Your Blog Got Cracked! 8 Steps To Show You Concern
Jul 2008 | Category: Lead Article, Make Money Blogging
Yesterday, in my article about keeping your blog alive when your writing skydives, I mentioned cleaning up your blog from link leakages. I also mentioned that I had found invisible links to pharmacy and Viagra websites, installed invisibly just before the “</body>” tag.
Now, how those links managed to get into my blog I don’t know for sure. But Andrew Rickmann suggested that I google for “wordpress security scanner” to find out what might have caused it and how to prevent it from happening in the future.
As a result, here are the pre-emptive steps I took to harden my WordPress installation. You might want to check whether there is anything you also need to do before a similar or worse infiltration happens to your blog.
- I changed my password - Password cracking is one of the methods used to hijack blogs. If they get through, the worst possibility is that they replace your password with theirs so you no longer have control of your blog, and the only option left is reinstalling your blog and hoping you have a backup of its database. Here’s a good suggestion from WordPress on what your password shouldn’t be. As a result, my password is now three times stronger (not longer) and more varied.
do not use your own name for your password, do not use a dictionary word (from any language) for your password, do not use a 4 character string of numbers as your password. Your goal with your password is to make the search space as large as possible, so using numbers and varying capitalization all make it more difficult, statistically, to brute force a password.
- In case someone uses brute force to break in, I already had the login lock down WordPress plugin installed, which locks down the login function for a period of time when there is a certain number of failed login attempts within a given time range. The plugin also records the IP address and timestamp of every failed WordPress login attempt.
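As an added illustration of the lockdown behaviour described above (this is example code, not the plugin’s own source), the following models the same rule: a number of failed logins from one IP within a time window locks that IP out for a period, and every failure is logged with its IP and timestamp. The thresholds and the IP addresses in the demo are constructed.

```python
"""Failed-login lockdown modelled on what the post describes: after a number of
failed logins from one IP within a window, that IP is locked out for a period, and
every failure is logged as (ip, timestamp). Added example; not the plugin's code."""
from collections import defaultdict, deque


class LoginLockdown:
    def __init__(self, max_failures=3, window=300, lockout=900):
        self.max_failures = max_failures    # failures tolerated inside the window
        self.window = window                # seconds over which failures are counted
        self.lockout = lockout              # seconds an IP stays locked out
        self.failures = defaultdict(deque)  # ip -> recent failure timestamps
        self.locked_until = {}              # ip -> time the lockout expires
        self.log = []                       # (ip, timestamp) of every failed attempt

    def is_locked(self, ip, now):
        return self.locked_until.get(ip, 0) > now

    def record_failure(self, ip, now):
        """Log a failed login; return True if it pushes the IP into lockout."""
        self.log.append((ip, now))
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            recent.clear()
            return True
        return False

    def attempt(self, ip, password_ok, now):
        """Handle one login attempt; returns 'locked', 'ok' or 'failed'."""
        if self.is_locked(ip, now):
            return "locked"                 # refused even if the password is right
        if password_ok:
            self.failures[ip].clear()
            return "ok"
        self.record_failure(ip, now)
        return "failed"


def demo():
    """Constructed timeline: three bad guesses in 10 s from one IP, then correct ones."""
    ld = LoginLockdown(max_failures=3, window=300, lockout=900)
    ip = "203.0.113.7"
    results = [ld.attempt(ip, False, t) for t in (0, 5, 10)]
    results.append(ld.attempt(ip, True, 20))             # still locked: right password refused
    results.append(ld.attempt(ip, True, 10 + 900 + 1))   # lockout has expired
    results.append(ld.attempt("198.51.100.2", True, 20))  # other IPs are unaffected
    return results, ld.log
```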
- I upgraded my plugins - Like the WordPress installation itself, plugins need to be updated over time to reduce blog security risks. Some of them need write access to WordPress files and directories, which can be exploited as a security hole. When a plugin upgrade is available, install it immediately, and delete the plugins you don’t use.
- I restricted access to my wp-admin directory - I did this by adding a .htaccess file inside my wp-admin directory that makes the directory accessible only from a certain IP address. Here’s the code I used (the comment has to sit on its own line, because Apache does not accept a comment after a directive on the same line):
order deny,allow
# xxx.xxx.xxx.xxx is your static IP
allow from xxx.xxx.xxx.xxx
deny from all
- As well as the wp-admin directory, access to my wp-config.php has also been blocked. Add the following code to the .htaccess file inside the wp-admin directory:
<Files wp-config.php>
Order Deny,Allow
Deny from All
</Files>
Keep in mind that .htaccess directives apply to the directory that holds the file and everything below it, so this <Files> block only protects a wp-config.php at or beneath that directory; WordPress keeps wp-config.php in the installation root.
- Every time WordPress releases a new version, they list the security holes found in the previous version. Crackers can take advantage of that information to break into outdated WordPress blogs. There are two ways to prevent this: upgrade your WordPress blog ASAP, or hide the information about your current WordPress version (or do both). The WordPress version is usually displayed in blog footers, so you may want to replace that with just “Powered by WordPress”. The current version can also be seen by viewing a page’s source code; it’s the output of what’s coded in header.php, usually accompanied by the remark “<!-- leave this for stats -->”. To disguise your WordPress version, simply install and activate the Replace WP-Version plugin. It will replace your WordPress version with a random number in case someone tries to view your page’s source.
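The two things to look for in your own page source, the hidden links injected into the markup (from the start of this post) and the version string that header.php leaks (this step), can be checked from a saved copy of the page. The following is an added example, not the post’s or WordPress’s own code; SAMPLE is a constructed page, and the hiding-style patterns it looks for are an assumption about how such links are typically concealed.

```python
"""Audit a saved copy of a blog page for the two things the post describes: links
hidden in the markup (the pharmacy links found just before </body>) and the WordPress
version leaked by the generator tag header.php emits. Added example, not the post's
or WordPress's own code; SAMPLE is a constructed page."""
import re
from html.parser import HTMLParser

HIDING = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0", re.I)
VOID = {"meta", "link", "br", "img", "input", "hr", "area", "base", "col", "source", "wbr"}


class PageAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hidden_links = []  # hrefs of <a> tags that are hidden or inside a hidden element
        self.version = None     # content of <meta name="generator">, if the page has one
        self._hidden = []       # one flag per open element: is it (or an ancestor) hidden?

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = bool(HIDING.search(a.get("style") or "")) or bool(self._hidden and self._hidden[-1])
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.version = a.get("content")
        if tag == "a" and hidden:
            self.hidden_links.append(a.get("href"))
        if tag not in VOID:             # void elements never get an end tag
            self._hidden.append(hidden)

    def handle_endtag(self, tag):
        if tag not in VOID and self._hidden:
            self._hidden.pop()


def audit_page(html):
    """Return the hidden link targets and any disclosed generator string."""
    p = PageAudit()
    p.feed(html)
    return {"hidden_links": p.hidden_links, "version": p.version}


SAMPLE = """<html><head>
<meta name="generator" content="WordPress 2.6" /> <!-- leave this for stats -->
</head><body>
<p>Welcome to my blog. <a href="/about/">About me</a></p>
<div style="display:none"><a href="http://pharmacy.example/">cheap pills</a>
<a href="http://pills.example/">buy now</a></div>
<div class="footer">Powered by WordPress</div>
</body></html>"""
```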
- Try typing http://www.homebiz.bukiki.com/wp-content/plugins/ . Without a blank index.html file inside my plugins directory, anybody could easily see which plugins I use. The same thing can happen to your blog! Check whether each directory displays its contents when someone types its URL, and if it does, add a blank index.html file inside the directory. DO NOT add an index.php file. Why? See the comment below. It doesn’t have to be blank though; you can write anything you want, like “Beware of dogs!” Don’t forget to put one inside your themes directory as well.
- In case you think you need more concrete-solid protection against unauthorized access, you can install the wp-scanner plugin to get a list of the security risks on your blog.
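A way to run the directory check above against a whole install rather than one URL at a time, as an added example that is not the post’s own code: it walks wp-content and wp-includes (the choice of trees is an assumption), reports every directory without an index.html, and drops a blank one in where it is missing. A directory that has only an index.php is reported separately, since the post advises against that file. The install tree it runs on is constructed in a temporary directory.

```python
"""Find directories under a WordPress install that would show a listing because no
index.html sits in them, and drop a blank one in, as the post recommends. An
index.php-only directory is reported separately (the post advises against that
file). Added example, not the post's own code; the install tree is constructed."""
import os
import tempfile

ROOTS = ("wp-content", "wp-includes")  # trees to check, relative to the WP root (assumption)

def check_index_files(wp_root):
    """Classify every directory under ROOTS as 'ok', 'index.php-only' or 'missing'."""
    report = {}
    for top in ROOTS:
        for dirpath, dirnames, filenames in os.walk(os.path.join(wp_root, top)):
            dirnames.sort()  # deterministic walk order
            rel = os.path.relpath(dirpath, wp_root).replace(os.sep, "/")
            if "index.html" in filenames:
                report[rel] = "ok"
            elif "index.php" in filenames:
                report[rel] = "index.php-only"
            else:
                report[rel] = "missing"
    return report

def add_blank_index(wp_root, report):
    """Write an empty index.html into each directory reported 'missing'; return those dirs."""
    written = []
    for rel, status in report.items():
        if status == "missing":
            open(os.path.join(wp_root, rel, "index.html"), "w").close()
            written.append(rel)
    return written

def build_sample_install():
    """Constructed WordPress-like tree in a temp directory (not a real install)."""
    root = tempfile.mkdtemp()
    for d in ("wp-content/plugins/login-lockdown", "wp-content/themes/default",
              "wp-content/uploads", "wp-includes"):
        os.makedirs(os.path.join(root, d))
    open(os.path.join(root, "wp-content/themes/default/index.html"), "w").close()
    open(os.path.join(root, "wp-includes/index.php"), "w").close()
    return root

def demo():
    root = build_sample_install()
    before = check_index_files(root)
    fixed = add_blank_index(root, before)
    return before, fixed, check_index_files(root)
```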
The blog breach may have happened because I treated security as less important than content, design and SEO. While they might be the King, Queen and Queen Mother, I mustn’t forget that there’s also the Gurkha.
There you are. Let me know if there’s any problem after performing these steps (I hope there isn’t).
Hopefully you won’t have to experience what I did (twice!). Or if you did, maybe you have something to share.
Other sources for securing your WordPress blog:
- Hardening WordPress
- Is your Wordpress blog hacked? Why not upgrade to the latest version?
- How To Secure Your Wordpress Blog



My bad! I just figured out that placing an empty index.php file inside my wp-includes directory will render my dashboard blank. So it’s safer to use just the index.html file instead. I’ve updated the post also. There you go!
Good post and some very sound advice. I know what it’s like to be hacked and it ain’t nice. Luckily for me they just added an index.html file so all I needed was to delete it and I was back in business.
David Hobson’s last blog post..Promoting a Website With Squidoo Part 6
Excellent post! I’m glad you included everything because, call me naive, but I really didn’t know there were so many ways to hack into a blog. Thanks for the heads up and I’ll be double-checking things a.s.a.p.
I did hear of some ways people can hack someone’s blog. But I didn’t do anything since I was ignorant and I thought there were still millions of blogs other than mine to break in to.
And if you have time, maybe you also want to check with your hosting service to prevent the same thing happen to your hosting account.
Good informative post. I use WP and have wondered about passwords and hacking. Thanks for all the information.
RecycleCindy’s last blog post..Sunshine Dishcloth with Scrubbie
Very good tips. Everyone should follow.
Richard McLaughlin’s last blog post..Sidebar Spots Available
Wonderful article. I wrote something like this a while ago and you’ll be surprised that many are still clueless about the importance of blog protection.
Yan
Blog Tips for Beginners’ last blog post..What Do They Say About Link Building?
Agree, Yan. Better safe than sorry.
These were very informative. Thanks. I am going to use some of these plugins, thanks for providing the links to them!
Simple Mindz’s last blog post..Catchy titles not included…
Any suggestions for Blogger? I’m sure they’re having this problem with hacking as well. Also, how often should you back up your blog just in case something like this happens?
roschelle’s last blog post..Obama, McCain and the Purpose-Driven Campaign
I usually do it once every two weeks. But it actually depends on how often your site’s content is updated.
Good advice, I will use this myself. Thank you for sharing.
I had no idea that could be done. Thanks for the heads up. I will pay more attention to my security.
Writer Dad’s last blog post..Just Pay Attention
Keeping all your plugins up to date is a good thing to do… of course, if a hacker wants to mess around with you, they will catch you where you least expect…
Hugo Santos’s last blog post..August Earnings and top 100 update
Added you to my Google Reader. I found you from
http://michaelmartine.com/2008/09/03/get-web-traffic/#comments
my site is
http://www.thejimgaudet.com/blog/
Nice site by the way
Jim Gaudet’s last blog post..Would you Smack That Ass? … the series