Ben Metcalfe

WordPress to be (currently) considered unsafe?

In the past couple of days I’ve been involved with the cleaning up of a number of successful SQL Injection attacks on WordPress blogs, including one that was running the most recent version 2.9.1.

Then last night I read that TechCrunch was also hacked (their post on it seems to redirect to an interstitial ad – which I’ve never seen on TC before and makes me wonder whether they are trying to put up ‘interference’ here).

From what I can see it looks as though the vector that I have seen could also have been used to do this to TechCrunch. I don’t know what version of WordPress TechCrunch runs.

I’ve decided not to give the details of who was affected or too much info about the attacks, although the two common occurrences I’m seeing with all of the sites exploited are:

  1. They are using WP-Cache or WP-SuperCache
  2. They are running on the RackSpace Cloud Sites serving platform

I should state for the record that at this point I do not have any evidence that RackSpace Cloud Sites is vulnerable, I’m just noting that all of the examples I’ve seen have occurred on RackSpace Cloud Sites, and I believe TechCrunch runs on Rackspace Sites too. Conversely I’ve not heard of any non-RackSpace Cloud Sites blog having any problems, and I’ve not had any issues with my blogs either (other than a botched upgrade to 2.9.1 just now due to human error, doh!).

Although I don’t want to give out specific information, some interesting discussion is occurring on a Hacker News thread, especially this sub-thread.

Advice

While we wait to see if/how the WordPress developer community responds to this, my only advice is to make sure all of your directories and files are locked down (chmod 700 works fine on RS Sites), and that you are running the latest version of WP and all of your plugins. Two checks before you apply that: owner-only permissions only work where PHP executes as the file owner (as it evidently does on RS Sites, since 700 works there); under a web server that runs PHP as a shared user such as www-data, 700 will make the site unreadable. And tight permissions stop a neighbouring account on a shared host from reading wp-config.php and the database credentials in it, but they do nothing against injection that arrives through the application itself, so the version check matters just as much. You might want to keep an extra eye out if you are using RackSpace Cloud Sites (or your hosting reseller does) and make use of WP-Cache/WP-SuperCache.
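To make that advice concrete, here is an added example (my own script, not something from the post or from WordPress) that audits an install for files and directories readable or writable by group/other, tightens them to owner-only, and reports the core and plugin versions so you can compare them with the current releases. It assumes the install root is passed as the first argument and that PHP runs as the file owner, so 700 is safe; the `-perm /077` test is GNU/BSD find syntax.

```shell
#!/bin/sh
# Added example (not from the original post): audit and tighten a WordPress
# install along the lines of the advice above, then report the WP core and
# plugin versions so you can compare them with the current releases.
# Assumptions: the install root is passed as $1, and owner-only (700)
# permissions are appropriate, i.e. PHP executes as the file owner (per-user
# CGI/FastCGI). Under mod_php running as a shared web-server user, 700 would
# make the site unreadable, so check how PHP runs before using wp_lockdown.

# Every file or directory under $1 that grants any permission to group or
# other (GNU/BSD find: -perm /077 matches if any of those nine bits is set).
wp_loose_paths() {
    find "$1" -perm /077
}

# Just the count, handy before/after a lockdown.
wp_loose_count() {
    wp_loose_paths "$1" | wc -l | tr -d ' '
}

# Tighten everything that is loose to owner-only. find lists a directory
# before its contents, and chmod 700 keeps u+rwx, so traversal still works.
# PHP, running as the owner, can still read code and write wp-content/cache.
wp_lockdown() {
    find "$1" -perm /077 -exec chmod 700 {} +
}

# Installed core version, read from wp-includes/version.php, whose line
# looks like:  $wp_version = '2.9.1';
wp_version() {
    sed -n "s/^[\$]wp_version = '\([^']*\)';.*/\1/p" "$1/wp-includes/version.php"
}

# Directory name and declared version of each plugin, taken from the
# "Version:" header WordPress requires in the plugin's main PHP file.
wp_plugin_versions() {
    for d in "$1"/wp-content/plugins/*/; do
        [ -d "$d" ] || continue
        v=$(grep -h -m1 -E '^[[:space:]]*\*?[[:space:]]*Version:' "$d"*.php 2>/dev/null \
            | sed -E 's/^[[:space:]]*\*?[[:space:]]*Version:[[:space:]]*//' | head -n 1)
        printf '%s %s\n' "$(basename "$d")" "${v:-unknown}"
    done
}

# Usage: sh wp-audit.sh /path/to/wordpress   (reports, then locks down)
if [ -n "${1:-}" ]; then
    echo "WordPress core: $(wp_version "$1")"
    wp_plugin_versions "$1"
    echo "Loose paths before: $(wp_loose_count "$1")"
    wp_lockdown "$1"
    echo "Loose paths after:  $(wp_loose_count "$1")"
fi
```

Run the report half first (comment out the `wp_lockdown` line) and compare the printed versions against wordpress.org and each plugin's page; only then lock down, and reload a page in the browser straight away so a permissions mistake shows up while you still have the shell open.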

I remain a massive fan and supporter of WordPress.