How Hackers Hijack WordPress Blogs -- and How to Stop Them
CREDIT: katalinks /Shutterstock.com
Your favorite blog got hacked. Worse, it infected the computers of thousands of people who visited it.
Such a scenario played out earlier this year with the Flashback Trojan, a piece of malware that used such "drive-by downloads" to infect 600,000 Macs, mostly in English-speaking countries, that had visited corrupted blog pages.
The Flashback outbreak got attention because it attacked rarely infected Macs. But it was also the latest in a series of security headaches for WordPress, one of the most popular blogging platforms in use. Those Macs got infected by Flashback because they'd visited WordPress-based blogs that had been rigged, without the knowledge of their operators, to distribute malware.
Since it debuted in 2003, WordPress has become a favorite target of hackers and cybercriminals. That's not all the fault of its developers, and WordPress bloggers can take steps to avoid being vulnerable.
Open source, but open to attack
Strictly speaking, WordPress is a free, easy-to-use content-management system and blogging tool. The website WordPress.org hosts the software itself, which anyone can download and use at no charge.
For those people who want to set up a blog but don't have much technical expertise, there's WordPress.com, a commercial hosting service similar to Google's Blogger that has both free and paid options.
As a content-management system, WordPress is used on such high-profile sites as CNN and TechCrunch.
WordPress software offers a lot of useful features, plus the ability to run plug-ins to add even more functionality. WordPress.com’s paid users get additional features not available to the free users.
WordPress is not only free, but also open source, which means anyone can look at the underlying programming code and create new themes (the software that gives a site or blog its "look") or plug-ins that anyone can use.
All these aspects make WordPress very popular. The CMS tracker Builtwith estimates that it's used on at least half of all websites. That popularity makes the platform a big, juicy target for hackers and cybercriminals.
Since anyone can make themes and plug-ins, it’s not surprising that fake or corrupted versions of those small pieces of software are the two avenues hackers usually use to attack WordPress.
Anatomy of a WordPress attack
The Flashback Trojan started unsuccessfully in September 2011 as a fake Adobe Flash update targeting Mac OS X.
By March 2012, Flashback had changed into a drive-by download using a multi-stage infection process, which was later outlined by Moscow-based security firm Kaspersky Lab.
First, thousands of bloggers, mostly in North America or Britain, were duped into installing a free WordPress plug-in called ToolsPack, which claimed to unlock features normally available only to paid users.
ToolsPack was actually a Trojan that installed a "backdoor" on WordPress sites — a secret way in that let the creators of Flashback administer the blogs.
The second step was for the Flashback creators to install hidden links on the blogs. Those links waited for Mac browsers to visit.
If one did, the third stage took place. The hidden links would upload a second Trojan that exploited a security hole in the Java programming language.
That Trojan installed itself not on the blogs, but on the visiting Mac itself. It would quickly scan the Mac for anti-virus software.
If it found none, it would activate the fourth step and download and install the core Flashback malware.
The fifth and final step was for Flashback to hijack Mac-based Web browsers’ search results and online ad links, redirecting them to sites and ads that generated money for the criminals controlling Flashback — part of a "click-fraud" or "clickjacking" scam.
It could have been much worse
As far as online criminal activity goes, click-fraud scams are pretty small stuff. They don't generate a lot of money for the criminals, nor do they actively harm the end user.
But the capabilities of the Flashback downloader went far beyond that. It could have been used to download and execute any code — for example, a banking Trojan that hijacked the user's online bank account, or an information-stealer planted by identity thieves, or a botnet herder that hijacked the computer itself to mail out spam.
The Macs were vulnerable to Flashback in March because Apple didn't release a patch to fix a known Java security hole until April. (Windows machines had been patched in February.)
The WordPress blogs were vulnerable because hundreds of thousands of WordPress users, especially amateur bloggers, don't, or don't know how to, keep their WordPress software updated and secure.
Keeping ahead of the hackers
Andrew Nacin, a developer at WordPress.org, says that the platform's core software is always patched and available.
"What we've been seeing is that the local [WordPress] software is secure," Nacin said. "Either a plug-in or theme is the vulnerability, and therefore the target site or plug-in was malicious."
Flashback is one example of this: The initial stage of the attack wasn't made possible by WordPress itself, but by a rogue plug-in that wasn't hosted by WordPress.org or WordPress.com.
Can anything be done to prevent future attacks along such lines? Yes. Beyond the simple fact that you can't stupid-proof the Internet — someone will always install software they shouldn't — there are some precautions a WordPress blogger or site administrator can take to reduce his or her site's vulnerability.
For example, many WordPress setups come with an account called "admin" installed by default. It's best to delete that account, or at least to change its username, since an experienced WordPress hacker (and by extension, a script written for the same purpose) can look for it and guess its password.
Avoiding plug-ins from any but trusted sources might seem obvious in hindsight, but it's worth repeating: If you see a plug-in from anyplace except WordPress, which has a system similar to iTunes for vetting code, then it's a risky install. (WordPress developers scan plug-in code for sets of instructions common to malware and pull suspicious themes and plug-ins.)
Perhaps most important is making sure that the WordPress software is updated to the latest version. One problem, said Sean Sullivan, security advisor at Finnish security firm F-Secure, is that many people who set up blogs using third-party service providers never update their blogging software.
"The webmaster is not contracted to provide ongoing service and the WordPress.org software becomes dated — and therefore, vulnerable to being hacked and used for crime," Sullivan said.
Sullivan suggested one solution might be to "delist" WordPress-powered blogs that use older versions of the platform. Such a move would reduce the usefulness of an exploit such as the initial Flashback attack, and would provide an incentive for bloggers to keep their blogs' software updated.
Out of their control
Nacin noted that WordPress' problems can sometimes be traced to third-party software, such as Java or Flash, which are also the main avenues to exploiting otherwise secure software such as Apple's Mac OS X.
WordPress runs code called PHP, a programming language that generates the HTML that goes to the browser, and which is the source of many vulnerabilities.
"It's really hard to sandbox [isolate] that," Nacin said.
It's also worth noting that any platform with a sufficiently high number of users will be a target of cybercriminals, and that may be even more true of tools such as WordPress that are designed for simplicity. Odds are the person using it won't be an expert.
"Not a lot of people are familiar with going into a server and looking for things from the command line," Nacin said.