According to Forbes, one out of every 6 websites on the Internet is powered by WordPress (nearly 60 million in all), with 100,000 more popping up each day. Wordpress.com currently hosts over 56 million blogs. As of this writing, WordPress stats did not include the number of self-hosted blogs, but rest assured there are many of us! I’ve been using WordPress since Gold days and it only gets better with each release.
In the past I have been the victim of two WordPress hacks. At the time of the first hack, I was on a managed VPS. All maintenance and administrative tasks (including software updates) was administered by the hosting provider. In my case, the software was rarely updated.
editor note: I’ve experienced the same problem on a blog I abandoned. I was left with a nice note from the hacker to update my installs or suffer
It was a major hack where all WordPress index pages was injected with malicious code that redirected vulnerable visitors to malware-infected domains. All WordPress sites on my VPS was affected with malicious iframes, so that any visitor to my website (who had operating system or browser vulnerabilities) became infected . Many plugin files was also injected with bootstrap code. I also found modified file permissions (0777 -chmod) for the themes and plugins directory. It was such a flopping mess that it could make a grown woman cry…
I learned a huge lesson from the first hack! I was never going to trust a hosting service again with updating site software. Fortunately I had a number of good backups (both remote and local) and was able to wipe the VPS and start fresh. Though restoration was a rather lengthy process – I was more concerned with the visitors who came to my site who may have been infected. It was my responsibility as a site admin and good Netizen to host a clean and malware-free site. Rest assured that I felt remorse for a very long time, and researched and implemented strong security practices for all my WordPress sites.
The second hack occurred this summer via an automated theme script injection. I
set myself up for this exploit because I forgot to disable the backend editor (after I edited my theme). This oversight resulted in a .404 defacement that was recorded at Zone-H.
It does not matter how trivial a hack appears; other unsavory exploits may be lurking elsewhere. Once I knew my site had been compromised, I immediately shut the site down and reviewed logs. Then I wiped the site and restored with a good solid backup.
Running a self-hosted blog comes with myriad responsibilities. It is not like you can merely install it and be done with it. Your first priority should be to familiarize yourself with the platform, along with the pros and cons of self-hosting or hosting your blog at WordPress.com.
If you self-host you will need to be somewhat technically savvy – if not, hire someone who is. When you self-host you are responsible for technical maintenance (backend configuration; backups; blog security; logs; spam filtering; and updates).
Take the time to find a reputable and reliable hosting service – do your research first. You don’t want to end up on a server that is easily compromised, is slow to update software, has bad tech support, or has too much down time.
The fact that hackers and cybercriminals favor targeting WordPress is for the same reason they favor exploiting Microsoft Windows – it’s popular!
I have seen a lot of site admins downplay the importance of updating CMS software and hardening company blogs. This is especially prevalent with small businesses and startups that rely solely on a development teams to schedule site updates and releases.
I’ve also seen many home businesses slap together self-hosted blogs (because they noticed that cpanel had a Fantastico, Softaculous or an Installatron autoinstaller), and they think that all they have to do is populate their blog with posts, widgets and plugins. For the love of Matt Mullenweg, please check out wordpress.com…
The top 10 mistakes
1- Managing a WordPress site from a friend’s/public computer or insecure/public Wi-Fi
You should always login to your site via a secure connection. You never know what could be lurking on someone elses computer; from keyloggers to password-stealing Trojans, take your pick. The same goes for logging in on an unsecured Wi-Fi connection.
2- The use of weak passwords
Last March when 30,000 WordPress blogs became infected with rogue anti-virus, many of the blogs had weak administrative passwords, was outdated, or had vulnerable plugins. Forget about using weak passwords , and don’t ever use the same password across multiple sites!
How long would an online attacker using a password cracker at 1,000 guesses per second take to figure your password out? Let’s take a look at how effective your password is at GRC:
If your password is 5 characters long and uses:
- Just numbers, the time to “crack” = 1.85 minutes (Example: 12345).
- The full alphabet but doesn’t mix upper and lowercase, the time to “crack” = 3.43 hours (Example: alpha).
- The full alphabet and numbers 0 through 9 but doesn’t mix upper and lowercase, the time to “crack” = 17.28 hours (Example: alp12).
- The full alphabet and numbers with mixed case, time to “crack” = 1.54 weeks (Example: Alp12).
Use a combination of uppercase, lowercase, numbers and symbols
- If we combine the alphabet, numbers, mixed case and use 6 characters instead of 5, the time to “crack” jumps to 1.84 years (Example: Alph12).
- If we go to 8 characters and throw in symbols like # % & *, the time to “crack” jumps to 2.13 thousand centuries (Example: Alph12*!). —The Cocoon Blog
3- Ignoring login attempt activity.
