A few days ago my blog was hacked. It is up and running now with minimal losses. My hosting provider, www.bluehost.com, helped me recover quickly by restoring a recent backup of the system. I decided to put some time and energy into researching the threats and countermeasures related to WordPress.
by Randy Son Of Robert
Let me state this upfront: there is no silver bullet. Very few can protect their blog to the max (99%). It requires significant investment, which most bloggers simply cannot afford. What you can do is apply the simple, first-line defense practices readily available to everyone. These practices can significantly reduce the chance of being hacked.
What are the threats and vulnerabilities associated with the WordPress blogging platform? In professional security speak, a threat is something unwanted that might happen to your blog. Generally there are only a few, abbreviated as STRIDE (Microsoft's threat classification): Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation of privilege.
That is it: only six kinds of threat that any software system faces. The next question is how these threats can be realized.
Vulnerabilities and Attacks
The threats are realized by attacks targeted at your blog and/or its hosting environment. Attacks are usually performed by hackers and aimed at the weakest links in your system. These weakest links are called vulnerabilities, and the possibilities are endless. If you search www.secunia.com, a web site specializing in tracking vulnerabilities in myriad software technologies, including WordPress, you will find about 150 known vulnerabilities (weak links that hackers can attack and exploit). Fortunately many of them have been patched by the vendors. Worth mentioning: bloggers are not always aware of a patch and keep running vulnerable software. Most vulnerabilities (security bugs introduced by the developers of WordPress and its plugins) allow code injection attacks. Code injection is the deadliest kind: an attacker who can inject SQL, PHP or HTML/JavaScript into your blog can realize every one of the threats listed above.
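As an added example (not code from the original post or from any real plugin), here is a hypothetical plugin function written the way many vulnerable WordPress plugins are, next to the same function hardened with the WordPress APIs. The function names and the `term` query parameter are assumptions for illustration, and the code assumes a current WordPress release.

```php
<?php
// Added example, not from the original post or any real plugin: a hypothetical
// WordPress plugin feature that lists comments matching a search term taken
// from the query string. Function and parameter names are assumptions.

// VULNERABLE: user input goes straight into SQL and straight into HTML.
//   ?term=' OR 1=1 -- ' dumps every comment (SQL injection), and
//   ?term=<script>...</script> runs in the visitor's browser (reflected XSS).
function vulnerable_comment_search() {
    global $wpdb;
    $term = $_GET['term'];
    $rows = $wpdb->get_results(
        "SELECT comment_author, comment_content FROM {$wpdb->comments}
         WHERE comment_content LIKE '%" . $term . "%'"
    );
    echo '<h2>Results for ' . $term . '</h2>';
    foreach ( $rows as $row ) {
        echo '<p>' . $row->comment_author . ': ' . $row->comment_content . '</p>';
    }
}

// HARDENED: same feature using the APIs WordPress provides for exactly this.
function hardened_comment_search() {
    global $wpdb;
    // Validate the input before using it: strip tags/control characters,
    // undo PHP's magic-quote style slashes, and cap the length.
    $term = isset( $_GET['term'] ) ? sanitize_text_field( wp_unslash( $_GET['term'] ) ) : '';
    if ( '' === $term || strlen( $term ) > 64 ) {
        return;
    }
    // $wpdb->prepare() binds the value as a string; esc_like() neutralises
    // the LIKE wildcards % and _ so the caller cannot widen the pattern.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT comment_author, comment_content FROM {$wpdb->comments}
             WHERE comment_content LIKE %s",
            '%' . $wpdb->esc_like( $term ) . '%'
        )
    );
    // Every value written into HTML passes through an escaping function,
    // including data that came from the database (stored XSS).
    echo '<h2>Results for ' . esc_html( $term ) . '</h2>';
    foreach ( $rows as $row ) {
        echo '<p>' . esc_html( $row->comment_author ) . ': '
            . esc_html( $row->comment_content ) . '</p>';
    }
}
```

The two fixes are independent: `$wpdb->prepare()` stops the SQL injection even if the input were left unsanitized, and `esc_html()` stops the XSS even if the query were left unprepared. Plugins that only sanitize on input and trust the database on output get the second one wrong.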
There is plenty of guidance on how to protect your WordPress from being hacked; see the references below. The more I researched it, the more confident I became in the WP Security Scan plugin, as it touches many of the aspects mentioned in the security guidance. I also believe that since it is hosted on WP.org it is trustworthy, but that is only my own assumption. For example, one of the things the plugin performs is an automatic scan for well-known weaknesses. Once a weakness is identified, it suggests what needs to be done to fix it. Very handy. This is a sample snapshot of how a correctly configured WordPress installation should look (green is good, red is bad):
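As an added example, not code from the original post or from the WP Security Scan plugin, the script below performs three checks of the kind such scanners report as green or red: a non-default table prefix, a wp-config.php that is not world-readable, and no WordPress version leaked in the generator meta tag. Exactly which checks the plugin itself runs is an assumption here; the sample wp-config.php and HTML fragments are constructed so the script runs on its own with `php wp_check.php`.

```php
<?php
// Added example, not code from the original post or from the WP Security Scan
// plugin: three standalone hardening checks of the kind such scanners show as
// green/red. Which checks the plugin itself runs is an assumption.

// 1. The database table prefix should not be the default "wp_". Canned SQL
//    injection payloads hard-code names like wp_users; a different prefix
//    makes them miss. Modest, but free.
function check_table_prefix( string $config_source ): bool {
    if ( ! preg_match( '/\$table_prefix\s*=\s*[\'"]([^\'"]*)[\'"]/', $config_source, $m ) ) {
        return false; // no prefix assignment found: treat as failing
    }
    return $m[1] !== 'wp_';
}

// 2. wp-config.php holds the database password; the "other" read bit must be
//    clear so another account on a shared host cannot simply read it.
function check_config_permissions( string $config_path ): bool {
    $perms = fileperms( $config_path );
    if ( false === $perms ) {
        return false;
    }
    return ( $perms & 0004 ) === 0;
}

// 3. The generator meta tag tells an attacker which WordPress version to look
//    up in a vulnerability database. Remove it with
//    remove_action( 'wp_head', 'wp_generator' ) in the theme's functions.php.
function check_version_hidden( string $html ): bool {
    return ! preg_match( '/<meta\s+name=["\']generator["\']\s+content=["\']WordPress/i', $html );
}

// Constructed sample inputs so the script runs without a live site. Replace
// them with file_get_contents() of the real wp-config.php and front page.
$tmp = sys_get_temp_dir() . '/wp-config-' . getmypid() . '.php';
file_put_contents( $tmp, "<?php\n\$table_prefix = 'wp_';\ndefine('DB_PASSWORD', 'hunter2');\n" );
chmod( $tmp, 0644 ); // world-readable on purpose, to produce a red result

$weak_html   = '<head><meta name="generator" content="WordPress 2.5" /></head>';
$strong_html = '<head><link rel="stylesheet" href="style.css" /></head>';

$results = [
    'table prefix changed from wp_'         => check_table_prefix( file_get_contents( $tmp ) ),
    'wp-config.php not world-readable'      => check_config_permissions( $tmp ),
    'WordPress version hidden (weak page)'  => check_version_hidden( $weak_html ),
    'WordPress version hidden (fixed page)' => check_version_hidden( $strong_html ),
];
foreach ( $results as $label => $ok ) {
    printf( "%-40s %s\n", $label, $ok ? 'green' : 'red' );
}
unlink( $tmp );
```

With the constructed inputs the first three lines come out red and the last one green, which is the point: a scanner only tells you what to fix, and each red line maps to one concrete change (edit `$table_prefix` before installing, `chmod 640 wp-config.php`, remove the generator action).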
I Was Hacked, Now What?
So far I have discussed proactive actions aimed at protecting your blog from being hacked. To be more precise, the goal of preventive actions is reducing the risk of being hacked; there is no 100% protection. The other side of the story is reactive actions, and that means having a good backup/restore policy in place. If your blog is hacked, your backup should help you recover quickly and get back on track. Contact your hosting service provider about backups. You might also want to manually export the XML file that contains all your posts and associated material, such as comments, using the export feature of WordPress (located in the Manage->Export section of the WordPress control panel). You can use it as a backup copy. To restore your work from the file, the import can easily be performed from the Manage->Import section of the WordPress control panel. Note that this export covers content only (posts, pages, comments, categories and tags); themes, plugins, uploaded files and your settings are not in it, so the hosting provider's full backup is still needed.
Practice This – Get Results
My And Other Related Posts