20 Oct 2011

Has your WordPress site been hacked recently?

If you’re using WordPress as your favorite open source blogging platform, chances are pretty high you’ve already heard about the recent security flaw found in the TimThumb plugin for WP. If you haven’t – you should, because it’s pretty severe. Here is more info on that:

http://www.websitedefender.com/wordpress-security/timthumb-vulnerability-wordpress-plugins-themes/

The security flaw isn’t a core WordPress vulnerability, so you won’t be vulnerable just for using WordPress. However, the bad news is that a pretty big number of themes out there rely on the TimThumb plugin in order to operate correctly, so TimThumb ships inside a lot of WordPress plugins and themes, both free and paid. The result is that there is a good chance you have the vulnerable TimThumb installed and running on your WordPress even if you don’t know about it or don’t care.

The flaw itself is rather stupid – the TimThumb plugin allows uploading files from a list of so-called “trusted domains”. Among those domains are “flickr.com”, “picasa.com”, “blogger.com”, etc. – all of which you might find useful in case you keep your image gallery there and would like to get an image transferred to your blog at a glance. However, the check is flawed because you can bypass it by using a domain like blogger.com.hacker.com: the name contains a trusted domain, so it passes the check, but it actually belongs to hacker.com, making the script exploitable. Hackers have already been exploiting this vulnerability in the wild and many bloggers have suffered from it already.
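To make the bypass concrete, here is an added example (not TimThumb’s own source and not code from this post) that contrasts a substring-style trust check with one that parses the URL and compares the actual host name. The trusted list, the function names and the sample URLs, including the attacker-controlled host `attacker.example`, are assumptions constructed for the illustration.

```python
from urllib.parse import urlsplit

# Constructed trusted list using the domains the post names (example only).
TRUSTED_DOMAINS = ("flickr.com", "picasa.com", "blogger.com")


def is_trusted_substring(url: str) -> bool:
    """Flawed check (hypothetical reconstruction of the bug class):
    accept the URL if a trusted name appears anywhere in it."""
    lowered = url.lower()
    return any(domain in lowered for domain in TRUSTED_DOMAINS)


def is_trusted_host(url: str) -> bool:
    """Hardened check: parse the URL, take the real host, and require
    either an exact match or a dot-bounded subdomain of a trusted domain."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname strips userinfo ("user@") and the port, and lowercases.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def compare_checks(urls):
    """Return {url: (substring_result, host_result)} for each URL."""
    return {u: (is_trusted_substring(u), is_trusted_host(u)) for u in urls}


# Constructed sample inputs: one legitimate image URL and four lookalikes
# that the substring check accepts but the host check rejects.
SAMPLE_URLS = [
    "http://farm1.static.flickr.com/1/photo.jpg",      # genuine subdomain
    "http://blogger.com.attacker.example/evil.php",    # trusted name as prefix
    "http://attacker.example/blogger.com/evil.php",    # trusted name in path
    "http://blogger.com@attacker.example/evil.php",    # trusted name as userinfo
    "http://notflickr.com/photo.jpg",                  # no dot boundary
]

if __name__ == "__main__":
    for url, (loose, strict) in compare_checks(SAMPLE_URLS).items():
        print(f"{url:50} substring={loose!s:5} host={strict}")
```

The dot-bounded suffix test is what keeps `notflickr.com` out while still admitting real subdomains such as `farm1.static.flickr.com`; the userinfo case shows why the check has to run on the parsed host rather than on the raw string.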

In case you are a WordPress user and have TimThumb installed, or even worse – you’ve already been hacked, you might wonder what to do to get things resolved. Well, the good news is there’s already a fix for the plugin available here:

http://markmaunder.com/2011/08/01/zero-day-vulnerability-in-many-wordpress-themes/

Along with the good and the bad news in this situation, there’s also great news for you in case your WordPress is hosted at SiteGround – it should be secured without you doing anything! As always we’ve been trying to take care of our fellow customers without boring them with unnecessary details and overcomplicated technical stuff. After all, you’ve entrusted us with your website and its security is our primary goal. So here’s what we did – the day after the exploit went live, which if my memory serves me well was about a month or so ago, we checked how many people were using the TimThumb plugin. The number was devastating – around 15,000 WP instances had it installed and around 350 of those were already compromised. Obviously upgrading 15,000 WP instances was not an option – it’s a huge number, there were so many different versions of TimThumb, and we needed to ask for each customer’s consent prior to upgrading their website, so it was simply impossible to accomplish, at least not in the short term. So, we decided to find an intelligent and efficient way to deal with the vulnerability before a much larger number of customers were affected. Most hosts wouldn’t even bother suggesting a fix, as they would define the problem as “beyond the scope of technical support”, but we try to do it differently and make sure we spare our customers trouble and work where possible.

And then, in just a few hours, one of our System Engineers found the solution – elegant, simple and fast. The TimThumb plugin uses a folder called tmp/cache to store uploaded files, so what we did is suspend execution of files from that folder in all WordPress instances. In simple words – if you upload an image, it will work, but if you upload a script (e.g. a badass hack script) it won’t. And that magically solved it all with no hassle whatsoever for our customers. We then modified our Apache security module (mod_security) by adding some rules that prevent execution of the hack, so our customers are protected by two layers instead of just one. We then notified the unlucky 350 hacked guys what they should do to get things resolved – namely get rid of the hack and upgrade the plugin version. We also offered the service of cleaning the hack and upgrading the plugin to be performed by the Super Heroes @ SiteGround Support Team for the people that felt uncertain how to do it themselves.
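As an added example of the kind of mitigation described above (this is not SiteGround’s actual configuration), the following .htaccess fragment, placed in the folder TimThumb writes its cached files to, tells Apache not to execute scripts there while still serving images. It assumes Apache 2.2-era access control syntax, that the directory’s AllowOverride permits FileInfo, Limit and Options directives, and that PHP runs as mod_php for the php_flag line to have any effect.

```apache
# Added example, not SiteGround's rule set: disable script execution
# inside the TimThumb cache directory. Save as .htaccess in that folder.

# Tell mod_php not to run anything served from here (no effect under CGI/FPM).
php_flag engine off

# Detach the PHP handler and MIME type so .php files are treated as plain data.
RemoveHandler .php .phtml .php3 .php4 .php5
RemoveType .php .phtml .php3 .php4 .php5

# Belt and braces: refuse to serve script-like file names from here at all,
# so even a misconfigured handler cannot hand them to an interpreter.
<FilesMatch "\.(php|phtml|php[3-5]|pl|py|cgi|sh)$">
    Order Allow,Deny
    Deny from all
</FilesMatch>
```

On Apache 2.4 the two access-control lines become `Require all denied`. Note that this contains the damage a fetched script can do; it does not fix the trusted-domain check itself, so the TimThumb upgrade is still required.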

So the answer to the question: “Has your WordPress site been hacked recently?” will disturbingly often be YES in the general case and will most probably be NO if you use SiteGround WordPress hosting.

Tenko
The SiteGround Mastermind

Author: Tenko Nikolov

The SiteGround Mastermind

For the last few years Tenko Nikolov has been one of the masterminds behind the success of SiteGround. He has come up with multiple successful strategies for overcoming technical problems and has achieved real business results for SiteGround. His vision and skills have made SiteGround a leading host in terms of technology and platform reliability.

Comments (98):

  1. Clarke Nelson says:

    My WordPress Blog was hacked within the last week. The robot is creating about 25 new posts/day which I’m constantly deleting. I’ve changed the password five times, and it’s already too late. It won’t stop. At any moment, the hacker can delete hundreds of my posts. What can I do to remove it? Anything?

    Thanks, Clarke Nelson

  2. Hristo says:

I have checked our database and it seems that you are not our customer. Otherwise I would recommend that you use our security audit service, but since you are not hosted on our servers our support team won’t be able to help you.

I can advise you, however, to temporarily lock your site so that it is accessible from your IP address only. You can do this by adding these lines to the .htaccess file in your root folder:

    deny from all
    allow from ***put your IP address here***

Once you do that, clear your site of all the unnecessary content. If there is data lost, you can contact your hosting provider to restore your database from their backups. Once your website is clean and everything is in place, you should update your WordPress application and all the plugins you are using to the latest version. Especially, make sure that the TimThumb plugin is updated and you are not using a vulnerable version in any of your templates.

    Finally you should change all your account passwords including your WordPress, database, control panel and FTP credentials.

    I hope that this helps and you won’t have such issues in the future :)

  3. David Pascoe says:

    I have quite a few wordpress sites at siteground so I’m happy that you guys have my back if a vulnerability is found before I can get in and fix it.

  4. John Horn says:

    This article published by SiteGround makes me feel much confidence, knowing you guys are always on your watch for the latest holes…
Keep up the good work!

  5. Riaaz Mohammed says:

    Siteground….HOST ON ! *thumbs up*

  6. Charles Rice says:

Siteground’s dedication to ensuring its customers’ security is truly reassuring. Thanks!

  7. Jesus Cuadra says:

I’m glad to hear that! I just suffered one of these vulnerability issues and it was very annoying. Please keep doing it so well. You are the best!

  8. Dianne Hayward says:

    I have been with Siteground for several years now and have just yesterday utilized the Website wizard. My friend who is the computer GEEK loves your site and plans to refer it to people. I appreciate the ethical moral values demonstrated by you all. Keep it up. Please don’t be tempted by the dark side of greed and more greed that permeates corporations these days. Oh and I wanted to see how a blog worked because I want to use one in my website.

  9. Ritu says:

Mine hasn’t (knock wood). Hope it won’t… -Ritu

  10. Paul Wallas says:

    My personal blog www.paulwallas.com recently got hacked. It was a php script that got inserted into the footer of my site which reset my login to a really long character password. Required a brand new install unfortunately.

  11. Yaniv Nagar says:

    Awesome news, nice to see you’re taking the security issues very seriously, so all we have to do is… be creative ;)

  12. CurtinsCreations.com says:

    Thanks so much for such an elegant solution to this!!

  13. Mia says:

    Haiku Comment:

    My wordpress was hacked
    Siteground team to the rescue
    No Loss, Biz Good, Thanks

  14. pete thatcher says:

    So far, so good, I have not been hacked yet. But, it’s not for lack of trying. I’ve had to turn off comments. Most were not, all kinds of code coming in. Thanks for the great work Siteground.

  15. Barry Dahl says:

    Getting hacked to death on Halloween is almost expected. I appreciate SiteGround being there to protect me.

    As Shakespeare said:
    “Eye of newt, and toe of frog,
    Wool of bat, and tongue of dog,
    Adder’s fork, and blind-worm’s sting,
    Lizard’s leg, and owlet’s wing,
    For a charm of powerful trouble,
    Like a hell-broth boil and bubble.”

    Yummy!!!

  16. Marc Cram says:

    This is one reason I trust Sitground for all my websites.

  17. David Wilkin says:

    Not as far as I know or can see.

  18. Manoj Gurnani says:

    Great blog reaffirming my faith in Siteground!

  19. Joseph Goldberg says:

    Here’s my silly comment to win an ipad:

    There once was a host named siteground
    They had the best hosting service around
    My sites never crash
    And for this Halloween bash
    I hope that this comment is found

  20. Chris Coburn says:

    Haven’t had the issue, but thanks for the detailed info.

  21. Daniel Chou says:

    I use blogger.com, and I have never had any issues with security. I would be interested in reading an article about the security features compared between these two. Maybe it’s just that blogger isn’t as popular, who knows.

  22. Riley B. says:

    I have one client that is not on siteground that got hacked. My portfolio site on Siteground has never had a problem. Happy Halloween Siteground!

  23. Steve Clark says:

    Thanks for the heads up Siteground! Your hosting services always make it easy to set up and maintain WP sites.

  24. neil spurgeon says:

MY God, only this afternoon I installed TimThumb as part of the wordpress user-avatar plug in because I was expecting lots of new desirable avatars based on spiders to arrive for Hallo’een. However, I see that Siteground, as so often before, has solved the problem before I even knew it was a problem. Well done guys and if there is a spare spider cake going for Hallo’een, include me in please !!

  25. Ivica Panic says:

    If your website get hacked, check your logs to see if you can discover how the hack took place. Open source tools like OSSEC can analyze your logs and point to where/how the attack happened. Or better yet ask Site Ground customer service for help. They are the best!

    Happy Halloween

  26. Stefany says:

    This is a great article. I have 3 websites hosted here, all of them using WordPress, this is helpful.

    Trick or Treat, Happy Halloween!

  27. jessica says:

    This is a good post! Thanks for keeping us up to date on what is going on. I haven’t been hacked but this allows me to take precautions for the future.

  28. Amy Cluck says:

    Yikes! That is scary, thanks for letting us know. Luckily I am not using that particular plug-in on any of my sites!

  29. Will says:

    Our site was hit as all the folders with .htaccess files in them. What a mess! We couldn’t just install an updated theme because of lots of customization. However, installing the updated timthumb did the trick!

  30. Liang says:

    A wonderful hosting site.

  31. Joel V. says:

Thanks a lot for this. My site was taken over by some Russian/German hackers last week. Couldn’t read or understand anything but, thanks to Siteground tech support, they flushed out my server and gave me a brand spanking new one so now I’m back up and running!

  32. David Brailsford says:

    Yet again shows you just can’t trust those gosh darn robots.

  33. Donald Cherry says:

    No one’s been uploading pictures or anything that I can tell to my site. I HAVE noticed, however, that every once in the while my Moodle install will go all haywire. The appearance will get all funky, and the site will be unusable. If I leave it alone for a bit, then come back to it later, it seems to sort itself out, but it’s a little scary. I rely on this for about 100 university students.

    • Hristo says:

It seems that part of your Moodle application is timing out at some point. It would be best to post a support ticket in your Help Desk so our support team can check what the exact issue is and provide you with adequate advice and assistance.

  34. Fabiane Folker says:

two of my own sites (wordpress) were hacked in a few months’ time. I know how much headache you have when that happens. Thanks for sharing this article! Good to know more about those things.

  35. sharon says:

    It may be the season for scary, but I’m grateful for the elegant solution to this hack! Happy Halloween!

  36. Ken Boldt says:

    I’m not sure if my site was hacked or not, but recently when I would view my site from work, my anti-virus would say that it quarantined something. I couldn’t find anything out of place, but I recreated the site from scratch anyway, and just imported my database. Didn’t take too long and now I don’t get any warnings.

  37. ChadTHX1138 says:

    My sites were recently hacked because of this. I had to start over from scratch. Hope this doesn’t happen to too many more folks.

  38. Phil Hovatter says:

    My sites have been high and dry. Thx, SiteGround, for having my back.

  39. cybernuns.com says:

    You are the best
    To heck with the rest
    When it comes to Joomla
    You be da boomah…

  40. t says:

I send a lot of business to you even though I thought you were HQ’d in the UK for some reason. Not sure where the h I got that from. But now I see that you’re at the edge of town. Cool.

  41. Juliw says:

    Rock on Siteground!

  42. chol70 says:

    OK Ok not not been broken yet. But that’s not due to a lack of trying. Comments have been disabled. Most do not have any code shortly. Thank you for your Great work Siteground.

  43. Yariv Dror says:

    Not just in Halloween – SiteGround is the best hosting service any time of the year!

  44. muk says:

    This is worrisome. I also worry about email..I wonder what options are available to eliminate more spam and email based viruses..
    Happy Halloween!

    • Hristo says:

      As mentioned in this blog post http://blog.siteground.com/more-great-extra-services-from-siteground/ we have a high end anti-spam protection enabled for all our customers. However, we provide an extra layer of protection named Spam Killer as an extra feature. If you want to improve your anti-spam protection, you can order it from your Customer area. It will scan your emails for spam profiles and decrease significantly or even eliminate the spam you are receiving :)

  45. Paul-Marc says:

    We fell into that category, a couple of weeks back.
    The bad thing was that our website was brought down.
    The great thing was that the support were fast enough to work with us through the issue, to bring it up again!
    Thanks SG-support!

  46. Thomas Pastinsky says:

    Glad I read the Halloween special e-mail.. This post might save a certain number of people I know more money than what the prizes offered are worth :D Heppy helloween evlybuddy!

  47. vijayabalaji says:

    best customer service i have ever seen….i have used many other hosting ,but site ground provide best hosting for really low rates..they are the best..they helped me in many ways..i personally recommend siteground to everyone…once you join with them, everything will go fine for your site…thank you site ground for everything

  48. MustafaSemih Gökce says:

i have wordpress sites and i had the same problems with my sites not hosted in siteground. And after i moved my site to siteground with clean backups, the problem stopped, no auto adding or deleting posts.

    So thanks for perfect services

  49. Viet Hoang says:

    Interesting press release. I’ll pass this on to my friends who use wordpress.

  50. Daniil Luss says:

I do like 1-2 websites monthly on wordpress for my client and host them on siteground. He never got hacked, guess thanks to hostgator. I also host my web on siteground and I’m very happy with your service and help you provide. Many people are also using fame ******tor, but their prices are so high and service is so low, so I always refer my clients to your hosting. You are the best!

  51. Levi says:

What do i need to do to make sure that this does not happen to my word press site? Hope i win the ipad 2 :-). But seriously what do i do to secure my wordpress site from this hack?

  52. Othmann Badaoui says:

    To be hacked, I need to be known first, so I don’t have to worry about this news. ;)

  53. Hassan says:

Well yes this is true, Siteground is giving the best services and sometimes they offer free services as well. I am not worried about hacking because my site is safe and I guess my clients’ web sites are also.
    GO GO Siteground :)
    And Happy Halloween to all members and staff.
    Wish you all the best.

  54. Mushima Ngalande says:

    Way to go Siteground!!! Thanks for protecting us from the timthumb attack. You’re the best. I feel more secure having my website hosted by siteground.

  55. PETER GINDO says:

    THE SITEGROUND SERVICES ARE OUTSTANDING, AFFORDABLE AND VERY FRIENDLY TO USE.

    I LOVE THE 24X7 LIVECHAT SITEGROUND SERVICE, I HAD NEVER BEEN HACKED. YOU GUYS ARE GOOD AND WELL SECURED.

  56. PETER GINDO says:

    SITEGROUND FOR LIFE

  57. Dave Simpson says:

    I have “crawled” around many different hosting and service companies… It always felt like I was floating around aimlessly in the “clouds” …

    FINALLY, my site was grounded into a permanent home I could count on…

    THANK YOU SITEGROUND!!!!

  58. Sastry says:

    Good to hear that you have our backs.

    As a security conscious professional, I am always looking for services that include security – without making it “optional / add-on”. While I understand that it is a function of costing=>pricing, I am still a wee bit dissatisfied that security is still “not automatically built-in” in the most basic services of siteground. I look forward to a day when it will be.

  59. Samlal Mannie says:

    It is with a conviction so sound
    I have chosen “siteground”
    A web provider, so profound
    Nowhere else can be found

  60. Marian Librarian says:

    I read information like this and I am reassured how safe our library’s web site is. Our library’s site has been hosted by SiteGround for over 3 years. I don’t have time to worry about how safe our website is. I have been recommending SiteGround to my friends from the beginning. Good Job SiteGround!

  61. Anghel Bogdan says:

    Well I have a vBulletin hosted so now, it was not hacked but if you had the feature of Siteground that allow you to make automatically backups activated, it shouldn’t be a problem.
    Hackers are the main reason why we all should get it activated.

Siteground allows you to activate many features that are important and useful for your site, this is why I recommend it to all my friends that are asking me where to get good hosting.

    I can say that Siteground is awesome and I can’t say anything negative about the hosting and the features !

  62. Pete Marsch says:

    I have had various sites hosted elsewhere and one of the reasons I moved to Siteground was its reputation for affordability and security!

  63. Mario says:

Great Web Hosting. i did a lot of research and finally i’m convinced by Siteground which has everything to succeed in creating a wonderful web. Thank you guys, just keep on going

  64. Yu-Chiang says:

Yeah, it’s really lucky we have siteground to be protected by, because there are people that do not have knowledge about security and websites. My 2 cents: organize your website WELL (delete unused documents, organize your pages) and you should be able to get a better idea about how your website should be protected!

  65. Joseph the Certified Online Instructor says:

    I test a lot of WordPress sites, and don’t know if any outside of SiteGround are vulnerable. I feel comforted, knowing that the four or five WordPress sites hosted within my Siteground account are secure.

    For any future template customizations, I recommend using a “Child Theme” instead of hacking the original theme. This ensures that theme customization remains safe from cracking attempts or upgrades.

  66. Steve Wood says:

    I was not aware of this WP security hole till just now. Good thing Site Ground was on top of it! I have since gone thru all my WP sites and closed the PHP hole. thanks for the help and HOPE I WIN THE iPAD! Did I mention the IPAD? I’d take any of the other prizes too but for someone who cannot afford an IPAD…it would truly be a blessing to WIN AN IPAD from SiteGround! Rock on!

  67. Chris says:

    I also was not aware of this security hole until I read the site-ground blog. While I don’t host my WordPress site on Siteground, I do host other sites, and will be setting up another site over the next month that will be using both site ground & wordpress. It’s awesome to know Siteground has my back.

Fortunately my WordPress site was built using RapidWeaver, so no vulnerability for me. *Phew*.

  68. Grant Sherson says:

    I have referred several people to siteground and have helped 4-5 of them set up wordpress sites with you. Just goes to prove recommending siteground was a good move. Keep up the good work. (http://www.shersonmedia.com/grant/cv/portfolio.php?category=websites – siteground sites – cinemas of nz, animation symposium, history of tv in nz, mediarenacentre, nouveaumanagement…)

  69. Anthony Consillio says:

Fortunately I haven’t had any issues but thank you for keeping us posted. Thank you Siteground for your service and have a happy Halloween.

  70. Bob says:

    Wish all webhosts were this nice.

    On a side note, also wish I didn’t have to look at light blue font to type this comment. Sort of hard to read…

  71. Duane says:

    Thanks for “having my back” and taking care of this pesky problem!

  72. Dean Lucas says:

    Thanks for being one step ahead of this! For those of you who don’t know the TimThumb PHP Script is a custom image-sizing script, that allows you to produce a cropped and sized version of an image.

  73. Fiachra says:

    Thanks for all the help you gave me when I set up my first site.

  74. Md Rashid Ashraf says:

I didn’t face any issue but the dedication of siteground to ensure their customers’ security is truly reassuring. Their support team is also very helpful in case of any vulnerable activity.

    Thanks

  75. Marc says:

    Been with you guys for about 6 years now, and had this happen only once in all that time due to some plugin. Glad to get it resolved in super quick time as had no idea why it was happening. A free plugin called wordpress backup was also recommended which gives peace of mind as creates a backup automatically. Great info in this post too. Cheers siteground :)

  76. Sheikh says:

I have been linked with you guys for months… and i am really happy with your services.. i had a really terrible experience with my previous web hosting company and my wp site was hacked… but after a year i am in peace… no hacking, no cracking.. it’s safe and faster than the previous one…
    also your customer services is too cooperative ..
    after all.. as final words… i’m in peace with siteground.

  77. jg says:

    Glad site ground step up and took care of it on their servers

  78. Meena says:

    Thanks for this article will help us to be careful.

  79. Mr Xingfu says:

    Glad you guys have my back!

  80. Anne S says:

This article made me look at my wordpress blog only to discover it’s gone. Not a big loss as I only set it up for my master’s program, so I may have closed it due to neglect. However, when I do re-open it I will make sure it’s supported by SiteGround.

  81. Elizabeth says:

    Happy halloween

  82. Jason Killgo says:

    Happy Halloween and thanks for keeping everyone informed of issues like this. Often times when I run into errors and poke around the internet for answers it leads me right back to my hosting home at siteground. Keep up the great work!

  83. Wes Grogan says:

    Great news and Happy Halloween! Thanks so much for the update and the secure environment you provide for us

  84. Tony says:

    SiteGround — all the bells & whistles for an unbeatable price!

  85. JoAnne says:

    We love SiteGround! Been with our business since day one and counting!

  86. Pete says:

    On the eve of Halloween,
    Take the leap and be seen,
    Make Siteground your host of choice,
    Doing so will make them rejoice.

  87. En Noticias says:

i love SiteGround, they help with tips and hacks too, what else can we ask.

  88. Jeannette says:

    Wow!

  89. Michelle | Bleeding Espresso says:

    As always, thanks for keeping our sites safe, Siteground! And Happy Halloween :)

  90. Ines Muller says:

    Still learning, but with Siteground I feel at home!
    From Portugal!!!

  91. Chris says:

    As a developer for a decent volume of WordPress sites, I always try to research vulnerability of a plugin before installing it for my clients. Of course that won’t always work as sometimes vulnerabilities aren’t always instantly discovered – so I also always back up my client’s database once every two weeks.

    Then again sometimes clients update the plugins without letting me know and get themselves into vulnerable plugins that way – so now I just mostly assign clients user roles that cannot install/update plugins. Of course that means that I’d have to update all their plugins but it’s better than knowing that they could get hacked from vulnerable plugins..:)

  92. Charlie says:

    This is why I’ve always used siteground to host my websites. Thank you Siteground!

  93. Daniel says:

    You can easily scan your WordPress for outdated and vulnerable TimThumb scripts using this WP plugin:

    http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/

  94. Adil says:

    Hi,

My food blog has been getting spammed for ages. It was becoming laborious to delete the entries, especially from my email account which would send me a notification every time a new one was made. They have slowed down of late which was good. However I did not realise that my site was being used to somehow send out spam to other sites too?

My site has been temp suspended by SiteGround. I have replied to a ticket regarding this problem. Also I think due to some update my ip address has changed and I have been asked to make appropriate changes via my Control Panel for the site, however I cannot access this as I don’t know how to as my site is down.

Can anyone help me get my site back up and running and also how to combat the spam in future?

    Thanks

    • Hristo says:

      Hello Adil,

      Our team will be of course glad to help you. As I see there is already a ticket posted in your HelpDesk on April 10th where our team recommends you to set up a captcha for your contact form. Please take a look at ticket 1018801 to learn how to do that and to get response to your other questions.

      Please do not hesitate to contact us about technical issues through our official support channels which are available 24/7:

      Help Desk: https://ua.siteground.com/support/choose_category.htm
      Phone: 1.866.605.2484
      Chat: https://newchat.siteground.com/hcl/live/main.php
