The attack involved changes to the site content stored in the WordPress database. The attacker inserted an IFRAME tag in the database, so that when content rendered on a WordPress blog, the siteurl parameter pointed to a malicious website. Siteurl is meant to point to the website URL containing the blog in question.
The attack, discovered by researchers at security firm Sucuri Security, affected fully patched versions of the WordPress blog. Even blogs that restricted administrative access to a few IP addresses were hit. The problem was found to lie with the way that file permissions were configured on the hosting server. wp_config.php, the configuration file for independently hosted WordPress blogs, stores the database access credentials for a blog in plain text. This should not normally be a problem, if file access permissions are set properly. However, many users installed the software in a way that left the file readable by anyone.
According to Sucuri, the attacker created a script to find configuration files that were incorrectly configured and therefore publicly readable. He then retrieved the configuration files with the incorrect permissions, and harvested the database credentials. The hacker then used those credentials to access the databases and change the siteurl parameter, pointing to a malicious site.
"So, at the end anyone can be blamed," said the researcher at Sucuri. "At WordPress for requiring that the database credentials be stored in clear text. At WordPress again for not installing itself securely by default. At the users for not securing their blogs. At Network Solutions for allowing this to happen."
WordPress developers responded that configuration parameters are the users' responsibility, or the responsibility of automated installation scripts that might be run by a hosting company. And the file has to be stored in plain text so that it is readable by the system, they added.
Network Security fixed the problem in a process that involved changing passwords for the WordPress databases hosted on its systems. It recommended that all customers using WordPress should log into their accounts to change their administrative passwords.