A few days ago my blog was hacked. It is up and running now with minimal losses. My hosting provider, www.bluehost.com, helped me recover quickly by restoring a recent backup of the system. I decided to put some time and energy into researching the threats and countermeasures related to WordPress.
(Photo by Randy Son Of Robert)
Let me state this upfront – there is no silver bullet. Very few can protect their blog to the max (99%). It requires significant investment that most bloggers just cannot afford. What you can do is apply the simple, first-line defense practices readily available to everyone. These practices can significantly reduce the chance of being hacked.
Threats
What are the threats and vulnerabilities associated with the WordPress blogging platform? In professional security speak, a threat is something unwanted that might happen to your blog. Generally there are only a few, abbreviated as STRIDE: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege.
That is it, only six threats that any software system might face. The other question is how these threats can be materialized.

Vulnerabilities, And Attacks
The threats are materialized by performing attacks targeted at your blog and/or the hosting environment. Usually attacks are performed by hackers and targeted at the weakest links in your systems. These weakest links are called vulnerabilities. The possibilities are endless. If you search www.secunia.com, a web site specializing in tracking vulnerabilities for myriads of software technologies, including WordPress, you will realize that there are about 150 known vulnerabilities (weakest links that hackers can attack and exploit). Fortunately many of them are patched by vendors. Worth mentioning that bloggers are not always aware of the patch and keep running vulnerable software. Most vulnerabilities (security bugs introduced by developers of WordPress and plugins) allow code injection attacks. Code injections are the deadliest: this kind of attack can materialize all the threats I mentioned above.

Countermeasures
There is plenty of guidance on how to protect your WordPress from being hacked – see below for the references. The more I researched it, the more confident I became in the WP Security Scan plugin, as it touches many aspects mentioned in the security guidance. I also believe that since it is hosted on WP.org it is trustworthy, but that is only my own assumption. For example, one of the things the plugin performs is an automatic scan for well-known vulnerabilities. Once a vulnerability is identified, it suggests what needs to be done to fix it. Very handy. This is a sample snapshot of how a correctly configured WordPress installation should look (green is good, red is bad):
I Was Hacked, Now What?
So far I have discussed proactive actions aimed at protecting your blog from being hacked. To be more precise, the goal of preventive actions is reducing the risk of being hacked; there is no 100% protection. The other side of the story is reactive actions, and that means having a good backup/restore policy in place. In case your blog is hacked, your backup should help you quickly recover and get back on track. Contact your hosting service provider for backup-related matters. You might also want to manually export the XML file that contains all your posts and associated materials, like comments, using the export feature of WordPress (located in the Manage->Export section of the WordPress control panel). You can use it as your backup copy. To restore your work from the file, the import can easily be performed from the Manage->Import section of the WordPress control panel.

Practice This – Get Results
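One reactive check that goes with the backup advice above, as an added example that is not from the original post or from WordPress itself: a Python script that parses a WordPress WXR export and reports what the backup actually holds, because an export that silently lost posts or comments is no safer than no export. It assumes the WXR 1.2 namespace, and the sample export is constructed, not data from a real blog.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the WordPress eXtended RSS (WXR) export format.
NS = {
    "wp": "http://wordpress.org/export/1.2/",
    "content": "http://purl.org/rss/1.0/modules/content/",
}

# Constructed sample export (not a real blog): one healthy post with an approved
# and a spam comment, plus a published post whose body is empty.
SAMPLE_WXR = """<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/"
     xmlns:wp="http://wordpress.org/export/1.2/">
<channel><title>Example Blog</title>
<item>
  <title>WordPress security basics</title>
  <wp:post_type>post</wp:post_type><wp:status>publish</wp:status>
  <content:encoded><![CDATA[<p>Keep WordPress and plugins patched.</p>]]></content:encoded>
  <wp:comment><wp:comment_author>Sterling</wp:comment_author>
    <wp:comment_content>Thanks for the tip.</wp:comment_content>
    <wp:comment_approved>1</wp:comment_approved></wp:comment>
  <wp:comment><wp:comment_author>spambot</wp:comment_author>
    <wp:comment_content>buy stuff</wp:comment_content>
    <wp:comment_approved>spam</wp:comment_approved></wp:comment>
</item>
<item>
  <title>Truncated post</title>
  <wp:post_type>post</wp:post_type><wp:status>publish</wp:status>
  <content:encoded><![CDATA[]]></content:encoded>
</item>
</channel></rss>
"""

def summarize_wxr(xml_text):
    """Count published posts and approved comments and flag published posts with
    an empty body, so the numbers can be compared with the live blog dashboard."""
    root = ET.fromstring(xml_text)
    summary = {"published_posts": 0, "approved_comments": 0, "empty_published_posts": []}
    for item in root.iter("item"):
        if item.findtext("wp:post_type", namespaces=NS) != "post":
            continue  # skip pages, attachments and menu items
        if item.findtext("wp:status", namespaces=NS) != "publish":
            continue  # drafts and trashed posts are not what readers would miss
        summary["published_posts"] += 1
        body = item.findtext("content:encoded", default="", namespaces=NS) or ""
        if not body.strip():
            summary["empty_published_posts"].append(item.findtext("title"))
        for comment in item.findall("wp:comment", NS):
            if comment.findtext("wp:comment_approved", namespaces=NS) == "1":
                summary["approved_comments"] += 1
    return summary
```

Run it against a real export by reading the file into `summarize_wxr` and compare the counts with the post and comment totals shown in the WordPress control panel; a mismatch or a non-empty `empty_published_posts` list means the export is not a backup you can rely on.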
31 comments ↓
P.S. I’m happy to hear you got your blog back up and “unhacked”.
Glad to hear that you were able to restore backup of your blog.
This is very useful information, and constitutes an excellent follow up on your previous discussion.
I will certainly be having a good look at that WordPress security scan tool, as well as the export function in WordPress.
Again, a very useful summary and I am grateful for your sharing of this experience which could happen to any one of us.
It sounds like you did your homework and that security plug in sounds worth it.
Happy to hear you find it helpful
Liara,
This taught me a lesson – that is for sure!
Sterling,
Thank you. I am interested to hear your feedback about it. Go ahead and protect your assets
Andrew,
Thank you. You have invested in your blog quite a lot, eh? It is good to have baseline protection in place.
J.D.,
We both know it’s a never ending story. I hope these simple first line precautions will reduce the chance those script kiddies will be messing with my blog again.
Thank you for the detailed information. I am going to forward this to my friends and my web guy. That way we can be safer from the hackers.
Giovanna Garcia
Imperfect Action is better than No Action
Happy to be of help.
Happy to be of help!
Thanks for the info and the WP Security Scan plugin. I’m going to download it now. Good Stuff!
Happy to be of help
You are welcome
http://positivelypresent.typepad.com
Do not be scared, be aware
Follow proactive and reactive steps to reduce the risk of losing your stuff.
Yeah, I find it useful to spend my energy on something constructive vs destructive like regrets
Davina,
Thank you. Yes, w/security it is a never ending story, but it is never too late to take basic steps to protect your assets
I appreciate all of the work you went to.
Sheila
Happy it is helpful for you
You are very welcome
This is a lot of good information. Your efforts are appreciated.
Giovanna Garcia
Imperfect Action is better than No Action
Happy to be of help!
Thank you for the easy to read, informative post!
Happy you found it helpful and consumable
Happy you liked it
What club? Black Hat or White Hat? – LOL!