Network Solutions hosting issue or WordPress Security Flaw

One of my clients is a victim of this mass hack of Network Solutions hosted blogs. I am going to share some interesting facts about this vulnerability story.

  1. When our client contacted Network Solutions support, they told them to buy SSL "as your site is not secure". (6 April)
  2. I fixed the theme files that were altered by this hack and checked my database for any possible code. I found a funx.php in the theme files, called from footer.php. The site seemed fixed to me at that time. I cleared my cookies to check at every refresh; my Avast Home antivirus and Chrome browser helped me do that. Suddenly my blog's database connection was gone, due to Network Solutions' efforts I think. I changed all usernames and passwords for FTP, database, and wp-admin users. (8 April)
  3. When I woke up on 9 April I found the blog hacked again; this time it was another issue. The theme footer had a reference to a function and 1 included file that was created on the server. I am not able to remember the name; 2 random files without any extension. I am not sure how someone put files on my server. I fixed the site again and checked multiple times, clearing the cookies. Seemed fixed. I am very curious to know how this is happening to the site. Is anyone placing files on my server? (9 April)
  4. With everything seemingly fixed, I started working on making the site secure with SSL. I got fed up with redirect errors and finally got it working. (10 April)
  5. The URL is now https. I lost my page rank and all backlinks on the new site. (10 April)
  6. The site is infected again. This time a plugin's JavaScript file is infected. Fixed again. (12 April)
  7. Till now I have not noticed any infection issue. (14 April)

Now I am getting strange errors on the site; not sure whether this is an infection or ?????

Error in ISAPI_Rewrite helper ISAPI extension.
12030 - The connection with the server was terminated abnormally
File: .\rwhelper.cpp, Line: 1290.

More updates coming. Feel free to comment. Thanks

Update 18 April

The site is again showing a virus warning. I did all the steps to resolve it; nothing works. Then I renamed .htaccess and uploaded a 1.php to the root with the following code

<?php phpinfo(); ?>

According to my knowledge this is a server issue. This is no longer a WordPress issue. Maybe this problem was solved by Network Solutions before people noticed it.

Update 21 April

I gave up my efforts with Network Solutions and I shifted to another host.

Best response on this issue

Summary: A web host had a crappy server configuration that allowed people on the same box to read each others’ configuration files, and some members of the “security” press have tried to turn this into a “WordPress vulnerability” story.

WordPress, like all other web applications, must store database connection info in clear text. Encrypting credentials doesn’t matter because the keys have to be stored where the web server can read them in order to decrypt the data. If a malicious user has access to the file system — like they appeared to have in this case — it is trivial to obtain the keys and decrypt the information. When you leave the keys to the door in the lock, does it help to lock the door?

A properly configured web server will not allow users to access the files of another user, regardless of file permissions. The web server is the responsibility of the hosting provider. The methods for doing this (suexec, et al) have been around for 5+ years.

I’m not even going to link any of the articles because they have so many inaccuracies you become stupider by reading them.

If you’re a web host and you turn a bad file permissions story into a WordPress story, you’re doing something wrong.

P.S. Network Solutions, it’s “WordPress” not “Word Press.”

–Matt
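
An added example, not part of the quoted response or of WordPress itself: a Python check of the mode bits on every wp-config.php under a directory, reporting whether other local accounts on the same box could read it. The sample tree, the function names and the three status labels are constructed for this illustration.

```python
import os
import stat
import tempfile

CONFIG_NAME = "wp-config.php"  # WordPress file holding the database credentials


def others_can_reach(root, directory):
    """True if every directory from root down to `directory` has o+x set."""
    current = directory
    while True:
        if not os.stat(current).st_mode & stat.S_IXOTH:
            return False
        if os.path.samefile(current, root):
            return True
        current = os.path.dirname(current)


def audit(root):
    """Map each wp-config.php under root to (octal mode, status)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if CONFIG_NAME not in files:
            continue
        path = os.path.join(dirpath, CONFIG_NAME)
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        if not mode & stat.S_IROTH:
            status = "private"   # no read bit for other accounts
        elif others_can_reach(root, dirpath):
            status = "exposed"   # any local account can read the credentials
        else:
            status = "masked"    # read bit set, but a parent directory blocks it
        report[os.path.relpath(path, root)] = (oct(mode), status)
    return report


def build_sample():
    """Constructed sample tree: three sites with different modes."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    for site, dir_mode, file_mode in [("site_a", 0o755, 0o644),
                                      ("site_b", 0o755, 0o600),
                                      ("site_c", 0o700, 0o644)]:
        os.mkdir(os.path.join(root, site))
        path = os.path.join(root, site, CONFIG_NAME)
        with open(path, "w") as fh:
            fh.write("<?php // constructed placeholder, no real credentials\n")
        os.chmod(path, file_mode)
        os.chmod(os.path.join(root, site), dir_mode)
    return root


if __name__ == "__main__":
    for rel, (mode, status) in sorted(audit(build_sample()).items()):
        print(f"{rel}: {mode} {status}")
```

Mode bits only separate tenants when each site's PHP runs under its own account, as with the suexec setup the response mentions. Where every site runs as one shared web-server account, that account must be able to read the file, so a "private" result here does not show isolation.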

Should My Company Have a Blog?

One of the most common misconceptions today is that a blog is meant for personal use. This couldn’t be further from the truth. A blog is so much more than a personal diary or a daily dose of someone’s personal opinions and ideas. A blog provides an opportunity for outsiders to become engaged and active. Let me put it this way. You are missing out on a huge opportunity if your company does not have a blog. Let’s start out with the consumer’s perception of companies.


Consumers have changed the way they view companies. In the past, consumers had a limited number of choices when purchasing goods and services. Before the web, consumers purchased goods and services from a local company or possibly through a catalog. The U.S. Census Bureau estimated that total e-commerce sales for 2009 were $134.9 billion. More and more people are signing on to the web to make purchases. This has provided a significant opportunity for businesses, especially small to medium size businesses. Think about it. If I wanted to buy a bicycle ten years ago I would have gone to my local Wal-Mart to make the purchase. That’s not the case today. I can get online and search specifically for the bike I want. It could be that I end up making the purchase from a small bike shop in Minnesota and have it shipped to me. The web has increased the purchasing power of consumers. We now have more choices and are not limited to what our local companies can offer. You are probably thinking what does this have to do with whether or not my company should have a blog? Everything.

It is your responsibility to differentiate yourself from your competition. It is much more difficult to do this today. Not only do you have to compete with your local competition, but you also have to compete with businesses in other cities, states, and even other countries. One way you can differentiate yourself from your competitors is with a blog. Consumers want to feel good about their purchases. I will gladly pay $10, $25, or $50 extra to a business that I feel understands my circumstances and reaches me on a personal level. That is exactly what a blog is…personal. It could be that I chose to purchase my bike from the online company in Minnesota rather than my local Wal-Mart because the company in Minnesota spoke to me in a different way through a blog.

A blog creates a feeling with consumers that they are getting inside knowledge. It helps companies establish relationships with their customers, which by default leads to trust. Do you want to see an increase in online sales or see your website become a tool rather than an expense? Get on a personal level with your consumers.

Another reason you should have a blog is because it keeps your website updated with fresh content. Common sense tells us that people are not going to visit your website repeatedly if they see the same thing each time they visit. However, if your content is changing consistently they will continue to visit your website in order to remain informed. The opportunity to sell your products and services increases greatly with the more visits you have to your website and the longer people remain on your website.

Having a blog opens up so many avenues for companies. Think about the numerous ways you can keep your website visitors engaged through a blog.

  1. Inform them of new products and services, or changes to existing products and services.
  2. Offer online discounts and promotions to your blog readers.
  3. Inform your readers of how your company is doing in relation to its goals and objectives.
  4. Post articles regarding your company’s involvement in charity (consumers love this).
  5. Post information about your employees.

These are just a few of the ways you can utilize a blog to reach out to your website visitors and customers. Do not use a blog to bash your competition. This is one of the cardinal sins of blogging. We, consumers, get really tired of negative publicity. So, keep it positive and be consistent.

If you are still unsure if your company needs a blog you apparently skipped this entire article and went straight to the bottom hoping to find a summary. Well, here is your summary. Yes, you need a blog. If you are on board and are ready to implement a blog then we recommend using WordPress.

About the Author:
Ray Goins is an author and owner of www.stopdev.com. StopDev provides web design and online marketing tips.