This is the second in a series of articles on how WordPress blogs may be hacked.
Unfortunately it’s becoming a more and more frequent occurrence, even though some seem unaware it has happened. If you have not yet read the first article, WordPress Blog Hacked, you may find it useful to do so before reading this follow-on article. However it is not required reading.
You may naturally feel that calamities such as your house burning or your blog being hacked only happen to other people. It’s not true and it’s always wise to take precautions. Just imagine returning to your home one evening and finding it in flames. You close your eyes and cannot imagine it’s happening to you. You open them again and it’s all still flames.
How can you recover from such a tragic event? That is why most of us take out insurance and have security alarm systems to prevent such happenings. The more valuable your house, the more you are willing to invest in the right level of protection.
Getting your website hacked can be an equally unwelcome experience. Just see how Anita Campbell describes it in a recent article, Hacked: It Could Never Happen to My Site (Famous Last Words).
On Christmas morning, I tried to open this site as I normally do first thing in the morning, just to do a quick check. The home page of the site was completely blank! Nothing. Nada. I could not post anything new, either. I realized that a cracker had hacked the site. As I investigated later that day I discovered quite a bit of damage to the site.
Imagine seeing that blank screen. It’s as devastating in its own way as all those flames consuming your house. However if you think that is what happens when a site is hacked, you haven’t come up against the latest generation of skillful hackers. You won’t be aware that they have come in and taken over the attic of your house. They may create thousands of parasite webpages on your server without changing the physical appearance of your blog. That is what happened to the two SMM blogs that were hacked two weeks ago.
The first part of the security plan for your blog must emphasize vigilance. If you’re Al Gore or Matt Cutts, your blog is valuable real estate. Its traffic represents real economic potential to a hacker. Just as for a palatial home, you should invest in significant security systems. However for reasons we will discuss in the third article in the series, even more modest blogs are attractive to hackers. What you must do is to determine what you believe the risk of hacking to be and then invest an appropriate amount of effort in protecting against that.
If your blog is worth hacking, then likely it will be hacked so as to give the maximum time before you detect the intrusion. As will be explained in the next article in this series, hackers may only need access to your website for a few days to gain full value for their efforts. You will notice that Anita Campbell’s blog was hacked on Christmas Day. The two SMM blogs were hacked one Saturday morning. One important lesson is to never leave the blog unattended for too long.
There are two simple ways of checking whether intruders may be ‘in the house’. The first and easiest step is to check the source code of your blog. Just visit the blog and then use the View choice on your browser menu to examine the Source. With Firefox, if you prefer, you can use Ctrl+U to see the source code in a different window. This may show some lines of code or hyperlinks that should not be there. If you have followed the steps to be described later, then hopefully the code is as you expect it to be. A very rapid way of checking changes in source code is given in the article, Fast Alarm For Hidden WordPress Hackers.
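As an added example (not from the original article), the Python code below automates the source check: it parses a saved copy of the page and lists links, scripts and iframes pointing at hosts outside an expected set, marking any that sit inside an element hidden with inline CSS. The expected hosts, the sample HTML and the hidden-element check are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this blog is expected to link to or load content from.
EXPECTED_HOSTS = {"example-blog.test", "wordpress.org"}

class SourceAudit(HTMLParser):
    """Collect external URLs and whether they sit inside a hidden element."""
    VOID = {"img", "br", "hr", "input", "meta", "link"}

    def __init__(self):
        super().__init__()
        self.stack = []      # (tag, hides_contents) for each open element
        self.findings = []   # (tag, host, url, hidden)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        hides = "display:none" in style or "visibility:hidden" in style
        hidden = hides or any(h for _, h in self.stack)
        url = a.get("href") or a.get("src")
        if url and tag in ("a", "script", "iframe"):
            host = urlparse(url).hostname   # None for relative (internal) URLs
            if host:
                self.findings.append((tag, host, url, hidden))
        if tag not in self.VOID:
            self.stack.append((tag, hides))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag so unclosed <p>/<li> do not skew state.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def unexpected_links(html, expected=EXPECTED_HOSTS):
    """Return findings whose host is not an expected host or a subdomain of one."""
    audit = SourceAudit()
    audit.feed(html)
    audit.close()
    return [f for f in audit.findings
            if not any(f[1] == h or f[1].endswith("." + h) for h in expected)]

# Constructed sample page: two legitimate links plus two injected items.
SAMPLE = """<html><body>
<a href="/about/">About</a>
<a href="https://wordpress.org/">WordPress</a>
<div style="display: none"><p><a href="http://pills.invalid/cheap">x</a></div>
<script src="//cdn.tracker.invalid/s.js"></script>
</body></html>"""

if __name__ == "__main__":
    for tag, host, url, hidden in unexpected_links(SAMPLE):
        print(f"{tag:7} {host:22} hidden={hidden}  {url}")
```

Run it against the source saved from the browser and review every line it prints; an empty result only means nothing outside the expected hosts was found in that copy of the page.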
Another way is to examine the traffic to your website. If there is an unexplained and massive increase in the volume, then this may be a sign of trouble. Similar increases in traffic may be seen in other analytic programs such as Google Analytics or SiteMeter. However depending on what hacking has been done, the increased traffic might be hidden from these tools.
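The traffic check can also be run directly on the web server's access log, which records every request whether or not the page carries an analytics tag. The following added example (not from the original article) flags days whose request volume jumps well above the median of earlier days, or on which many never-before-seen URLs are requested, as would happen with parasite pages. The log format (Apache combined), the thresholds and the sample log are assumptions.

```python
import re
from collections import defaultdict
from statistics import median

# Matches the start of an Apache combined-format line: day and request path.
LINE = re.compile(
    r'\S+ \S+ \S+ \[(\d{2}/\w{3}/\d{4}):[^\]]+\] "(?:GET|POST|HEAD) (\S+)')

def daily_profile(lines):
    """Return {day: [request_count, set_of_paths]} in order of first appearance."""
    days = defaultdict(lambda: [0, set()])
    for line in lines:
        m = LINE.match(line)
        if m:
            day, path = m.groups()
            days[day][0] += 1
            days[day][1].add(path.split("?")[0])
    return days

def flag_days(lines, factor=3.0, new_ratio=0.5, min_history=3):
    """Flag volume spikes and bursts of unseen URLs (thresholds are assumptions)."""
    seen, counts, alerts = set(), [], []
    for day, (count, paths) in daily_profile(lines).items():
        new_paths = paths - seen
        if len(counts) >= min_history:          # need a baseline first
            if count > factor * median(counts):
                alerts.append((day, "volume", count))
            if len(new_paths) > new_ratio * len(seen):
                alerts.append((day, "new_paths", len(new_paths)))
        counts.append(count)
        seen |= paths
    return alerts

def sample_log():
    """Constructed log: five ordinary days, the last with 120 hits on unseen URLs."""
    pages = ["/", "/about/", "/2008/01/post-a/", "/2008/01/post-b/", "/feed/"]
    fmt = '203.0.113.7 - - [{d}/Jan/2008:10:00:00 +0000] "GET {p} HTTP/1.1" 200 512'
    lines = [fmt.format(d=f"{d:02d}", p=p) for d in range(1, 6) for p in pages * 4]
    lines += [fmt.format(d="05", p=f"/archive/x{i}.html") for i in range(120)]
    return lines

if __name__ == "__main__":
    for alert in flag_days(sample_log()):
        print(alert)
```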
To avoid these intrusions, there are certain recommended steps which are described below. As was mentioned in the previous article in this series, the best you can do is to ensure that your blog is as secure as you can make it. There are a host of other blogs that are insecure, and that may be your biggest protection.
Upgrade to the latest version
The most important recommendation, which cannot be emphasized enough, is to always upgrade to the most recent stable version of WordPress. The WordPress community is very active, and security holes are plugged as quickly as possible once they are spotted. This does not guarantee that hackers will be kept out. However, they may choose to attack blogs running earlier versions, which have easier access holes.
You should also upgrade to the latest version of any plugins that you are using. A plugin may well be written by a single volunteer author, so less attention may have been paid to security considerations. You should do a little research on each plugin you intend to use to make sure that others have not had security concerns about it. It is also recommended that you put an empty index.html in the plugins subfolder. This prevents anyone who browses to that folder from receiving a full display of all the plugins being used.
Harden Your Administration
In addition to working with the latest version of WordPress, there are a number of steps you can take to make hacker intrusions more difficult. The references below explain in greater detail what is involved. Here we summarize only the more important points.
Having user names and passwords that are not easily cracked for access to the blog administration panel is critical. In addition if you have a highly visible blog then you might wish to use the Login LockDown Plugin. This blocks access to the administration panel for a certain period after a small number of incorrect attempts.
You can also restrict access to the admin folder by having an appropriate .htaccess file there. This would specify the IP addresses for those who have rightful access to the folder. This would take the following form:
# evaluate deny rules first, then let allow rules override them
order deny,allow
deny from all
# whitelist home IP address
allow from 220.127.116.11
# whitelist office IP address
allow from 18.104.22.168
The extent to which you go beyond these steps should be based on your assessment of the risk of being hacked. The references spell out the possibilities.
Hardening WordPress – WordPress Codex
Three tips to protect your WordPress installation – Matt Cutts
5 WordPress Security Essentials – Lee Robertson
How to Protect Your WordPress Site – Anita Campbell
Protecting Your WordPress Blog – Lorelle
The final article in this series is How WordPress Blogs Are Hacked.