source on pastebin and the script could then be downloaded from there and executed. Once installed, this attack platform could give a hacker 43 attack tools they could download to manage the WordPress site filesystem, access the database through a SQL client, view system information, mass infect the system, and many other bad acts. This attack platform infection was a tough one to detect, and demonstrates the inventiveness of hackers. Not only did it need to be detected early, but it also was comprehensive. Professionals would be best at cleaning this kind of attack up.

WordPress Security Tip: Use Best Practices & Lean on Expertise for Help

The moral of this story is that WordPress administrators should always be implementing best practices to prevent the attacker from gaining access, but can’t be expected to know every security measure. The good news is that a managed hosting service, like Liquid Web, offers a level of support that takes care of WordPress security so you can worry about other business functions.

These are only three examples of recent WordPress hacks – there are plenty more we could dissect. However, hopefully the lessons learned in the above attacks can help you protect your site.

Want WordPress without the hassle? Check out WordPress Without Limits, a managed WordPress solution, with one-click staging, one-click backup restoration, automatic updates, automatic backups, and free SSL.