Ech, WordPress Hackery!

WordPress is a great platform – it’s easy to use, fast, reliable, and very popular. Unfortunately, that also makes it a big target for hackers.
A few weeks ago, FerretArmy.com got hacked – essentially, it was serving malicious content from an injected iFrame. In addition, the administrative panel was intentionally broken in an effort to make it harder to fix. The hack directly targeted the WordPress platform – there are millions of WordPress users, so it was likely an automated attack looking for a known vulnerability. I’m still unsure of the attack vector, though I believe it was most likely either through a plugin, or through a (hopefully patched) security hole in the framework itself.

In order to get the site back up and running, I had to physically comb through all the files in my site and remove all the bad code. It’s very apparent that the hack was scripted – it effectively added a single malicious line to every PHP file in the site. It was all reversible damage (with no data loss, thank goodness), but it still left me pretty upset.
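As an added illustration (not code from the original post), this Python script shows one way to locate a line that was added to every PHP file, as described above: it lists the lines shared by at least 90% of the PHP files under a directory. The threshold, the minimum line length, the function names and the constructed sample tree are all assumptions made for this example.

```python
import os
import tempfile

MIN_LEN = 20      # assumption: skip short boilerplate such as "<?php" or "}"
THRESHOLD = 0.9   # assumption: a line counts as "everywhere" at 90% of files


def php_files(root):
    """Yield the path of every .php file below root."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.endswith(".php"):
                yield os.path.join(dirpath, name)


def shared_lines(root, threshold=THRESHOLD, min_len=MIN_LEN):
    """Return {line: [files]} for lines found in >= threshold of the PHP files."""
    seen, total = {}, 0
    for path in php_files(root):
        total += 1
        with open(path, encoding="utf-8", errors="replace") as fh:
            # A set, so a line repeated inside one file is counted once.
            unique = {ln.strip() for ln in fh if len(ln.strip()) >= min_len}
        for line in unique:
            seen.setdefault(line, []).append(path)
    if total < 2:  # with a single file every line would look "shared"
        return {}
    return {ln: sorted(fs) for ln, fs in seen.items() if len(fs) / total >= threshold}


def build_sample_tree(root):
    """Constructed sample site: three PHP files that share one placeholder line."""
    injected = "<?php /* CONSTRUCTED-PLACEHOLDER injected line */ ?>"
    bodies = {
        "index.php": "<?php\nrequire 'wp-blog-header.php';\n",
        "wp-admin/admin.php": "<?php\ndefine('WP_ADMIN', true);\n",
        "wp-content/plugins/demo/demo.php": "<?php\nfunction demo_init() { return 1; }\n",
    }
    for rel, body in bodies.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(injected + "\n" + body)
    return injected


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for line, files in shared_lines(tmp).items():
            print(f"{len(files)} files share: {line}")
```

Licence headers shared by legitimate files will also show up, so the output is a list to review by hand before removing anything.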

In the end, I changed my passwords and made sure that everything was up to date (site and plugins), and the site has not suffered any similar misfortune since. Being hacked really sucks, and I have absolutely no respect for someone that would do such a thing. FerretArmy is a small fish in a big pond, but I try my hardest to deliver worthwhile content to my visitors. Having someone exploit this (for no real gain, let’s be serious here) is inexcusable.