WordPress hacks are on the rise, but is WordPress to blame, or are the ISPs at fault? Many ISPs take the easy way out and pass the blame. Many bloggers do the same. Their first approach is to look at the last developer: maybe his computer was infected, maybe by a virus that steals FTP passwords. There are plenty of theories, and you can keep adding to the list.
The truth in this matter is that it has everything to do with your ISP and nothing to do with WordPress. It is just very easy to pass the blame to WordPress. In some cases you might have left permission settings on 777 by mistake. But let's get to the nitty-gritty.
Many PHP applications, including Joomla and Zen Cart, have been hit by the malicious code. At first the threat seemed to be on GoDaddy, and GoDaddy support was very quick to pass the blame to the software, the plugins, or the last developers.
What is the Virus doing?
The virus inserts an eval script into your files.
It shows up in the footer of your pages, and most PHP pages in your WP installation and theme files will be infected.
Visit this great article at http://blog.sucuri.net/2010/05/found-code-used-to-inject-malware-at.html. It describes the steps the virus takes when infecting the system.
From the notes in their post: "So what is going on? The attackers are able to create this single PHP file on all the sites and then remotely execute it to infect everything. Once it is done, the script deletes itself."
I have been hearing of it at the rate of two people I know a week. The attacks seem to go in waves. DreamHost, Bluehost and HostGator seem to be affected as well. I have not had any 1and1.com hosted sites infected yet.
We located a few articles with additional information regarding the malicious infections.
Our recommendation is to download the WordPress File Monitor plugin to receive an email alert when any file is changed. This will warn you of any changes or any malicious code inserted into your files.
Remember, the virus copies itself to the footer and to the bottom or top of most PHP files in your installation. This can be any file within your WWW directory.
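To make the file-monitoring recommendation and the footer/top/bottom placement concrete, here is an added example (not the plugin's code and not from the Sucuri article) that snapshots file hashes, lists files that changed, and flags PHP files with an `eval(` call in their first or last lines. The function names, the three-line edge window, the regex and the sample tree are all assumptions constructed for illustration.

```python
import hashlib, os, re, tempfile

# Assumption: the page only says "an eval script"; matching a bare eval( call is our choice.
EVAL_RE = re.compile(rb"\beval\s*\(")

def snapshot(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                hashes[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return hashes

def changed_files(baseline, current):
    """Files that are new or modified since the baseline snapshot."""
    return sorted(p for p, h in current.items() if baseline.get(p) != h)

def eval_at_edges(path, edge_lines=3):
    """True if eval( appears in the first or last few lines of the file."""
    with open(path, "rb") as fh:
        lines = fh.read().splitlines()
    return any(EVAL_RE.search(l) for l in lines[:edge_lines] + lines[-edge_lines:])

def audit(root, baseline):
    """For each changed file, report whether it is PHP with eval( at its top or bottom."""
    return {rel: rel.endswith(".php") and eval_at_edges(os.path.join(root, rel))
            for rel in changed_files(baseline, snapshot(root))}

def demo():
    """Constructed sample tree: one footer gets an appended eval, one new file appears."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "sample")
        os.makedirs(theme)
        for p in (os.path.join(theme, "footer.php"), os.path.join(root, "index.php")):
            with open(p, "w") as fh:
                fh.write("<?php\n// clean file\n?>\n<p>content</p>\n")
        baseline = snapshot(root)
        with open(os.path.join(theme, "footer.php"), "a") as fh:
            fh.write("<?php eval('/* inert placeholder */'); ?>\n")  # constructed stand-in
        with open(os.path.join(root, "new-file.php"), "w") as fh:
            fh.write("<?php // constructed unexpected file\n")
        return audit(root, baseline)

if __name__ == "__main__":
    for path, suspicious in demo().items():
        print("EVAL AT EDGE" if suspicious else "changed     ", path)
```

Take the baseline while the site is known to be clean and store it outside the web root, so that code able to write to your PHP files cannot also rewrite the baseline.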