Tuesday
Jun012010
Inkygirl is BACK...and some security tips for other bloggers
(Resource list updated: June 3, 2010, 11:06 AM)
As some of you may already know, some of my sites were hacked on the weekend. If you notice some missing images and features from this site, that's why -- I still haven't finished the finetuning after major damage control had been done.
Many thanks to those who e-mailed, tweeted and sent me Facebook messages about the problem, and to Cid of Cidwrites.com and others for their advice. Biggest thanks to my technonerdboy hubby, Jeff Ridpath, who spent pretty much the whole weekend helping me get things back to normal.
For anyone else out there who uses Wordpress as their blogging platform, be aware that what happened to me could very easily happen to you. You might think you don't have to worry because you just have a small site or figure that you don't have any valuable info on your site anyway but trust me...it's worth taking a few precautions to avoid going through the hassle of having to scrub your site clean and have to reinstall everything.
And if you get flagged by Google as a malware site, then you have the added embarrassment of the warning that comes up whenever someone tries to access your site. Even after you scrub your site, then you have to fill out an application to get Google to review your site.
Here are some things I learned from the experience that you may find useful:
- Make sure your passwords are strong. Read Protect Your Blog With A Solid Password. Don't use any words that can be found in the dictionary. Other BAD passwords: names spelled backwards, phone numbers, birthdays, qwerty, asdf, yourname1, default, letmein, password1, your car license, middle names. Don't use the same password for multiple sites.
- Keep your versions of Wordpress updated. As Alex King says, "Upgrade immediately. Always. No exceptions."
- Keep your versions of plugins updated. Remove any plugins you aren't using. Some older versions of plugins have security holes that hackers can use.
- Don't use the default admin account (called "admin") that comes with every Wordpress installation. Create another admin account with a different name and then delete the "admin" account.
- Take regular backups of your file directories as well as your database. One security tips post I found recommended WordPress Database Backup.
- Be wary of letting an application have write access to your files. Keep your file permissions as restrictive as possible.
- Limit your use of plugins. I try to do this anyway, because I was finding that having too many plugins really slowed down page loading on my site.
- Turn off any features you don't use.
And yes, I'm on the lookout for another blogging platform. If anyone has any suggestions, feel free to post below!
Anyway, here are some useful resources I found while researching Wordpress and security issues:
Top 5 WordPress Security Tips You Most Likely Don't Follow
Wordpress Security Tips and Hacks
20+ Powerful Security Plugins and Some Tips & Tricks
Wordpress Security, Upgrades and Backups
Wordpress Security Issues Lead To Mass Hacking. Is Your Blog Next?
Hardening Wordpress
Wordpress Security Whitepaper
How To Diagnose and Remove the WordPress Pharma Hack
Protect your Admin folder in Wordpress by limiting access in .htaccess
Any other tips or suggestions? Feel free to share them below.
As some of you may already know, some of my sites were hacked on the weekend. If you notice some missing images and features from this site, that's why -- I still haven't finished the finetuning after major damage control had been done.
Many thanks to those who e-mailed, tweeted and sent me Facebook messages about the problem, and to Cid of Cidwrites.com and others for their advice. Biggest thanks to my technonerdboy hubby, Jeff Ridpath, who spent pretty much the whole weekend helping me get things back to normal.
For anyone else out there who uses Wordpress as their blogging platform, be aware that what happened to me could very easily happen to you. You might think you don't have to worry because you just have a small site or figure that you don't have any valuable info on your site anyway but trust me...it's worth taking a few precautions to avoid going through the hassle of having to scrub your site clean and have to reinstall everything.
And if you get flagged by Google as a malware site, then you have the added embarrassment of the warning that comes up whenever someone tries to access your site. Even after you scrub your site, then you have to fill out an application to get Google to review your site.
Here are some things I learned from the experience that you may find useful:
- Make sure your passwords are strong. Read Protect Your Blog With A Solid Password. Don't use any words that can be found in the dictionary. Other BAD passwords: names spelled backwards, phone numbers, birthdays, qwerty, asdf, yourname1, default, letmein, password1, your car license, middle names. Don't use the same password for multiple sites.
- Keep your versions of Wordpress updated. As Alex King says, "Upgrade immediately. Always. No exceptions."
- Keep your versions of plugins updated. Remove any plugins you aren't using. Some older versions of plugins have security holes that hackers can use.
- Don't use the default admin account (called "admin") that comes with every Wordpress installation. Create another admin account with a different name and then delete the "admin" account.
- Take regular backups of your file directories as well as your database. One security tips post I found recommended WordPress Database Backup.
- Be wary of letting an application have write access to your files. Keep your file permissions as restrictive as possible.
- Limit your use of plugins. I try to do this anyway, because I was finding that having too many plugins really slowed down page loading on my site.
- Turn off any features you don't use.
And yes, I'm on the lookout for another blogging platform. If anyone has any suggestions, feel free to post below!
Anyway, here are some useful resources I found while researching Wordpress and security issues:
Top 5 WordPress Security Tips You Most Likely Don't Follow
Wordpress Security Tips and Hacks
20+ Powerful Security Plugins and Some Tips & Tricks
Wordpress Security, Upgrades and Backups
Wordpress Security Issues Lead To Mass Hacking. Is Your Blog Next?
Hardening Wordpress
Wordpress Security Whitepaper
How To Diagnose and Remove the WordPress Pharma Hack
Protect your Admin folder in Wordpress by limiting access in .htaccess
Any other tips or suggestions? Feel free to share them below.
