Wordpress Latest 2013 Hack vulnerability!

This is 2013, and it is Wordpress 3.6 by the time I am writing this. So, do you really need to care about this topic?

If you are using Wordpress, yes you should…

I wanted to write this and share one of my bad experiences with Wordpress, and this time it really touched me.

This happened to me in the last week. I had to use Wordpress to create a website for one of my friends, and together we uploaded Wordpress and set up everything nicely. Within less than an hour, we had a fully functional website with all the content management requirements he needed. That is all because of this powerful and elegant CMS, Wordpress. I knew that Wordpress was the best option to select when I heard my friend's requirements. But we never thought about the vulnerabilities in Wordpress (though I had some previous bad experiences). It was because I thought that all the bugs would have been fixed, since this is the latest release of Wordpress. Let's see what happened :)

So, by this time we had a nice Wordpress website, and we wanted to give it some more attractiveness, and my friend decided to buy a template from a popular Wordpress template seller. It cost him just under USD 10. It was a very nice template and it had many useful options to edit and customize the template and to manage the content.

He was really happy about the final result he got, and the rest of the day we worked on adding content and planning on optimizing the pages and content.

On the next day, while we were cross-checking the site, we noticed something unusual on the site. Some pages appeared to be hacked, and soon the other pages got hacked as well. The only text on the page was "Hacked by {some hacker guy's name}". We were shocked, but acted very fast and put the site offline immediately. I should mention that my friend's website was already a popular one; its PR was 4. He had some good traffic by that time as well. So we did not have much time to keep it offline, since that does no good.

I took a backup of the hacked Wordpress website to analyze later, and I restored the original files onto the server. The site was set back to its original status. But the threat was still there. Hence I started working on finding a solution for this.

What I initially did was go through all the hacked files looking for a clue to the backdoor. When I opened the templates folder, I realized that all the template files had been hacked. The hacker had edited the files and put his phrase in each of them.

I was wondering how it happened...

Then I opened the wp-config.php file, and that was where I noticed how the hacker had got in. Somehow, this hacker had got access to the Wordpress config file and edited it, so that he could get the database details from it.

Then, using those details, he changed the admin password, logged into the admin panel, and changed / edited all the template files. That was so tricky. Anyway, I couldn't figure out how the hack was done, and I didn't care much about it either. All I did was block the hacker from accessing our important Wordpress files.

Once I realized that it was done through the wp-config file, I blocked direct access to that file using .htaccess, and it protected the site from that hacker. We watched for another few days to see whether the hacker would come back and hack it again. But it didn't happen again. So we decided we were safe.
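The rule itself is not shown in the post; as an added example (not the author's actual .htaccess), this is how direct web access to wp-config.php is commonly denied in Apache, covering both the 2.4 and the older 2.2 directive syntax. It assumes the file sits at the Wordpress document root and that the server honours .htaccess files there (AllowOverride).

```apache
# Added example, not taken from the original post.
# Put this in the .htaccess at the Wordpress document root (next to wp-config.php).

# Refuse every HTTP request for wp-config.php.
<Files "wp-config.php">
    # Apache 2.4 and later (mod_authz_core)
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 (mod_authz_host)
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

# Keep the .htaccess file itself from being served as well.
<Files ".htaccess">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
```

After reloading, a request for /wp-config.php should return 403 instead of the file. Note that this only stops web requests: PHP code already running on the server, such as a malicious theme or plugin, can still read the file from disk, so the rule does not replace vetting what you install.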

I learnt a very good and very important lesson from this incident. Wordpress is really nice because it has all these content management abilities and a vast number of useful plugins. But still, Wordpress is so vulnerable to hacks. As I noticed, it was not a direct fault of Wordpress. The backdoor was opened as a result of the template which my friend used. So it is very important to think before you install any third-party template or plugin in your Wordpress website or blog. Use plugins which you can trust, and always read the good and bad reviews about them. It will save you from unexpected hacks or attacks.

Finally, if your Wordpress website gets hacked, never panic! It is so important that you keep calm and work on a solution to fix it. Also, do not trust Wordpress too much. Always apply your own ways of protecting it. Especially, protect your wp-config.php file using .htaccess.

Thank you for reading my article. Please do not forget to share your thoughts on this. I know you definitely have something to say about wordpress :)

Happy and safe Wordpressing :D
