
Last week, in the early hours of Friday morning, some malicious code was injected into the MakeUseOf theme, and began redirecting visitors to a Spanish malware site, reporting to be a Flash update. We took the site offline as soon as we had identified the issue and began rectifying the changes. We heard from a few concerned users about the obvious malware, but we have had no reports of anyone actually downloading it.

Regardless, we’re sincerely sorry for the risk we exposed you to. We pride ourselves on being a trustworthy site for all of your computing needs, and we let you down. We’ve been targeted many times in the past, and ridden the waves of everything from extreme DDoS attacks to domain hijacking. We thought our defences were sufficient, but they weren’t.

So What Have We Done About It?

  • We immediately upgraded WordPress. We had been holding off on the latest update due to concerns about changes to the file uploader, but this left us exposed.
  • We reduced the number of editors with admin-level access, as it’s possible one of our editor’s computers was compromised. We also immediately enforced a password change for everyone.
  • We removed theme editing functionality from the WordPress admin panel. Any changes will now only be possible over a secure FTP connection.
  • We installed 6Scan Security, which identified a few vulnerabilities in plugins and core WordPress files, all of which have since been fixed. If you’re using WordPress on a standard server setup, you might want to try WP Security Scan too.
  • We removed the “admin” user, a rookie error we had thus far overlooked.
  • We removed the readme.html which exposed our WordPress version number.
  • We enforced HTTPS for all logins.

As you can see, we’ve decided to be overly cautious. The hack involved the theme editor within WordPress, so disabling that alone should be sufficient to prevent any future occurrences, but we’ll be erring on the side of caution from now on.
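The hardening list above, turned into an added audit script that is not MakeUseOf's own code: it checks a WordPress directory for the version-leaking readme.html and for the DISALLOW_FILE_EDIT and FORCE_SSL_ADMIN constants in wp-config.php, which are the standard settings for disabling the theme editor and forcing logins over HTTPS. It assumes a plain file layout; the admin-user and plugin findings need the database and a scanner and are not covered here.

```shell
#!/bin/sh
# Audit a WordPress install directory for the hardening items listed above.
# Prints one WARN line per finding and returns the number of findings.

# True if wp-config.php ($1) contains define('NAME', true) for constant $2.
has_true_const() {
    grep -Eq "define\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" \
        "$1" 2>/dev/null
}

wp_audit() {
    dir="$1"
    cfg="$dir/wp-config.php"
    findings=0

    # 1. readme.html ships with every release and discloses the version number.
    if [ -f "$dir/readme.html" ]; then
        echo "WARN: $dir/readme.html present (leaks WordPress version)"
        findings=$((findings + 1))
    fi

    # 2. The theme/plugin editor is disabled by DISALLOW_FILE_EDIT.
    if ! has_true_const "$cfg" DISALLOW_FILE_EDIT; then
        echo "WARN: DISALLOW_FILE_EDIT not set to true in $cfg (theme editor still enabled)"
        findings=$((findings + 1))
    fi

    # 3. FORCE_SSL_ADMIN forces the login page and admin area onto HTTPS.
    if ! has_true_const "$cfg" FORCE_SSL_ADMIN; then
        echo "WARN: FORCE_SSL_ADMIN not set to true in $cfg (logins may go over HTTP)"
        findings=$((findings + 1))
    fi

    return $findings
}

# Usage: sh wp_audit.sh /path/to/wordpress  (exit code = number of findings)
if [ $# -gt 0 ]; then
    wp_audit "$1"
fi
```

Both defines must sit above the `require_once ABSPATH . 'wp-settings.php';` line in wp-config.php, since WordPress assigns FORCE_SSL_ADMIN a default during that include if it is still undefined.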

Again, our sincerest apologies. Even the experts get hacked sometimes.


  1. macwitty
    May 9, 2013 at 12:25 pm

    First, I understand it has been a hard time and I'm pleased that you are open with what happens.

    Then, I had to smile when I read about the admin account. When we heard about the last attacks on WordPress I took a look at the ones I'm involved in, just to be sure, as I know none of the admins use an account with the login name "admin". I was right about the use but not about the account. On two of them there was an unused "admin" account - luckily with a better password than the standard installation.

    "removed theme editing functionality from the WordPress admin panel" was interesting - will think about following you in this

  2. Shamsi
    May 8, 2013 at 7:37 pm

    Frankly, I find it almost unbelievable that you had done little or nothing to secure your WP site. But I'm glad to see the apology and the lesson on hardening WP sites.
    Thanks for coming clean.

  3. JS
    May 8, 2013 at 6:27 pm

    I think experts would have removed the admin login a little more quickly, especially considering the recent news:

    • James Bruce
      May 8, 2013 at 8:41 pm

      The admin account wasn't hacked, and is only vulnerable with a weak password; the password was strong. FWIW, I personally always change the admin account; in this case, it was my boss's account - not in use by me to manage the site - and it never crossed my mind that it might still exist.

      • Aibek Esengulov
        May 14, 2013 at 3:48 am

        There is nothing wrong with having an "admin" account as long as the password is secure. It's as good as any other admin account with some other username.