As many of you already know, over the weekend Tea Trade was hacked. I am posting this to give you a better idea of what happened, what we did, and what we are doing to prevent it from happening again. First off, I want to let you know that this attack did not compromise any passwords, personal information or blog posts. All of that was safe, and as soon as we saw what was going on, we took Tea Trade offline to prevent any further damage. While I recommend that you change your passwords, the passwords in Tea Trade are all stored encrypted, which makes them very safe. That is, unless you are using one of the common passwords, like iloveyou, or (God forbid) password. Additionally, the information of any customers who have purchased products was also safe. All of this type of information is stored in the database, and the database was well protected.
Attacks are common
Generally speaking, hacker attacks are pretty common. We started documenting the number of threats back in September 2011. To date, our records show that our defenses have stopped 206,488 threatening attacks from ever reaching Tea Trade. This number includes the spammers and the hacking bots as well. Generally speaking, our security in the big picture is good. However…
Leaving the back door open
I know now exactly how the attack got in, and it didn’t get in over the weekend. It entered through a “back door” – a security hole in a piece of third-party image resizing software. It’s a popular piece of software that comes built into many WordPress themes. When the hole was discovered, a patch was pushed out by the developers, and I inspected over 300 themes with thousands of files and directories to apply the patch where necessary. However, six themes were not patched at that time. A hacker with a program that searches the internet for such weaknesses found one and infected it with a back door program. Then, over the weekend, that backdoor, harmless until then, was exploited.
One of our members was using a popular theme, by a popular developer, which unfortunately was compromised through that initial security hole. Once that member’s blog started getting traction in the search engines, that backdoor was easier to find.
What it did
The malicious code was designed to replicate itself in a file called footer.php. Every theme has one of those files – I temporarily deleted over 250 themes while trying to track this down. The footer files are all written differently, and are used to build the very bottom section of your website each time a page loads. The bad code looked for a specific tag common to every footer file and injected itself there. To make matters worse, the code was encrypted, making it difficult to know what it does. Fortunately, on the majority of the sites the code failed to execute, resulting in an error that appeared at the bottom of the websites over the weekend. It was this error, visible on one of the blogs, that prompted Jackie to tell me to have a look, and that is how I discovered the hack.
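The infection pattern described above (a marker injected into every theme's footer.php, and a visible error when it failed) lends itself to a simple defender-side check. The script below is an added example, not Tea Trade's own tooling: it lists every footer.php under a themes directory that contains constructs typical of obfuscated PHP droppers, and records a SHA-256 baseline of the footers so that any later change stands out even if the injected code uses a pattern the marker list does not know. It assumes POSIX sh with GNU coreutils (sha256sum) on Linux, and the default themes path is an assumption; the sample theme tree it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example, not Tea Trade's own tooling: flag theme footer.php files that
# carry typical injected-code markers, and keep a hash baseline of all footers.
# Assumes POSIX sh plus GNU coreutils (sha256sum) on Linux; THEMES_DIR is an
# assumed default path.

THEMES_DIR="${THEMES_DIR:-/var/www/html/wp-content/themes}"

# Constructs typical of obfuscated PHP droppers; none belongs in a theme footer.
MARKERS='eval *\(|base64_decode *\(|gzinflate *\(|gzuncompress *\(|str_rot13 *\(|preg_replace *\(.*/e'

# List every footer.php under $1 that contains one of the markers.
scan_footers() {
    find "$1" -type f -name footer.php -exec grep -lE "$MARKERS" {} + 2>/dev/null || true
}

# Write a SHA-256 baseline of every footer.php under $1 to the file $2.
record_baseline() {
    find "$1" -type f -name footer.php -exec sha256sum {} + > "$2"
}

# Compare the footers against baseline $1; prints each drifted file, exit 1 if any.
check_baseline() {
    sha256sum -c --quiet "$1"
}

# Build a constructed sample tree: one clean theme, one with an injected footer.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/theme-clean" "$t/theme-infected"
    cat > "$t/theme-clean/footer.php" <<'EOF'
    <footer id="colophon">
        <?php wp_footer(); ?>
    </footer>
</body>
</html>
EOF
    # Same footer with a marker line added after </body>; the "payload" is the
    # base64 of the word "constructed", not runnable code.
    cat > "$t/theme-infected/footer.php" <<'EOF'
    <footer id="colophon">
        <?php wp_footer(); ?>
    </footer>
</body>
<?php eval(base64_decode('Y29uc3RydWN0ZWQ=')); ?>
</html>
EOF
    printf '%s\n' "$t"
}

# Demo on the constructed tree (replace with "$THEMES_DIR" on a real install).
demo_root=$(make_sample_tree)
echo "Suspicious footers:"
scan_footers "$demo_root"
record_baseline "$demo_root" "$demo_root/footers.sha256"
check_baseline "$demo_root/footers.sha256" && echo "baseline intact"
rm -rf "$demo_root"
```

Run `scan_footers "$THEMES_DIR"` after every theme update and `record_baseline` right after a clean install; a `check_baseline` run from cron then reports any footer that changed without you, which is exactly the symptom this incident produced.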
As a result of this, I’ve boosted our security measures to prevent this from happening again. Most of these steps are technical and involve protecting various file directories using a combination of special commands and permissions. Because of this, over the next couple of days and weeks, if you find something not working properly (uploading images might be affected slightly), let me know as I work to fine-tune these; it’s important to get the right balance of security and accessibility. In addition to this, I will be increasing our backup schedule.
Furthermore, we’ve retained the internet security firm that helped us track this one down to continue monitoring Tea Trade for the next year. Given how efficient they were in helping us out, I’m very pleased with their service, and we will renew with them next year to keep the protection in place.
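The “special commands and permissions” mentioned above are, for a WordPress install, usually the standard file-permission scheme plus a rule that stops anything dropped into the uploads directory from running as PHP. The script below is an added example, not the hardening Tea Trade applied: it sets directories to 755 and files to 644, restricts wp-config.php to 640, writes an Apache deny rule into wp-content/uploads, and inserts the DISALLOW_FILE_EDIT constant ahead of the “stop editing” marker so the dashboard theme editor can no longer be used to write into footer.php. It assumes Linux with GNU coreutils and an Apache front end (nginx needs an equivalent location rule instead of .htaccess); the sample WordPress tree it builds is constructed, and the uploads directory is left writable (775) because the web server must still write images there, which is the trade-off the post refers to.

```shell
#!/bin/sh
# Added example, not Tea Trade's own hardening script. Assumes Linux with GNU
# coreutils and Apache 2.4; all paths are constructed for the demo.

# Apply the usual WordPress permission scheme to the install root given as $1.
harden_wp_tree() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 640 "$root/wp-config.php"
    fi
}

# Deny PHP execution inside wp-content/uploads (Apache 2.4 syntax); the
# directory itself must stay writable by the web server so uploads keep working.
block_php_in_uploads() {
    up="$1/wp-content/uploads"
    mkdir -p "$up"
    cat > "$up/.htaccess" <<'EOF'
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>
EOF
    chmod 775 "$up"
}

# Insert DISALLOW_FILE_EDIT before the "stop editing" marker (once only), so
# the constant is defined before wp-settings.php is loaded.
disable_dashboard_editor() {
    cfg="$1/wp-config.php"
    if ! grep -q 'DISALLOW_FILE_EDIT' "$cfg"; then
        awk -v line="define('DISALLOW_FILE_EDIT', true);" '
            !done && /stop editing/ { print line; done = 1 }
            { print }
            END { if (!done) print line }
        ' "$cfg" > "$cfg.tmp"
        # Overwrite in place so the file keeps its owner and mode.
        cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"
    fi
}

# Build a constructed sample install with one deliberately over-permissive file.
make_sample_wp() {
    t=$(mktemp -d)
    mkdir -p "$t/wp-content/themes/sample" "$t/wp-content/uploads/2012/01"
    printf '%s\n' '<?php' "define('DB_NAME', 'example');" \
        "/* That's all, stop editing! Happy blogging. */" \
        "require_once ABSPATH . 'wp-settings.php';" > "$t/wp-config.php"
    printf '<?php wp_footer(); ?>\n' > "$t/wp-content/themes/sample/footer.php"
    chmod 777 "$t/wp-content/themes/sample/footer.php"   # too permissive on purpose
    printf '%s\n' "$t"
}

# Demo on the constructed tree (point the functions at the real root on a server).
demo_root=$(make_sample_wp)
harden_wp_tree "$demo_root"
block_php_in_uploads "$demo_root"
disable_dashboard_editor "$demo_root"
ls -l "$demo_root/wp-config.php" "$demo_root/wp-content/themes/sample/footer.php"
rm -rf "$demo_root"
```

On a real server, run the three functions as the file owner (not as the web server user), then test an image upload and a theme update; if either fails, the directory that needs write access is the one to relax, not the whole tree.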
Keeping Tea Trade safe
It’s important to remember that Tea Trade itself was not targeted. Tea Trade is built on WordPress, and WordPress is one of the most popular platforms on the internet for building a website. Because of this, WordPress was targeted, but more specifically, a weakness in a third-party script commonly associated with WordPress was. With popularity, one becomes a target. My job, and the job of the developers who build WordPress and the supporting software, is to ensure that WordPress websites are hard to hack into. This incident has motivated me to ensure that Tea Trade is set up with the best practices in the industry; over the coming days, I’ll be double-checking the hardening of our WordPress installation and consulting with others about how to keep it safe in the future.
I sincerely apologize for any inconvenience caused by this. To help compensate for the confusion and frustration over the last 3 days, I’ll be extending all the paid Tea Trader accounts for one month free of charge. I want to encourage confidence that Tea Trade is a safe and secure place to host your tea blog or online tea store, and to show that Jackie and I are committed to making and keeping Tea Trade the best tea community online.