An Apology – & A Lesson In How To Secure WordPress Better

Last week, in the early hours of Friday morning, malicious code was injected into the MakeUseOf theme and began redirecting visitors to a Spanish malware site posing as a Flash update. We took the site offline as soon as we had identified the issue and began reverting the changes. We heard from a few concerned users about the obvious malware, but we have had no reports of anyone actually downloading it.

Regardless, we’re sincerely sorry for the risk we exposed you to. We pride ourselves on being a trustworthy site for all of your computing needs, and we let you down. We’ve been targeted many times in the past, and have weathered everything from extreme DDoS attacks to domain hijacking. We thought our defences were sufficient, but they weren’t.

So What Have We Done About It?

  • We immediately upgraded WordPress. We had been holding off on the latest update due to concerns about changes to the file uploader, but delaying it left us exposed.
  • We reduced the number of editors with admin-level access, as it’s possible one of our editors’ computers was compromised. We also immediately enforced a password change for everyone.
  • We removed theme editing functionality from the WordPress admin panel. Any theme changes will now only be possible over a secure FTP connection.
  • We installed 6Scan Security, which identified a few vulnerabilities in plugins and core WordPress files, all of which have since been fixed. If you’re using WordPress on a standard server setup, you might want to try WP Security Scan too.
  • We removed the “admin” user, a rookie error we had thus far overlooked.
  • We removed the readme.html which exposed our WordPress version number.
  • We enforced HTTPS for all logins.

As you can see, we’ve decided to be overly cautious. The hack was carried out through the theme editor within WordPress, which needs admin-level access, so disabling the editor alone closes that route. It does not, on its own, address however the attacker came by that access in the first place, which is why we’ll be erring on the side of caution from now on.
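The wp-config.php side of that checklist, scripted as an added example (this is not MakeUseOf’s own tooling): an audit function that checks whether the theme/plugin editor is disabled (DISALLOW_FILE_EDIT), whether the login and dashboard are forced over HTTPS (FORCE_SSL_ADMIN) and whether readme.html is still on disk, plus a hardening function that applies those three fixes. The “admin” account lives in the database rather than on disk, so that check is only attempted when WP-CLI is installed. The document root path and the sample wp-config.php built in demo_audit are constructed for illustration and do not describe any real site.

```shell
#!/bin/sh
# wp_harden_audit.sh: audit, then apply, the wp-config.php side of the
# checklist above. Added example, not MakeUseOf's own tooling; the document
# root path and the sample wp-config.php built in demo_audit are assumptions.

# Exit 0 when $1/wp-config.php defines constant $2 as true.
wp_const_true() {
    grep -Eq "define[[:space:]]*\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" \
        "$1/wp-config.php"
}

# Define constant $2 as true in $1/wp-config.php. WordPress only honours these
# constants when they are set before wp-settings.php is loaded, so the line is
# inserted ahead of that require (or the "stop editing" marker) rather than
# appended, and any existing definition of the same constant is dropped first.
wp_set_const_true() {
    cfg="$1/wp-config.php"
    awk -v c="$2" '
        BEGIN { pat = "define[[:space:]]*\\([[:space:]]*[\"\047]" c "[\"\047]" }
        $0 ~ pat { next }
        !done && /stop editing|wp-settings\.php/ {
            print "define(\047" c "\047, true);"; done = 1
        }
        { print }
        END { if (!done) print "define(\047" c "\047, true);" }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Print one line per check for document root $1; exit status = number of FAILs.
audit_wp() {
    fails=0
    if wp_const_true "$1" DISALLOW_FILE_EDIT; then
        echo "OK   theme/plugin editor disabled (DISALLOW_FILE_EDIT)"
    else
        echo "FAIL theme/plugin editor reachable from wp-admin (DISALLOW_FILE_EDIT)"
        fails=$((fails + 1))
    fi
    if wp_const_true "$1" FORCE_SSL_ADMIN; then
        echo "OK   login and dashboard forced over HTTPS (FORCE_SSL_ADMIN)"
    else
        echo "FAIL login credentials can travel over plain HTTP (FORCE_SSL_ADMIN)"
        fails=$((fails + 1))
    fi
    if [ -e "$1/readme.html" ]; then
        echo "FAIL readme.html present; it reveals the WordPress version"
        fails=$((fails + 1))
    else
        echo "OK   readme.html removed"
    fi
    # The "admin" account lives in the database, not on disk, so this check
    # needs WP-CLI: 'wp user get' exits non-zero when no such user exists.
    if command -v wp >/dev/null 2>&1; then
        if wp user get admin --path="$1" --field=ID >/dev/null 2>&1; then
            echo "FAIL an account named 'admin' still exists"
            fails=$((fails + 1))
        else
            echo "OK   no account named 'admin'"
        fi
    else
        echo "SKIP 'admin' account check (WP-CLI not installed)"
    fi
    return "$fails"
}

# Apply the three on-disk fixes from the list.
harden_wp() {
    wp_set_const_true "$1" DISALLOW_FILE_EDIT
    wp_set_const_true "$1" FORCE_SSL_ADMIN
    rm -f "$1/readme.html"
}

# Constructed, deliberately weak document root: editor explicitly enabled,
# no HTTPS enforcement, readme.html still shipped. Not a real site.
demo_audit() {
    d=$(mktemp -d)
    cat > "$d/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('DISALLOW_FILE_EDIT', false);
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
EOF
    : > "$d/readme.html"
    before=0; after=0
    echo "== before =="; audit_wp "$d" || before=$?
    harden_wp "$d"
    echo "== after ==";  audit_wp "$d" || after=$?
    echo "failures before: $before, after: $after"
    rm -rf "$d"
}

demo_audit
```

Against a live install, run `audit_wp /path/to/docroot` first and read the FAIL lines before letting `harden_wp` touch anything. Two caveats worth keeping in mind: FORCE_SSL_ADMIN only covers the login form and dashboard, so the front end still needs its own HTTPS setup, and deleting readme.html hides the version from casual probes without changing what the site actually runs, which is why updating core comes first in the list above.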

Again, our sincerest apologies. Even the experts get hacked sometimes.


5 Comments

1 vote

JS

I think experts would have removed the admin login a little more quickly, especially considering the recent news: http://www.bbc.co.uk/news/technology-22152296

1 vote

James Bruce

The admin account wasn’t hacked, and is only vulnerable with a weak password; the password was strong. FWIW, I personally always change the admin account; in this case, it was my boss’s account – not in use by me to manage the site – and it never crossed my mind that it might still exist.

0 votes

Aibek Esengulov

There is nothing wrong with having “admin” account as long the password is secure. It’s as good as any other admin account with some other username.

1 vote

Shamsi

Frankly, I find it almost unbelievable that you had done little or nothing to secure your WP site. But I’m glad to see the apology and the lesson on hardening WP sites.
Thanks for coming clean.

1 vote

macwitty

First, I understand it has been a hard time and I’m pleased that you are open with what happened.

Then, I had to smile when I read about the admin account. When we heard about the last attacks on WordPress I took a look at the ones I’m involved in. Just to be sure, as I know none of the admins use an account with the login name “admin”. I was right about the use but not about the account. On two of them there was an unused “admin” account – luckily with a better password than the standard installation.

“removed theme editing functionality from the WordPress admin panel” was interesting – will think about following you on this.