Tuesday, June 1, 2010 at 4:28 PM
Reader Comments (17)
Yay for fixing the site and coming back! I've never used Wordpress. I use Blogger, which I really like. It's very easy to use.
Wow, I am so terribly sorry you went through this. You seem to be positive and upbeat given the circumstances. It's very generous of you to share this helpful information. May we link it and include it in our Friday blog round-up? This is going to help many people avoid disaster! The site is looking great and we're rooting for you :)
Marissa
Brittany: Thanks!
AICP: I'd be honoured if you linked to it, thanks!
Another vote for Blogger here. Love Blogger.
So sorry that happened to you, but thanks for sharing what you learned with us! :)
Yay you're back!
Thanks for the help! I use wordpress for damn near everything.
Mark
I'm so sorry you were hacked! I've been thinking about starting a Wordpress site, but now I'm going to have to seriously reconsider. Thanks so much for the tips, they're very helpful.
I know how you're feeling! My site was hacked once, too, and it was a pain to clean up. I still use WordPress... It's not their fault I wasn't keeping my installs updated. But correcting that and using the Secure WordPress plugin (found here: http://wordpress.org/extend/plugins/secure-wordpress/) resolved all my issues and I've had no problems since. I just thought I'd mention it, in case you'd like to try that instead of going to the time/investment/expense of moving platforms.
You can set up WordPress on Dreamhost to automatically upgrade when a new version comes out. It sends you mail to let you know it's happened.
I'm looking for a good blogging platform that is based on Ruby on Rails, myself. Typo looked good, maybe I should try that.
http://wiki.github.com/fdv/typo
Thank you for these tips! My email was hacked a few months ago, so I know how frustrating (annoying! upsetting!) it is.
So glad you got this all fixed and are up and running again.
It's a real pain to get hacked--been there done that. Business contact list was hacked. Hackers sent the entire list an email saying I was stranded in London without my cell phone and no money. Asked the whole list to wire money. The dummies even sent one to me at my other address! I straightened it all out but what a headache. No one sent money because the saw me the night before at a banquet and because of my elderly dad I was never separated from my cell.
That's a bummer. In general, I think all platforms have security flaw potential, so I'm not sure that switching will help much. Or rather, it'll help until it doesn't.
Here's another link to a helpful (to me, anyway!) article on wordpress blog security:
http://www.problogger.net/archives/2010/03/11/blog-security-girl-with-dragon-tattoo-movie/
Glad you're back up!
Greg
Hey.
Do you think this is a problem with Wordpress particularly? Do you blog through Wordpress.com, or -.org?
Thanks for the advice, it's not something I've really thought about, but certainly will now.
S
Glad things are fixed!
I've been using Blogger for a couple of years now with no problems (cross fingers). It's all web-based (although you can compose off-line and then upload), so there's nothing to "update" per se. I'm very stingy about which plugins I use, tending only to go with Blogger ones or very trustable third-party ones like ShareThis, so I can't comment about that part very well.
One weird thing: over the weekend I posted a link to *my* blog in my Facebook status, and it gave me an inkygirl.com malware warning, even though I hadn't mentioned inkygirl in that particular post. Would love to know how that happened....
Glad you're back up. Crackers (hackers who have turned to the dark side) make life miserable for the rest of us.
Whether you stick with WordPress or choose another platform, keep in mind that with FOSS (free, open-source software) you have a pretty good chance there are uber-geeks out there looking for security holes so they can plug them. With paid software, the developers' have no motivation to discover flaws until they have been exploited - and little motivation to reveal the fact to users even then, unless it gets into the news.
The developers of FOSS platforms "eat their own dog food", and they don't want their sites cracked. Many of the most devoted users are coders themselves - and they don't want their sites cracked, either. So you've got a larger base of people trying to keep up with security.
That said, all the people I know who understand the most about security will admit - at least privately - that it is impossible to be one hundred percent certain that any platform is totally secure. All you can do is make your site so tough to crack it is easier for the bad guys to look somewhere else.
A few things to add to your tips:
1: The best site security is useless if you don't also follow good security procedures on all the machines you use to access that site. You could use a password too tough for an intelligence agency to crack by brute force - and if you enter that password on a machine that has been compromised, the bad guys know exactly what it is. (Anti-virus, updated, regular scans; anti-malware, regular scans; use a HOSTS file and keep that up-to-date; disable Flash and Java except for selected sites; don't click on links unless you know where they go; etc. etc.)
2: I know a guy who does all of the above - and more - and he STILL uses another trick for entering important passwords. Just in case he's got a keylogger, he'll fire up an on-screen keyboard to enter sensitive information.
There are a lot of other tricks, but those are the most important ones you missed (unless I've missed one, too... ;) )
Wow! I'm so sorry you had to go through this.
You have provided a lot of helpful information, thanks! I am on wordpress and will take everything you said to heart! And, share with others.
I looked long and hard at blogging platforms before picking WordPress; I may not be the webslinger whiz that Jeff is, but I've been keeping peanut butter in my cupboard for twenty years now by sysadminning, and I haven't gone hungry yet... and a number of my webslinger friends (and an author who is a QA type by day and has no patience for adminning) swear by it.
I think you've pretty much hit the high points: Stay updated, keep good passwords, and keep your writeables and your total plugin exposure to a minimum.
That said, you've given me some homework to do with that security link salad... thanks for sharing the lessons, so we don' t have to learn'em the hard way!
(That's what open source people *do*, is share their screwups as well as their triumphs... it makes things much easier!)
Aloha! maa