By default, WordPress enables unlimited login attempts. I recommend that you limit failed login attempts to a maximum of 5 and use the Limit Login Attempts plugin
4- Downloading themes from strange places
Make sure that the current theme you are using has been downloaded from a reputable source (such as WordPress.org).
Earlier this summer theme exploits such as Uploadify (in older versions of WordPress), and a zero day vulnerability found in Timthumb.php led to exploits and bad-boy automated scripts.
Unless you play musical themes, there is no reason to keep more than one theme in your theme directory. Copy the themes that you are not using to a back-up and only upload it when you you are replacing a current working theme.
5- Failure to update software and plugins
Always update WordPress to the latest version and keep all plugins and themes up to date. Deactivated plugins can still pose a threat if they are not kept up to date. Delete plugins that are unnecessary or that you no longer use.
You can scan your site at Sitecheck.Sucuri.net to see if your wordpress installation is outdated or hosting malware.
Back in early June I emailed Sophos about a malicious exploit that was affecting massive websites, to which Chet Wisniewski responded:
Unfortunately we are seeing hundreds of these per hour… In fact a similar domain is what inspired my post earlier today… We are currently tracking over 32,000 URLs a day pointing at garbage on the net. Most of them seem to be unpatched WordPress sites that are being hit.
6- Failure to back-up
This is a big one! The first thing I do when I create a new WordPress site (after I have secured it) and have the look and feel that I want – is to download a copy so that I can run a duplicate locally. I tend to call this backup my core copy.
The best plugin that I have found is BackWPup. This simple plugin provides you with all the options necessary to automatically backup your blog with absolutely no hassles.
7- Using the default admin account
This is a big no-no! Obscure the admin account by renaming it. Go to Users. Change the admin email address to an address that you will not be using. Then, create a new user and set the role to administrator. Log out and login (a few times) as the new account, and once you are sure that the new account is working correctly, go ahead and delete the admin account (and don’t forget to select the radio button that attributes all posts and links to the new admin account that you just created).
8- Not moving the WP-Config file to the directory above your WordPress install
WordPress will look one directory past the default location. CHMOD 0640.
9- Keeping the same old keys year after year…
A secret key makes your site harder to hack and access harder to crack by adding random elements to the password. You can use the online generator to create new keys and just copy and replace the old keys in the WP-Config.php file.
10- Failure to harden the security of your WordPress site
There are a number of awesome security plugins that can utilize to harden your WordPress blog. One of my all time favorites is Better WP Security. It is really an amazing plugin that manages to accomplish quite a bit toward hardening any WordPress site.
The only problem that I’ve run into with this particular plugin is #8: Your WordPress admin area is available 24/7. Do you really update 24 hours a day?
It seems that everytime I enable #8 I end up locking myself out of the backend and have to manually edit a file on my webserver to get myself back in again.
Better WP Security [Plug-in]
- You are enforcing strong passwords for all users.
- Your WordPress header is revealing as little information as possible.
- Non-administrators cannot see available updates.
- The admin user has been removed.
- The user with id 1 has been removed.
- Your table prefix is xxx_
- You have scheduled regular backups of your WordPress database.
- Your WordPress admin area is available 24/7. Do you really update 24 hours a day? Click here to fix.
- You are blocking known bad hosts and agents with HackRepair.com’s blacklist..
- Your login area is protected from brute force attacks.
- Your WordPress admin area is hidden.
- Your .htaccess file is fully secured.
- Your installation is actively blocking attackers trying to scan your site for vulnerabilities.
- Your installation is actively looking for changed files.
- Your installation does not accept long URLs.
- You are not allowing users to edit theme and plugin files from the WordPress backend.
- Better WP Security is allowed to write to wp-config.php and .htaccess.
- wp-config.php and .htacess are not writeable.
- Version information is obscured to all non admin users.
- You have renamed the wp-content directory of your site.
- You are requiring a secure connection for logins and the admin area.
From the moment that you install WordPress you should be thinking about security. Some things may be beyond your control such as: when a webhost becomes infected or when a rogue employee decides to steal account passwords.
The above list is not a silver bullet or cure-all; it takes constant vigilance (logging, spam filtering, tweaking, and awareness of potential exploits) – to stay one step ahead of the bad guys.
Update: March 18, 2013
I would like to add the plug-in Wordfence: I have this installed on a few WP blogs now – quite impressive and allows file change comparisons. File alerts are awesome too – sends alert for core upgrade/plug-in updates. I ended up up purchasing the premium version for one site = Scan public facing site for vulnerabilities.