When the Hackers Come Sniffing Around

Earlier this week I was working in a client’s site and noticed an odd error log in the theme folder.

Usually, when there is an error log, it means that something is wrong in WordPress itself — a plugin has gone bad, or the database needs to be optimized, or any of a number of fairly routine things. But this one was new to me. For one thing, it was in the theme folder, not the main WordPress directory. For another, the file itself was pretty small. Error logs can be pretty large, with a huge number of entries before anyone notices.

I’ve been seeing a high number of attacks on WordPress sites in the past months, so my spidey sense was on high alert. I downloaded and opened the error log and found four or five identical entries that looked like this:

[11-Aug-2013 18:49:51 America/New_York] PHP Fatal error: Call to undefined function get_header() in /home/username/public_html/wp-content/themes/themename/index.php on line 8

Well. This was odd. It was also a little disturbing, since several of the malware hacks I’ve seen lately were attacks inside the theme’s functions file. This particular error means that someone had been trying to access the theme’s index.php directly — something that never happens in normal usage. get_header() is a function WordPress itself defines, so the only way to hit "undefined function get_header()" is to run the template file without WordPress having been loaded first, which is exactly what a direct request to the file does. Could be a legitimate robot crawling the site, but more likely it was some kind of script sniffing for vulnerabilities.
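If you want to go through a PHP error log like the one above without reading every line by hand, here is a small script that does it. This is an added example, not code from the original post: it parses lines in the format shown (timestamp, level, message, file, line), flags entries that indicate a theme file was requested directly, and points out when the logged path exposes the hosting account name under /home/<user>/. The log lines it reads are constructed for the example, with placeholder paths and a placeholder username.

```php
<?php
// Added example (not from the original post): scan a PHP error_log for signs
// of direct theme-file requests and for paths that leak the account username.

// Parse one error_log line of the form
//   [date tz] PHP Level: message in /path/file.php on line N
// Returns null for lines that do not match.
function parse_php_error_line(string $line): ?array {
    $pattern = '/^\[(?P<time>[^\]]+)\] PHP (?P<level>[A-Za-z ]+?):\s+'
             . '(?P<message>.*?) in (?P<file>\S+) on line (?P<line>\d+)\s*$/';
    if (!preg_match($pattern, $line, $m)) {
        return null;
    }
    return [
        'time'    => $m['time'],
        'level'   => $m['level'],
        'message' => $m['message'],
        'file'    => $m['file'],
        'line'    => (int) $m['line'],
    ];
}

// Decide what, if anything, is notable about a parsed entry.
function classify_entry(array $entry): array {
    $flags = [];
    // A WordPress template function being "undefined" means the file ran
    // without WordPress loaded, i.e. it was requested directly, not through
    // WordPress's normal front controller.
    $wp_template_fns = '(get_header|get_footer|get_sidebar|wp_head|wp_footer)';
    if (preg_match('/Call to undefined function ' . $wp_template_fns . '\(\)/', $entry['message'])
        && strpos($entry['file'], '/wp-content/themes/') !== false) {
        $flags[] = 'direct-theme-access';
    }
    // An absolute path under /home/<user>/ reveals the hosting account name.
    if (preg_match('#^/home/([^/]+)/#', $entry['file'], $u)) {
        $flags[] = 'path-leaks-username:' . $u[1];
    }
    return $flags;
}

// Walk a whole log and return only the entries worth a second look.
function scan_error_log(string $contents): array {
    $report = [];
    foreach (preg_split('/\R/', trim($contents)) as $line) {
        $entry = parse_php_error_line($line);
        if ($entry === null) {
            continue;
        }
        $flags = classify_entry($entry);
        if ($flags) {
            $report[] = ['time' => $entry['time'], 'file' => $entry['file'], 'flags' => $flags];
        }
    }
    return $report;
}

// Constructed sample log. "username" and "themename" are placeholders.
$sample = <<<LOG
[11-Aug-2013 18:49:51 America/New_York] PHP Fatal error:  Call to undefined function get_header() in /home/username/public_html/wp-content/themes/themename/index.php on line 8
[11-Aug-2013 18:50:02 America/New_York] PHP Notice:  Undefined index: foo in /home/username/public_html/wp-content/plugins/someplugin/admin.php on line 42
LOG;

foreach (scan_error_log($sample) as $hit) {
    echo $hit['time'], '  ', $hit['file'], '  =>  ', implode(', ', $hit['flags']), PHP_EOL;
}
```

The first sample line comes out flagged as both a direct theme access and a username leak; the second is an ordinary plugin notice, but it still gets the username-leak flag, because any on-disk path in a log will carry the account name if the log is ever shown to a visitor. Run it with `php scan.php` after pasting the real log contents in place of the sample.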

So I experimented by opening the link directly.

http://domainname.com/wp-content/themes/themename/index.php

And there was a blank white page with the above error message displayed for all the world to see:

PHP Fatal error: Call to undefined function get_header() in /home/username/public_html/wp-content/themes/themename/index.php on line 8

Why is this a bad thing?

The /home/username/ part of that path is your hosting account’s username. That is half of the information a hacker needs — the username and the password — to get into your hosting account.

If you have a strong and secure password, it’s going to be more difficult for a brute-force attack (where a script tries combinations or patterns of letters and numbers) to succeed. But if your password is not strong and secure, then hackers have full access to your hosting account and can upload anything they want to your site.

Hello, V1agra (or worse!). Hello, blacklisting. Goodbye, Google ranking.

How can it be fixed?

Open your theme’s index.php file. At the very top, before anything else in the file, paste this line of code:

<?php ini_set('display_errors', 0); ?>

I would also suggest deleting all themes other than the active one. Yes, that includes the WordPress standard themes twentytwelve and twentythirteen. I’ve seen those hacked and malware inserted as well. Now, if a script comes sniffing, the browser will display only a blank white screen. You’ll still see the error log in your themes folder to show you that they’ve been poking around, but your account username will no longer be easily visible to anyone who looks. Oh... and update your FTP and WordPress accounts with a strong, secure password — just in case!
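Here is what the top of the theme’s index.php can look like with that fix in place, plus one extra check. This is an added example, not the post’s own code or any theme’s: it keeps the ini_set() line from the post and adds the standard WordPress ABSPATH guard. WordPress defines the ABSPATH constant when it loads, so if it is not defined, the file was requested directly and the template should stop before it calls anything WordPress-specific.

```php
<?php
/**
 * Added example (not from the original post): a hardened opening for a
 * theme's index.php.
 */

// Turn off on-screen error output first, so that even a later failure does
// not echo server paths to the visitor. This does not affect logging, so the
// error_log file in the theme folder will still record the attempt.
ini_set('display_errors', '0');

// ABSPATH is defined by WordPress as it boots. If it is missing, this file
// was requested directly (no wp-load.php), so template functions such as
// get_header() do not exist yet. Answer with a plain 403 and stop, instead of
// letting PHP hit a fatal error.
if (!defined('ABSPATH')) {
    http_response_code(403);
    exit;
}

// Normal template from here on, exactly as the theme already has it.
get_header();
// ... the theme's loop goes here ...
get_footer();
```

Two things worth knowing about this. First, ini_set() only protects the files that contain it; if you want every PHP file on the account covered, set display_errors = Off in php.ini (or ask your host to), and keep the ini_set() line as a belt-and-braces measure. Second, the ABSPATH guard belongs in every theme template file that can be reached by URL, not only index.php, since each of them calls WordPress functions in the same way.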