
Protect Your Blog Or Get Hacked Like PracticeThis.com Was


www.PracticeThis.com was recently defaced. Instead of the usual content, the site was showing a “Security Z3ro” message left by the attackers.

Ironically, in my day job I am a software security [and performance] engineer.

That taught me a lesson I want to share with you.

Once I realized I had been hacked, these are the steps I followed to get back on track with minimal losses.


Contact Your Hosting Services Provider

I host my blog with www.BlueHost.com. They offer very good technical support: registered account holders like me can either open a Service Ticket or start an immediate chat with a technical support representative. I fired up a chat with their rep after seeing the defacement on my home page.

The www.Bluehost.com rep quickly verified my identity and, at my request, disabled access to www.PracticeThis.com entirely. I preferred to serve my readers nothing at all rather than bogus content.

Rollback The Latest Backup

www.Bluehost.com offers a flexible backup system. The most recent backup was from April 12 2009, so I asked to restore it. That is the reason some comments on the blog are not shown: they were submitted after that date. Dear loyal commenters, sorry for that. I also needed to republish my recent post, What Your Kid Knows About Creativity, as it was published after the latest backup. Subscribers might have received the content twice. Sorry about that; I did not mean to be that annoying. Two caveats a practitioner should keep in mind: a restore only helps if the backup predates the intrusion (a backup taken after the attacker got in brings the backdoor back with it), and the restore overwrites the evidence, so keep a copy of the compromised files and the access logs before rolling back.
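One concrete thing to do with that saved copy is to diff it against the restored backup: every file that was added or modified between the backup and the defacement is either the attacker's work or a legitimate edit you can account for. The script below is an added example, not code from the original post or from Bluehost: it hashes two directory trees and reports added, removed and modified files. The two sample trees (a clean backup and a tampered live copy with an edited theme file and a stray PHP file under wp-content/uploads) are constructed inline so it runs offline; the rule that a PHP file under uploads is suspicious is my own heuristic, since WordPress itself does not write PHP there.

```python
"""Added example (not the original post's code): diff a restored backup
against a saved copy of the compromised web root to find what changed.

Assumes two directory trees on disk: BACKUP (the copy restored from the
host's backup) and LIVE (the defaced site, saved before the restore).
The sample trees built by build_sample_trees() are constructed data.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_digest(root: Path) -> dict:
    """Map each file path (relative to root) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            digests[str(p.relative_to(root))] = sha256_of(p)
    return digests


def diff_trees(backup: Path, live: Path) -> dict:
    """Classify files as added, removed or modified relative to the backup.

    Files present only in LIVE that are PHP under wp-content/uploads are
    reported separately: WordPress never writes PHP into uploads itself,
    so such a file is a strong sign of a dropped script (my heuristic).
    """
    before, after = tree_digest(backup), tree_digest(live)
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before.keys() & after.keys()
                      if before[p] != after[p])
    suspicious_uploads = [p for p in added
                          if p.startswith("wp-content/uploads/")
                          and p.endswith(".php")]
    return {"added": added, "removed": removed, "modified": modified,
            "suspicious_uploads": suspicious_uploads}


def build_sample_trees(base: Path) -> tuple:
    """Constructed sample data: a clean backup and a tampered live copy."""
    backup, live = base / "backup", base / "live"
    clean = {
        "index.php": "<?php require 'wp-blog-header.php';\n",
        "wp-content/themes/mytheme/footer.php": "<footer>(c) 2009</footer>\n",
        "wp-content/uploads/2009/04/photo.jpg": "JPEGDATA",
    }
    for rel, body in clean.items():
        for root in (backup, live):
            f = root / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text(body)
    # Tamper with the live copy the way a theme defacement looks: a theme
    # file edited in place, plus an extra PHP file dropped into uploads.
    (live / "wp-content/themes/mytheme/footer.php").write_text(
        "<footer>Security Z3ro</footer>\n")
    (live / "wp-content/uploads/2009/04/x.php").write_text(
        "<?php /* dropped file */ ?>\n")
    return backup, live


def run_demo() -> dict:
    """Build the sample trees in a temp dir and return the diff report."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = build_sample_trees(Path(tmp))
        return diff_trees(backup, live)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```

On a real site you would point diff_trees() at the two directories and then read every file in the modified and added lists; the hashes tell you what changed, not whether the change is malicious.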

Re-Configure Security Settings

Following the advice of the technical support at Bluehost.com, I changed my passwords. I also changed the moderation policy: in the “Comment Moderation” section I set it to “Hold a comment in the queue if it contains 1 or more links” (the default is 2). This setting lives under Settings->Discussion in the WordPress administration. It addresses comment spam rather than the defacement itself, but it is a low-cost hardening step. I have my own take on how my site was exploited, which is well beyond the theme of this blog. Ping me via the contact form if you are interested in the details.

Share Your Security Practices

  • What’s your experience with security for WordPress?
  • What have you done to strengthen the security of your blog?

Related Materials

15 April 2009

36 Comments »

  • Sheila Atwood said:

    Thanks for the heads up! I had no idea. I will be using the plugin you suggested.
    Kudos to bluehost.

  • alik levin (author) said:

    Sheila,
    Bluehost.com has really good tech support. Remember the plugin is not 100% cure. It does nice preliminary security scan though. I am pretty new to the tech that WordPress is built with – PHP. I am planning to invest some time in researching WordPress security. I will be sharing my findings and best practices.

  • J.D. Meier said:

    I like your transparency and the fact you’ve shared your lessons learned.

    I look forward to your WordPress security best practices.

    I think the key at the end of the day is good backup/restore by your provider.

  • Giovanna Garcia said:

    Hi Alik

    Thank you for making me aware of security on Word Press. It is very important for us to protect our work.
    Thanks for the tips.
    Giovanna Garcia
    Imperfect Action is better than No Action

  • Stephen - Rat Race Trap said:

    WOW. I’m glad you recovered. I have bluehost too!

  • alik levin (author) said:

    J.D.,
    Thank you. Yep. Since there is not much under my control to better protect my blog, I need to keep a closer eye on the backup/restore story.

    Giovanna,
    Happy to hear it is helpful for you ;)

    Stephen,
    Bluehost.com offered very good help to me so far. You are in good hands ;) (touch wood)

  • Liara Covert said:

    Alik, it would seem back-ups are useful precautionary measures. However, physical existence evolves in such a way as to repeatedly test human ability to adapt to unforeseen circumstances. That is to say, no matter how proactive you believe you are, guarantees do not exist. You will encounter challenges. Thus, you are prompted to learn survival skills. This includes how to curtail the power negative emotions exert over the mind, body and spirit. Thanks for sharing more practical experience and lessons learned.

  • alik levin (author) said:

    Liara,
    I was amazed at myself how calm I was when I discovered it. I am investing tons of energy in my blog and it is my “baby” I really care about ;)
    Despite this, I was calm and the first thought was “OK, what’s next, how do I recover?”. I was not attached emotionally to it, I was not stuck with the event itself, I was thinking about the future. I think it’s progress in terms of personal dev, eh? :)

  • Mike said:

    This just happened to me yesterday! Judging by your entry, this happened to you too.

    I’m on Bluehost as well. I’m assuming you’re on a shared host. Which one are you on? I’m detecting a pattern here…

  • Mike said:

    BTW, I was able to find out that the theme was compromised, nothing else. I re-installed wp just to be safe though.

  • alik levin (author) said:

    Mike,
    Sorry to hear that.
    Compromising the theme is one way to do it. There are a few more… I have a different take. Happy you have recovered. What are you doing to prevent it in the future?

  • mikesoh.com was hacked!! : mikesoh.com said:

    [...] a quick search, another site was hit with the same exact hack.  He is also using WordPress, but he also uses the same hosting [...]

  • Mike said:

    Alik,

    Just posted my findings. You may want to search your logs for the IP address I have listed on the post:

    http://www.mikesoh.com/2009/04/mikesohcom-was-hacked/

  • Jannie Funster said:

    Alik: I’m real sorry for your loss. April 12th is not too far back, luckily.

    Those hackers rile me up more than I can express; I’m a pretty happy-go-lucky sort but those ne’er-do-wells really, pardon me, piss me off.

    I need to check into that link default setting. Like, Right Now. I am getting a LOT of spam.

    Thanks for the heads-up!

  • Broderick Allen said:

    Hey Alik,
    Glad to hear you didn’t lose much, and it got me thinking about the security of my blog. I do have a good backup system in place, but I’d rather take the steps so I don’t have to use it. I’ll have to see exactly what those steps are lol.

  • Stacey / Create a Balance said:

    I feel your pain. My blog was hacked a few months ago and before I called Bluehost, I thought it completely vanished. Fortunately Bluehost was great and was able to get my blog up and running in a few hours. I’m happy to know you are back up and writing again.

  • Evelyn Lim said:

    Oh dear..how traumatic!! Thanks for sharing about what to do if our sites got hacked. I’m so glad that your blog is working fine now.

  • Gennaro said:

    Sorry to hear that, Alik. Looks like you got back on your feet quickly though. Nice job by Blue Host too. Another reminder to backup regularly and to think about security measures.

  • alik levin (author) said:

    Mike,
    Thanks for sharing it – it actually connected a few dots. Another hardening step I have done is setting proper permissions on wp-admin/index.php, which should be 644 and not 755 as it was; it should prevent changes by accounts other than the registered ones. The plugin I refer to in the related materials actually revealed this with its scanner. I am collecting some more info and will be posting it soon ;)

    Jannie,
    Check your backup policies with your hosting provider too, this is what saved me; also run this security scanner plugin, it reveals *some* weak spots too, like permissions on critical administrative files.

    Broderick,
    Yes, best approach here is double sided – prevention and recovery.

    Stacey,
    Thank you for good words and for the support ;)

    Evelyn,
    Thank you for good words! Happy it is helpful for you – I hope to share some more insights on WordPress security soon ;)

    Gennaro,
    Yeah – good backup policy is what saved me. Thanks for the support ;)

  • Mike said:

    If you’re using Bluehost, you may want to consider installing the vanilla version of WordPress, vs the one that they provide through the installation program. I don’t even use Fantastico anymore and prefer to install everything myself.

    Your permissions look fine. As long as they weren’t writable (5 = read & execute), WP shouldn’t be able to write to the template.

  • tom said:

    Alik, it’s good that nothing more serious happened or more damage was done.

    What did bluehost suggest you can do to increase security?

    The only issue I had a few weeks ago was someone stealing my content, and my webhost blocked their site right away. I was really upset and was about to report them to their ISP as well.

  • alik levin (author) said:

    tom,
    Thank you for caring ;).
    Bluehost provided a plain vanilla checklist:

    1. Change the Admin Email on your account.
    2. Change the Password on your account.
    3. Change the Credit Card on file on your account.
    4. Update and apply any patches, upgrades, or updates that the 3rd party vendor or web developer of your scripts may have available.
    5. Fix any loose file permissions (this may be the most common exploit vulnerability)
    6. Delete all non-system Ftp Accounts that were created, or at the very least, change the passwords to the FTP Accounts.
    7. Check your scripts for any Header Injection attacks, Sql Injection attacks, Cross-Site Scripting attacks, etc.

    Very general as you can see – I am still collecting info on it.
    I think #5 is crucial here.
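Item 5 of that checklist is the one you can verify mechanically. The script below is an added example, not code from the post, from Bluehost or from the plugin mentioned above: it walks a web root and flags entries that are writable by group or others, plus a wp-config.php readable by anyone but its owner. It checks the write bits, not the execute bit, because 755 and 644 both deny writes to everyone except the owner. The sample tree is constructed inline (real WordPress file names, dummy contents) so the script runs offline; treating group-writable as a finding is a conservative choice of mine, and on some shared hosts group-writable is normal.

```python
"""Added example (not from the original post, Bluehost or the plugin):
an audit for "loose file permissions" on a WordPress web root.

It reports group/other *write* bits (the 2 in 775, 777, 666) and a
wp-config.php readable by group or others. The sample tree built by
build_sample_tree() is constructed data.
"""
import os
import stat
import tempfile
from pathlib import Path

# wp-config.php holds the database password: nobody but the owner should read it.
SECRET_FILES = {"wp-config.php"}


def audit_permissions(root: Path) -> dict:
    """Return {relative_path: reason} for every entry that fails a check."""
    findings = {}
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            p = Path(dirpath) / name
            mode = p.stat().st_mode
            rel = str(p.relative_to(root))
            bits = "%o" % (mode & 0o777)
            if mode & stat.S_IWOTH:
                findings[rel] = "world-writable (%s)" % bits
            elif mode & stat.S_IWGRP:
                # Conservative: flagged even though some shared hosts
                # run with a private per-user group.
                findings[rel] = "group-writable (%s)" % bits
            elif name in SECRET_FILES and mode & (stat.S_IRGRP | stat.S_IROTH):
                findings[rel] = "secret readable by group/others (%s)" % bits
    return findings


def build_sample_tree(base: Path) -> Path:
    """Constructed sample data: a web root with a mix of good and bad modes."""
    site = base / "public_html"
    layout = {
        "index.php": 0o644,                               # fine
        "wp-config.php": 0o644,                           # readable by all: finding
        "wp-admin/index.php": 0o755,                      # executable, not writable: fine
        "wp-content/themes/mytheme/footer.php": 0o666,    # world-writable: finding
        "wp-content/uploads": 0o777,                      # world-writable dir: finding
    }
    for rel in layout:
        p = site / rel
        if rel.endswith(".php"):
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text("<?php // dummy\n")
        else:
            p.mkdir(parents=True, exist_ok=True)
    # Normalise directory modes first so the host's umask does not affect the demo.
    for dirpath, dirs, _files in os.walk(site):
        for d in dirs:
            os.chmod(Path(dirpath) / d, 0o755)
    for rel, mode in layout.items():
        os.chmod(site / rel, mode)
    return site


def run_demo() -> dict:
    """Build the sample tree in a temp dir and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_permissions(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for path, reason in sorted(run_demo().items()):
        print(f"{path}: {reason}")
```

Run audit_permissions() against your own public_html; the wp-admin/index.php case in the sample shows that 755 is not a finding, since the execute bit is not what lets another account change the file.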

  • Mike said:

    Alik:

    Your files can be world-writable if you want! The problem comes down to what your script does with them. As long as the script is secure, your file permissions are a secondary vulnerability.

    Check to make sure you’re running the latest version of WP. I upgraded mine yesterday when I saw that there was a minor revision. I don’t think it fixed the bug, but hopefully it will deter them.

  • alik levin (author) said:

    Mike,
    Thanks for being on top of the things. This info is valuable.

  • Chris Edgar | Purpose Power Coaching said:

    Thanks for this post. I think I’ll look into Bluehost — when I was in a similar situation, my hosting provider told me my request was “beyond the scope of support.” :)

  • alik levin (author) said:

    Chris,
    Bluehost told me so too, I believe it is fair enough. But they were very cooperative in restoring my backups. Indeed protecting and maintaining security level of the blog does not seem to be their job as they do not control what plugins we, the bloggers install. They also do not control our tweaks for the rest of the system.
    Said that, bluehost support was ultra responsive and provided with any help I asked so far. I recommend it.

  • Mike said:

    I would recommend Bluehost for those who are familiar with Linux and would be comfortable with only “Administrative” support. I *rarely* need support from them. Usually my support is in the area of updating an A NAME DNS entry or increasing my bandwidth…things I don’t have control over.

    They are good people though. Since I moved to them, I’ve never considered moving, even if it were cheaper. Quite honestly, I don’t think you can get cheaper than $8 / mo for unlimited space, pretty much unlimited bandwidth, etc. I’m thinking about moving to a dedicated server though…

  • Happiness Is Better said:

    Sorry to hear that your blog was hacked. I really appreciate you sharing your experience with us though so if we do get hacked, we can use your experience as a reference.

    Thanks!
    -Dustin

  • Tom - Home Business Marketing Tips said:

    Thanks for the tips! It’s a good idea to change the login name to something other than “admin”, which it is by default, and also use the automated backup feature.

  • Melissa Donovan said:

    Thanks for sharing your story. I’ve heard a lot of bloggers mention that they were hacked, but they rarely go into much detail, so I’m left wondering. Why not post how they did it? I, for one, would love to know!

  • Andrew said:

    Alik,

    I’m terribly sorry to hear about your recent experience, which must have been most frustrating from your point of view.

    I really wish that people wouldn’t do this.

    I myself have not really thought about what I would do in that situation, nor have I thought about preventative steps which I could take in order to prevent this from occurring.

  • alik levin (author) said:

    Mike,
    I am a techie myself, not in Unix stuff though, so it does not count ;). I am happy bluehost offered me first class service. Nevertheless it triggered me to learn basic Unix/Linux stuff and PHP too. Thank you for your insights regarding this.

    Dustin,
    Thank you. Good to hear it is helpful for you ;)

    Tom,
    Thanks for the insight, the plugin’s security scan actually “revealed” this. Good stuff.

    Melissa,
    You are welcome. I do not know exactly how they did it. The possibilities are endless. Being the security guy on the block I can only tell that it is a never ending story. What works best is continuously hardening your blog with best practices in mind. I’d start with the security scan that the plugin I mentioned offers. It is hosted on wp.org so it should be trustworthy. Another reason not to publish it is reducing the chance someone decides to put on the black hat and use my research to hack others ;) . If you are interested in looking into vulnerabilities and exploits for WP and related – I suggest visiting secunia.com.

    Andrew,
    Thank you. Do not be sorry. I was not, *I* failed and I saw the opportunity to learn. Here is another story that happened to me yesterday – I was at risk of losing the work/life digital materials I collected over 5 years. In the end I recovered, but when I thought it was not going to end well – I was not sorry. I was thinking about how to avoid it when it happens next. ;)

  • 150 Ways To Break Into Your Blog (Hacking For Dummies) — Practice This said:

    [...] ← Protect Your Blog Or Get Hacked Like PracticeThis.com Was [...]

  • Andrew said:

    Alik,

    That sounds like a very proactive approach to an unfortunate situation.

    Good to hear that you learned a valuable lesson from the experience.

  • Salwa said:

    Thanks for the tips. It is very important for us to protect our work.

    I really wish that people wouldn’t do this, but sadly they do! And what I fail to understand is what they get from doing this.

  • alik levin (author) said:

    Salwa,
    You are very welcome ;)
