Cheap Hack/Worm Protection for your WordPress Blog

This on its own is only half of a security setup, but I thought the idea was worth spreading the word about: disable eval. On the various Linux based hostings out there it can normally be set up in seconds.

Most WordPress exploits are used to place worms or backdoor scripts on the server. These turn it into a web drone that hacks other blogs, sends spam, attacks your server more deeply, stores payloads for other attacks and so on. You just do not want that.

[Image: Example Eval Code found on a hacked WordPress Blog]

Most of the backdoor scripts I’ve seen on hacked WordPress installations make heavy use of the eval language construct in PHP. So the simple idea is to disable eval. This works well with WordPress, because for some months now the core code has been eval-free. The related ticket is #9602.

For example, this can be done with the PHP extension Suhosin by setting:

suhosin.executor.disable_eval = On

The Suhosin configuration can be edited in your php.ini file. If you’re unsure whether your changes took effect, use phpinfo() to display all the configuration settings (if it’s not disabled 😉 ).

“If eval() is the answer, then you asked the wrong question”.

If you think things cannot be done without eval, take a look at the sample code I provided to patch the WordPress core and remove eval from permalink parsing. That eval has been used for many WordPress exploits, and removing it was long overdue.

So again: it’s very often possible to remove eval, so throw it out of your plugins and themes if you have it in there. And do yourself a favor and do not use themes or plugins that contain eval.
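To find where eval is actually used in your plugins and themes before removing it, and to confirm that the Suhosin setting took effect, here is an added example script; it is not code from this post or from WordPress, and the script name and wp-content path are assumptions. It uses PHP’s tokenizer, so the word "eval" in a comment or string does not produce a false hit.

```php
<?php
// Added example, not code from the post or from WordPress: locate eval() calls in a
// WordPress tree via the tokenizer (T_EVAL), which ignores "eval" in comments and
// strings, and report whether Suhosin currently blocks eval.
// Assumed usage: php find-eval.php /var/www/html/wp-content

function find_eval_calls(string $root): array
{
    $hits  = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $tokens = token_get_all(file_get_contents($file->getPathname()));
        foreach ($tokens as $i => $tok) {
            if (!is_array($tok) || $tok[0] !== T_EVAL) {
                continue;
            }
            // Collect the statement (up to 80 chars) so the reviewer sees what is being
            // evaluated; eval(base64_decode(...)) or eval(gzinflate(...)) is the usual
            // backdoor shape and deserves the closest look.
            $stmt = '';
            for ($j = $i; $j < count($tokens) && strlen($stmt) < 80; $j++) {
                $stmt .= is_array($tokens[$j]) ? $tokens[$j][1] : $tokens[$j];
                if ($tokens[$j] === ';') {
                    break;
                }
            }
            $hits[] = sprintf('%s:%d: %s', $file->getPathname(), $tok[2],
                preg_replace('/\s+/', ' ', $stmt));
        }
    }
    return $hits;
}

// True only if Suhosin is loaded and suhosin.executor.disable_eval is on. A bare
// ini_get() returns false for a directive no loaded extension registered, so the
// extension check keeps "Off" from being confused with "Suhosin missing".
function eval_is_disabled(): bool
{
    return extension_loaded('suhosin')
        && filter_var(ini_get('suhosin.executor.disable_eval'), FILTER_VALIDATE_BOOLEAN);
}

$root = $argv[1] ?? 'wp-content';
printf("suhosin.executor.disable_eval: %s\n", eval_is_disabled() ? 'On' : 'Off (or Suhosin not loaded)');
foreach (find_eval_calls($root) as $hit) {
    echo $hit, "\n";
}
```

Every reported line is a candidate for the rewrite the post describes; a hit that feeds decoded or decompressed data into eval inside a theme or plugin you did not write is a strong sign the file was tampered with.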

But I’ve already been hacked!

Especially when your blog has been hacked, this Suhosin setting comes in handy. As reported in a previous post, hacked blogs can contain tons of eval code after being attacked. With this Suhosin setting, those attacks are neutralized without actually removing the code. That’s somewhat dirty, since the injected code is still there, but in case you’ve been attacked this can save you at least some headaches in a snap.

Read on: Comprehensive WordPress Guide with many ideas on how to secure a blog (19 APR 2010).

This entry was posted in Hacking The Core, Hakre's Tips, Tools, WordPress Support.

3 Responses to Cheap Hack/Worm Protection for your WordPress Blog

  1. Pingback: Einfacher Schutz vor Hacks auf deinem WordPress Blog - PHPUGFFM - PHP User Group Frankfurt am Main

  2. John Hoff says:

    Interesting article. It does seem, though, that a lot of plugins and themes use eval. What are your suggested steps to go through to implement this, as far as discovering whether any of your blog’s code uses eval?

    • hakre says:

      Review the code, locate the eval calls and see if you can replace them with non-eval code. This can sometimes be trivial, sometimes challenging.
