Keeping your WordPress blog updated and finding exploits

One of the most common tickets I see is from WordPress blogs being exploited through one of their modules. This article will go over making your WordPress installation easily updatable as well as some useful Firefox modules to help track down the location of an exploit.

What you will need on your server:

  • Subversion
  • rsync

You will need to do this through SSH. Further, in order to make this easier, we’re going to create a new directory within your web root. For this example we’re using: /home/user/public_html/, and I have just created the ‘blog’ directory.

Change your path to: /home/user/public_html/blog and run this command: `svn co http://core.svn.wordpress.org/trunk/ .`. What does this do? Let me break down this command for you: ‘svn’ is ‘subversion’, the program I had you install first. ‘co’ means ‘checkout’; it pulls the most recent copy of http://core.svn.wordpress.org/trunk/ and places it in ‘.’ (the current directory).

This may take 30 to 60 seconds and when it’s done, the owner of the files will be whatever user you ran the command under. Since this server runs cPanel, I’m going to set their owner and group to my user with: `chown -R user:user /home/user/public_html/blog/`. For the author’s safety I am using the ENTIRE path instead of simply ‘.’, as I’m certain there will be people who try to copy/paste throughout this.

Now, you can visit http://www.yourdomain.com/blog and configure your blog from there OR you can move all these new files down to /home/user/public_html/. When you move these files you will need to take care to move the .svn files along with everything else. For this you can use rsync, and this is the command you will run: `rsync -avP /home/user/public_html/blog/ /home/user/public_html/`. After that you can run `rm -rf /home/user/public_html/blog` (BE VERY CAREFUL!).

If you already have data on your website you can do the same, except for a couple of steps. The first one is a BACKUP. To back up your blog/website, please do this PRIOR to starting: `mkdir ~/backup-site && rsync -avP /home/user/public_html ~/backup-site/`. After this is done, which may take a LONG time, you should be able to follow the above steps.

Finally, now that you’re using the svn copy of WordPress, an upgrade is as simple as running `svn up` from /home/user/public_html/, then visiting the blog’s http://www.yourdomain.com/wp-admin page and following any steps it requires, the primary example being an update to the MySQL schema.

If you’re stuck on any of these steps, customers can ALWAYS open a support ticket and we will do what we can to assist you. If you’re a managed customer we’ll do it for you unless you wish to do it yourself.

Wait! Don’t go yet, I’m not done! Remember what I mentioned about exploits in WordPress (and its plugins) causing blogs to be hacked? Of course you did. Well, some helpful addons for Firefox to TRY to locate the exploit are:

  • Firebug
  • Adblock Plus (Wait, really?)

First, let me say, these in no way will PREVENT exploits from occurring. Only keeping your blog AND plugins updated will do that. These will help you in certain cases to find the exploit on the pages as seen by the web browser.

In configuring Adblock Plus you will want to disable it on yourdomain.com. We’re going to be using the ‘Open blockable items’ portion of this utility to show ALL objects pulled by the browser on page load. This usually helps you locate pages you aren’t familiar with and can help you find the specific script that was exploited.

In Firebug the easiest item to use is the ‘Search’ bar on the top right of the utility. Within this bar you can try entering the URL of the exploit, for example: ‘cjrjyxkr.co.cc’. Otherwise you can search for some common strings used to obfuscate code, two of which are eval and base64_decode. You will likely get a LARGE number of false positives. You will want to investigate all of these. In the case of jquery.js it is usually wiser to completely REPLACE that .js file with a known-good one, usually located with the plugin that’s using it.

Of course, if you updated your blog via svn you can quickly see any modified files that are different from the ‘svn up’ copy that you already have. To see this, run: `svn diff`. New files, like plugins, won’t show up, so you will need to check those manually. If you want to replace any files that changed, simply run: `svn revert path/to/file`. Hint: The path is located on the line ‘Index: wp-admin/options.php’, in this case: wp-admin/options.php.
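One way to cover the new files that `svn diff` skips, as an added example that is not part of the original article: `svn status` marks unversioned files with `?`, so this script lists them alongside modified files and searches them for the eval and base64_decode strings mentioned above. The function names, the `cache-helper` plugin directory and the sample files are hypothetical, and the column layout assumed is that of svn 1.7 or later.

```shell
#!/bin/sh
# Added example. Assumes svn 1.7+ `svn status` layout (path starts at column 9).

# stdin: `svn status` output. stdout: "modified <path>" or "unversioned <path>".
triage_status() {
    awk 'length($0) > 8 {
        flag = substr($0, 1, 1); path = substr($0, 9)
        if (flag == "?") print "unversioned " path
        else if (flag ~ /^[MRC!~]$/) print "modified " path
    }'
}

# stdin: triage lines. stdout: files under $1 that contain the article's
# search strings. The search is recursive because `svn status` lists an
# unversioned directory once and does not descend into it.
suspicious_files() {
    while read -r kind path; do
        [ -e "$1/$path" ] || continue   # e.g. a file svn reports as missing
        grep -rlE 'eval[[:space:]]*\(|base64_decode' "$1/$path" || true
    done
}

# Constructed sample: a throwaway tree plus the status lines svn would print.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-admin" "$root/wp-content/plugins/cache-helper"
    echo '<?php // edited options page' > "$root/wp-admin/options.php"
    echo '<?php eval(base64_decode("ZWNobyAxOw==")); // i.e. echo 1;' \
        > "$root/wp-content/plugins/cache-helper/init.php"
    echo '<?php // site config' > "$root/wp-config.php"
    {
        printf '%-8s%s\n' 'M' 'wp-admin/options.php'
        printf '%-8s%s\n' '?' 'wp-content/plugins/cache-helper'
        printf '%-8s%s\n' '?' 'wp-config.php'
    } | triage_status | tee "$root/triage.txt"
    (cd "$root" && suspicious_files . < triage.txt)
    rm -rf "$root"
}

demo
```

In a real working copy, run `svn status | triage_status | suspicious_files .` from /home/user/public_html/. Files such as wp-config.php and uploads will always appear as unversioned, and every hit still needs a manual look.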

That’s it for now.