Last week, in the early hours of Friday morning, some malicious code was injected into the MakeUseOf theme, and began redirecting visitors to a Spanish malware site purporting to be a Flash update. We took the site offline as soon as we had identified the issue and began rectifying the changes. We heard from a few concerned users about the obvious malware, but we have had no reports of anyone actually downloading it.
Regardless, we’re sincerely sorry for the risk we exposed you to. We pride ourselves on being a trustworthy site for all of your computing needs, and we let you down. We’ve been targeted many times in the past, and have weathered everything from extreme DDoS attacks to domain hijacking. We thought our defences were sufficient, but they weren’t.
So What Have We Done About It?
- We immediately upgraded WordPress. We had been holding off on the latest update due to concerns about changes to the file uploader, but this left us exposed.
- We reduced the number of editors with admin-level access, as it’s possible one of our editors’ computers was compromised. We also immediately enforced a password change for everyone.
- We removed theme editing functionality from the WordPress admin panel. Any changes will now only be possible over a secure FTP connection.
- We installed 6Scan Security, which identified a few vulnerabilities in plugins and core WordPress files, all of which have since been fixed. If you’re using WordPress on a standard server setup, you might want to try WP Security Scan too.
- We removed the “admin” user, a rookie error we had thus far overlooked.
- We removed the readme.html which exposed our WordPress version number.
- We enforced HTTPS for all logins.
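The file-level items in that list (disabling the dashboard theme editor, forcing HTTPS on logins, removing readme.html) can be checked mechanically. The script below is an added example, not MakeUseOf's own tooling; it assumes a standard WordPress layout and uses the standard wp-config.php constants DISALLOW_FILE_EDIT and FORCE_SSL_ADMIN, which the post does not say MakeUseOf used, and runs against a constructed sample tree rather than a real site.

```shell
#!/bin/sh
# Added example: audit a WordPress root for three of the hardening points above.
# Assumes wp-config.php and readme.html live in the site root (standard layout).

# Prints one line per finding on stderr and the finding count on stdout.
wp_hardening_audit() {
    root="$1"; cfg="$root/wp-config.php"; count=0
    # 1. Dashboard theme/plugin editor must be off; this is the vector the post describes.
    if ! [ -f "$cfg" ] || ! grep -Eq "define\([[:space:]]*'DISALLOW_FILE_EDIT'[[:space:]]*,[[:space:]]*true" "$cfg"; then
        echo "FINDING: DISALLOW_FILE_EDIT is not true (admin-panel theme editor still on)" >&2
        count=$((count + 1))
    fi
    # 2. Login and admin pages only over HTTPS.
    if ! [ -f "$cfg" ] || ! grep -Eq "define\([[:space:]]*'FORCE_SSL_ADMIN'[[:space:]]*,[[:space:]]*true" "$cfg"; then
        echo "FINDING: FORCE_SSL_ADMIN is not true (logins may travel over plain HTTP)" >&2
        count=$((count + 1))
    fi
    # 3. readme.html discloses the exact WordPress version to anyone who requests it.
    if [ -f "$root/readme.html" ]; then
        echo "FINDING: readme.html present, discloses the WordPress version" >&2
        count=$((count + 1))
    fi
    echo "$count"
}

# Constructed sample trees (not real sites): $1 = directory, $2 = "weak" or "hardened".
make_sample_site() {
    mkdir -p "$1"
    printf "<?php\ndefine('DB_NAME', 'wp');\n" > "$1/wp-config.php"
    if [ "$2" = "weak" ]; then
        echo "<html>placeholder readme</html>" > "$1/readme.html"
    else
        cat >> "$1/wp-config.php" <<'EOF'
define('DISALLOW_FILE_EDIT', true);  // no code edits from the dashboard
define('FORCE_SSL_ADMIN', true);     // wp-login.php and /wp-admin only over HTTPS
EOF
    fi
}

WORK="${TMPDIR:-/tmp}/wp-audit-demo.$$"
make_sample_site "$WORK/weak" weak
make_sample_site "$WORK/hardened" hardened
echo "weak site findings: $(wp_hardening_audit "$WORK/weak")"            # 3
echo "hardened site findings: $(wp_hardening_audit "$WORK/hardened")"    # 0
rm -rf "$WORK"
```

Point `wp_hardening_audit` at a real document root to get the same three checks; a non-zero count means at least one of the steps above is still undone.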
As you can see, we’ve decided to be overly cautious. The hack involved the theme editor within WordPress, so disabling that alone should be sufficient to prevent any future occurrences, but we’ll be erring on the side of caution from now on.
Again, our sincerest apologies. Even the experts get hacked sometimes.