[wp-hackers] Pharma hack

Abdussamad Abdurrazzaq abdussamad at abdussamad.com
Sat Sep 28 15:39:50 UTC 2013

Most shared hosts use php fastcgi and they configure it so that the 
entire directory is writeable. This can make it easier for users to 
update WP and allows WP core devs to boast that more WP installations 
are up to date compared to other major CMS.

But yeah it isn't ideal from a security point of view.

On 09/28/2013 07:37 PM, Hal Burgiss wrote:
> On Sat, Sep 28, 2013 at 4:09 AM, Steve Taylor <steve at sltaylor.co.uk> wrote:
>> A site I run just got hit by the "pharma hack". There was a common.php and
>> a /coockies/ directory in the root, and a modification to .htaccess
>> rerouting all search bots to common.php - encoded but obviously stuffed
>> with spam keywords, which were appearing in Google's index.
>> I've cleaned up and all seems fine now, but obviously it'd be good to
>> identify the point of entry and be sure.
> Definitely. But why is .htaccess writable in the first place? Root
> directory? From a systems administration standpoint, the only directory in
> a default installation that should be writable is the uploads folder. That
> by itself doesn't stop everything, but it stops a helluva lot of stuff.
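
An added example, not written by anyone in this thread: a shell audit for the two conditions discussed above, namely paths outside the uploads folder that the PHP process can write to, and an .htaccess that rewrites based on the User-Agent header. The function names and the PHP user/group arguments are assumptions; the paths follow the default WordPress layout.

```shell
#!/bin/sh
# Added example: audit a WordPress tree (default layout assumed).

# Print every path outside wp-content/uploads that the PHP process can write
# to, judged from ownership and mode bits:
#   - owned by the PHP user with the owner-write bit set, or
#   - owned by the PHP group with the group-write bit set, or
#   - world-writable.
# $1 = WordPress root, $2 = PHP user (name or uid), $3 = PHP group (name or gid)
list_php_writable() {
    root=${1%/}; php_user=$2; php_group=$3
    find "$root" -path "$root/wp-content/uploads" -prune -o ! -type l \
        \( \( -user "$php_user" -perm -200 \) \
           -o \( -group "$php_group" -perm -020 \) \
           -o -perm -002 \) -print
}

# Print the .htaccess lines (with line numbers) that make a rewrite depend on
# the User-Agent header, the pattern reported in the thread. Legitimate rules
# can match as well, so each hit needs a manual look.
list_ua_rewrites() {
    root=${1%/}
    [ -f "$root/.htaccess" ] || return 0
    grep -n -i -E 'RewriteCond[[:space:]]+%\{HTTP_USER_AGENT\}' \
        "$root/.htaccess" || true
}

# Run both checks when called as: audit.sh <wp-root> <php-user> <php-group>
if [ "$#" -eq 3 ]; then
    echo "Writable by PHP outside wp-content/uploads:"
    list_php_writable "$1" "$2" "$3"
    echo "User-Agent conditioned rewrites in .htaccess:"
    list_ua_rewrites "$1"
fi
```

On a host where PHP runs as the account owner, the first list will contain nearly the whole tree, which is the situation described at the top of this message.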

