I’ve been working on a new WordPress redesign for one of my sites this weekend because my head just hasn’t been in the right place to get much writing done, and somehow I stumbled onto this article from a few years back about the dangers of malware hidden inside a WordPress theme and why it’s so important to download your themes from trusted sources, or ideally directly from the free theme repository hosted by WordPress themselves…
I mean, I’ve come across the themes that use a little trickery to preserve the SEO spam links they’ve sold and built into the footer: typically a function that looks for those specific links and refuses to display the site if it doesn’t find them. But reading through the example above, I never would’ve thought of something as elaborate as concealing a piece of code at the end of an otherwise expected preview image, breaking it back out on the fly and searching for places to execute it, creating a backdoor into the server that the attacker triggers just by setting a cookie and then visiting your site … it’s really a pretty crazy scenario, worth a read if you’ve got a few minutes and know enough about PHP to follow along!
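A defensive check in the spirit of that article, added here as an example and not code from the post or its author: it scans a theme directory’s PNG/JPEG files for bytes appended after the image’s end marker and flags anything that looks like PHP. The sample bytes and the hint patterns are constructed for the demo, not taken from the article.

```python
import os
import re

PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_IEND = b"IEND\xae\x42\x60\x82"   # IEND chunk type followed by its fixed CRC
JPEG_SIG = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"               # End Of Image marker
# Strings that have no business living inside an image file (constructed list)
PHP_HINT = re.compile(rb"<\?php|<\?=|eval\s*\(|base64_decode\s*\(|\$_COOKIE", re.I)

def trailing_bytes(data: bytes) -> bytes:
    """Return whatever follows the image's end marker (b'' if nothing does)."""
    if data.startswith(PNG_SIG):
        # The first IEND chunk ends a valid PNG; anything after it is foreign.
        end, width = data.find(PNG_IEND), len(PNG_IEND)
    elif data.startswith(JPEG_SIG):
        # FF D9 can also occur inside an embedded EXIF thumbnail, so take the last one.
        end, width = data.rfind(JPEG_EOI), len(JPEG_EOI)
    else:
        return b""                   # not a format this checker understands
    return b"" if end == -1 else data[end + width:]

def inspect_image(data: bytes) -> dict:
    """Summarise how much trails the image and whether it looks like PHP."""
    tail = trailing_bytes(data)
    return {"trailing_len": len(tail), "looks_like_php": bool(PHP_HINT.search(tail))}

def scan_theme(root: str) -> list:
    """Walk a theme directory; return (path, finding) for every image with a tail."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".png", ".jpg", ".jpeg")):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    finding = inspect_image(fh.read())
                if finding["trailing_len"]:
                    hits.append((path, finding))
    return hits

# Constructed samples: a bare PNG (signature + empty IEND chunk), clean and
# with a harmless PHP marker appended the way the post describes.
CLEAN_PNG = PNG_SIG + b"\x00\x00\x00\x00" + PNG_IEND
TAMPERED_PNG = CLEAN_PNG + b"<?php echo 'constructed marker'; ?>"

if __name__ == "__main__":
    print(inspect_image(CLEAN_PNG))
    print(inspect_image(TAMPERED_PNG))
    print(scan_theme("wp-content/themes"))   # assumed path; adjust to your install
```

A non-empty tail is not proof of infection on its own (some tools append metadata), but a tail that matches PHP patterns in a theme’s image folder deserves a look.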
I know that every so often when I notice something odd on my server, one of the first things my mind jumps to is whether I did something stupid that opened me up to being hacked. So far I’ve kind of lucked out and they’ve been fairly benign – once I got a notice for sending spam because I had created a test email account a long time ago with “test” as the password (?!) and then forgotten about it … and somebody else found it. Another time I actually found a piece of malicious code in a random sub-directory, which was a little creepy – again for sending out spam.
You like to think, “Bah – I’m nobody and my sites hardly see any traffic … who would bother targeting me?!” But a quick check of the logs is all it takes to confirm that most web attacks aren’t really targeted at all … they’re just randomly scanning for machines that can be compromised, sometimes to be used as DDoS or spam boxes, and no doubt sometimes just as another notch in the bedpost to see who can infiltrate the most systems.
As if we didn’t have enough to worry about around this crazy, mixed up interweb! 😉