I had a WP blog hacked :( so sad…
I have had a terrible last couple of days… Not only did I just shatter a tooth about 3 hours ago but I had one of my large sites hacked two days ago. So I just wanted to give a little word of caution on server security.
Most bloggers and affiliates use WordPress as their standard website platform, whether for a general blog or for landing pages. However, because WP is so widely used, many people (both good and bad) have easy access to the code, and that can be a HUGE issue. Many plugins are even exploitable through SQL injection.
“SQL injection is a method that exploits the vulnerable layer of an application that relies on SQL, and is performed by injecting SQL commands into an input field that SQL unknowingly executes as a result of programming errors. Trusting user-input without validation is a cause of this.”
Not all plugin developers are professionals. This leads to mistakes, which in turn open a giant security hole giving access to the WordPress administrator console, your database, and, even worse, your server as a whole. Many of us, if not all, usually keep all our website content in one place. Many of you probably make landing pages and think to yourself, “What’s the big deal? They’re just simple landing pages.”
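As an added example (not code from the original post or from any real plugin), here is the kind of mistake described above in a hypothetical WordPress plugin shortcode, shown beside the hardened form that uses WordPress’s own $wpdb->prepare() placeholders; the function names and the `author` query parameter are invented for illustration:

```php
<?php
// Added example, not from the original post or any named plugin: a hypothetical
// shortcode that lists posts by an author ID taken from the query string.
// The first version pastes the request value into the SQL text, the mistake the
// post describes; the second validates the type and binds it with a placeholder.

// Vulnerable: $_GET['author'] becomes part of the query text unvalidated.
function vulnerable_author_posts() {
    global $wpdb;
    $author = isset($_GET['author']) ? $_GET['author'] : '';   // untrusted input
    $sql = "SELECT ID, post_title FROM {$wpdb->posts}"
         . " WHERE post_author = $author AND post_status = 'publish'";
    return $wpdb->get_results($sql);   // whatever was sent is executed as SQL
}

// Hardened: reject anything that is not a positive integer, then bind it.
function hardened_author_posts() {
    global $wpdb;
    $author = isset($_GET['author']) ? absint($_GET['author']) : 0;
    if ($author === 0) {
        return array();   // nothing to look up; never reaches the database
    }
    // %d is a bound integer placeholder: the value can only ever be a number
    // and can never change the structure of the statement.
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}"
        . " WHERE post_author = %d AND post_status = 'publish'",
        $author
    );
    return $wpdb->get_results($sql);
}

// Escape on output as well: a stored title is still untrusted when rendered.
function render_author_posts() {
    $out = '<ul>';
    foreach (hardened_author_posts() as $row) {
        $out .= '<li>' . esc_html($row->post_title) . '</li>';
    }
    return $out . '</ul>';
}
add_shortcode('author_posts', 'render_author_posts');
```

The same rule applies to every value that arrives in a request, cookie or header: check its type first, then let the database layer bind it rather than building the statement by hand.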
The problem is that even if a landing page is simple HTML and CSS, you may still be vulnerable if those landing pages are hosted on the same server your core websites live on. Websites like myipneighor.com allow people to see all the other websites hosted on your IP. If you have 100 landing pages set up on a single server, one of your primary websites is hosted in the same environment, and that main website is exploitable by any web attack, then your entire network can be compromised.
I found out this week that web security is one of the smartest investments I have made, along with many others. Being ignorant and thinking that getting hacked wasn’t going to happen to me left me a target. It was plain foolishness of me to think that no one would hack my site, and that if I just kept updating the script I would be fine. Everyone is a target. Whether you are trying to build a web presence or running a respectable organization, it is important to stay professional and remain a trusted source.
In the event that your security is at risk and your website has been defaced by a bunch of ruthless hackers, it will truly affect your image and/or brand in a negative way. According to my good friend over at V.A.P.T., updating your WordPress for the latest security patch helps, but it isn’t always enough. He explained to me that WordPress is simply one process among many running on a given server. Although WordPress itself remains secure after an update, there may be flaws in the server that require far more than an upgrade.
My buddy at VAPT talked to me about things like server configuration, hot fixes, push cycles, and most importantly code! Overall, it’s very important to take web security seriously, as these days hackers are not just interested in breaking in and making a name for themselves; instead it’s about profits, gains, and your assets!
Now there are many things you can install on a server to help you be more secure. In fact, I installed ModSecurity, but unfortunately I don’t know much about setting that stuff up, so I let a professional do it. I definitely am not in the mood to mess up another server…
With all that being said… Keep safe… Don’t be like me… Make sure you set up protection from the beginning!
30 Comments on this post
andrew wee said:
Sorry to hear that.
Even on a dedicated server, the architecture is something like having a root domain and the other domains are redirected sub-directories.
I’d suggest looking for someone to do a security audit, esp. on your key income sites.
November 26th, 2008 at 2:19 am
Kris said:
Oh yeah. I had a friend of mine that works at VAPT check everything out for me. He’s working on updating and securing my sites right now.
The scariest thing was when I told him to get into the server and prove to me that there were problems with the whole server. Yeah, that was freaky to see.
November 26th, 2008 at 2:21 am
SkyWatcher said:
I had my blog hacked once – the hacker deleted all the posts and redirected the blog to Google – it was very scary!
One thing that didn’t bother me was that the blog wasn’t all that popular and fetched only about 30-40 uniques/day.
I suggest you install mod security to prevent it from getting hacked again
November 26th, 2008 at 2:50 am
andrew wee said:
@kris
SMF is notoriously buggy software.
Shoemoney’s site got taken down a year back because of a test install of it. I’d suggest going the vBulletin route if it’s an important part of your biz.
Else maybe something offbeat like bbPress?
There’s also a WP forum plugin out there.
November 26th, 2008 at 2:57 am
Vijay Teach Me $$ said:
AMagz said:
Dang, sorry to hear that. Never really gave a ton of thought to securing websites, but now I definitely will.
November 26th, 2008 at 1:21 pm
masterpash said:
hey man,
sorry to hear that. I’ll be more careful with that.
Thanks for keeping me updated. Cheers,
masterpash
November 26th, 2008 at 1:27 pm
Jeremy said:
I had lots of sites hacked in the past. I haven’t had a site hacked in about 1 or 2 years.
I try to lock down my site with a .htaccess password before the admin login. I also try to have all of my permissions locked down. I also block all servers from The Planet. Most of the servers at The Planet are unprotected and used as botnets to hack other servers.
November 26th, 2008 at 2:53 pm
Anthony said:
Sorry about the bad news Kris, thanks for the update.
November 26th, 2008 at 8:47 pm
ThemeLib.com said:
Sorry to hear that. This world is not safe!
November 27th, 2008 at 1:03 am
ThemeLib.com said:
Btw, you should use the WP Security Scan WordPress plugin to scan your WordPress installation for security vulnerabilities and get some suggested corrective actions.
November 27th, 2008 at 1:04 am
ThemeLib.com said:
I just viewed the source of your blog and it appears that you’re using WordPress 2.6.3. You should upgrade it to version 2.6.5 because 2.6.3 had a big security problem.
Check out my post for more advice :)
November 27th, 2008 at 1:11 am
Slow Computer said:
Wow that’s a nightmare. Not only the one Wordpress blog but the whole server.
I think I will give mod security a try. I don’t need that happening to my blogs.
November 27th, 2008 at 8:33 am
Robert said:
When the Dead Mule was hosted by Biggs there was an incident. It’s never fun – sorry to hear of the problems.
November 27th, 2008 at 2:23 pm
gman said:
Karma doesn’t forget about all the people you scammed through affiliate marketing... Just deserts.
November 28th, 2008 at 10:59 am
David - Marketing Management Strategy said:
I’ve long been an advocate of having popular plugins added to core WordPress software. I’ve long advocated a more stringent code testing for both WordPress core and plugins before release. It’s unfortunate that this incident had to happen to bring these issues to the forefront. While I’m at it, I’m disturbed by the growing feature differences between the Wordpress.com and Wordpress.org versions of the software.
November 28th, 2008 at 4:28 pm
VoIP Reviews said:
If you have different IPs for your sites, but they’re still on the same server, how vulnerable are they?
November 28th, 2008 at 6:24 pm
Jeremy said:
If a website is hacked, chances are the others can be too, because the other sites are on the same server config.
But different IPs do help.
November 28th, 2008 at 8:23 pm
Yousif said:
Yeah, I do security for Kris. If anyone has questions or wants a quote, just send me a message.
November 28th, 2008 at 9:57 pm
andrew wee said:
@VOIP Reviews,
if you’re hacked at the root level of your server, the IPs don’t factor in.
November 29th, 2008 at 2:36 am
SkyWatcher said:
I got my WordPress blog hacked. Someone started deleting some of my high-ranking posts and I couldn’t do anything to recover, no backup.
Got my account changed at host level but even then couldn’t recover anything, so back up your posts.
November 30th, 2008 at 2:35 pm
Yousif said:
Making a backup of your website isn’t going to solve the problem. There are real issues with web security when you are hosting multiple sites on a server. Even a single site on a server can have issues if you don’t have proper web security.
I encourage everyone here to contact me so I can perform some tests against your server. I’ll be able to let you know the real problems and how I can possibly help.
Click on my name to visit my website.
Kris can tell you I do good work. Just ask him.
November 30th, 2008 at 3:38 pm
ThemeLib.com said:
Backing up your database regularly is sound advice :)
November 30th, 2008 at 9:56 pm
ThemeLib.com said:
@Yousif: of course making a backup does not solve the security problem, but it will make your life easier when a problem happens.
November 30th, 2008 at 9:59 pm
ThemeLib.com said:
@Yousif: I’ve just visited your website. Looks good.
How much do you charge for a test? :)
November 30th, 2008 at 10:00 pm
Yousif said:
@ThemeLib.com: I can send you a proposal if you’d like; it contains our rates. Shoot me an email at Sales[@]Vapt-Sec.com and I’ll get back to you.
November 30th, 2008 at 10:48 pm
brandon alan scofield said:
@Yousif
Maybe I have to hire you :) If I can afford it, why not?
December 2nd, 2008 at 8:58 pm
Become Expert Guy said:
Thanks for the tips and for sharing that story. ModSecurity is free, so thanks for that tip too!
December 4th, 2008 at 10:30 pm
Blue Host said:
One of my blogs was hacked too; he/she added a new post.
December 13th, 2008 at 5:11 pm
Lito | TheFilipinoEntrepreneur.Com said:
Sorry to hear that, that sounds scary. Is there a way for us to know if we are already being hacked before those hackers do something harmful?
December 15th, 2008 at 4:45 am