Protect Your Blog Or Get Hacked Like PracticeThis.com Was
36 Comments
www.PracticeThis.com was recently defaced, hacked, hijacked, poisoned by hackers. Instead of the usual content the site was showing “Security Z3ro”.
Ironically, in my day job I am a software security [and performance] engineer. That taught me a lesson that I want to share with you.
by ohsoabnormal
Once I realized I had been hacked, these are the steps I followed to get back on track with minimal losses.

Contact Your Hosting Services Provider
I am hosting my blog with www.BlueHost.com. They offer very good technical support – registered accounts like mine can open either Service Tickets (SR) or start an immediate chat with a technical support representative. I decided to fire up a chat client with their rep after observing this image on my home page:
The www.Bluehost.com rep quickly verified my identity and then, following my request, disabled access to www.PracticeThis.com entirely. I preferred not to serve my readers at all rather than serve them bogus content.

Rollback The Latest Backup
www.Bluehost.com offers a flexible backup system. The most recent backup was from April 12 2009, so I asked to restore it. That is the reason some comments on the blog are not shown – they were submitted after that date. Dear loyal commenters, sorry for that. I also needed to republish my recent post – What Your Kid Knows About Creativity – as it was published after the latest backup. Subscribers might have received the content twice. Sorry about that – I did not mean to be that annoying.

Re-Configure Security Settings
Following the advice from technical support at Bluehost.com I changed my passwords. I also changed the moderation policy. In the “Comment Moderation” section I changed the setting to “Hold a comment in the queue if it contains 1 or more links” (the default setting was 2). This configuration can be found in the Settings->Discussion section of WordPress administration. I have my own take on how my site was exploited, which is way beyond the theme of this blog. Ping me via the contact form if you are interested to hear the details.

Share Your Security Practices

Related Materials
Thanks for the heads up! I had no idea. I will be using the plug in you suggested.
Kudos to bluehost.
Sheila,
Bluehost.com has really good tech support. Remember the plugin is not a 100% cure. It does a nice preliminary security scan though. I am pretty new to the tech that WordPress is built with – PHP. I am planning to invest some time in researching WordPress security. I will be sharing my findings and best practices.
I like your transparency and the fact you’ve shared your lessons learned.
I look forward to your WordPress security best practices.
I think the key at the end of the day is good backup/restore by your provider.
Hi Alik
Thank you for making me aware of security on Word Press. It is very important for us to protect our work.
Thanks for the tips.
Giovanna Garcia
Imperfect Action is better than No Action
WOW. I’m glad you recovered. I have bluehost too!
J.D.,
Thank you. Yep. Since there is not so much under my control to better protect my blog, I need to keep a closer eye on the backup/restore story.
Giovanna,
Happy to hear it is helpful for you
Stephen,
(touch wood)
Bluehost.com offered very good help to me so far. You are in good hands
Alik, it would seem back-ups are useful precautionary measures. However, physical existence evolves in such a way as to repeatedly test human ability to adapt to unforeseen circumstances. That is to say, no matter how proactive you believe you are, guarantees do not exist. You will encounter challenges. Thus, you are prompted to learn survival skills. This includes how to curtail the power negative emotions exert over the mind, body and spirit. Thanks for sharing more practical experience and lessons learned.
Liara,
I was amazed at myself how calm I was when discovered it. I am investing tons of energy in my blog and it is my “baby” I really care about
Despite this, I was calm and the first thought was “OK, what’s next, how do I recover?”. I was not attached emotionally to it, I was not stuck with the event itself, I was thinking about the future. I think it’s progress in terms of personal dev, eh?
This just happened to me yesterday! Judging by your entry, this happened to you too.
I’m on Bluehost as well. I’m assuming you’re on a shared host. Which one are you on? I’m detecting a pattern here…
BTW, I was able to find out that the theme was compromised, nothing else. I re-installed wp just to be safe though.
Mike,
Sorry to hear that.
Compromising the theme is one way to do it. There are a few more… I have a different take. Happy you have recovered. What are you doing to prevent it in the future?
[...] a quick search, another site was hit with the same exact hack. He is also using WordPress, but he also uses the same hosting [...]
Alik,
Just posted my findings. You may want to search your logs for the IP address I have listed on the post:
http://www.mikesoh.com/2009/04/mikesohcom-was-hacked/
Alik: I’m real sorry for your loss. April 12th is not too far back, luckily.
Those hackers rile me up more than I can express, I’m a pretty happy-go-lucky sort but those n’er-do-wells really – pardon me – piss me off.
I need to check into that link default setting. Like, Right Now. I am getting a LOT of spam.
Thanks for the heads-up!
Hey Alik,
Glad to hear you didn’t lose much, and it got me thinking about the security of my blog. I do have a good backup system in place, but I’d rather take the steps so I don’t have to use it. I’ll have to see exactly what those steps are lol.
I feel your pain. My blog was hacked a few months ago and before I called Bluehost, I thought it completely vanished. Fortunately Bluehost was great and was able to get my blog up and running in a few hours. I’m happy to know you are back up and writing again.
Oh dear..how traumatic!! Thanks for sharing about what to do if our sites got hacked. I’m so glad that your blog is working fine now.
Sorry to hear that, Alik. Looks like you got back on your feet quickly though. Nice job by Blue Host too. Another reminder to backup regularly and to think about security measures.
Mike,
Thanks for sharing it – it actually connected a few dots. Another hardening step I have done is setting proper permissions on wp-admin/index.php, which should be 644 and not 755 as it was; it should prevent changes by accounts other than the registered ones. The plugin I refer to in the related materials actually revealed this with its scanner. I am collecting some more info and will be posting it soon.
Jannie,
Check your backup policies with your hosting provider too, this is what saved me; also run this security scanner plugin, it reveals *some* weak spots too, like permissions on critical administrative files.
Broderick,
Yes, best approach here is double sided – prevention and recovery.
Stacy,
Thank you for good words and for the support
Evelyn,
Thank you for good words! Happy it is helpful for you – I hope to share some more insights on WordPress security soon
Gennaro,
Yeah – good backup policy is what saved me. Thanks for the support
If you’re using Bluehost, you may want to consider installing the vanilla version of WordPress, vs the one that they provide through the installation program. I don’t even use Fantastico anymore and prefer to install everything myself.
Your permissions look fine. As long as they weren’t writable (5 = read & execute), the WP shouldn’t be able to write to the template.
Alik, it’s good that nothing more serious happened or more damage was done.
What did bluehost suggest you can do to increase security?
The only issue I had a few weeks ago was someone stealing my content and my webhost blocked their site right away. I was really upset and was about to report them to their ISP as well.
tom,
Thank you for caring
Bluehost provided plain vanilla checklist:
1. Change the Admin Email on your account.
2. Change the Password on your account.
3. Change the Credit Card on file on your account.
4. Update and apply any patches, upgrades, or updates that the 3rd party vendor or web developer of your scripts may have available.
5. Fix any loose file permissions (this may be the most common exploit vulnerability)
6. Delete all non-system Ftp Accounts that were created, or at the very least, change the passwords to the FTP Accounts.
7. Check your scripts for any Header Injection attacks, Sql Injection attacks, Cross-Site Scripting attacks, etc.
Very general as you can see – I am still collecting info on it.
I think #5 is crucial here.
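The permission check in item 5 of that checklist, as an added shell example that is not part of the original post or of Bluehost’s advice: it audits a WordPress tree against the baseline discussed in these comments (regular files 644, directories 755, nothing world-writable), reports every deviation, and can apply the baseline. The sample install it builds under mktemp is constructed for the demonstration, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post or from Bluehost): audit a WordPress
# install for loose file permissions, the item the checklist above calls the most
# common exploit vulnerability. Baseline assumed here: regular files 644,
# directories 755, and nothing world-writable. Function names are hypothetical.

# Print one line per deviation. Exact-mode matching (-perm 644) and the
# "all of these bits set" form (-perm -002) are both POSIX find.
audit_wp_perms() {
    root="$1"
    # Regular files whose mode is not exactly 644 (owner rw, group/other r).
    find "$root" -type f ! -perm 644 -exec printf 'FILE-NOT-644 %s\n' {} \;
    # Directories whose mode is not exactly 755.
    find "$root" -type d ! -perm 755 -exec printf 'DIR-NOT-755 %s\n' {} \;
    # World-writable entries get their own line: on a shared host these are the
    # ones any other local account could modify.
    find "$root" \( -type f -o -type d \) -perm -002 \
        -exec printf 'WORLD-WRITABLE %s\n' {} \;
}

# Number of deviations found (0 means the tree matches the baseline).
count_loose_perms() {
    audit_wp_perms "$1" | wc -l | tr -d ' '
}

# Apply the baseline: 644 for files, 755 for directories. Run as the account
# that owns the install; ownership itself is not touched.
tighten_wp_perms() {
    root="$1"
    find "$root" -type f -exec chmod 644 {} \;
    find "$root" -type d -exec chmod 755 {} \;
}

# Constructed sample tree for the demonstration: a few files laid out like a
# WordPress install, with two deliberately loose entries.
make_sample_install() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-admin" "$dir/wp-content/themes/sample"
    : > "$dir/wp-config.php"
    : > "$dir/wp-admin/index.php"
    : > "$dir/wp-content/themes/sample/header.php"
    chmod 755 "$dir" "$dir/wp-admin" "$dir/wp-content" \
        "$dir/wp-content/themes" "$dir/wp-content/themes/sample"
    chmod 644 "$dir/wp-config.php"
    chmod 755 "$dir/wp-admin/index.php"                   # the 755 case from the comments
    chmod 666 "$dir/wp-content/themes/sample/header.php"  # world-writable theme file
    printf '%s\n' "$dir"
}

# Usage: sh audit.sh /path/to/wordpress
if [ $# -gt 0 ]; then
    audit_wp_perms "$1"
    printf 'loose entries: %s\n' "$(count_loose_perms "$1")"
fi
```

On the constructed tree the audit reports three lines (the 755 wp-admin/index.php, and the 666 theme file both as not-644 and as world-writable); after tighten_wp_perms it reports none. Run the audit regularly and after any plugin or theme install, since installers are a common source of drift from the baseline.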
Alik:
Your files can be world-writable if you want! The problem comes down to what your script does with them. As long as the script is secure, your file permissions are a secondary vulnerability.
Check to make sure you’re running the latest version of WP. I upgraded mine yesterday when I saw that there was a minor revision. I don’t think it fixed the bug, but hopefully it will deter them.
Mike,
Thanks for being on top of the things. This info is valuable.
Thanks for this post. I think I’ll look into Bluehost — when I was in a similar situation, my hosting provider told me my request was “beyond the scope of support.”
Chris,
Bluehost told me so too, I believe it is fair enough. But they were very cooperative in restoring my backups. Indeed, protecting and maintaining the security level of the blog does not seem to be their job, as they do not control what plugins we, the bloggers, install. They also do not control our tweaks to the rest of the system.
That said, bluehost support was ultra responsive and provided any help I asked for so far. I recommend it.
I would recommend Bluehost for those who are familiar with Linux and would be comfortable with only “Administrative” support. I *rarely* need support from them. Usually my support is in the area of updating an A NAME DNS entry or increasing my bandwidth…things I don’t have control over.
They are good people though. Since I moved to them, I’ve never considered moving, even if it were cheaper. Quite honestly, I don’t think you can get cheaper than $8 / mo for unlimited space, pretty much unlimited bandwidth, etc. I’m thinking about moving to a dedicated server though…
Sorry to hear that your blog was hacked. I really appreciate you sharing your experience with us though so if we do get hacked, we can use your experience as a reference.
Thanks!
-Dustin
Thanks for the tips! It’s a good idea to change the login name to something other than “admin”, which it is by default, and also use the automated backup feature.
Thanks for sharing your story. I’ve heard a lot of bloggers mention that they were hacked, but they rarely go into much detail, so I’m left wondering. Why not post how they did it? I, for one, would love to know!
Alik,
I’m terribly sorry to hear about your recent experience, which must have been most frustrating from your point of view.
I really wish that people wouldn’t do this.
I myself have not really thought about what I would do in that situation, nor have I thought about preventative steps which I could take in order to prevent this from occurring.
Mike,
I am happy bluehost offered me first class services. Nevertheless it triggered me to learn Unix/Linux basic stuff and PHP too. Thank you for your insights regarding this.
I am a techie myself, not in Unix stuff though, so it does not count
Dustin,
Thank you. Good to hear it is helpful for you
Tom,
Thanks for the insight, the plugin’s security scan actually “revealed” this. Good stuff.
Melissa,
If you are interested in looking into vulnerabilities and exploits for WP and related – I suggest visiting secunia.com.
You are welcome. I do not know exactly how they did it. The possibilities are endless. Being the security guy on the block I can only tell that it is a never ending story. What works best is continuously hardening your blog with best practices in mind. I’d start with the security scan that the plugin I mentioned offers. It is hosted on wp.org so it should be trustworthy. Another reason for not publishing it is reducing the chance someone decides to put on the black hat and use my research to hack others
Andrew,
Thank you. Do not be sorry. I was not; *I* failed and I saw the opportunity to learn. Here is another story that happened to me yesterday – I was at risk of losing my work/life digital materials I had collected for 5 years. In the end I recovered, but when I thought it was not going to end well – I was not sorry. I was thinking about how to avoid it when it happens next.
[...] ← Protect Your Blog Or Get Hacked Like PracticeThis.com Was [...]
Alik,
That sounds like a very proactive approach to an unfortunate situation.
Good to hear that you learned a valuable lesson from the experience.
Thanks for the tips. It is very important for us to protect our work.
I really wish that people wouldn’t do this, but sadly they do! and what I fail to understand is what do they get from doing this?
Salwa,
You are very welcome