WordPress Zend Hack Attacks Vulnerable Websites

Late last week we discovered a seriously scary WordPress zend hack attempt that affected WordPress websites across the globe.  In each case malware was injected in the headers of PHP files.

The Zend hack usually looks something like this:

php $zend_framework="\x63\162\x65\141\x74\145\x5f\146\x and the string goes on. We have several samples and, so far, they’re all in the first line of the PHP files that make up WordPress (sometimes, all of them).

One of our servers, Panther, had several sites that were even targeted and hacked in what we’re resentfully calling the “Zend Hack.”

  • Check this article if you’re interested in the down-n-dirty description of the Zend Hack from a security expert.
  • Here’s a script for clean the Zend Hack. Warning: proceed with great caution and backup first.

What Happened?

In all cases, the hackers targeted WordPress installations that were vulnerable due to one, or more, of the following:

1. Insecure passwords

This is one of the top reasons people get hacked: they use common words, or simply short passwords.  If your password is a family member or pet’s birthday or name, it’s not a good password!

You should be using very secure passwords for all of your email accounts, web hosting logins, and WordPress credentials. Really, anything you do on the Net.

There are a ton of tools out there that can help generate secure passwords.  One I especially like is the Secure Password Generator at PCTools.

Also, if you’re in your hosting control panel (cPanel), you can reset passwords for your email accounts and your cPanel account, and there’s a tool that you can use to Generate Passwords.

Honestly, most people hate this because the passwords tend to be hard to remember.  That’s often a sign of a decent password: if it’s too complex to be easily guessed or remembered.

There are plenty of great password management programs out there that are quite good.  I use 1Password for Mac, iPhone and iPad, but it’s also available for Windows.

Others swear by LastPass, a web service with a browser plugin.

Check them out; they can really help.

One last password tip:

  1. don’t use the same password in multiple places. Trust me.  My personal Twitter account was hacked about 6 months ago and, because I’d used the same password on a bunch of sites including my bank (I should know better), I had to scramble to change passwords and remember where all I’d used it.
  2. Try to make sure your password is complex. Like:
    • At least 10 characters
    • At least 1 upper case letter
    • At least 1 number
    • At least 1 special character<

2. Default Usernames

It used to be that each new installation of WordPress had a user with the username of ‘admin’ and you had no choice in the matter.  WordPress changed this a few years ago, so now when you install, you have the option to change the administrative username.

As you might guess, having a default username like ‘admin’ is no good because it makes a hacker’s job a LOT easier – they only have to guess one thing: your password.

If your WordPress install is older than a few years, you should check in your WordPress Dashboard under Users to see if there’s an account with the username admin.  If there is, you should work to remove it.  We can assist with this, but you can also follow Bob Dunn’s instructions in this quick video and blog post:


3. Virus or malware infections on your computer

Scary, but we’ve found several viruses that can infect your computer and search your hard drives for username and password data and deliver it right to a hacker’s inbox.

These infections are especially frustrating because, until you’ve completely cleaned your computer and ensured that there are no viruses or malware, it’s not safe to access ANY password-protected site.

Make sure you have current anti-virus software that’s updated and perform a full system scan of your machine.

What We’re Doing

As many of you know, security is no joke at IvyCat.  We hate crappy spammers and crackers and want to make sure our customers are safe.

That said, we can only do so much – we have to trust you to use good usernames and passwords, maintain your own computer’s security, and keep your WordPress, plugins and themes updated.

We’ve already cleaned several sites that fell subject to this hack, and restored others from backups.  Once cleaned, we update WordPress and all plugins and verify that everything is working.

Giving You More Backups

If you’re unaware, we always have a daily, weekly and monthly server backup for each account we host.  This is a bit deceiving, though, as they roll over, so we don’t always have a backup that’s 30 days old.

If you’re using WordPress, we recommend that you use a good backup plugin.  We like BackupBuddy and recommend it, although it’s not free.  There are other good backup plugins too.  Just make sure you’re using one.

On our servers, we rolled out an additional backup service yesterday called R1Soft.  If you log into your hosting control panel (cPanel), you’ll now see an R1Soft Restore Backups icon.

Using R1Soft, we’re going to keep an additional 15 daily backups for each hosting account.  So you’ll always have a daily backup for each of the last 15 days.

No charge.  We love you.

Begging You to Keep Updated

Pretty please?

WordPress incorporated built-in updates back in version 2.7, so you can upgrade WordPress, themes and plugins directly through the WordPress Dashboard if you’re an administrator.  It’s really just a few clicks, wait a moment and it’s done.

Usually it’s that easy, but there are some cases where especially poor, or overly complex plugins can cause issues when upgrading.  We see this more with e-commerce, event management, and membership sites.

Get Pro Support

Although we haven’t made a formal announcement yet (it’s coming soon), we launched our new responsive website last month and, with it, some new WordPress Support & Maintenance packages.

Our WP Support packages come with:

  • WordPress Updates
  • Off-site backups
  • Security & uptime scanning & monitoring
  • Troubleshooting & advice
  • Pro WordPress tech support
  • Monthly reports

We also have some additional features that we’ll be rolling out soon, including a monthly online hangout where you can ask questions of WordPress and website pros and get answers.

These packages start at just $35/month, but sign up before July 4th and use the coupon code supportmywp and you’ll save $10/month for life on the support package of your choice.

WordPress Security Plugins


We don’t joke around with our own site’s security either, so we’re big fans of Sucuri.net’s anti-malware service.  Here’s what’s great about it: once you sign up with Sucuri and login, you can download their Professional WordPress Plugin, which will help keep your site free from malware.

Sucuri Pro runs scans of your site and even audits files for changes and will notify you if anything looks fishy.  There’s a built-in firewall that will block suspicious activity like repeated hack attempts or other bad behavior.  And, in the event that your site is hacked, the pros at Sucuri will clean it for free.

Sucuri’s service is $89/year, which is a small price to pay for ease of mind.  I’ve had to clean many sites in the past and it can get expensive quickly, so $89 is a wise investment for anyone serious about their WordPress site.

If you sign up for Sucuri using this affiliate link, we’ll even help you get it installed and configured correctly at no charge.

They also have a free Sucuri Scanner plugin that has some of the basic features.

Limit Login Attempts

The Limit Login Attempts WordPress plugin will simply lock a user out if they exceed a certain number of login attempts.  You can set the limit, along with other options. Here’s a good article on Limit Login Attempts.

The Wrap

I know that was a ton of information and not much of it very fun.  But your site is important stuff and we want to make sure it’s getting the attention it deserves.

Please let us know if you have any questions and also check out our WordPress Support & Maintenance Packages and save $10/month if you signup by July 4th.

Thanks for your business!

Eric Amundson