With increased popularity comes increased risk.
rottmann.net, formerly 24100.net, runs on the most current version of WordPress. However, it’s not a fresh install. Instead, I started the site quite a few years ago, so the current version is one of many updates I’ve applied over those years.
It turned out that, over all these years, attackers had exploited some of the since-fixed vulnerabilities in either WordPress core or some of the plugins I’m using here.
While none of what I found could directly harm rottmann.net’s visitors, I started to worry and invested serious time in fixing every issue.
AVG ThreatLabs still shows the cached results, but rottmann.net has been completely cleaned and all lights are green again.
If you’ve been running a WordPress install for a while, you might find the following tips valuable:
- By far the most helpful plugin during my quest was GOTMLS.NET‘s Anti-Malware (Get Off Malicious Script). It allows you to scan your entire WordPress folder structure for altered files and for files that look suspicious. It requires you to register with GOTMLS, but it’s well worth the extra step. Be aware, though, that in my case the plugin yielded a couple of false positives, primarily because it tends to flag every file that contains a PHP eval() call, whether or not the code is malicious.
- Look-See Security Scanner is a plugin that helps you clean up your WordPress installation and checks whether your current configuration is safe. It does so by downloading the latest list of standard WordPress files and folders and comparing it with what is actually on your web server. In my case, I could get rid of hundreds of orphaned files from previous WordPress installations and identified a couple of PHP scripts that had been modified by attackers.
- The Ultimate Security Checker for WordPress provided additional insight; however, it yielded way too many false positives for my taste. A security tool that wrongly makes you feel insecure in the majority of cases is probably not a good idea. Unfortunately, the File Analysis module did not work at all.
- In case you decide to use Sucuri’s paid services, they’ve got a WordPress plugin, too. It frequently auto-checks your installation and notifies you by email in case anything needs your attention. I’ve subscribed to their somewhat pricy services for rottmann.net.
For a quick check of whether you need to take action at all, run your site through the following services:
- http://www.avgthreatlabs.com/sitereports/domain/<your domain here>
- http://sitecheck.sucuri.net/results/<your domain here>
- http://www.google.com/safebrowsing/diagnostic?site=<your domain here>
- Reader Stephan Hochhaus pointed me to the free Detectify, which allows for scheduled scans.
Should you run into infected files, there are a couple of alternatives, depending on your skills and how much effort you want to put in:
- Sucuri offers a paid cleanup service. You provide them with temporary FTP or SSH access and they make sure your install gets completely cleaned within 48 hours. Prefer the SSH option over plain FTP, which sends the password in clear text, and revoke the credentials once the cleanup is done.
- You might want to start over with a clean WordPress install and use one of the export/import plugins to move all of your settings and content over. Change every user password and the authentication salts in wp-config.php as well; otherwise credentials stolen from the old install keep working on the new one.
Last but not least, this October 2012 article in Smashing Magazine provides an in-depth technical overview of WordPress vulnerabilities and measures to protect against them.
Hope this helps. For questions and comments, hop over to Google+. Would love to hear from you.