Jul 17 2010
New Hosting Attacks – bluehost attacked

New Wave of Injection Attacks Targets WordPress Blogs

Compromised websites direct users to scareware

Read more here. But I just got off the phone with Bluehost who basically denied that there was any problem. What else is new.  They are too big to really care. Talked to Roger, who was in the dark about the situation.

I think this has happened to many hosting companies, that they get too big to really care, and when something like this happens, people suffer and are stuck trying to figure out how to fix something that can be fixed in a matter of minutes if you know what you are doing.

I did basically what I did before, but there is no guarantee that it will fix the problem or vulnerability.   Also, if you already had the file and tried to run it the redirect would occur again. So you have to copy a new file.

https://sucuri.net/malware/helpers/wordpress-fix_php.txt and be sure to rename it to .php and then open it in a browser and you should get a message that the site is clean, then go ahead and try your site again, it should be ok.

Just as a good measure, you can make sure your WordPress blog is also updated.


Amid my various calls to alert BlueHost to their hosting vulnerabilities. These are the response I got. I appreciate the effort Roger made, but it is too little too late for many users who are simply hacked and have no recourse or wherewithal to deal with it.  Roger starts that I am angry with my WordPress install…ha. That’s is not true, I am angry about the way BlueHost handles attacks on their network.

Read below:


Customer is very frustrated and angry that his WordPress install has been hacked multiple times in the last month or so and we haven’t done anything about it yet.

He referred us to this article:
“Sucuri Security, a provider of Web integrity monitoring solutions, warns that a new wave of malicious code injection attacks is targeting outdated WordPress sites. Users visiting the compromised websites will be directed to pages serving a FakeAV variant.

The new attacks are a reiteration of the mass compromises that affected thousands of WordPress blogs hosted at GoDaddy, BlueHost and other companies in recent months. The hackers perform automated scans to locate vulnerable installations and inject rogue code into the php pages.

This code is obfuscated via a base64 encoding function, …”

Victor, i’ll be following up with you in a little bit via a 2nd email.


second follow-up email:


Hi Victor, thank you for waiting.

The developer community and maintainers of WordPress.org and it’s software have chosen a security model that is different from other popular CMS (content management systems) such as Drupal and Joomla.

#1 – WordPress.org only sends out announcements about core security issues.
You’ll definitely want to subscribe to it at https://wordpress.org/support/register.php !
They’ll let you know of core upgrades.

#2 – WordPress.org does not keep track of any security problems in each of the over 10,000 plugins for it.
For that you have to go to a plugin’s page at wordpress.org and then click on “Plugin Page” and/or “Author Homepage” in order to sign up on their security announcements list.  You have to do that for EVERY single one of your plugins.

Example — https://wordpress.org/extend/plugins/wp-e-commerce/ — on the right you can see “Author Homepage” and “Plugin Page”.
Somewhere there you’ll find their security updates info or list.
For each of your plugins you’ll want to decide whether to keep it, reinstall it fresh, or to delete it.

I don’t think that WordPress.org forces any of the authors of the submitted plugins to run a security list.  The end user assumes all risk by using any plugin.  That’s part of the WordPress license agreement.

#3 – These security documents from WordPress.org are very, very good:

NOTE: You mentioned that don’t care about WordPress at the beginning of our call and something about how you don’t need it.
If you want to uninstall it, you can do so through your Bluehost cPanel at https://login.bluehost.com
Click on SimpleScripts and then on that page click on the small grey Uninstall link under the https://www.centerstagingcorp.com/blog URL.

*** BOTTOM LINE: I’d like to use a helpful analogy:
Renting hosting space is like renting an apartment.
We secure our end such as protecting the utility closet so criminals can’t get in and shut off your water or electricity.
We do not put a guard inside your living room and each of the rooms in your apartment.
We leave that up to you.
What you put inside your apartment is up to you.
We only monitor for illegal activity such as your account being used to hack into other accounts here.

There are hosting companies that not only watch their end but also the customer’s end — to continue with the analogy they put a guard inside your front door and inside every bedroom of your apartment so to speak.

We do not currently offer that type of service.  That’s definitely a suggestion that you and I can make to management.
Also, there are 3rd party security monitors that you can use with any hosting company.
I know of one at https://jacadis.com (Bluehost does not have a relationship with them — that is my own personal recommendation.)
You can also find others by searching a search engine for “website security monitoring” or a similar phrase like that.

Additionally, if you want to learn more about security i highly, highly recommend https://www.securityfocus.com/ — they run some of the very oldest and most experienced security consultants discussion lists on the Internet.

Let us know if you have any follow-up questions.

P.S. It’s good to make regular backups of your whole account — you can do so via the “Download or Generate a Full Backup” tool at https://box507.bluehost.com:2083/frontend/bluehost/backup/fullbackup.html

Kind Regards,

Roger L. Brown
Support Technician

FTC - Site employs income earning affiliate linking

Written by

View all posts by: