I was contacted yesterday by a friend who wanted some changes made to his website. First thing I happened to notice when I went to take a look at the site in question is that my security software started throwing up some alerts about blocking access to a potentially malicious site.

Confident that my friend’s site doesn’t usually qualify for that description, I did some digging and discovered that every time I accessed a page on his site, it was attempting to contact an internet address that is registered to an address in Latvia. Looking at the source for the site, there was some JavaScript that appeared on the end of each page that referred to a site called meqashoppinginfo and called a script called js.php.

As far as I can tell, the attackers targeted sites with WordPress blogs on shared hosting providers (most SME websites are hosted in this way) and, using WordPress as the point of entry, will have gone on to infect any PHP pages hosted by that site.

Having cleaned my friend’s site manually (and deleted his WP blog as he isn’t currently using it anyway) and reported the issue to his hosting company, I have received an update from my hosting company as shown below:

Security warning for websites using WordPress

We’ve been made aware of a security issue facing websites using WordPress. We take security very seriously at 123-reg, so we want to check if this matter has affected your site.

If you use the blogging platform WordPress on your web hosting, you may have been the victim of a security hack (please ignore this email if you haven’t installed WordPress on your hosting).

The problem is due to a security breach caused by hackers, who have targeted sites that use WordPress. WordPress is an open source application, making it vulnerable to such attacks.

As your hosting provider, we want to help you counter this WordPress hack as quickly and as effectively as possible. To do so, please follow these simple steps as soon as you can:

1. Run a simple cleanup script
If your WordPress site has been hacked, you will need to run this
simple cleanup solution script (written to defeat this WordPress hack).
2. Scan your local machine
Run a full anti-virus scan on the local PC from which you administer
your WordPress account.
3. Change all your user passwords
Change any user passwords for your WordPress account, your FTP
account and MySQL account.
4. Change your secret keys
If hackers have stolen your password they may remain logged into
your WordPress account until you have changed your secret keys.

Visit the WordPress key generator to obtain a new random set of keys.

Then overwrite the secret keys in your wp-config.php file with the new ones.
This will disable the hacker’s connection.

5. Take a backup of your WordPress files
Back up all of your WordPress files to your local PC (label them as
‘hacked site backup’). You can then investigate these files later.

That should do the trick!

If you have been affected by the WordPress hack, we’re sure that the above steps will completely eradicate the problem – allowing your website to function as before.

We’d like to stress that this WordPress hack bears no relation to the security of your 123-reg web hosting itself. This remains robust and very well protected from any attacks by hackers.

Having used the script on another infected site, I can confirm that it is simple to use and works effectively.

This episode reiterates the importance of the following:

  • Make sure your passwords (blog admin, FTP etc) are strong passwords and are changed regularly
  • Keep your software up to date; hackers often make use of known bugs in older versions that are now fixed
  • Install anti-malware software on your PC and check your site regularly – this is what alerted me to the problem
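
For the "check your site regularly" point, here is an added example (not part of the original post and not the hosting company's cleanup script) that scans a downloaded copy of a site for the pattern described above: a script tag loading from an outside host, appended at the end of a page and pointing at a .php file. The function names, the allowlist and the sample pages are assumptions; the post gives only the name meqashoppinginfo, so the constructed sample uses a placeholder `.example` domain.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Matches <script ... src=...> (quoted or unquoted) and captures the src value.
SCRIPT_SRC = re.compile(r'<script\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
SCAN_SUFFIXES = {".php", ".html", ".htm"}
TAIL_CHARS = 512  # the injection described above sat at the end of each page

def find_external_scripts(text, allowed_hosts):
    """Return (offset, src) for each script tag loading from a host not in allowed_hosts."""
    hits = []
    for m in SCRIPT_SRC.finditer(text):
        host = (urlparse(m.group(1)).hostname or "").lower()
        if host and host not in allowed_hosts:  # relative URLs have no host and are skipped
            hits.append((m.start(), m.group(1)))
    return hits

def scan_site(root, allowed_hosts):
    """Walk a site copy; report files with unlisted external scripts, flagging tail injections."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        findings = [
            {"src": src, "at_end_of_file": off >= len(text) - TAIL_CHARS,
             "php_served_as_js": urlparse(src).path.lower().endswith(".php")}
            for off, src in find_external_scripts(text, allowed_hosts)
        ]
        if findings:
            report[str(path.relative_to(root))] = findings
    return report

def build_sample_site(root):
    """Constructed sample: one clean page, one with a script appended after </html>."""
    root = Path(root)
    body = "<html><body>" + "<p>content</p>" * 100
    (root / "index.php").write_text(body + '<script src="/js/site.js"></script></body></html>')
    (root / "about.php").write_text(
        body + '</body></html>\n<script src="http://meqashoppinginfo.example/js.php"></script>')
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for name, found in scan_site(build_sample_site(d), {"www.example.org"}).items():
            print(name, found)
```

Put every host the site legitimately loads scripts from (its own domain, any analytics or CDN provider) in the allowlist, and run the scan against a fresh FTP download rather than a local working copy.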