Category Archives: wordpress

guess who got hacked

Night Work

Let me tell you about that time my site got hacked.

Once upon a time I received this email from Google. Now when Google emails you, you usually pay attention, even if it’s a bot. Those guys know their stuff.
The email told me that my site was possibly hacked because it was suddenly feeding spam when the Google bot was passing by.
The reason I got this email, by the way, is that I use Google’s free Webmaster Tools. That way they know my site has behaved nicely over the years, and when it suddenly started spewing spam, they knew something bad was up.

The scary part is that this only happened when Googlebot was munching my pages. Not when I or any other human passed by with a browser. So in other words, I didn’t have a clue.
Because it was quite the mystery, I checked my web folder and found a few suspicious files and folders in there. Suspicious, because I never put them there.

I found a folder named “coockies”, plus unknown common.php, session.php and coockies.txt files. My .htaccess file was also changed. All the PHP files and the .htaccess had the same timestamp. I compared my complete WP installation with the original installation files to be sure no other files were modified, which turned out to be the case.
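The comparison described above, done by hand in the post, is easy to script. This is an added example (not the blog’s own code): it hashes every file in a pristine copy of the install, hashes the live document root, and reports anything added, modified or missing. The directory trees and file contents in `demo()` are constructed to mimic the scenario in the post; `wp-config.php` is skipped because a pristine download never contains it.

```python
"""Compare a live WordPress document root against a pristine copy (added example)."""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each relative file path under root to the SHA-256 of its contents.

    pathlib's rglob matches dotfiles too, so .htaccess is included.
    """
    root = Path(root)
    manifest = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare(baseline, live, ignore=("wp-config.php",)):
    """Return files only in live (added), differing (modified) or gone (removed)."""
    added = sorted(p for p in live if p not in baseline and p not in ignore)
    removed = sorted(p for p in baseline if p not in live and p not in ignore)
    modified = sorted(
        p for p in baseline
        if p in live and p not in ignore and baseline[p] != live[p]
    )
    return {"added": added, "modified": modified, "removed": removed}


def _write(root, rel, text):
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def demo():
    """Constructed scenario: pristine install versus a tampered live site."""
    with tempfile.TemporaryDirectory() as pristine, tempfile.TemporaryDirectory() as live:
        # identical core files on both sides (constructed stand-ins, not real WP code)
        for root in (pristine, live):
            _write(root, "index.php", "<?php require 'wp-blog-header.php';\n")
            _write(root, "wp-includes/load.php", "<?php // core\n")
        _write(pristine, ".htaccess", "RewriteEngine On\n")
        # the live copy carries the extras the post describes: a rewritten
        # .htaccess, an unknown common.php and a folder of encoded content
        _write(live, ".htaccess", "RewriteEngine On\nRewriteCond %{HTTP_USER_AGENT} Googlebot\n")
        _write(live, "common.php", "<?php // unknown\n")
        _write(live, "coockies/some-post-slug", "garbage")
        return compare(build_manifest(pristine), build_manifest(live))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Run it against a real site by pointing `build_manifest` at an unpacked WordPress download of the same version and at the live document root; plugins and themes you installed yourself will show up as “added”, so keep a manifest of those too.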

The folder seemed to contain files with file names resembling URIs of my blog posts. The content was unreadable and appeared garbage. I’m guessing it was an encoded version of the spam my site was feeding Google.

At first I thought my WP blog was hacked, but the entry point was simply the modified .htaccess file. It contained a few new rewrite rules which checked the user agent of the incoming request, and if that matched any of the major crawlers, it would redirect to the new php files, which would feed the spammy content.
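Because the cloaking hinged on RewriteCond lines keyed on the crawler’s user agent, that pattern is something you can scan a .htaccess for. This is an added example, not code from the post: it walks the file, collects the RewriteCond lines that precede each RewriteRule, and flags any rule that is gated on `%{HTTP_USER_AGENT}` matching a known crawler name. `CLEAN_HTACCESS` is the standard WordPress rewrite block; `TAMPERED_HTACCESS` appends a constructed rule of the kind the post describes, purely as test input.

```python
"""Flag RewriteRules in a .htaccess that only fire for search-engine crawlers (added example)."""
import re

# crawler names a cloaking rule would typically match on
CRAWLER_HINT = re.compile(r"googlebot|bingbot|slurp|yandex|baiduspider|duckduckbot", re.I)

# the unmodified block WordPress writes for pretty permalinks
CLEAN_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

# constructed tampered copy: same block plus a crawler-only redirect to a dropped file
TAMPERED_HTACCESS = CLEAN_HTACCESS + """\
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot|slurp) [NC]
RewriteRule ^(.*)$ common.php [L]
"""


def find_crawler_cloaking(htaccess_text):
    """Return (line_no, rule_line, ua_conditions) for every RewriteRule whose
    preceding RewriteCond chain tests the user agent for a crawler name."""
    findings = []
    pending = []  # RewriteCond lines seen since the last RewriteRule
    for no, raw in enumerate(htaccess_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        lowered = line.lower()
        if lowered.startswith("rewritecond"):
            pending.append(line)
        elif lowered.startswith("rewriterule"):
            ua_conds = [
                c for c in pending
                if "%{HTTP_USER_AGENT}" in c.upper() and CRAWLER_HINT.search(c)
            ]
            if ua_conds:
                findings.append((no, line, ua_conds))
            pending = []  # RewriteCond only applies to the next RewriteRule
    return findings


if __name__ == "__main__":
    for no, rule, conds in find_crawler_cloaking(TAMPERED_HTACCESS):
        print(f"line {no}: {rule}")
        for c in conds:
            print("    gated on:", c)
```

A hit is not proof of compromise (some caching and mobile plugins add user-agent rules of their own), but a RewriteCond on a crawler name that sends traffic to a PHP file you did not install is exactly the shape of what the post found.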

Cleaning up turned out to be rather easy.
I deleted all the new files, restored my old .htaccess file (hurrah for backups) and changed my site passwords just to be sure.

The fishy thing about all this is that I’m still not sure how these files got on my system (hence the password changes). The timestamp on the files seemed to point to the moment I last ran a WP and plugin update on my site. Maybe it was pulled in with a compromised plugin, but there is no way to tell which one it could have been. Another option is a compromised FTP account, but that password was already random before I changed it so that seems unlikely. I still changed it to a random and longer one to be sure.

I also took some extra defensive measures to try to avoid this kind of hack in the future, but that’s for another post.

Photo by Thomas Heylen, cc-licensed.

get some neato wordpress plugin speed profiling stats

An abstract pie chart

Stats. Geeks love ’em, and at some point my blog was acting sluggish, and I was all like “OMG would it be that mobile plugin? Or the spam blocker? Or that one that makes it available for mobile?”.
Yep, you guessed it. A sheer geek panic attack. So I headed over to the virtual plugin store and checked if there was something out there to do that for me. Yep, having the computer do stuff for you. Another one of those things geeks love.

Enter P3, the Plugin Performance Profiler.
After a quick profile test (takes about 5 minutes) it presents you with pretty pie and line charts telling you how long it took for your pages to load (average is less than a second, which is nice), which plugins are slowing you down and how many database queries were launched (56 on average, wow).
Interesting stuff!

To give you an idea of what that looks like without the pretty pie charts, here’s some plain old text output.

WordPress Plugin Profile Report

Report date: July 24, 2012
Theme name: Evening Red (based on Sandbox)
Pages browsed: 11
Avg. load time: 0.7966 sec
Number of plugins: 23
Plugin impact: 54.10% of load time
Avg. plugin time: 0.4310 sec
Avg. core time: 0.3161 sec
Avg. theme time: 0.0474 sec
Avg. mem usage: 19.95 MB
Avg. ticks: 4,232
Avg. db queries : 56.27
Margin of error : 0.0021 sec

Plugin list:

P3 (Plugin Performance Profiler) – 0.0054 sec – 1.26%
After The Deadline – 0.0093 sec – 2.16%
Akismet – 0.0205 sec – 4.76%
Bad Behavior – 0.0251 sec – 5.82%
Dean’s Permalinks Migration – 0.0222 sec – 5.16%
Exploit Scanner – 0.0064 sec – 1.48%
Feedburner Plugin – 0.0019 sec – 0.45%
Google Sitemap Generator – 0.0013 sec – 0.30%
Lightbox 2 – 0.0048 sec – 1.12%
Do Follow – 0.0121 sec – 2.80%
Simple Reverse Comments – 0.0020 sec – 0.47%
SoundCloud Shortcode – 0.0091 sec – 2.11%
WordPress.com Stats – 0.0147 sec – 3.42%
Subscribe To Comments – 0.0647 sec – 15.01%
Viper’s Video Quicktags – 0.0088 sec – 2.04%
Widget Category Cloud – 0.0449 sec – 10.42%
Wordpress Mobile Edition – 0.0131 sec – 3.04%
Wordpress Popular Posts – 0.0105 sec – 2.44%
wp-cache – 0.0105 sec – 2.45%
WordPress Database Backup – 0.0120 sec – 2.79%
WP Tweet Button – 0.0533 sec – 12.36%
WPtouch – 0.0225 sec – 5.23%
Yet Another Related Posts Plugin – 0.0557 sec – 12.93%
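If you keep these text reports around, a few lines of parsing let you rank plugins across runs without the charts. This is an added example, not part of P3 or the post: it reads the report format shown above, pulls the summary fields into a dict and the plugin lines into tuples, and sorts by time spent. `SAMPLE_REPORT` is a constructed excerpt of the report printed above.

```python
"""Parse a P3 plain-text plugin profile report and rank plugins by cost (added example)."""
import re

# "Name – 0.0647 sec – 15.01%" (P3 uses an en dash; a plain hyphen is accepted too)
PLUGIN_LINE = re.compile(
    r"^(?P<name>.+?)\s+[–-]\s+(?P<sec>[\d.]+) sec\s+[–-]\s+(?P<pct>[\d.]+)%\s*$"
)
HEADER_LINE = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<value>.+)$")

# constructed excerpt of the report in the post
SAMPLE_REPORT = """\
WordPress Plugin Profile Report

Report date: July 24, 2012
Avg. load time: 0.7966 sec
Avg. plugin time: 0.4310 sec
Avg. db queries : 56.27

Plugin list:

P3 (Plugin Performance Profiler) – 0.0054 sec – 1.26%
Akismet – 0.0205 sec – 4.76%
Subscribe To Comments – 0.0647 sec – 15.01%
Widget Category Cloud – 0.0449 sec – 10.42%
WP Tweet Button – 0.0533 sec – 12.36%
Yet Another Related Posts Plugin – 0.0557 sec – 12.93%
"""


def parse_report(text):
    """Return (summary_dict, [(name, seconds, percent), ...])."""
    summary, plugins = {}, []
    in_list = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Plugin list:":
            in_list = True
            continue
        if in_list:
            m = PLUGIN_LINE.match(line)
            if m:
                plugins.append((m["name"], float(m["sec"]), float(m["pct"])))
        else:
            m = HEADER_LINE.match(line)
            if m:
                summary[m["key"].strip()] = m["value"].strip()
    return summary, plugins


def top_offenders(plugins, n=3):
    """Plugins sorted by seconds spent, most expensive first."""
    return sorted(plugins, key=lambda p: p[1], reverse=True)[:n]


def plugin_seconds(plugins):
    """Sum of per-plugin time, to sanity-check against 'Avg. plugin time'."""
    return sum(sec for _, sec, _ in plugins)


if __name__ == "__main__":
    summary, plugins = parse_report(SAMPLE_REPORT)
    print("load time:", summary.get("Avg. load time"))
    for name, sec, pct in top_offenders(plugins):
        print(f"{sec:.4f} sec  {pct:5.2f}%  {name}")
```

Summing the per-plugin seconds of the full report gives roughly the “Avg. plugin time” figure, which is a quick way to confirm the parse picked up every line.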

10 reasons why wordpress kicks ass

Chapas WordPress
  1. 5 minute install. Seriously.
  2. Install a new theme for your blog from inside WP. No need to mess with FTP clients and uploading files and stuff. Easy peasy.
  3. Tons of free and open source themes to choose from.
  4. Plugins allow endless possibilities. Whatever you are looking for probably exists already. Facebook/twitter/whatever integration, fancy widgets, syntax highlighting for code, caching, Google site map generators, you name it.
  5. Install plugins without leaving your WP admin page. No geek skills required.
  6. Comes with an automated backup plugin. Backup your database and email it to yourself daily. Do this!
  7. Upgrade your WP installation with 2 clicks. Maybe 3 (didn’t actually count, but it’s just clicking).
  8. The layout is super-flexible. 1, 2, 3 columns? None? Make your site look less like a blog and very CMS-like? No problem. There are themes for all that.
  9. PHP & MySQL hosts are everywhere. You’ll have no trouble finding a host at all. If you don’t want to do your own hosting, you can always create your blog at wordpress.com.
  10. It’s Open Source and has a huge community. This means that WordPress will never die! *stabs and Amen break start here*

Photo by {El Gris}, cc-licensed.

getting a wordpress linux box up in 5 minutes (*)

diving

If you’ve ever gone to the trouble of setting up WordPress on a Windows machine yourself, going through a PHP, MySQL and phpMyAdmin installation and then sorting through all the IIS crap you run into, you’ll love TurnKey Linux virtual appliances (aka pre-installed virtual machine boxes).

You can for example download a WordPress appliance which has all the stuff mentioned above pre-installed, launch it in VMWare Player, go through a 5 minute config et voilà! You have your very own virtual Ubuntu box up and running with a fully functioning fresh WordPress install on it. You can even flex your 1337 Linux command line skillz through “Shell in a box” which simulates a shell window in your browser. Or you can use SFTP/SSH. Wickedness indeed.

There’s more fun to be had though. Lots of other cool appliances are available containing tons of Open Source Software to be messed with. There’s a LAMP stack, one for Drupal, Ruby (how hip!) etc. Not quite geeky enough for ya? Well alright, go ahead then, get one of those appliances and upload it to Amazon EC2 and be all “in the cloud”. Cause they can do that you know. Oh yeah.

Don’t know if it’s a good idea though. Security wise and all.

(*) If you have VMWare Player installed and already downloaded the zip file of course. :)

Photo by MissMaze, cc-licensed.