Category: WordPress

  • Throw Away The Key

Not too long ago, I helped a friend clear out some malware on their WordPress site. In doing so, we went through a pretty comprehensive site cleanup checklist:

    • Deleted unused plugins & themes.
    • Installed a fresh copy of everything.
      • WordPress core
      • Plugins
      • Themes
    • Double checked the .htaccess file.
    • Changed every conceivable password.
      • WordPress admin users
      • FTP/SFTP/SSH account
      • MySQL user
• Bought an SSL certificate and forced all wp-admin & wp-login.php traffic over it.
    • Reset their WordPress security keys.
    • Disabled the plugin & theme editor.

But the malware would keep getting reinserted into the site, almost like clockwork. So I had them install a logging plugin to see if we could catch what was happening. Sure enough, the lone admin account would log in, upload & activate a plugin — which seems to be how the attacker was delivering their payload — and then remove the plugin from the site before logging out. Running “stat” (via the shell) on the files we’d cleaned previously showed that their modify timestamps all matched up (roughly) with the plugin activation timestamp.

    Because this kept happening, there were some concerns that my friend’s personal Gmail account might be hacked. They enabled 2-step verification as a response and started watching the account activity like a hawk.

    Then the malware came back. Again. But nobody had logged in to my friend’s Gmail account. Things were getting to be maddening.

    Since we couldn’t spot anyone logging into their email account, I started going over their Apache logs. That’s when I found something interesting…

If you look at things closely, you’ll see that the key value is the same both times. And, upon checking their database, I noticed the key value was still set to HR9qFJ2N6c3XveQY487b. Since WordPress clears out the user_activation_key value from the database after it has been used, the faux plugin the attacker was using must have written that value back into place to give them a backdoor. Pretty sneaky.

    So I cleared the malware, locked the site down again and made sure to clear out the user_activation_key. Sure enough, the malware stopped coming back and my friend was happy that they could finally concentrate on blogging again.

    Anyhow, ever since then, this little MySQL query has been getting run on every hacked site I’ve worked on…

    Yeah, that totally guts all of the user_activation_key values for admin and non-admin users alike — and I’m sure that most attackers aren’t as clever as the one I was dealing with — but it’s always better to be safe than sorry, right?
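For reference, here is a query of the same shape, as an added example. It is mine, not the one from the post, and it assumes the default `wp_` table prefix on a single-site install. It audits before it deletes, since a lingering key on an account that nobody has reset lately is exactly the tell described above:

```sql
-- Added example, not the post's own query. Assumes the default `wp_` table
-- prefix and a single-site install (multisite also stores keys in
-- wp_signups.activation_key, which this does not touch).

-- 1. Audit first: which accounts still carry an activation / reset key,
--    and are any of them administrators?
SELECT u.ID,
       u.user_login,
       u.user_email,
       u.user_registered,
       u.user_activation_key,
       CASE WHEN m.meta_value LIKE '%administrator%' THEN 'admin'
            ELSE 'other' END AS role
FROM wp_users AS u
LEFT JOIN wp_usermeta AS m
       ON m.user_id = u.ID
      AND m.meta_key = 'wp_capabilities'
WHERE u.user_activation_key <> '';

-- 2. Clear every key, admin and non-admin alike. Any legitimate reset that is
--    still in flight dies with it; that user simply requests a new link.
UPDATE wp_users
SET user_activation_key = ''
WHERE user_activation_key <> '';

-- 3. Verify: expect stale_keys = 0.
SELECT COUNT(*) AS stale_keys
FROM wp_users
WHERE user_activation_key <> '';
```

Two things worth knowing when you run this. The key shows up in the web server logs inside the reset link, `wp-login.php?action=rp&key=…&login=…`, so grepping the access log for `action=rp` and counting repeated `key=` values is the quickest way to spot the pattern from the post. And since WordPress 4.3 the stored value is `timestamp:hash` rather than the raw key, so on a current install a bare 20-character key sitting in that column is suspicious all by itself.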

  • Persona

    I’ve been playing around with Mozilla’s Persona a bit lately, so I was thrilled to find a WordPress plugin that makes integrating it ridiculously easy.

  • So Simple

    So Simple is an extremely minimal, responsive WordPress theme focused on readability. And it’s just $1.99.

    At that price, I’m tempted to get a license just so I can dick around with it…

  • Poster

Normally, I ignore iOS-based WordPress post editors, but I was tipped off to Poster while listening to this week’s episode of Systematic and it actually looks crazy nice. Besides being easy on the eyes, it’s got Dropbox integration, Markdown support, custom fields, post format selection and even slug editing.

Slug editing! From a third-party WordPress client for iOS!

    Hrmph. Maybe I should be getting more excited about the Markdown and Dropbox support. I mean, those things will have more impact on my workflow than slug editing ever will. Still, this is a total steal at $3.99, right?

  • Ooooh, Columns!

    I couldn’t agree more with Justin Tadlock’s feelings about the prevalence of [column] shortcodes. They’ve been getting baked into a ton of new WordPress themes and there’s no standard for how they’re implemented. Besides:

    Users lose this functionality when they switch to a theme that doesn’t support their previous theme’s shortcodes, leaving bracketed words in their content.

    It’s just a big bag of hurt. So I love what he’s doing to address it…

    His Grid Columns plugin allows folks to drop their post or page content into readymade columns, inside of existing themes, by using a fairly simple, straightforward shortcode. The documentation is a bit sparse right now — and I’m sure that’ll improve before this gets thrown into the official WordPress plugin repository — but I’m totally hoping this gets picked up by the theme community at large.

  • Developers

    Say, man, do you use the Developer plugin for WordPress? No? Well, it’d be a lot cooler if you did…

  • Socialite

    I normally have a pretty strong dislike for social sharing buttons — mainly because of the overall load time they add to a site — however, Socialite.js (and its WordPress-ready counterpart) may have softened my opinion on them.

By loading the social sharing buttons asynchronously, it can cut the number of requests made during the initial page load considerably. So if you have a site that depends on those annoying little chiclets, check it out.

  • The Auditor

    Interconnect IT’s The Auditor looks like a really nice audit log plugin for WordPress. But it retails for $249. That means that I’m not going to get to play with it any time soon.

    I wonder if I can get away with expensing it…

  • Cache Rules Everything Around Me

When it comes to speed, one of the easiest things someone hosting their own WordPress install can do is enable expires headers. Expires headers basically tell the browsers visiting your site how long to cache the static stuff — like images, stylesheets and scripts — so it doesn’t have to be downloaded every time one of your pages needs it.

    To do this, I’ve been using some fairly straightforward .htaccess rules that I adapted from the ones in HTML5 Boilerplate. But since version 4.0 of Boilerplate came out about a week ago, I went in and cleaned things up a bit. And now that everything is looking good, I figured that I should probably share them.

    So here are the new & improved rules I’m using:

All you need to do to benefit from this is add the code above to your site’s .htaccess file. Just make sure you don’t have any leftover expires rules hanging around from an old plugin or anything else, and you should be golden.
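In the same spirit, here is an added example of a mod_expires block for a WordPress .htaccess. It is mine, not the rules from the post or from HTML5 Boilerplate, and it assumes that Apache has mod_expires and mod_headers loaded (the IfModule guards just make it harmless if not). The point it adds is the one that bites people: the lifetimes must be long for static assets and zero for HTML, otherwise a browser or proxy will happily keep serving a logged-in page or a stale post.

```apache
# Added example, not the post's own rules. Assumes mod_expires and
# mod_headers are available; each block is skipped if its module is missing.
<IfModule mod_expires.c>
  ExpiresActive On

  # Anything not listed below: cache for a month.
  ExpiresDefault                        "access plus 1 month"

  # Dynamic documents must never be cached: WordPress pages change per
  # visitor (logged-in bar, comment form, nonces). max-age=0 forces a
  # revalidation on every hit.
  ExpiresByType text/html               "access plus 0 seconds"
  ExpiresByType application/json        "access plus 0 seconds"
  ExpiresByType application/xml         "access plus 0 seconds"
  ExpiresByType text/xml                "access plus 0 seconds"

  # Feeds change, but not every minute.
  ExpiresByType application/rss+xml     "access plus 1 hour"
  ExpiresByType application/atom+xml    "access plus 1 hour"

  # Media and fonts: long. These only change when you upload a new file.
  ExpiresByType image/x-icon            "access plus 1 week"
  ExpiresByType image/gif               "access plus 1 month"
  ExpiresByType image/png               "access plus 1 month"
  ExpiresByType image/jpeg              "access plus 1 month"
  ExpiresByType image/svg+xml           "access plus 1 month"
  ExpiresByType video/mp4               "access plus 1 month"
  ExpiresByType application/font-woff   "access plus 1 month"

  # CSS and JS: a year is only safe because WordPress appends ?ver= to the
  # URLs it enqueues, so a theme or plugin update changes the URL and busts
  # the cache. If you hand-link assets without a version, use a month.
  ExpiresByType text/css                "access plus 1 year"
  ExpiresByType application/javascript  "access plus 1 year"
  ExpiresByType application/x-javascript "access plus 1 year"
</IfModule>

<IfModule mod_headers.c>
  # Belt and braces for the login and XML-RPC endpoints: tell shared caches
  # not to store these responses at all, whatever mod_expires says.
  <FilesMatch "^(wp-login\.php|xmlrpc\.php)$">
    Header set Cache-Control "no-store, no-cache, must-revalidate"
  </FilesMatch>
</IfModule>
```

When two ExpiresByType lines for the same type appear in the same .htaccess, the later one wins, which is why a stray block left behind by a caching plugin can silently override yours; run `curl -sI` against an image and a page and check the `Expires` and `Cache-Control` headers you actually get back before calling it done.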

  • Liveblog

    I’m looking for an excuse to use the new Liveblog plugin for WordPress after finding out about it. But it’s kind of “out of scope” for me to start doing that sort of thing here. Or is it?