MCCID Website was hacked! And how I fixed it…
Let’s put off my deaf advocacy hat here temporarily and put on my web designing hat in order to give you the technical details of what happened. After arriving from an appointment the whole day last Monday (November 21), I was very much surprised when our Deaf Trainor Sir Jerome approached me and gave me the shocking news that our school’s official website “www.mccid.edu.ph” was hacked!
As he was demo-teaching Internet subject that morning and used our school’s site as his example, he clicked on a page link. He got stunned when a porno site appeared! His students were also surprised and resorted to teasing him assuming that he is fond of opening these sites. When he clicked on the back button, the home page appears unchanged. Again, when he tried to visit another internal link, same thing happened! That disgusting porn site appeared again and again! He felt so humiliated about it. But when he gave me the bad news, I took it as an emergency case.
I have experienced before having websites I designed being hacked by malicious people who have nothing more to do than take glory in destroying other people’s reputation. The first one was with a website I designed being defaced. The other was the Official Government Website being turned into an Middle Eastern Propaganda site. This is the third one .
I took things calmly and tried to make some sense out of the flimsy belief that WordPress sites are difficult to hack. Well these bastards have done it again! Here are the things I did.
- First I tried looking at the codes to see if they actually changed the href tag. They didn’t! WordPress uses php functions to control the links.
- Then I tried checking the site’s files/folders using ftp to see if there are suspicious files added. There weren’t.
- Probably there is a vulnerability in having an outdated WordPress version (3.1.1) so I updated to 3.2.1. Again, the site still redirects to a porn site.
- I tried checking on the Permalinks. On the left menu, I clicked on Permalinks under Settings group. Then I selected the default setting format. It worked! The posts went back to their original content although the permalink was changed. Also, the changes only affected the posts, but not the pages.
- So I looked for plugins that changes the Permalink settings by adding .html or .php on URL and not just the common one. I did find two; the .html on Pages and the Improved Page Permalinks. It didn’t work. It didn’t even change the sites in-links.
- I also tried the Exploit Scanner plugin to view some weak links. But it also produced negative result. I simply cannot find the culprit.
So my last resort is to do what I similarly did with the government website, I need to re-install WordPress. But I gave myself another crack at it. I noticed that when I used Filezilla to view the file directory, all of the WordPress files dates were modified on November 21, the day I updated the version, except for .htaccess file. My doubts became more apparent when I saw the date created was 11/19/2011, which was just fairly recent. That’s most likely the date the malicious person penetrated my site.
To erase my suspicion, I opened the .htaccess file and bam! The file content was compromised! Instead of 401 code File not Found, the malicious hacker changed it to his own porno site. According to Wikipedia,
A .htaccess (hypertext access) file is a directory-level configuration file supported by several web servers, that allows for decentralized management of web server configuration.
The original purpose of .htaccess – reflected in its name – was to allow per-directory access control, by for example requiring a password to access the content. Nowadays however, the .htaccess files can override many other configuration settings including content type and character set, CGI handlers, etc.
So this is the one that overridden our school’s website. When I opened the file, the porno site URL appears!
Now, how do we solve these problems from cropping up again? The answer is, NONE. So long as there are mischievous, good-for-nothing guys out there whose main goal is to destroy others business, the hacking remains. But you can help minimize the intrusion by doing these simple suggestions:
- BACK UP, BACK UP, BACK UP OFTEN – WordPress developers have created plugins to automatically backup your database. My favorite is WordPress Database Backup by Austin Matzko. But nothing beats the old ftp back up style which you all web developers are used to. In this case, I simply deleted the .htaccess file and re-copied the back up one.
- Don’t use .htaccess on your main server folder. Hackers usually look for this file as one of the common way to enter your fortress.
- Since WordPress makes good use of .htaccess file, make sure that the file attribute is set to 444. This means it can only be read but not written.
- Always update your WordPress CMS version. Remember that these malicious guys often attack softwares that are popular and has widespread use. Think about Windows OS as against Apple OS. WorPress is now the most used CMS in the world. Hackers often race themselves in how to crack its codes in order to make them feel satisfied in penetrating the top and the best. But I’m pretty sure the WordPress good guys are doing overtime to make our sites safe.
Consider this as a learning experience and a time for you to brush up your web designing skills. I have been pre-occupied lately by activities related to the deaf community so I don’t update my sites as often as I used to. So I took this situation as an opportunity to review my web design lessons. :-)
- WordPress 3.3: The 11 Most Important New Features (mashable.com)
- Top 10 Ultimate WordPress Security Plugins (journalxtra.com)