Wednesday, November 26th, 2008

I had a WP blog hacked :( so sad…

I have had a terrible last couple of days… Not only did I just shatter a tooth about 3 hours ago but I had one of my large sites hacked two days ago. So I just wanted to give a little word of caution on server security.

Most bloggers and affiliates use WordPress as their standard website platform, whether for a general blog or for landing pages. However, because WP is so widely used, many people (both good and bad) have easy access to the code. This can be a HUGE issue. Many plugins are even vulnerable to SQL injection.

“SQL injection is a method that exploits the vulnerable layer of an application that relies on SQL, and is performed by injecting SQL commands into an input field that SQL unknowingly executes as a result of programming errors. Trusting user-input without validation is a cause of this.”

V.A.P.T

Not all plugin developers are professionals. This leads to mistakes that in turn open a giant security hole giving access to the WordPress administrator console, your database, and even worse your server as a whole. Many of us, if not all, keep all our website content in one place. Many of you probably make landing pages and think to yourself, “What’s the big deal? They’re just simply landing pages.”
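To make the plugin mistake concrete, here is an added illustration (not code from this post, from VAPT, or from any real plugin) of a hypothetical plugin function that looks up posts by a query-string value, first written the way a careless plugin does it and then the way it should be done with `$wpdb->prepare()`. It assumes a current WordPress where `$wpdb`, `sanitize_text_field()` and `wp_unslash()` are loaded.

```php
<?php
// Added illustration for this post; the function names are hypothetical.
// Both versions assume WordPress has loaded the global $wpdb object.

// VULNERABLE: the request value is pasted straight into the SQL text.
// A quote character in ?slug= ends the string literal, so whatever follows
// is parsed as SQL instead of data: the injection the post describes.
function demo_post_by_slug_vulnerable() {
    global $wpdb;
    $slug = $_GET['slug'];
    $sql  = "SELECT ID, post_title FROM {$wpdb->posts} "
          . "WHERE post_status = 'publish' AND post_name = '{$slug}'";
    return $wpdb->get_results( $sql );
}

// HARDENED: validate the shape of the input, then bind it with
// $wpdb->prepare() so it can only ever be compared as data.
function demo_post_by_slug_safe() {
    global $wpdb;
    if ( ! isset( $_GET['slug'] ) ) {
        return array();
    }
    // WordPress adds slashes to request data; undo that before sanitizing.
    $slug = sanitize_text_field( wp_unslash( $_GET['slug'] ) );
    // Post slugs are lowercase letters, digits and hyphens; reject anything else
    // early so the database never sees unexpected input at all.
    if ( '' === $slug || strlen( $slug ) > 200 || ! preg_match( '/^[a-z0-9-]+$/', $slug ) ) {
        return array();
    }
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} "
        . "WHERE post_status = 'publish' AND post_name = %s LIMIT 1",
        $slug
    );
    return $wpdb->get_results( $sql );
}
```

The allow-list check is the cheap part; the bound parameter is what actually closes the hole, and a plugin that builds its queries with string concatenation from `$_GET`, `$_POST` or `$_COOKIE` is the pattern to look for when auditing what you have installed.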

The problem is that although a landing page uses only simple HTML and CSS, you may still be vulnerable if those landing pages are hosted on the same server as your core websites. Websites like myipneighor.com allow people to see all the other websites hosted on your IP. If you have 100 landing pages set up on a single server, one of your primary websites is hosted in the same environment, and that main website is exploitable by any web attack, then your entire network can be compromised.

I found out this week that web security is one of the smartest investments I have made, along with many others. Being ignorant and thinking that getting hacked wasn’t going to happen to me left me a target. It was plain foolishness on my part to think that no one would hack my site, and that if I just kept updating the script I would be fine. Everyone is a target. Whether you are trying to build a web presence or running a respectable organization, it is important to stay professional and remain a trusted source.

In the event that your security is at risk and your website has been defaced by a bunch of ruthless hackers, it will truly affect your image and/or brand in a negative way. According to my good friend over at V.A.P.T., updating WordPress with the latest security patch helps, but it isn’t always enough. He explained to me that WordPress is simply one of many processes running on a given server. Even if WordPress itself is secure after an update, there may be flaws in the server that require far more than an upgrade to fix.

My buddy at VAPT talked to me about things like server configuration, hot fixes, push cycles, and most importantly code! Overall, it’s very important to take web security seriously, as these days hackers are not just interested in breaking in and making a name for themselves; instead it’s about profits, gains, and your assets!

Now there are many things you can install on a server to help you be more secure. In fact I installed ModSecurity, but unfortunately I don’t know much about setting that stuff up, so I let a professional do it. I definitely am not in the mood to mess up another server…

With all that being said… Keep safe… Don’t be like me… Make sure you set up protection from the beginning!



30 Responses

November 26, 2008

Sorry to hear that.

Even on a dedicated server, the architecture is something like having a root domain, with the other domains being redirected sub-directories.

I’d suggest looking for someone to do a security audit, esp on your key income sites.


November 26, 2008

Oh yeah. I had a friend of mine that works at VAPT check everything out for me. He’s working on updating and securing my sites right now.

The scariest thing was when I told him to get into the server and prove to me that there were problems with the whole server. Yeah that was freaky to see.


November 26, 2008
SkyWatcher

I had my blog hacked once – the hacker deleted all the posts and redirected the blog to Google – it was very scary!

One thing that didn’t bother me was that the blog wasn’t all that popular and fetched only about 30-40 uniques/day.

I suggest you install ModSecurity to prevent it from getting hacked again.


November 26, 2008

@kris
SMF is notoriously buggy software.
Shoemoney’s site got taken down a year back because of a test install of it.

I’d suggest going the vBulletin route if it’s an important part of your biz.

Else maybe something offbeat like bbPress?
There’s also a WP forum plugin out there.


November 26, 2008

Hi,
A similar case happened to me too, on a shared server running a WP blog.

I am still in talks with my hosting provider as to what happened.

Stay Secure
Vijay


November 26, 2008

Dang, sorry to hear that. Never really gave a ton of thought to securing websites, but now I definitely will.


November 26, 2008

hey man,

sorry to hear that. I’ll be more careful with that.
Thanks for keeping me updated.

cheers
masterpash


November 26, 2008

I had lots of sites hacked in the past. I haven’t had a site hacked in about 1 or 2 years.

I try to lock down my site with an .htaccess password before the admin login. I also try to have all of my permissions locked down. I also block all servers from The Planet. Most of the servers at The Planet are unprotected and used as botnets to hack other servers.


November 26, 2008

Sorry about the bad news Kris, thanks for the update.


November 27, 2008

Sorry to hear that. This world is not safe!


November 27, 2008

Btw, you should use the WP Security Scan WordPress plugin to scan your WordPress installation for security vulnerabilities and get some suggested corrective actions.

http://wordpress.org/extend/plugins/wp-security-scan/


November 27, 2008

I just viewed the source of your blog and it appears that you’re using WordPress 2.6.3. You should upgrade to version 2.6.5 because 2.6.3 had a big security problem.

Check out my post for more advice :)

http://themelib.com/2008/11/wordpress-265-is-released/


November 27, 2008

Wow that’s a nightmare. Not only the one WordPress blog but the whole server.

I think I will give mod security a try. I don’t need that happening to my blogs.


November 27, 2008

When the Dead Mule was hosted by Biggs there was an incident. It’s never fun – sorry to hear of the problems.


November 28, 2008

Karma doesn’t forget about all the people you scammed through affiliate marketing…..Just deserts.


I’ve long been an advocate of having popular plugins added to core WordPress software. I’ve long advocated a more stringent code testing for both WordPress core and plugins before release. It’s unfortunate that this incident had to happen to bring these issues to the forefront. While I’m at it, I’m disturbed by the growing feature differences between the WordPress.com and WordPress.org versions of the software.


November 28, 2008

If you have different IPs for your sites, but they’re still on the same server, how vulnerable are they?


November 28, 2008
Jeremy

If a website is hacked, chances are the others can be too, because the other sites are on the same server config.

But different IPs do help.


November 28, 2008

Yeah, I do security for Kris. If anyone has questions or wants a quote, just send me a message.


November 29, 2008

@VOIP Reviews,

if you’re hacked at the root level of your server, the IPs don’t factor in.


November 30, 2008
SkyWatcher

I got my WordPress blog hacked. Someone started deleting some of my high ranking posts and I couldn’t do anything to recover, no backup.

Got my account changed at host level but even then couldn’t recover anything, so back up your posts.


November 30, 2008

Making a backup of your website isn’t going to solve the problem. There are real issues with web security when you are hosting multiple sites on a server. Even a single site on a server can have issues if you don’t have proper web security.

I encourage everyone here to contact me so I can perform some tests against your server. I’ll be able to let you know the real problems and how I can possibly help.

Click on my name to visit my website.
Kris can tell you I do good work. Just ask him.


November 30, 2008

Backing up your database regularly is sound advice :)


November 30, 2008

@Yousif: of course making a backup does not solve the security problem, but it will make your life easier when a problem happens.


November 30, 2008

@Yousif: I’ve just visited your website. Looks good.

How much do you charge for a test? :)


November 30, 2008

@ThemeLib.com: I can send you a proposal if you’d like; it contains our rates. Shoot me an email at Sales[@]Vapt-Sec.com and I’ll get back to you.


December 2, 2008

@Yousif
maybe I have to hire you :) If I can afford it, why not?


December 4, 2008

Thanks for the tips and sharing that story. ModSecurity is free too, so thanks for that tip as well!


December 13, 2008

One of my blogs was hacked too; he/she added a new post.


Sorry to hear that, that sounds scary. Is there a way for us to know if we are already hacked before those hackers do something harmful?