Hashemian Blog
Web, Finance, Technology

Wordpress 'page_option' Hack

    📂 Hacking,Web     #     🗨 No Comments

wordpress-hackWordpress is a great publishing product but its popularity is also its Achilles heel. It's notorious for being a favorite target of hackers and many have been successful in compromising plenty of installations out there, including this one.

Having automated monitoring software is certainly a prudent way to stay on top of things, but in the end vigilance and bit of common sense seems to be a good way of detecting and removing attacks. Thwarting them is of course another story.

Staying with the vigilance theme, for some time I had noticed that this blog was very slow. I just attributed it to the server load or bandwidth issues but like everything else after a prolonged time of sluggish performance I turned my attention to the installation itself.

That's when I discovered the 'page_option' hack. The 'functions.php' file in my theme folder had been appended with a block calling the 'add-action' with the 'wp_head' parameter. The second parameter was from a deserialized array coming from a newly added row in the 'wp_options' table (in MySQL) with the 'option_name' field set to 'page_option'. The whole thing smelled of a hack, you know the mysterious call to decode and slice up some long encoded string. Why do hackers waste so much time with these idiotic obscurity schemes? Just dump the damn payload in. the layman won't see it and the rest can spot it from miles away, totally pointless.

A Google search brought up this reference, and the blogger's experience was very similar to mine and indeed I found the offending '/wp-includes/page.php' file just as he had. He has very good tips and hints on dealing with this hack, so head on over and give it a read.

As for me, I removed the offending block from the 'functions.php' file, delete the '/wp-includes/page.php' file, deleted the 'page_option' row from the 'wp_options' table and removed all unused themes and plugins, in case those were the hacker's conduit.

The page load times are now back to normal and for good measure I updated Wordpress to the latest version, always a wise move as they always plug new security holes.

Stay vigilant…

Your Comment


* Comments are subject to screening and manual approval.

Read Financial Markets  |   Home  |   Web Tools  |   Blog  |   News  |   Articles  |   FAQ  |   About  |   Privacy  |   Contact
Give a few Sats: 1GfrF49zFWfn7qHtgFxgLMihgdnVzhE361
© 2001-2024 Robert Hashemian   Powered by Hashemian.com