Recently slashdot posted this:
Massive Number of GoDaddy WordPress Blogs Hacked
A nasty little exploit has hit a large number of GoDaddy-hosted WordPress blogs this weekend. The best part is that the exploit only executes when the traffic is referred by Google, making it the sort of thing that site maintainers won’t easily notice. Clever and devious.
Immediately, with out reading any more of the sources for the article I had my suspicions that this was nothing new. The part where they say “only executes when referred by Google” (or refered [sic] :) is what tipped me. This was an old hack for old version of WordPress, topics I’ve written about before.
Digging deeper and looking at the source article, I see that that an enterprising hacker has gone the extra step of trying to turn your computer into a virus filled bot computer (or some other nefarious sounding term). The write up, with breaking news current as of today, is over at wpsecuritylock.com. The break down of the virus payload and sources was then attempted over at some dude name Dancho Denchoev’s blog. Dancho’s write up looks good, but use of “emerging threatscape” in is bio doesn’t look so good.
My take on all this is going to sound familiar: you must be vigilant about keeping your software up to date. I suspect that a lot of the GoDaddy customers feel they really got the shaft. Most likely these WordPress installs were all copies of the same older WordPress installed via a control panel for a domain that said “Set up a blog in 1 click!”. This is a great use of an open source project and WordPress is a really good candidate to be the one click code base for a blog. However, the end user at GoDaddy probably knows more about their flower pots or farmers market they blogged about, than about how to upgrade their blog. I’m not entirely sure it should have fallen to GoDaddy to keep up to date, but enabling easy updates (it’s built in since…um WP 2.8?) via SFTP and really extra for reals making sure folks upgrade would have gone a long way. Further, there’s all kinds of ways you can harden WordPress. You don’t want to be Network Solutions with their big hack (nor suffering the wrath of a WordPress author!).
Speaking of WordPress authors, you should check out their Codex entry on the Hardening WordPress. It’s a good, holistic approach at security.