www.PracticeThis.com was recently defaced, hacked, hijacked, poisoned by hackers. Instead of the usual content the site was exhibiting “Security Z3ro”.
How ironic: in my day job I am a software security [and performance] engineer. That taught me a lesson that I want to share with you.
by ohsoabnormal
Once I realized I had been hacked, these are the steps I followed to get back on track with minimal losses.

Contact Your Hosting Services Provider
I host my blog with www.BlueHost.com. They offer very good technical support: registered account holders like myself can either open Service Tickets (SR) or start an immediate chat with a technical support representative. I decided to fire up a chat with their rep after observing this image on my home page:

The www.Bluehost.com rep quickly verified my identity and then, following my request, completely disabled access to www.PracticeThis.com. I preferred not to serve my readers at all rather than serve them bogus content.

Rollback The Latest Backup
www.Bluehost.com offers a flexible backup system. The most recent backup was from April 12 2009, so I asked to restore it. That is the reason some comments on the blog are not shown: they were submitted after that date. Dear loyal commenters, sorry for that. I also needed to republish my recent post, What Your Kid Knows About Creativity, as it was published after the latest backup. Subscribers might have received the content twice. Sorry about that; I did not mean to be that annoying.

Re-Configure Security Settings
Following the advice from the technical support at Bluehost.com, I changed my passwords. I also changed the moderation policy. In the “Comment Moderation” section I changed it to “Hold a comment in the queue if it contains 1 or more links” (the default setting was 2). This configuration can be found in the Settings->Discussion section of WordPress administration. I have my own take on how my site was exploited, which is way beyond the theme of this blog. Ping me via the contact form if you are interested in hearing the details.

Share Your Security Practices
Related Materials

36 comments
Kudos to bluehost.
Bluehost.com has really good tech support. Remember the plugin is not a 100% cure. It does a nice preliminary security scan though. I am pretty new to the tech that WordPress is built with - PHP. I am planning to invest some time in researching WordPress security. I will be sharing my findings and best practices.
I look forward to your WordPress security best practices.
I think the key at the end of the day is good backup/restore by your provider.
Thank you for making me aware of security on WordPress. It is very important for us to protect our work.
Thanks for the tips.
Giovanna Garcia
Imperfect Action is better than No Action
Thank you. Yep. Since there is not so much under my control to protect my blog better, I need to keep a closer eye on the backup/restore story.
Giovanna,
Happy to hear it is helpful for you
Stephen,
(touch wood)
Bluehost.com has offered very good help to me so far. You are in good hands.
I was amazed at myself how calm I was when I discovered it. I am investing tons of energy in my blog and it is my “baby” that I really care about.
Despite this, I was calm and the first thought was “OK, what’s next, how do I recover?”. I was not attached emotionally to it, I was not stuck with the event itself, I was thinking about the future. I think it’s progress in terms of personal dev, eh?
I’m on Bluehost as well. I’m assuming you’re on a shared host. Which one are you on? I’m detecting a pattern here…
Sorry to hear that.
Compromising the theme is one way to do it. There are a few more… I have a different take. Happy you have recovered. What are you doing to prevent it in the future?
[...] a quick search, another site was hit with the same exact hack. He is also using WordPress, but he also uses the same hosting [...]
Just posted my findings. You may want to search your logs for the IP address I have listed on the post:
http://www.mikesoh.com/2009/04/mikesohcom-was-hacked/
Those hackers rile me up more than I can express. I’m a pretty happy-go-lucky sort, but those ne’er-do-wells really, pardon me, piss me off.
I need to check into that link default setting. Like, Right Now. I am getting a LOT of spam.
Thanks for the heads-up!
Glad to hear you didn’t lose much, and it got me thinking about the security of my blog. I do have a good backup system in place, but I’d rather take the steps so I don’t have to use it. I’ll have to see exactly what those steps are lol.
Thanks for sharing it - it actually connected a few dots. Another hardening step I have done is setting proper permissions on wp-admin/index.php, which should be 644 and not 755 as it was; it should prevent changes by accounts other than registered ones. The plugin I refer to in the related materials actually revealed this with its scanner. I am collecting some more info and will be posting it soon.
Jannie,
Check your backup policies with your hosting provider too, this is what saved me. Also run this security scanner plugin; it reveals *some* weak spots too, like permissions on critical administrative files.
Broderick,
Yes, best approach here is double sided - prevention and recovery.
Stacy,
Thank you for the good words and for the support.
Evelyn,
Thank you for the good words! Happy it is helpful for you - I hope to share some more insights on WordPress security soon.
Gennaro,
Yeah - a good backup policy is what saved me. Thanks for the support.
Your permissions look fine. As long as they weren’t writable (5 = read & execute), WP shouldn’t be able to write to the template.
What did Bluehost suggest you can do to increase security?
The only issue i had a few weeks ago was someone stealing my content and my webhost blocked their site right away. I was really upset and was about to report them to their ISP as well.
Thank you for caring ;).
Bluehost provided a plain vanilla checklist:
1. Change the Admin Email on your account.
2. Change the Password on your account.
3. Change the Credit Card on file on your account.
4. Update and apply any patches, upgrades, or updates that the 3rd party vendor or web developer of your scripts may have available.
5. Fix any loose file permissions (this may be the most common exploit vulnerability)
6. Delete all non-system FTP accounts that were created, or at the very least, change the passwords to the FTP accounts.
7. Check your scripts for any Header Injection attacks, SQL Injection attacks, Cross-Site Scripting attacks, etc.
Very general as you can see - I am still collecting info on it.
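Checklist item 5 ("loose file permissions") and the 644-vs-755 discussion on wp-admin/index.php above, as an added shell example that is not from the original post, Bluehost or WordPress. It assumes the common shared-hosting policy of 755 for directories and 644 for files, and builds its own constructed demo tree rather than touching a real install:

```shell
#!/bin/sh
# Added example, not code from the original post, Bluehost or WordPress.
# Audits a WordPress tree for "loose" file permissions (checklist item 5)
# and normalises them to 755 for directories / 644 for files, the mode the
# post's author set on wp-admin/index.php.

# Print each path under $1 that is writable by group or others (775, 777,
# 666 ...) or that is a file with any execute bit (PHP served through the
# web server's module does not need one). Output is sorted for stable diffs.
loose_perms() {
    find "$1" \( -perm -g+w -o -perm -o+w \
        -o \( -type f -a \( -perm -u+x -o -perm -g+x -o -perm -o+x \) \) \) \
        -print | sort
}

# Number of flagged paths; 0 means the tree is clean.
count_loose_perms() {
    loose_perms "$1" | wc -l | tr -d ' '
}

# Remediation: directories rwxr-xr-x, files rw-r--r--.
fix_wp_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed demo tree (not a real install) with two deliberately bad modes.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-admin" "$d/wp-content/themes/demo"
    : > "$d/wp-admin/index.php"
    : > "$d/wp-content/themes/demo/footer.php"
    : > "$d/wp-config.php"
    find "$d" -type d -exec chmod 755 {} +
    chmod 644 "$d/wp-config.php"
    chmod 755 "$d/wp-admin/index.php"                 # executable file, as the author found it
    chmod 666 "$d/wp-content/themes/demo/footer.php"  # world-writable theme file
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    t=$(make_demo_tree)
    echo "flagged before fix: $(count_loose_perms "$t")"
    loose_perms "$t"
    fix_wp_perms "$t"
    echo "flagged after fix:  $(count_loose_perms "$t")"
    rm -rf "$t"
fi
```

Run it with `--demo` to see the two flagged paths disappear after `fix_wp_perms`; on a real tree, review the `loose_perms` output before applying the fix, since uploads directories may legitimately need to be writable by the web server user.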
I think #5 is crucial here.
Your files can be world-writable if you want! The problem comes down to what your script does with them. As long as the script is secure, your file permissions are a secondary vulnerability.
Check to make sure you’re running the latest version of WP. I upgraded mine yesterday when I saw that there was a minor revision. I don’t think it fixed the bug, but hopefully it will deter them.
Thanks for being on top of the things. This info is valuable.
Bluehost told me so too; I believe it is fair enough. But they were very cooperative in restoring my backups. Indeed, protecting and maintaining the security level of the blog does not seem to be their job, as they do not control what plugins we, the bloggers, install. They also do not control our tweaks to the rest of the system.
That said, Bluehost support was ultra responsive and provided any help I asked for so far. I recommend it.
They are good people though. Since I moved to them, I’ve never considered moving, even if it were cheaper. Quite honestly, I don’t think you can get cheaper than $8 / mo for unlimited space, pretty much unlimited bandwidth, etc. I’m thinking about moving to a dedicated server though…
Thanks!
-Dustin
I’m terribly sorry to hear about your recent experience, which must have been most frustrating from your point of view.
I really wish that people wouldn’t do this.
I myself have not really thought about what I would do in that situation, nor have I thought about preventative steps which I could take in order to prevent this from occurring.
I am a techie myself, not in Unix stuff though, so it does not count ;). I am happy Bluehost offered me first class service. Nevertheless it triggered me to learn basic Unix/Linux stuff and PHP too. Thank you for your insights regarding this.
Dustin,
Thank you. Good to hear it is helpful for you.
Tom,
Thanks for the insight, the plugin’s security scan actually “revealed” this. Good stuff.
Melissa,
If you are interested in looking into vulnerabilities and exploits for WP and related software, I suggest visiting secunia.com.
You are welcome. I do not know exactly how they did it. The possibilities are endless. Being the security guy on the block, I can only tell that it is a never ending story. What works best is continuously hardening your blog with best practices in mind. I’d start with the security scan that the plugin I mentioned offers. It is hosted on wp.org so it should be trustworthy. Another reason not to publish it is reducing the chance someone decides to put on the black hat and use my research to hack others.
Andrew,
Thank you. Do not be sorry. I was not; *I* failed and I saw the opportunity to learn. Here is another story that happened to me yesterday - I was at risk of losing the work/life digital materials I had collected over 5 years. In the end I recovered, but when I thought it was not going to end well, I was not sorry. I was thinking about how to avoid it when it happens next.
[...] ← Protect Your Blog Or Get Hacked Like PracticeThis.com Was [...]
That sounds like a very proactive approach to an unfortunate situation.
Good to hear that you learned a valuable lesson from the experience.
I really wish that people wouldn’t do this, but sadly they do! And what I fail to understand is what they get from doing this?
You are very welcome