Wordpress Redirect Hack

It’s recently become evident to me that hackers are starting to look at plugin code to try to compromise your WordPress installation. One possible hack is with the WordPress redirect plugin.

I’ve been corresponding with a fellow wp’er, and some of his WordPress installations have started to ‘redirect’ to pages outside of his site, instead of pages and posts within his site.

It immediately sounded like a redirect problem, so out of speculation, I suggested that he take a look at his redirect plugin. Sure enough, it seems that part of the hacking that occurred on his site centers around manipulation of the redirect plugin.

I don’t yet know the full scope of this, but I do know that there may be an easy fix for this issue. Go into your admin panel and look for ‘Redirection’ under ‘Tools’.

Select this, and you will be presented with the plugin’s page. Here, under ‘Redirections for group’, select ‘Options’.

Once you select Options, go down the page, and near the bottom you’ll see the ‘Delete’ option.

Click on ‘Delete’. Be forewarned: keep a record of any static redirects you’ve entered into the redirect module, because this will remove all of them too! You’ll have to re-enter any manual redirects that you’ve created after deleting all links.

You will then be asked to confirm the deletion, after which the redirect plugin will be cleaned and disabled. You will need to re-enable the plugin afterwards.

I’m pretty sure that this will rectify the WordPress redirect hack, but I still need to confirm this information.

If you encounter this problem and have more info, please comment below!  


Dave Ferguson April 22, 2009 at 5:28 pm

I have what I think is a related problem. When I access my blog, I see at the bottom of the browser window attempts to contact 94.247.2.195, an address registered in Latvia.

I’m not in Latvia.

I do not have the redirect plugin, so that’s not the cause. However, I found over a dozen php and html pages on my blog that had code inserted into them last Sunday. I think this is what’s causing the redirect attempts… but I don’t know.

Fortunately I did a complete backup of the blog (including all the WP files) six weeks ago or so, in addition to my weekly backup of the posts, so I can overwrite. I’m just wondering how this happened, and how to keep it from happening again.

fthomas April 22, 2009 at 8:45 pm

Hey Dave, thanks for your comments and I’m sorry to hear your predicament. What your problem is, is you have a security hole in your WordPress installation. Even if you’ve restored your WordPress install from a backup, you still have to repair the hole. Things to look at are:

- your ftp password. Make it complex. I just finished repairing a hack of over 30 wordpress sites where the intruders hard cracked my ftp password through guessing. Took them several weeks, (found out after from my hosting agent), but they did crack it. Choose a hard long random password.
- check your wordpress passwords. The biggest security hole is one, the admin password is easy to crack and two your password is easy to crack.
- upgrade to version 2.7.1 on your wordpress blog. I’m thinking that you are still running 2.7 and 2.7.1 does fix some security issues. You can very easily upgrade from the admin console.

And if all else fails, send me a message and I can offer my help to you.

Frank

Dave Ferguson April 23, 2009 at 5:00 am

Frank, mostly it’s been a nuisance. Your advice is good; my ISP also sent me some tech suggestions. One is to move config.php files to a directory outside the public_html folder (I’m not sure how WP would get to that, then). Another is to change permissions on the config file to 440, so they can’t be written to.

If you’d like, I can email this to you–it’s technical for me, but you might want to look at it and see whether it has value for others.
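
An added example, not part of the original post or anyone's comment: a shell script that checks the points raised in this thread, namely whether the config file is restricted to mode 440 (whether it sits in the install directory or one level up) and which PHP/HTML files were modified recently or contain an unexpected address. It assumes the config file meant above is WordPress's `wp-config.php`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post or comments): audit a WordPress
# tree for the points raised in the thread. Function names are hypothetical.

# Print the path of wp-config.php: the install directory first, then its
# parent, which WordPress also checks when the file is moved up one level.
find_wp_config() {
    if [ -f "$1/wp-config.php" ]; then
        printf '%s\n' "$1/wp-config.php"
    elif [ -f "$1/../wp-config.php" ]; then
        printf '%s\n' "$1/../wp-config.php"
    else
        return 1
    fi
}

# Succeed only if the file has no rwx bits beyond 440
# (no write/execute for anyone, no access at all for "other").
config_mode_ok() {
    loose=$(find "$1" -prune \( -perm -200 -o -perm -100 -o -perm -020 \
        -o -perm -010 -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    [ -z "$loose" ]
}

# List .php/.htm/.html files modified within the last N days (default 7).
recently_modified() {
    find "$1" -type f \( -name '*.php' -o -name '*.htm' -o -name '*.html' \) \
        -mtime "-${2:-7}" -print | sort
}

# List files containing a fixed string, such as an unexpected address.
files_mentioning() {
    grep -rlF -- "$2" "$1" 2>/dev/null | sort
}

audit() {
    cfg=$(find_wp_config "$1") || { echo "wp-config.php not found"; return 2; }
    config_mode_ok "$cfg" || echo "LOOSE PERMISSIONS on $cfg (want 440)"
    echo "Modified in the last ${2:-7} days:"; recently_modified "$1" "${2:-7}"
    if [ -n "${3:-}" ]; then
        echo "Files mentioning $3:"; files_mentioning "$1" "$3"
    fi
}

# Usage: sh audit.sh /path/to/wordpress [days] [string]
if [ "$#" -gt 0 ]; then audit "$@"; fi
```

Compare the recently-modified list against a known-good backup before overwriting anything, since legitimate upgrades also change file times.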

online stock trading advice January 10, 2010 at 11:58 pm

Hey, I read a lot of blogs on a daily basis and for the most part, people lack substance, but I just wanted to make a quick comment to say GREAT blog!… I’ll be checking in regularly now… Keep up the good work! :)

I’m Out! :)
