New WordPress Hack Inserts Hidden Text

Posted in Technology
Thu, Mar 27 - 10:45 pm EDT | 9 years ago by
Comments: 7
Be Sociable, Share!
    Use Arrow Keys (← →) to Browse

    Ruth Kusterer reveals a new WordPress hack that lets spammers put hidden text on WordPress-powered sites. The worst part: the hack works on multiple versions.

    Somebody managed to insert a div with spam text into a blog entry’s content (and in one case even into the description meta tag). As opposed to ‘normal’ comment spam (see rel=nofollow), content spam makes it look as if the blogger recommended the link, which (I presume) gives it a higher google ranking.

    So why does the blogger not notice the inserted text? The height and width of the div are zero, so the text is hidden. Some feedreaders however preview entries without div styles, so the inserted text is visible in the RSS feed.

    By googling for variations of the link text, I found 7 more blogs. Sure, eight is far from a botnet epidemic. Still it’s strange how the same hidden text turns up in the content of eight unrelated blogs. Do they have anything in common?

    The eight cases I saw all run on WordPress, but on different versions.

    If you have a wordpress blog, please quickly search the page source for a div with style=’overflow:auto;width:0;height:0; and tell us whether you got one too.

    M. Uli Kusterer reports that Peter Hosey has detected traffic spikes in WordPress’ xmlrpc.php file. The hackers could be going through that.

    Hidden text can get a site deindexed by Google. This is a big fucking deal.

    Update: The second commenter on Ruth’s blog post says upgrading to the latest version of WordPress does not fix the security hole. This is bad.

    Use Arrow Keys (← →) to Browse

    Be Sociable, Share!

      Related Posts

      • Pingback: WordPress Hack Epidemic!

      • Michael Shinn

        I’ve written a modsecurity rule to help prevent this. You can download it (and other rules) from the GotRoot Website, or you can just use this rule:

        #Rule 300055: Hidden spam links
        SecRule REQUEST_BODY|ARGS “< ?font style ?= ?(position ?\: ?absolute|overflow ?\: ?(?:hidden|auto)).*(?:height|width) ?(?:=|\:) ?[0-9] ?(px|\;)” \
        “t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:300056,rev:1,severity:2,msg:’Spam: Hidden Text Exploit’”

      • Mike Abundo

        Awesome. Thanks, Michael! :)

      • Pramudita

        Michael, how to use that rule for my wordpress blog ?. I can’t install mod_security on server (dreamhost)

        Thank You

      • erdal sahin

        thanks michael for sharing this article

      • Michael Shinn

        Hmmm… what do if you cant install and your system does not have mod_security installed…

        I might be able to tweak this for mod_rewrite. I’ll have to do some experimenting later today to see what can be done with other tools. In the mean time, see if you can encourage your ISP to install mod_security and I’ll see what I can come up with for mod_rewrite.

      • Increase Search Engine Ranking

        I would highly recommend ASL (available at the website). Say hi to Scott for me.


        If your hosting provider doesn’t run mod_sec, then do you really think it’s a good idea to be with them? (nothing personal Dreamhost, I am sure your security is fine). This should be addressed by your provider Pramudita, you shouldn’t be even having to worry about it.

        Go visit and ask around for which providers are best suited for hosting your type of application. Always start your search for a provider based on what application you are going to run and then go from there.

      Be Sociable, Share!