
150 Ways To Break Into Your Blog (Hacking For Dummies)


A few days ago my blog was hacked. It is up and running now with minimal losses. My hosting provider, www.bluehost.com, helped me recover quickly by restoring a recent backup of the system. I decided to put some time and energy into researching the threats to, and countermeasures for, WordPress.
[Photo by Randy Son Of Robert]
Let me state this upfront: there is no silver bullet. Very few bloggers can protect their blog close to the maximum, and doing so requires a significant investment that most cannot afford. What you can do is apply the simple, first-line defenses that are available to everyone. They significantly reduce the chance of being hacked.

Threats

What are the threats and vulnerabilities associated with the WordPress blogging platform? In security speak a threat is something unwanted that might happen to your blog. Threats fall into six categories, abbreviated STRIDE:

  • Spoofing. Pretending to be you, for example by stealing the user name and password you use to log on to your blog.
  • Tampering. Modifying the data on your blog (for example, defacing your blog’s homepage).
  • Repudiation. Less relevant to blogging; in a nutshell, an attacker can deny having done something because nothing on record proves it.
  • Information disclosure. Exposing private information such as passwords or unpublished drafts.
  • Denial of service. Making your blog unavailable.
  • Elevation of privilege. Gaining higher privileges, such as administrator rights, which make harmful actions on your blog possible.

That is it: only six categories of threat that any software system faces. The next question is how these threats are realized.

Vulnerabilities, And Attacks

Threats are realized through attacks on your blog and/or its hosting environment. Attacks target the weakest links in your system, and these weakest links are called vulnerabilities. The possibilities are endless. A search on www.secunia.com, a site that tracks vulnerabilities in myriads of software products, WordPress included, turns up about 150 known WordPress-related vulnerabilities. Fortunately many of them have been patched by the vendors. Worth mentioning: bloggers are not always aware of a patch and keep running vulnerable software. Most of these vulnerabilities are security bugs introduced by the developers of WordPress or its plugins, and most of them allow injection attacks, in which attacker-supplied input (a search term, a comment, a URL parameter) is handled as SQL or PHP code rather than as data. Injection is the deadliest class of attack because a single injection point can realize every threat listed above: read the password hashes (information disclosure), rewrite posts (tampering), create an administrator account (elevation of privilege) or wipe the database (denial of service).
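To make the injection point concrete, here is an added example (mine, not code from this post or from WordPress) of the bug in its simplest form: a search feature that pastes the visitor's term into SQL, beside the same feature with the term bound as a parameter. The table, rows and the `search_*` function names are constructed for the demonstration; SQLite stands in for MySQL. A WordPress plugin gets the hardened behaviour from `$wpdb->prepare()`.

```python
import sqlite3

# Constructed sample rows standing in for a WordPress wp_posts table (not real site data).
SAMPLE_POSTS = [
    (1, "Hello world", "publish"),
    (2, "Draft: unreleased product plans", "draft"),
    (3, "Private: salary notes", "private"),
]


def make_db():
    """Build an in-memory table with the same columns a plugin would query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER, post_title TEXT, post_status TEXT)")
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?)", SAMPLE_POSTS)
    return conn


def search_vulnerable(conn, term):
    """The bug: the visitor's search term is pasted into the SQL text, so the visitor
    can close the quoted string and rewrite the WHERE clause."""
    sql = ("SELECT post_title FROM wp_posts WHERE post_status = 'publish' "
           "AND post_title LIKE '%" + term + "%'")
    return sorted(row[0] for row in conn.execute(sql))


def search_hardened(conn, term):
    """The fix: the term is bound as a parameter. It is always treated as data and
    can never change the structure of the query."""
    sql = ("SELECT post_title FROM wp_posts WHERE post_status = 'publish' "
           "AND post_title LIKE ?")
    return sorted(row[0] for row in conn.execute(sql, ("%" + term + "%",)))


# Attacker-supplied term: closes the string, ORs in a tautology, then reopens a string
# so the quote the code appends still parses. AND binds tighter than OR, so the
# publish-only filter no longer applies and drafts and private posts come back.
INJECTION = "x' OR 1=1 OR post_title LIKE '"

if __name__ == "__main__":
    conn = make_db()
    print("honest search, vulnerable:", search_vulnerable(conn, "Hello"))
    print("honest search, hardened: ", search_hardened(conn, "Hello"))
    print("injection, vulnerable:   ", search_vulnerable(conn, INJECTION))  # leaks drafts
    print("injection, hardened:     ", search_hardened(conn, INJECTION))    # nothing
```

The hardened version returns nothing for the payload because the whole string is matched as a title pattern; the vulnerable one returns every row, which is the information-disclosure threat from the list above realized with a single request.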

Countermeasures

There is plenty of guidance on how to protect your WordPress installation from being hacked. The more I researched, the more confident I became in the WP Security Scan plugin, as it touches many of the aspects covered by that guidance. I also assume that, because it is hosted on WordPress.org, it is trustworthy, but that is my own assumption, not something I verified. One of the things the plugin does is scan automatically for well-known weak spots and suggest what needs to be done to fix each one it identifies. Very handy. This is a sample snapshot of how a correctly configured WordPress installation should look (green is good, red is bad):

[Screenshot: WP Security Scan results]
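To show what checks of this kind look like under the hood, here is an added example, written by me and not taken from the WP Security Scan plugin, that flags the loose settings such scanners typically report: the default `wp_` table prefix, an empty database password, `WP_DEBUG` left on, the WordPress version advertised in the generator meta tag, and world-writable or world-readable files. The `wp-config.php` fragment, the homepage HTML and the file modes are constructed inputs; a real run would read them with `open()` and `os.stat()`.

```python
import re
import stat

# Constructed sample inputs (not taken from any real installation).
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'blog');
define('DB_USER', 'bloguser');
define('DB_PASSWORD', '');
define('WP_DEBUG', true);
$table_prefix = 'wp_';
"""

SAMPLE_HOMEPAGE = """<html><head>
<meta name="generator" content="WordPress 2.7.1" />
</head></html>"""

# Constructed file modes, as os.stat(path).st_mode would report them.
SAMPLE_MODES = {
    "wp-config.php": 0o644,
    "wp-content/uploads": 0o777,
    ".htaccess": 0o644,
}


def check_wp_config(text):
    """Flag loose settings in wp-config.php text. Returns a list of findings."""
    findings = []
    m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", text)
    if m and m.group(1) == "wp_":
        findings.append("table prefix is the default 'wp_', which canned injection payloads assume")
    m = re.search(r"define\(\s*['\"]DB_PASSWORD['\"]\s*,\s*['\"]([^'\"]*)['\"]", text)
    if m and not m.group(1):
        findings.append("DB_PASSWORD is empty")
    if re.search(r"define\(\s*['\"]WP_DEBUG['\"]\s*,\s*true\s*\)", text):
        findings.append("WP_DEBUG is on; PHP errors (paths, queries) will be shown to visitors")
    return findings


def check_version_leak(html):
    """WordPress prints its version in a generator meta tag unless wp_generator
    is removed from the wp_head action; the version tells an attacker which
    published vulnerabilities apply."""
    m = re.search(r'<meta name="generator" content="WordPress ([^"]+)"', html)
    return [f"version {m.group(1)} is advertised in the generator meta tag"] if m else []


def check_modes(modes):
    """Flag world-writable paths and a wp-config.php that other users on the host can read."""
    findings = []
    for path, mode in modes.items():
        if mode & stat.S_IWOTH:
            findings.append(f"{path} is world-writable ({oct(mode)})")
        if path.endswith("wp-config.php") and mode & stat.S_IROTH:
            findings.append(f"{path} is readable by other users on the host ({oct(mode)})")
    return findings


def scan(config_text, homepage_html, modes):
    """Run every check and return the combined list of findings (empty means green)."""
    return check_wp_config(config_text) + check_version_leak(homepage_html) + check_modes(modes)


if __name__ == "__main__":
    for finding in scan(SAMPLE_WP_CONFIG, SAMPLE_HOMEPAGE, SAMPLE_MODES):
        print("RED:", finding)
```

An empty findings list is the all-green picture from the screenshot above; each finding corresponds to one red row and to one of the fixes the guidance recommends (change the prefix, set a real database password, turn debugging off, remove the generator tag, tighten permissions).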

I Was Hacked, Now What?

So far I have discussed proactive actions aimed at keeping your blog from being hacked. To be precise, the goal of preventive actions is to reduce the risk of being hacked; there is no 100% protection. The other side of the story is reactive action, and that means having a good backup/restore policy in place. If your blog is hacked, your backup should let you recover quickly and get back on track. Contact your hosting provider for backup-related matters. You might also want to export manually the XML file that contains all your posts and associated material, such as comments, using the export feature of WordPress (Manage->Export in the WordPress control panel), and keep it as your own backup copy. To restore your work from the file, run the import from Manage->Import. Two caveats: an export taken after the break-in may already contain the attacker's changes, so keep several dated copies; and an export covers content only, not themes, plugins, uploaded files or wp-config.php, which only a file-level backup from your host can restore.
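A backup you have never opened is a hope, not a policy. Here is an added example (my own, not part of this post or of WordPress) that checks an export file before you rely on it: it parses the WordPress eXtended RSS (WXR) format the export produces, counts posts, pages, drafts and comments so you can compare them with the dashboard, flags items with empty content, and records a SHA-256 of the file so a later copy can be compared against it. The export below is a constructed three-item sample, and the `wp` namespace URI is the 1.0 one used by WordPress around the time of this post; match it to the `xmlns:wp` declaration at the top of your own file.

```python
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used by the WXR export format. The wp URI carries a version number
# that differs between WordPress releases; copy it from your export's header.
NS = {
    "wp": "http://wordpress.org/export/1.0/",
    "content": "http://purl.org/rss/1.0/modules/content/",
}

# Constructed minimal export (not any real site's data).
SAMPLE_WXR = b"""<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/"
     xmlns:wp="http://wordpress.org/export/1.0/">
<channel>
<title>Example blog</title>
<item>
  <title>Hello world</title>
  <wp:post_type>post</wp:post_type>
  <wp:status>publish</wp:status>
  <content:encoded><![CDATA[<p>First post.</p>]]></content:encoded>
  <wp:comment><wp:comment_author>Reader</wp:comment_author></wp:comment>
  <wp:comment><wp:comment_author>Another</wp:comment_author></wp:comment>
</item>
<item>
  <title>About</title>
  <wp:post_type>page</wp:post_type>
  <wp:status>publish</wp:status>
  <content:encoded><![CDATA[<p>About me.</p>]]></content:encoded>
</item>
<item>
  <title>Work in progress</title>
  <wp:post_type>post</wp:post_type>
  <wp:status>draft</wp:status>
  <content:encoded><![CDATA[]]></content:encoded>
</item>
</channel>
</rss>
"""


def summarize_wxr(xml_bytes):
    """Count what an export contains so it can be compared with the live dashboard."""
    root = ET.fromstring(xml_bytes)
    counts = {"post": 0, "page": 0, "draft": 0, "comment": 0, "empty_content": 0}
    for item in root.iter("item"):
        ptype = item.findtext("wp:post_type", default="", namespaces=NS)
        status = item.findtext("wp:status", default="", namespaces=NS)
        if ptype in counts:
            counts[ptype] += 1
        if status == "draft":
            counts["draft"] += 1
        counts["comment"] += len(item.findall("wp:comment", NS))
        # An item whose body is empty is usually a truncated or failed export.
        if not item.findtext("content:encoded", default="", namespaces=NS).strip():
            counts["empty_content"] += 1
    # Fingerprint of the file, to be written down next to the dated copy.
    counts["sha256"] = hashlib.sha256(xml_bytes).hexdigest()
    return counts


def verify_backup(xml_bytes, expected_posts, expected_comments):
    """True when the export holds at least what the dashboard reports.
    A short export is a broken backup and must not be trusted for a restore."""
    s = summarize_wxr(xml_bytes)
    return s["post"] >= expected_posts and s["comment"] >= expected_comments


if __name__ == "__main__":
    # For a real file: summarize_wxr(open("wordpress.2009-04-17.xml", "rb").read())
    print(summarize_wxr(SAMPLE_WXR))
```

Run it on every export you take and keep the printed counts and hash with the file; if a later export shows fewer posts than the dashboard, or posts with empty bodies, you have learned that the backup is bad while the live site is still there to re-export from, rather than on the day you need it.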

Practice This – Get Results

  • Patch your software: follow vendors’ updates.
  • Use WordPress security guidance to protect your blog proactively: inspect your installation for well-known vulnerabilities and/or loose configuration.
  • Make sure you have a backup/restore policy in place; it will save the day when your blog is hacked.


17 April 2009

31 Comments »

  • Barbara Swafford said:

    Hi Alik – What an informative and helpful post. This is the first time I’ve heard of the WordPress Security Scan plugin. I’m going to check it out. I agree, if it’s hosted on WordPress.org that does give us an indication it should be safe to use. I hope. :)

    P.S. I’m happy to hear you got your blog back up and “unhacked”.

  • Liara Covert said:

    Every experience offers valuable lessons. If you believe something will be dangerous, difficult or inevitable, it will be. To believe something is possible reminds you it is. The idea of choosing to do nothing does not mean a person is unaware of reality. One is reminded different options exist to discern and relate to patterns of activity. The mind appears and creates havoc until it disappears and dissolves obstacles.

  • Sterling Okura said:

    Thanks for heads up on WP Security Scan. Going to download and test it right now.

    Glad to hear that you were able to restore backup of your blog.

  • Andrew said:

    Thanks Alex,

    This is very useful information, and constitutes an excellent follow up on your previous discussion.

    I will certainly be having a good look at that wordpress security scan tool, as well as the export function in WordPress.

    Again, a very useful summary and I am grateful for your sharing of this experience which could happen to any one of us.

  • J.D. Meier said:

    Very good info my friend.

    It sounds like you did your homework and that security plug in sounds worth it.

  • alik levin (author) said:

    Barbara,
    Happy to hear you find it helpful ;)

    Liara,
    This taught me a lesson – that is for sure! ;)

    Sterling,
    Thank you. I am interested to hear your feedback about it. Go ahead and protect your assets ;)

    Andrew,
    Thank you. You have invested in your blog quite a lot, eh? It is good to have baseline protection in place.

    J.D.,
    We both know it’s a never ending story. I hope these simple first line precautions will reduce the chance those script kiddies will be messing with my blog again. ;)

  • Giovanna Garcia said:

    Hi Alika

    Thank you for the detailed information. I am going to forward this to my friends and my web guy. That way we can be safer from the hackers.
    Giovanna Garcia
    Imperfect Action is better than No Action

  • alik levin (author) said:

    Giovanna,
    Happy to be of help.

  • Positively Present said:

    Lots of great stuff here. Thanks for all of this info! :)

  • alik levin (author) said:

    Positively Present,
    Happy to be of help! ;)

  • Broderick Allen said:

    Hey Alik,
    Thanks for the info and the WP Security Scan plugin. I’m going to download it now. Good Stuff!

  • alik levin (author) said:

    Broderick,
    Happy to be of help ;)

  • Stephen - Rat Race Trap said:

    Great advice. I plan to use some of it. Thanks so much!

  • alik levin (author) said:

    Stephen,
    You are welcome ;)

  • Positively Present said:

    Great info. Thanks! Now I’m scared of hackers…

    http://positivelypresent.typepad.com

  • alik levin (author) said:

    Positively Present,
    Do not be scared, be aware ;)
    Follow proactive and reactive steps to reduce the risk of losing your stuff.

  • Gennaro said:

    Thanks for turning your negative situation into a lesson for your readers. Life experiences are great for lessons.

  • Davina said:

    Hi Alik. Well, I’m happy to hear your blog is back to normal. Thank you for sharing what you’ve learned through this inconvenient episode. We can never be too careful.

  • alik levin (author) said:

    Gennaro,
    Yeah, I find it useful to spend my energy on something constructive vs destructive like regrets ;)

    Davina,
    Thank you. Yes, w/security it is a never ending story, but it is never too late to take basic steps to protect your assets ;)

  • Sheila Atwood said:

    Thanks for the information. I plan on doing the security scan.
    I appreciate all of the work you went to.

    Sheila

  • alik levin (author) said:

    Sheila,
    Happy it is helpful for you

  • Melissa Donovan said:

    Thank you for sharing this information! I’ve been curious about it ever since your last post on getting hacked.

  • alik levin (author) said:

    Melissa,
    You are very welcome ;)

  • Giovanna Garcia said:

    Hi Alik
    This is a lot of good information. Your efforts are appreciated.
    Giovanna Garcia
    Imperfect Action is better than No Action

  • Salwa said:

    Very informative and helpful post. This is the first time I’ve heard of the Security Scan plugin. I am definitely going to check it out. Thanks for the share!

  • alik levin (author) said:

    Salwa,
    Happy to be of help! ;)

  • Liara Covert said:

    Alik, you remind people that hacking happens, that it can and does happen to many people who do not expect it. The universe is full of wake up calls to prompt human beings to be more alert in their lives. This does not only concern what is occurring to their computers. It also concerns transformations in energy vibration, in apparent environmental upheavals and other changes that are all teachers in their own ways. Each person is given endless opportunities to learn.

  • Tracy said:

    Hi Alika,

    Thank you for the easy to read, informative post!

  • alik levin (author) said:

    Hey, Tracy!
    Happy you found it helpful and consumable ;)

  • Tess The Bold Life said:

    Love the photo and love the input. Let’s get as many as possible into this club!

  • alik levin (author) said:

    Tess,
    Happy you liked it ;)
    What club? Black Hat or White Hat? – LOL!
