This morning a client emailed me to report that their website had been hacked. The site ran a WordPress theme I had designed a few months ago and wasn’t held on any of my own servers but I was confident that I could get it back online, I mean, I think I’ve seen most WordPress-related hacks in my time right wrong

Turns out the hack was pretty a sneaky malware re-direction that it only kicked in when a search engine query directed the user to the site.

This is especially sneaky as it means that the site owners who probably had the site in favorites or just typed in the domain would most likely never find the hack until it had been lurking for a while.

Investigation

The first thing I did was check the .htaccess and index.php files on the site. The .htaccess file looked fine, see:

So, I moved on…. I checked the database, nothing, the theme, all clean, the plugins, all the plugins, they were all clean. So what was it? I checked for malicious hidden files in the FTP folders I double checked the data I looked for anything  and everything and nothing came up.

Google was no help either, this hack seemed to have been reported many times but it had many different solutions and none of them relevant here.

So a few hours into the investigation I went back to the start and checked the .htaccess file again. My plan was to add my own scripts to replace the default WordPress mod_rewrite code and see if it gleaned any results.

Doh!

Upon checking the main .htaccess file a 2nd time I noticed something that wasn’t obvious before:

GAH!! That’s it. The hacker had done the simplest of things to cover his tracks! By adding a few 1000 lines of whitespace and indenting the code in the .htaccess file it was hidden from view! I didn’t even think to scroll around the file the first time around!

So here it is the hack in all its glory:

A very simple hack but very sneakily done.

Fix

After removing the code the site now seems fine. How did it get there?? I really don’t know. The site isn’t hosted on any of my servers and I’m not contracted to find this out, the server tech can deal with that one. And I’m not even sure if its a WordPress-related hack, I mean, the rest of the site was clean. Only the .htaccess file had been messed with.

So if your site is sending you to malware portals or fake virus scanners then check your .htaccess file and please, dig around a little. Don’t waste 2 hours looking for something that isn’t there

The WonderThemes WordPress Theme Marketplace has have 1 micro-sponsor ticket and 2 standard tickets on offer for this years WordCamp UK in Portsmouth. Winners will also get a WordCamp UK t-shirt and a very cool WonderThemes t-shirt as well as some other cool swag at the event.

You also get to meet me which is always a bonus.

To be in with a chance of winning just check out this blog post over at the WonderThemes site.

Fly over to WPCandy TODAY and throw a vote on their really cool Theme Madness competition my new virgin theme marketplace WonderThemes is up for vote right now so vote for us here!

Yesterday was the 2nd WordPress User Group meetup over at The GIST Lab in Sheffield.

This follow up meeting was just a little more organised and just a little more focused than the first one with actual topics and subjects which (hopefully) enriched the experience of everyone involved. I personally learned a lot about blogging and creative writing from this session – actually, I learned sort of what I already know, it takes a lot of work and there are no shortcuts.

Other topics were the usual plugin recommendation, a healthy discussion on recommended reading and tips for new users and finally a quick chat on the potential for a fully-fledged WordCamp South Yorkshire to grow out of the meetup which will potentially happen early in 2011.

A WordCamp for South Yorkshire

Since WordCamp UK a few months ago there has been a change in the landscape of UK-based WordPress gatherings. Essentially the overlords at Automattic are keen for the userbase to break away into smaller, cosier and more local events rather than just a single large event.

This allows for more than 1 UK-based WordCamp per year (yey!) and encourages local WordPress gurus to build local communities whilst simultaneously promoting and evangelising the WordPress platform.

This sea change has already led to a number of smaller planned events such as WordCamp Whitehall which will hit London October 13th and is organised by Simon Dickson, the man who helped WordPress get into Number 10.

What about WordCamp UK?

I have yet to comment on the negative fallout from WordCamp UK (which is summed up excellently here by Dave Coveney), but here goes.

Because of the distance involved the USA model for WordCamps is very different to the UK model. Also, the sheer number of WordPress users in the United States vastly outnumbers the small pocket of WordPress consumers we have over here in the British Isles. Therefore the current USA model cannot (yet) be achieved in the UK but there is potential for middle ground.

I fully support the idea of ‘local’ WordCamps – in the UK and anywhere else – but I also really, really, REALLY see a strong need for a central event where visitors and organisers of ‘satellite’ events can congregate and provide a larger and perhaps more professional setting to help serve the entire UK community.

Take a look at WordCamps such as WordCamp New York and the MASSIVE and ever growing WordCamp San Francisco – these events are notable for their size and stature and with a little more time WordCamp UK will rise to this level.

This model allows for WordCamp UK and smaller WordPress-meetups/camps to co-exist in the same universe. We won’t lose the excellence of WordCamp UK but we will (hopefully) gain a new more diverse insurgence of WordPress-related gatherings.

WordCamp South Yorkshire is something the South Yorkshire WordPress User Group will be building up over the next couple of months. It will understandably be in Sheffield because of the existing infrastructure and support network provided by the team at the GIST Hub.

For more information keep an eye on Twitter and the #sywp hashtag.