WordPress Blog Hacked

It’s hardly news. Hacking into blogs is far more prevalent than you may think. A Google search for ‘My Blog Was Hacked’ gives a count of over 2,770,000 web pages. I regret to say that this blog was hacked into by a real expert some 10 days ago. Since then, I’ve done a great deal of exploration and frankly it’s all very fascinating.

In this post, you will find hints on how to stay vigilant so that you will be aware if your blog is hacked. In a subsequent post, I will give some more advanced tips on how to stay vigilant and make your blog more secure. In a final post, I will describe some of the results of such hacking activities.

One realisation underlying everything written here is that some hackers are extremely knowledgeable and skilful. The best you can do is to ensure that your blog is as secure as you can make it. It is then like the old joke about outrunning the bear: you don’t need to outrun the bear, only the buddies who are with you. There are a host of other blogs that are insecure, and that may be your biggest protection.

Whose Blogs Get Hacked?

WordPress is quite rightly enormously popular software for writing blogs. As more and more people use it, it becomes a more interesting target for hackers who try to exploit any weaknesses in the software.

It was not surprising to see items such as WordPress 2.1.1 Dangerous, Upgrade beginning to appear early in 2007. Nor was it difficult to believe that Matt Cutts’ WordPress blog had been hacked, when this appeared on April 1, 2007. That was a spoof, but since then there have been many real hacking incidents. Al Gore’s blog was hacked, according to Stuart McKeown, as was the WordPress blog of Matt Heaton (Bluehost and Hostmonster CEO). It continues unabated, as Stephan Miller and members of the WordPress Support Forums can testify.

How Will You Know If Your Blog Is Hacked?

The real problem is that you may not realize your blog has been hacked. There may be no visible trace of the hacker’s work. The hacker may wish to boost the search engine visibility of online non-prescription medications or pornographic websites. It is done in such a way that it is hidden from prying eyes.

One useful test is to look at the source code for the blog. In Internet Explorer this can be seen by clicking on View > Source. In Mozilla Firefox, this can be seen via View > Page Source or from the keyboard by pressing U. Sometimes code can be found which has been inserted by the hacker. Another indicator can be sharply higher levels of traffic. This will be covered more fully in the next post in this series.
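Reading the page source by eye works for one blog, but the injected material described in this post (and in the comments below: hidden keyword text, hidden links, tiny iframes) is designed not to be noticed. The following is an added example, written for this post and not part of WordPress or the original article, of a small scanner that applies the same inspection automatically. It takes a page’s HTML as a string and reports elements hidden by inline style, links and keyword text inside them, iframes sized to be invisible, and inline scripts wrapped in obfuscation calls. The spam keyword list and the sample HTML are constructed for illustration; a real run would feed it the output of fetching your own blog’s front page.

```python
"""Heuristic scan of a page's HTML for the injected content the post
describes: hidden iframes, links and keyword text inside hidden
elements, and obfuscated inline scripts.  Added example for this post,
not WordPress code; the spam keyword list and the sample HTML are
constructed for illustration."""
import re
from html.parser import HTMLParser

# Constructed: words typical of the pharma/adult spam the post mentions.
SPAM_KEYWORDS = ("pharmacy", "pills", "viagra", "cialis", "casino", "porn")

# Inline styles commonly used to keep injected content off-screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:left|top|text-indent)\s*:\s*-\d{3,}px", re.I)
# Calls that frequently wrap obfuscated injected JavaScript.
OBFUSCATION = re.compile(r"\beval\s*\(|\bunescape\s*\(|String\.fromCharCode", re.I)
# Void elements never get a closing tag, so they must not go on the stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}


def _px(value):
    """'1', '1px', ' 0 ' -> int; None when absent or non-numeric."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def _spammy(text):
    t = text.lower()
    return any(k in t for k in SPAM_KEYWORDS)


class InjectionScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []     # (kind, detail) pairs
        self.stack = []        # (tag, was_hidden) for open elements
        self.hidden_depth = 0  # > 0 while inside a hidden ancestor
        self.in_script = False
        self.link = None       # current <a>: {"href", "text", "hidden"}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)                       # bare attrs map to None
        hidden = "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style") or ""))
        if tag == "iframe":
            w, h = _px(a.get("width")), _px(a.get("height"))
            if hidden or self.hidden_depth or (w is not None and w <= 1) \
                    or (h is not None and h <= 1):
                self.findings.append(("hidden-iframe", a.get("src") or ""))
        elif tag == "a":
            self.link = {"href": a.get("href") or "", "text": "",
                         "hidden": hidden or self.hidden_depth > 0}
        elif tag == "script":
            self.in_script = True
        if tag not in VOID:
            self.stack.append((tag, hidden))
            if hidden:
                self.hidden_depth += 1

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        elif tag == "a" and self.link is not None:
            if self.link["hidden"]:
                self.findings.append(("hidden-link", self.link["href"]))
            elif _spammy(self.link["href"]) or _spammy(self.link["text"]):
                self.findings.append(("spam-link", self.link["href"]))
            self.link = None
        # Pop back to the matching open tag; tolerates sloppy markup.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                self.hidden_depth -= sum(1 for _, h in self.stack[i:] if h)
                del self.stack[i:]
                break

    def handle_data(self, data):
        if self.in_script and OBFUSCATION.search(data):
            self.findings.append(("obfuscated-script", data.strip()[:60]))
        elif self.link is not None:
            self.link["text"] += data
        elif self.hidden_depth and _spammy(data):
            self.findings.append(("hidden-text", data.strip()[:60]))


def scan_html(html):
    """Return a list of (kind, detail) findings for the given page source."""
    p = InjectionScanner()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample: one clean link plus four kinds of injected content.
SAMPLE_HTML = """<html><body>
<h1>My blog</h1>
<p>A normal post with a <a href="https://example.com/about">normal link</a>.</p>
<div style="display:none"><a href="http://spam.example/cheap-pills">cheap pills</a> buy now</div>
<iframe src="http://bad.example/load" width="1" height="1"></iframe>
<script>eval(unescape('%64%6f%63'))</script>
<p style="position:absolute;left:-9999px">online pharmacy no prescription</p>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_HTML):
        print(f"{kind:18} {detail}")
```

Run against the constructed sample it reports the hidden link, the 1×1 iframe, the obfuscated script and the off-screen keyword text, and nothing for the clean link. It is deliberately a heuristic: a clean report does not prove the blog is untouched (styles applied from an external stylesheet, or content served only to search engine crawlers, would be missed), which is why the post also recommends watching traffic levels and keeping backups.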

Make Your Blog More Secure

Matt Cutts has given some useful tips to protect a WordPress installation. The most important of these is to ensure you always have the latest and most secure upgrade of WordPress. It is perhaps fitting that this blog post appears when WordPress version 2.3.3 has just been issued. This topic will be covered more fully in a subsequent blog post.

Further Articles in the series:
Guarding Your WordPress Blog
How WordPress Blogs Are Hacked

46 thoughts on “WordPress Blog Hacked”

  1. Thanks for the link Barry. The main culprit in my blog and a few others was a WordPress forum plugin that allowed the hacker in, specifically Refresh from Georgia. There are only about 2000 results for his name in Google now. At one time there were over 200,000. It was a massive amount. I linked to the details.

  2. I agree with the latest update. You should always upgrade no matter what script you are using. However there are hacking groups able to get in no matter what latest version script you have. I run a great deal of security for my servers and still from time to time get hacked. The biggest tool you have is to always back up your data. I generally perform nightly backups just for this reason. Unfortunately it is a necessary evil. No matter what script you run hackers are waiting. The more popular the better! BACK IT UP!

  3. When I first started in Real Estate I had a WordPress blog that I used quite frequently. At the time I was completely ignorant of most, if not all, SEO. Well, it got hacked. After about 6 months I joined a forum and quickly learned from some of the other members that there was all kind of hidden text and keyword stuffing in my cached snapshot of just the text on my blog. I had been hacked and was essentially advertising for all kinds of lovely stuff like “Pe_n_s Enlargement” and other misc. things. It took a little while to clean up. I am just glad that it happened to me in the very early stages of my social media campaign. Now I know what to look for and tend to be in defense mode most of the time. I guess you have to be….

  4. I always skim through any PHP code I come by before I place it on my webservers. For those who don’t have any programming background, it is always good to keep in touch with security websites, and subscribe to the PHP authors’ mailing lists/RSS feeds for newer versions.

  5. Thanks for the information Barry. We just had to fight a hack attack by a (well, we guess) competitor in the Spanish real estate market. Does anybody have experience with these kinds of problems with Drupal?
    Best regards from Spain

  6. Barry – Another great post. It’s nice to read posts like this once in a while to help keep us on track and protected. I do agree that the biggest security hole is the end users! lol

  7. A timely reminder/education for many WP bloggers and those on other platforms – there are many things you can do to make things more secure including protecting your admin areas through IP restrictions and password protection of admin directories.

    Much of what I have learned about this was through other blogs and forums dealing with PHP security – the backup advice is still one of the most important though – being lazy can be very costly.

  8. I’m always nervous of any high profile software as it is more susceptible to hacking. I have only installed WordPress in the past month; normally I just code things up myself – but it is so time-consuming reinventing the wheel every time…

  9. It’s very very important to upgrade WordPress whenever they have new editions out. (And they always do!)

    I believe the most major flaw was a recent version which had an XSS cross site scripting hole.

  10. My blog also got hacked and an iframe injection was somehow used. What was worse was that I was labelled in computer with the lovely ‘This site might harm your computer’. I had to contact stopbadware.org and fix the issue, which was a real fiasco.

    Lesson learned? Update as soon as updates arrive!

  11. Yes, WordPress has poor security when compared to other open source scripts. There are lots of easy ways to hack a WP blog when the blog is using any third-party poorly coded plug-ins. [I have a list of plug-in names that are coded poorly.]

  12. Thanks for reminding us about the flaws in WP – it often seems so good that people think it’s infallible. It’s a pain updating WP if you’ve got a lot of blogs, but it’s less of a pain than getting hacked!

    Peter

  13. Nice heads up on this growing problem of blog hacking. And thanks for the links to make things more secure.

    BTW a really informative site that I have now bookmarked !! Lots of good stuff in here no doubt !!

  14. As with any big platform, WordPress has people constantly trying to find flaws in it so that they can manipulate it. That is why it is important to always stay updated; it is well worth the tedious task. Some of those hackers are so discreet that they will place hidden links in your theme that will obviously benefit them, but also hurt you in Google and maybe even permanently damage your SERPs.

  15. Those are some excellent tips. As a precaution I occasionally look at the source code of my template files to make sure that there is nothing fishy going on. When using a CMS like WordPress it is also crucial to keep updated.

  16. Maybe someone enterprising could set up a security audit service for 3rd party plugins to raise the trust levels of plugins for WordPress? At least bloggers would then have some reassurance as to the quality level of coding within the plugin?

  17. I think if you’re going to use many different websites that are all linked to throughout your blog or site it’s best to mix the passwords up every once in a while. Just in case you sign up with a dodgy website. E.g. you have a website on paid surveys, then you sign up with one and add it to your website. Let’s say that this website isn’t legit and you use the same PayPal password as the service you signed up to, and they take a wild guess and get in. Just a bad example, I think I’m a bit tired.

  18. I’m lucky enough to have never had a blog hacked. I have a web design / programmer friend who hacks people’s sites for fun. I don’t really get it, but he seems to have no problem with it. Ever since I’ve started teaching him about SEO, he hacks sites to insert links, which is really crappy in my opinion. I know a few people whose sites have been hacked to bits, and it’s a lot of work to get everything back to normal.

  19. Thanks for pointing us in the right direction. I think that is only one of the many ways that hackers get into WordPress blogs. Vigilance is the watchword.

  20. The really important security fixes are much less frequent than that. For example there is a current upgrade that is suggested if you have a forum as part of your website. It isn’t necessary for most blogs so has not received the normal publicity. Nevertheless you should always stay aware and check the WordPress literature from time to time. Subscribing to an RSS newsfeed is an easy way to do that.

  21. Someone above mentioned that perhaps it’s the plugins which really have more of the security holes in them than the actual WordPress software.

    Since, there appears to be no testing body or accredited body which must certify or at least look at a plugin, is it not far more likely that a would be hacker would use a plugin to do something subtle but virus like, as that is an obvious potential hole?

    If there are thousands of programming hands reviewing wordpress standard code, but almost no one reviewing plugins which are in fact php code that could be malicious, why would we not all put more concentration/discussion on this area?

    I use 4-5 plugins and prior to this discussion never suspected that perhaps they could be problematic. But now, I will check google to see if anyone else is complaining about any of them.

  22. Thanks for the post Barry. Every time I log on to my blog I check to see if there is a new update available. Looking to see if the hackers input any code by viewing the source in Mozilla is a nice tip and easily accessible. I’ve never been hacked before, but what is the worst thing that can happen or what do they usually do to it? If you don’t download a bunch of crappy plug-ins I believe that will eliminate a lot of ways a hacker can get into your blog. I agree with most of the people saying that the user is usually the reason why you get hacked in the first place. Anyways, if you back up all your info you should be fine. Once again, vigilance is the watchword.

  23. My WordPress blogs have not been hacked, but has anyone heard of a Blogger blog being hacked? I would hope that they have security built into them.

  24. The installation on your server and the rights you give to your files and directories are mostly the reason you are hacked.

    Greetings from Nederland

  25. Yeah, WordPress is a great platform but the bugs aren’t the only problem. It’s the constant updating and patches and fixes. I’m not exactly complaining because I love WP, but if you have a bunch of WordPress sites, then upgrading and fixing will take a good amount of your time.

  26. Last time I updated one of my sites to the latest version of WordPress, something went wrong. Then when I reverted back to the old version, all my categories had disappeared. It took forever to update all the posts with categories again. From now on, I am taking my chances with the hackers.

  27. If you’re hacked you lose everything. It’s a much worse problem than merely losing categories. The important lesson there is to make sure you have thought through a good backup and recovery process.

  28. I use WP for my discount code site. Currently running the latest version of WP, as suggested. As my site is on shared hosting I can’t use Admin SSL but found AskApache (with MD5 hash conf’d) to be a great way of securing my login page. Hope this helps 🙂

  29. This is one of the reasons that I’m starting to use Blogger more than WordPress: I don’t have to upgrade the Blogger blogs every couple of months. Although I have no idea if they are any better at preventing a hack or not.

  30. Hey there! I love WordPress and it is normal that with such a widely used software, people are always trying to hack it! I think that the important thing is to keep all plugins and your WordPress version up to date! That way you will have far fewer security issues!

  31. Recently I have come across more and more hacking incidents. I look forward to reading more of your posts as my online presence increases. The scary thing is when you don’t know…. Looking at the source code is a good tip, but I am guessing that even at that, a good hacker can figure out how to stay hidden. Your bear analogy is good…also I think cat and mouse is too.

    matt

  32. Great point about checking out your source code. I haven’t yet had a blog hacked but I feel it is inevitable. One nice feature with WordPress is that it is easily apparent when an upgrade is released, and they are relatively frequent. I assume they are staying on top of vulnerabilities. If you do have a blog and worry about being hacked, at the very least make sure your WordPress is up to date (unless there is a plugin you can’t live without) and keep regular backups.

  33. Yea. It really depends if you are popular or not. I heard of people getting their YouTube, Gmail and Hotmail accounts hacked. Practically everything can be hacked and there is no stopping it. Like someone mentioned above, the White House even got hacked at one point and their security is top of the line. If someone wants to get in they will find a way to get in, no matter what you do. If there is a will there is a way.

  34. I love WordPress, and have used it for about 3 years! I have been lucky and never had any intruders in my blog. I always keep the software up to date; sometimes it breaks something, but it’s better that you know right away instead of having someone erase all your stuff!
