Softpedia
 


April 10th, 2010, 10:52 GMT · By

Dirty Attack Cripples Hundreds of WordPress Blogs



Security researchers are working to identify the hole that led to the mass compromise of WordPress blogs

Hundreds of owners of WordPress-powered blogs have recently found their websites inaccessible after a critical value was altered in the database. The attack seems to affect even the latest version of the popular blog platform and, so far, the entry point has not been determined.

Sucuri Security Labs, a provider of Web-based integrity monitoring, reports that a worrying number of blogs were compromised over the last week in an attempt to silently redirect visitors to a malicious URL loading exploits. According to the company, most of the affected sites are hosted at Network Solutions.

The common symptom of the hack is an altered "siteurl" value in the "wp_options" database table. This variable should normally contain the main URL of the website; on affected installations, however, it is changed to a rogue <iframe> element pointing to http://networkads.net/grep/ [don't open – malware alert].

Since "siteurl" is not supposed to hold HTML code, this modification breaks the entire blog layout and prevents users and admins alike from reaching the website. The unusual technique suggests that the attackers are amateurs and not particularly familiar with the intricacies of the WordPress platform.

Another interesting aspect is that no one has successfully pinpointed the entry point used by the attackers, which could be an unidentified security hole either in WordPress or in a common plug-in. "The only way for the database to be modified like that is via SQL injection or a bigger problem inside Network Solutions databases," David Dede, a security researcher with Sucuri, said. However, no suspicious activity is registered in the access logs.

Shashi Bellamkonda, head of social media strategy at Network Solutions, challenged the idea that only blogs hosted with Network Solutions were affected. "It's not accurate to say that this affects only Network Solutions customers. It seems like there have been a spate of these attacks over the past few weeks," he wrote in response to Sucuri's report.

Fixing the rogue "siteurl" entry in the database might not be enough to mitigate this problem, as many webmasters reported their blogs getting reinfected. It is also recommended to manually override the "siteurl" value via wp-config.php.
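
A defender-side check for the symptom described above, added here as an example and not taken from the article, Sucuri or WordPress: it flags "siteurl" and "home" rows in "wp_options" that are not plain URLs for the expected host, which also catches reinfection after a cleanup. The in-memory SQLite database, the hostnames and the function names are constructed for illustration; a real installation would run the same query against its MySQL database.

```python
import sqlite3
from urllib.parse import urlsplit

# Characters that never belong in a site URL but do appear in injected markup.
FORBIDDEN = set("<>\"' \t\r\n")

def check_url_option(value, expected_host):
    """Return the reasons a value is not a plain site URL (empty list = clean)."""
    problems = []
    if FORBIDDEN & set(value):
        problems.append("contains markup or whitespace characters")
    try:
        parts = urlsplit(value)
        scheme, host = parts.scheme, (parts.hostname or "").lower()
    except ValueError:  # urlsplit rejects e.g. a malformed bracketed host
        scheme, host = "", ""
    if scheme not in ("http", "https"):
        problems.append("scheme is not http or https")
    if host != expected_host.lower():
        problems.append(f"host {host!r} does not match {expected_host!r}")
    return problems

def audit_site_options(conn, expected_host):
    """Check the 'siteurl' and 'home' rows; return {option_name: [problems]}."""
    # Assumes the default "wp_" table prefix; adjust the table name if yours differs.
    rows = conn.execute(
        "SELECT option_name, option_value FROM wp_options "
        "WHERE option_name IN ('siteurl', 'home')"
    ).fetchall()
    findings = {}
    for name, value in rows:
        problems = check_url_option(value, expected_host)
        if problems:
            findings[name] = problems
    return findings

def build_sample_db(siteurl_value):
    """Constructed stand-in for a WordPress database (in-memory SQLite)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_options (option_name TEXT, option_value TEXT)")
    rows = [("siteurl", siteurl_value), ("home", "http://blog.example.com")]
    conn.executemany("INSERT INTO wp_options VALUES (?, ?)", rows)
    return conn

if __name__ == "__main__":
    tampered = '<iframe src="http://attacker.example/x/"></iframe>'  # constructed
    for value in ("http://blog.example.com", tampered):
        db = build_sample_db(value)
        print(repr(value), "->", audit_site_options(db, "blog.example.com"))
```

The override the article recommends is done in WordPress by defining the `WP_SITEURL` constant in wp-config.php, which takes precedence over the database row. Running a check like this on a schedule still matters, because the override hides a tampered row rather than removing whatever keeps rewriting it.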
