WordPress Pharma Hack and WooThemes Shortcode Exploit Fix

I’ve been “plagued” for a while with some site hacking on my WordPress site.  And as annoying as it starts out to be – I kind of enjoy watching the techniques the rascals use to do it.  I have written about the WordPress Pharma Hack in the past – you can catch up here.

Some may have heard of the issues that have plagued WooThemes lately.  They had a small coding issue which would allow nefarious peeps to break into your website and gain access to your site/server.  Most of the time their goal is to add a few files to your site to allow them to leverage Google for pushing affiliate sites that sell off shore medicine – ala viagra and other interesting pills.  This is why they call this hack the “Pharma Hack“.

If you are having issues, check out you files carefully…the technique used is to gain access to your site via a vulnerability – lately, it has been timthumb vulnerability or WooThemes shortcode exploit.

How to spot it

The way I see people trying to get to my stuff is via the Redirection plugin.  It allows you to track the 404’s coming into your site and see what people are throwing at your site.  I’m sure there are other similar plugins.

You can see how it logs the 404's and gives you the IP too, not that they ever amount to anything...usually a compromised machine or server.

Now – this doesn’t register if they have already gained access – but it gives you an idea of what is happening.

Tim Thumb Issues – the Timthumb Vulnerability Scanner is an option to check for the original issue.

What to do about it

You need to stay aware and keep an eye on things – as more and more of these fake files come into my site as 404’s – I add them to my .htaccess file.  (If you don’t know how to change the .htaccess file – check out this site.)

Here is what I have in my file:

RewriteRule ^auto\.php https://tomaltman.com/wordpress-pharma-hack-and-woothemes-shortcode-exploit-fix?da=1 [R=301,L]

This takes any request for auto.php and redirects it to this post.

I also have entries so far for: keyboard.php, fotter.php, wpcima.php, __2.php, 2008.php, en.php, wp-post.php, wp-library.php, wp-conf.php, topper.php, wp-plugin.php, wp-lenks.php


You have to stay up on security if you are going to host your own wordpress install.  If that is something you are not interested in, then you must find a host who can do that for you.

WordPress Managed hosts: here are some of the better options  WP Engine, page.ly or hostguts  {affiliate links}.

It is crazy important – please, WordPress is a great piece of software…but like your home – if you leave it unlocked and the door open, bad people will enter.