The Tea Trade hacking

As many of you already know, over the weekend Tea Trade was hacked. I am posting this to give you a better idea of what happened, what we did and what we are doing to prevent it from happening again. First off, I want to let you know that this attack did not compromise any passwords, personal information or blog posts. All of that was safe, and as soon as we saw what was going on, we took Tea Trade offline to prevent any further damage. While I recommend that you change your passwords, the passwords in Tea Trade are all stored encrypted, which makes them very safe. That is, unless you are using one of the common passwords, like iloveyou, or (God forbid) password. Additionally, the information of any customers who have purchased products was also safe. All of this type of information is stored in the database, and the database was well protected.

Attacks are common

Generally speaking, hacker attacks are pretty common. We started documenting the number of threats back in September 2011. To date, our records show that our defenses have stopped 206,488 threatening attacks from ever reaching Tea Trade. This number includes the spammers and the hacking bots as well. In the big picture, our security is good. However…

Leaving the back door open

I now know exactly how the attack got in, and it didn’t get in over the weekend. It entered through a “back door”: a security hole in a piece of third-party image resizing software. It’s a popular piece of software that comes built in with many WordPress themes. When the hole was discovered, a patch was pushed out by the developers, and I inspected over 300 themes with thousands of files and directories to apply the patch where necessary. However, six themes were not patched at that time. A hacker with a program that searches the internet for such weaknesses found one of them and infected it with a back door program. Then, over the weekend, that until-then dormant back door was exploited.

One of our members was using a popular theme, by a popular developer, which unfortunately was compromised through that initial security hole. Once that member’s blog started getting traction in the search engines, that back door was easier to find.

What it did

The malicious code was designed to replicate itself into a file called footer.php. Every theme has one of those files; I temporarily deleted over 250 themes while trying to track this down. The footer files are all written differently, and are used to build the very bottom section of your website each time a page loads. The bad code looked for a specific tag common to every footer file and injected itself there. To make matters worse, the code was encrypted, making it difficult to know what it does. Fortunately, on the majority of the sites the code failed to execute, resulting in an error that appeared at the bottom of the websites over the weekend. It was this error, visible on one of the blogs, that prompted Jackie to tell me to have a look, and that is how I discovered the hacking.
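Two of the problems described above, the theme copies of the resizer that a manual pass over 300 themes missed, and the obfuscated code injected into every footer.php, are both things a script can sweep for. The following is an added example, not Tea Trade's code and not the resizer's own tooling: it walks wp-content/themes, reports every copy of the bundled script whose SHA-256 differs from the patched version, and reports every footer.php containing the eval-plus-decoder markers that obfuscated injections usually carry. The file name resize.php, the patched hash, the marker regexes and the three sample themes it builds are assumptions or constructed data; the post names none of them.

```python
"""Theme audit: unpatched copies of a bundled script, and injected footers.
Added example with assumed names; not Tea Trade's own tooling.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

LIBRARY_FILE = "resize.php"  # stand-in name for the bundled third-party script

# Heuristic markers for obfuscated PHP of the kind injected into footer.php:
# a decoder fed straight into eval(), or a very long base64 literal.
INJECTION_MARKERS = [
    re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    re.compile(r"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{100,}['\"]"),
]

# Constructed sample file contents used by run_demo(); not real theme code.
PATCHED_LIBRARY = "<?php // stand-in for the patched resizer\nfunction resize($f) { return $f; }\n"
OLD_LIBRARY = "<?php // stand-in for the unpatched resizer\nfunction resize($f) { return $f . '?'; }\n"
CLEAN_FOOTER = "<?php wp_footer(); ?>\n</body>\n</html>\n"
INJECTED_FOOTER = "<?php wp_footer(); ?>\n<?php eval(base64_decode('Li4u')); ?>\n</body>\n</html>\n"


def sha256_of(path):
    """Hash a file in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_unpatched_copies(themes_dir, patched_sha256, library_file=LIBRARY_FILE):
    """Every copy of the bundled script whose hash is not the patched one."""
    findings = []
    for root, _dirs, files in os.walk(themes_dir):
        if library_file in files:
            path = os.path.join(root, library_file)
            if sha256_of(path) != patched_sha256:
                findings.append(path)
    return sorted(findings)


def find_injected_footers(themes_dir):
    """(path, matched text) for each footer.php that carries an injection marker."""
    findings = []
    for root, _dirs, files in os.walk(themes_dir):
        if "footer.php" not in files:
            continue
        path = os.path.join(root, "footer.php")
        with open(path, encoding="utf-8", errors="replace") as handle:
            source = handle.read()
        for marker in INJECTION_MARKERS:
            match = marker.search(source)
            if match:
                findings.append((path, match.group(0)))
                break
    return sorted(findings)


def build_sample_themes(base):
    """Lay out three constructed themes: patched and clean, unpatched, injected."""
    themes_dir = os.path.join(base, "wp-content", "themes")
    layout = {
        "theme-a": (PATCHED_LIBRARY, CLEAN_FOOTER),
        "theme-b": (OLD_LIBRARY, CLEAN_FOOTER),
        "theme-c": (PATCHED_LIBRARY, INJECTED_FOOTER),
    }
    for theme, (library, footer) in layout.items():
        theme_dir = Path(themes_dir, theme)
        theme_dir.mkdir(parents=True)
        (theme_dir / LIBRARY_FILE).write_text(library)
        (theme_dir / "footer.php").write_text(footer)
    return themes_dir


def run_demo():
    """Build the sample tree, audit it, and return theme-relative findings."""
    patched_sha256 = hashlib.sha256(PATCHED_LIBRARY.encode()).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        themes_dir = build_sample_themes(tmp)
        unpatched = [os.path.relpath(p, themes_dir)
                     for p in find_unpatched_copies(themes_dir, patched_sha256)]
        injected = [(os.path.relpath(p, themes_dir), hit)
                    for p, hit in find_injected_footers(themes_dir)]
    return unpatched, injected


if __name__ == "__main__":
    found_unpatched, found_injected = run_demo()
    print("unpatched copies:", found_unpatched)
    print("injected footers:", found_injected)
```

Run it against the real themes directory with the hash of the genuinely patched file. The hash check is deliberately strict (any deviation from the patched copy is reported, including local edits) because a modified copy is exactly what a manual review of 300 themes tends to overlook. The footer scan is a signature check, so a clean result only means none of the listed markers were present; a baseline hash of each known-good footer.php is the stronger test once the site is clean.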

Improving security

As a result of this, I’ve boosted our security measures to prevent this from happening again. Most of these steps are technical and involve protecting various file directories using a combination of special commands and permissions. For the next couple of days and weeks, if you find something not working properly (uploading images might be affected slightly), let me know as I work to fine-tune these; it’s important to get the right balance of security and accessibility. In addition to this, I will be backing up more frequently.
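The hardening the post mentions (“protecting various file directories using a combination of special commands and permissions”) is not spelled out, so here is an added example, not Tea Trade’s own script, of one common baseline for a WordPress tree and the audit that goes with it: no world-writable files or directories, and no executable PHP under wp-content/uploads, which is also why image uploads are the thing most likely to misbehave after such a change. The baseline modes, the .htaccess directive and the sample site it builds are assumptions of this example.

```python
"""Permission audit and hardening pass for a WordPress tree.
Added example with an assumed baseline (dirs 0755, files 0644, no PHP
execution under wp-content/uploads); not Tea Trade's own script.
"""
import os
import stat
import tempfile

UPLOADS = os.path.join("wp-content", "uploads")
PHP_SUFFIXES = (".php", ".phtml", ".php5")

# Apache 2.4 syntax; Apache 2.2 would use "Order deny,allow" / "Deny from all".
UPLOADS_HTACCESS = (
    "# Serve uploads as static files only; never execute PHP placed here.\n"
    '<FilesMatch "\\.(php|phtml|php5)$">\n'
    "    Require all denied\n"
    "</FilesMatch>\n"
)


def audit(site_root):
    """Return sorted (issue, relative path) findings without changing anything."""
    findings = []
    for root, dirs, files in os.walk(site_root):
        for name in dirs + files:
            path = os.path.join(root, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # a link's own bits are meaningless; judge the target
            if mode & stat.S_IWOTH:
                findings.append(("world-writable", os.path.relpath(path, site_root)))
    for root, _dirs, files in os.walk(os.path.join(site_root, UPLOADS)):
        for name in files:
            if name.lower().endswith(PHP_SUFFIXES):
                path = os.path.join(root, name)
                findings.append(("php-in-uploads", os.path.relpath(path, site_root)))
    return sorted(findings)


def harden(site_root):
    """Apply the baseline modes and block PHP execution under uploads.

    Stray PHP files are deliberately left in place for a human to review;
    the .htaccess stops Apache executing them in the meantime.
    """
    for root, dirs, files in os.walk(site_root):
        for name in dirs:
            os.chmod(os.path.join(root, name), 0o755)
        for name in files:
            os.chmod(os.path.join(root, name), 0o644)
    htaccess = os.path.join(site_root, UPLOADS, ".htaccess")
    with open(htaccess, "w") as handle:
        handle.write(UPLOADS_HTACCESS)
    os.chmod(htaccess, 0o644)


def build_sample_site(base):
    """Constructed site: a world-writable theme file, a 0777 uploads
    directory, and a stray PHP file sitting among the media."""
    def put(rel, content, mode):
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as handle:
            handle.write(content)
        os.chmod(path, mode)
    put("wp-content/themes/sample/footer.php", "<?php wp_footer(); ?>\n", 0o666)
    put("wp-content/uploads/2012/03/photo.jpg", "not really a jpeg\n", 0o644)
    put("wp-content/uploads/2012/03/stray.php", "<?php // stray file\n", 0o644)
    # Pin directory modes explicitly so the demo does not depend on umask.
    for root, dirs, _files in os.walk(base):
        for name in dirs:
            os.chmod(os.path.join(root, name), 0o755)
    os.chmod(os.path.join(base, UPLOADS), 0o777)


def run_demo():
    """Audit a constructed site before and after hardening; return both lists."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        before = audit(tmp)
        harden(tmp)
        after = audit(tmp)
    return before, after


if __name__ == "__main__":
    before_findings, after_findings = run_demo()
    print("before:", before_findings)
    print("after: ", after_findings)
```

The audit and the hardening are split on purpose: run audit() first on the live tree and read the findings, since a blanket chmod also removes write access the web server may legitimately need (the uploads directory must stay writable by the owning user, which 0755 preserves). The stray PHP file is still reported after hardening because blocking its execution is a stopgap; someone has to decide whether it belongs there.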

Furthermore, we’ve retained the internet security firm that helped us track this one down to continue monitoring Tea Trade for the next year. Given how efficient they were in helping us out, I’m very pleased with their service, and we will renew with them next year to keep the protection in place.

Keeping Tea Trade safe

It’s important to remember that Tea Trade itself was not targeted. Tea Trade is built on WordPress, and WordPress is one of the most popular platforms on the internet for building a website. Because of this, WordPress was targeted, or more specifically, a weakness in a third-party script commonly associated with WordPress was. With popularity, one becomes a target. My job, and the job of the developers who build WordPress and the supporting software, is to ensure that WordPress websites are hard to hack into. This incident has motivated me to ensure that Tea Trade is set up with the best practices in the industry. Over the coming days, I’ll be double-checking the hardening of our WordPress installation and consulting with others about how to keep it safe in the future.

I sincerely apologize for any inconvenience caused by this. To help compensate for the confusion and frustration over the last 3 days, I’ll be extending all the paid Tea Trader accounts for one month free of charge. I want to encourage confidence that Tea Trade is a safe and secure place to host your tea blog or online tea store, and to show that Jackie and I are committed to making and keeping Tea Trade the best tea community online.

peter

Peter Davenport is one of the founders of Tea Trade. In addition to building, enhancing and supporting Tea Trade and its members, he studies Business Administration and Management at American Public University with a focus on Entrepreneurial Studies and Enterprises.


Comments

  1. thedevotea

    Pete
    Much as this event was awful, your response to it was speedy and impressive. It is a better response than one would get from many large hosting organisations with entire IT departments on board.
    All of my important tea activities are hosted by you and this just confirms my choice.
    I imagine others, like me, have noticed a large spike in spam, and realise that this is a direct result of the growing popularity and ranking of the Tea Trade Site.

  2. Rachana (Rachel) Carter

    Such an amazing counter offensive. Remind me never to go up against you. You do put up a good fight and from what I can tell you would not have quit until you were pronounced victorious. Thank you for all you did and please thank @Jackie for helping as well. I am certain she kept your cup full. 🙂

  3. lazyliteratus

    I concur. Y’all were very prompt in taking care of it. I was just sorry I couldn’t post and promote thusly yesterday. But glad things are mostly-ish back to normal. Keep up the good work.

  4. Jackie

    Thanks everyone for your supportive comments. They and you are much appreciated. By the way @thedevotea – the recent increase in spam was due to Pete’s testing a spam function, he mentioned it in a forum post: http://teatra.de/forums/topic/spam-testing/ He turned it back on today, so you should see a decrease again. Despite our popularity : )

  5. manx

    I like your response to this! Speedy and resolute, and good, relevant, in-time information. That is not an easy thing when something like this happens. Thanks.
