How To Protect Your Blog From Hackers

April 30th, 2009

I had some technical difficulties with my blog recently. Some files got corrupted, and I wasn’t able to log in. I don’t know if I was hacked, but it made me wonder.

Since then, I’ve been a lot more interested in WordPress security. That’s how it goes, right? We’re not concerned about what could go wrong until something happens. But if you have a blog, there’s a good chance that someone will try to hack it someday. When that happens, you don’t want them to succeed.

John Hoff from WpBlogHost offers a WordPress security upgrade, normally priced at $49.95. From now until Thursday 5/7/2009, use the promo code “Hunter” to get it for just $24.95.

Here are some of the things included in the security upgrade:

  • Rename your database tables so they don’t start with “wp_,” making them harder for hackers to find.
  • Protect your login page from brute force password attacks.
  • Prevent other people from accessing pages and directories you don’t want them in, such as your login page.
  • Block people who attempt common hacker attacks, such as SQL injection.
  • Hide your WordPress version number, so you won’t be seen as a target if your version isn’t up to date.
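As an added illustration of two items from the list above (the brute-force protection for the login page and hiding the version number), here is a small WordPress plugin written for this page; it is not the WpBlogHost upgrade and not code from the post. It uses the standard wp_login_failed, authenticate and wp_login hooks and WordPress transients; the lle_ names and the threshold of 5 failures within 15 minutes are assumptions.

```php
<?php
/*
Plugin Name: Login Lockout Illustration
Description: Lock out a client after repeated failed logins; hide the WP version.
*/

// Assumed tunables: 5 failures within a 15-minute window trigger a lockout.
const LLE_MAX_FAILURES = 5;
const LLE_WINDOW_SECS  = 900;

// One counter per client address. REMOTE_ADDR is filled in by the web server.
function lle_client_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lle_fail_' . md5($ip);
}

// Each failed attempt bumps the counter; the transient expires on its own
// after the window, so no cleanup job is needed.
function lle_record_failure($username) {
    $key   = lle_client_key();
    $count = (int) get_transient($key);
    set_transient($key, $count + 1, LLE_WINDOW_SECS);
}
add_action('wp_login_failed', 'lle_record_failure');

// Runs after the core username/password check (priority 20) and refuses
// authentication outright while the client is over the limit.
function lle_check_lockout($user, $username, $password) {
    if ((int) get_transient(lle_client_key()) >= LLE_MAX_FAILURES) {
        return new WP_Error('lle_locked_out',
            'Too many failed login attempts. Try again later.');
    }
    return $user;
}
add_filter('authenticate', 'lle_check_lockout', 30, 3);

// A successful login clears the counter for that client.
function lle_clear_on_success($user_login, $user) {
    delete_transient(lle_client_key());
}
add_action('wp_login', 'lle_clear_on_success', 10, 2);

// Last item from the list: stop printing the generator meta tag in <head>.
remove_action('wp_head', 'wp_generator');
```

Behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address and every visitor would share one counter, so derive the key from the forwarded-client header that the proxy is trusted to set instead.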

Of course, nothing is 100% secure. But just like a bank is far more secure than a hot dog stand, a blog with these security upgrades is far more secure than a blog using the default installation. I highly recommend a one-time investment in this security upgrade to all WordPress bloggers. I feel way more secure now than I did before.

Whether you have a blog or not, take a minute to consider all the passwords you use online. Just because your password is a little harder to guess than “password1” doesn’t mean it’s secure. Make sure you’re not using dictionary words, or names, or sequential numbers. Use a mix of lowercase letters, uppercase letters, numbers, and symbols. Don’t use the same password for every site, and change them periodically.


6 Responses to “How To Protect Your Blog From Hackers”

  1. John Hoff - WpBlogHost Says:

    Hello Hunter. You said it best:

    We’re not concerned about what could go wrong until something happens.

    I’ve spent quite a bit of time in the WordPress forums helping people with WordPress related issues and I’ve lost count how many times someone had an issue with their blog which was a result of a hack.

    Just because your blog is about napkin folding doesn’t mean you’re not a target. Hackers will get into anyone’s blog for various reasons. Some want to create dozens of spam links (which you never see) while others simply do it because they are bored.

    Take for example that kid who hacked Twitter lately. He did it because he was bored – and you know what? He taught a lot of other hackers that Twitter is vulnerable.

    John Hoff – WpBlogHost´s last blog post..Landing Page Optimization: Make Your Links Stand Out To Get More Clicks

  2. Hunter Nuttall Says:

    @ John, I imagine that hackers often go after the people who don’t think they’re a target, as they’re the least likely to have taken any security precautions. Unfortunately, everyone is a potential target, and we have to act accordingly.

  3. J.D. Meier Says:

    Do you know if anybody has done a pretty good threat model for Word Press?

    It seems to me that the 80/20 rule is perfect here. I bet that 80% of the issues boil down to 20% of the common flaws. It would be great to know the patterns.

    One of the biggest issues with security is not knowing how the magic tricks are done. Once you know the magic tricks, it’s easier to know which tool to use for the job.

    J.D. Meier´s last blog post..Choose Your Jobs Based on Strengths

  4. John Hoff - WpBlogHost Says:

    @Hunter – They come in all shapes, sizes, types, and backgrounds. The vast majority of them use search engines to find easy targets (more in the comment below). Like you said though, everyone is a potential target.

    Sometimes though, they don’t even try and do any research – they just arrive on a site and try a few methods they know which gets them into an outdated blog.

    Here’s a screen shot of someone who tried to hack my blog. I pointed arrows to the two key areas they were trying to get to. You’ll notice they are trying to access my database table wp_users and retrieve my password.

    Well, this particular sql injection attempt does not work with my version of WordPress first, second my firewall stopped them, and third my database prefix is not wp_ (they just took a guess because that’s what WordPress typically uses out of the box). This was someone who tried 7 attempts in about 20 seconds simply copy and pasting in some code in the web address bar. They obviously didn’t do any research, just tried a couple tools in their belt.

    Once I was notified of the attempts I banned their IP from our website. But who knows if that did any good – a good hacker would use a proxy to hide under.

    @J.D. – Knowing the tricks is key, problem is, once you learn them, how do you blog about them? If I were to show people how people hack your blog I’d be teaching people how to hack your blog LOL.

    In many cases their best tool is Google. Let me give you an example.

    They might go to Google and type in “powered by wordpress 2.1.1” or something. Does anyone have a blog where it says in the footer “Powered by WordPress….”? Is your blog outdated?

    Or maybe they’ll Google wp-content/wp-login.php and get a bunch of people’s login pages. If they have access, they can run a brute force attack to discover your password. That login page needs to be locked down well – it’s the front door to your blog (need a custom username, lock out function so they can’t keep trying to guess your password, have a strong password, and deny access from even getting to that page).

    No security is foolproof, unfortunately. The best we can do is make it more difficult by making our blogs not so cookie-cutter.

    John Hoff – WpBlogHost´s last blog post..Landing Page Optimization: Make Your Links Stand Out To Get More Clicks

  5. Kathy | Virtual Impax Says:

    A hearty AMEN to John’s comment above and an additional “note”… the “best” and therefore most deadly hackers will sneak in through a “back door” to do their dirty work.

    I had a client for whom I installed a WP blog. He didn’t have a CLUE his two year old blog had been hacked until he got an email from a frustrated “victim” of his hacker. It seems the hacker accessed my client’s blog through a “security hole” closed in later editions. My client was totally unaware that his blog – based on his NAME – was sending spam. His first clue – a threat from a frustrated “victim” who was threatening to sue.

    Yeah, it will be a LONG time before that guy will forget my client’s name – the blog which incessantly spammed him to the point of hiring a lawyer. The thing is, my client probably would have been much happier had the hacker done some damage BEFORE his blog was used as a spam portal!

    Count your blessing Hunter – it could have been MUCH worse!

    Kathy | Virtual Impax´s last blog post..Social Media: Same Shit-Different Day

  6. John Hoff - WpBlogHost Says:

    @Kathy – That’s the thing, most people won’t even know they have been intruded upon.

    Many of these people work in groups and they often times run by a “code”. They don’t brag to everyone about what they did – so as to not draw attention, once in they make sure to make it easy for others to get in, and they don’t really want to crash your website.

    I mean, if they crash your site, what use is it to them?

    By the way, there’s a pretty cool plugin called Bluetrait Event Viewer which records everything your WP does. If an email is sent or if a failed login attempt happened, it shows it in your Dashboard. If you install it, be sure to read the FAQs area to learn how to lock it down.

    John Hoff – WpBlogHost´s last blog post..Landing Page Optimization: Make Your Links Stand Out To Get More Clicks
