A few weeks ago I had the unpleasant surprise of finding out that my blog got automatically hacked by spam bots, due to a Wordpress exploit, and in due course also got infected with malware. Google, vigilant as always, was quick to scan LOAB for any malicious software, found some corrupted code and immediately flagged the blog. What happened next was very predictable: whoever tried to search for something on Google and found LOAB among the search results wasn’t able to access the blog, as it was “quarantined.” I lost hundreds of visitors daily during the course of two weeks, my rankings were shattered and of course the blog’s reputation was stained; as a side note I’d like to thank all the loyal readers that confidently continued to read my blog during that tough period.
So what basically happened was that I, an innocent blogger, got hacked and unjustly suffered a great deal for nothing. And I’m not alone either: my horror story was shared by thousands of other bloggers all over the world, reporting almost the same “symptoms” as me. But was I entirely faultless? Of course not. Much of the blame for getting flagged by Google belonged to me; I’m as much responsible for it as the devious persons behind the attack, just for letting something like this happen in the first place. Only after it was too late did I realize I was never really ready for any similar situation, one that could’ve happened to anyone at any time. I never took the necessary precautions and I got burned. Fortunately I got unbanned and all is well now, but it all could’ve been much worse. If there’s anything this nightmare’s taught me, it is to always be prepared; so to spare some bloggers sleepless nights and burnt neurons, I’ve decided to do a write-up about protecting your blog against hacks. Note: this article is mainly aimed at Wordpress blogs.
Preventing Attacks on Your Blog
Hackers, whether they’re human or automated scripts, must first find a breach, a hole in the system, to infiltrate your blog, and sadly one can always be found in the Wordpress CMS. You can always count on finding various gaps to be exploited by hackers; trust me, there’s no foolproof safe blogging CMS right now (doubt there’ll ever be), but some “holes” are much more common and easier to find than others and, as a consequence, must be immediately “plugged.” Below you can find a few solid tips that can at least help avoid a tragedy. Some of these pointers may prove more or less technical, but I promise I’ll try to keep it all in layman’s terms as best as possible.
Securing Your Blogging Platform
If you really want to keep your blog squeaky clean and pest free, then it’s best you start playing it safe from the very start, or in our case, from when you first install Wordpress on the server. Here are just a few quick tips I’ve learned over a lot of time and over even more failed Wordpress installs:
- Change your database table prefix. One of the most common types of hacking is based on SQL injection, and 99% of the time the whole process is automated. So you can spare yourself a lot of trouble by trying to fool any potential intruders, just by changing your default Wordpress table prefix from “wp_” to something really unrelated like “sad213.” The reason why this will help a great deal is that there are thousands of threats all over the net that will look for any vulnerable databases that have table prefixes starting with “wp_” (provided they get the chance to scan your blog’s database). You should keep this in mind when installing any kind of popular CMS.
- Don’t use the ‘root’ user in any way. This is really, really important, or else you’ll be risking a heck of a lot. Think of it like this: you’ve let Wordpress access the database via a root user, but you get hacked. Bummer, but this time, because you’ve been using the root user, all of your other websites on the server, if any, will be at great risk. Never happened to me, but I’ve heard some pretty scary stuff…
- Change your default user name. When you install Wordpress the first user will be called “admin,” and much like the point above, this can be a source of some uninvited trouble. What you need to do is change the user name and you’ll have one less thing to worry about. If you try to edit your user name you’ll soon see that it’s not possible from within Wordpress, but only through altering the database. Log in to your PhpMyAdmin and run the following line of code, replacing tableprefix_ with your own table prefix:
UPDATE tableprefix_users SET user_login='newuser' WHERE user_login='admin';
Oh, and one more thing: please use a decent password! If you feel unsure how to pick a secure password, check out this excellent article by Lorelle.
- Restrict access. When you installed Wordpress on your domain for the first time, you were prompted to change the CHMOD permissions of various .php files and folders from “read” to “read/write.” What I’d recommend you do is write down all the folders and files whose permissions you’ll be changing and, after you’ve successfully installed Wordpress, revert the permissions. We could take restricting unauthorized access a step further by using .htaccess to disallow any kind of access to the wp-content and wp-includes directories, besides some images, CSS and js files:
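# deny everything in this directory by default...
Order Allow,Deny
Deny from all
# ...except static assets matched by file extension
<Files ~ "\.(css|jpe?g|png|gif|js)$">
Allow from all
</Files>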
If, God forbid, a certain attack is successful, then some of your .php files might become readable, and among them is your highly important wp-config.php, from your root install. The wp-config file, as you may remember from when you first installed Wordpress, contains precious, private data concerning your database, like the username and password. What we have to do, to make sure they don’t fall into the wrong hands, is restrict access to the file via .htaccess:
<Files wp-config.php>
Deny from all
</Files>
- Hack-proof your wp-admin directory. Your wp-admin directory, much like your wp-config.php file, is extremely valuable for the wellbeing of your blog, but unfortunately is also very vulnerable to attacks. What you need to do is protect your wp-admin by adding a few more layers of security, which we’ll achieve through a series of .htaccess inputs and Wordpress plugins. A really great way to make sure 99% of your uninvited guests that try to access your wp-admin directory get quickly ejected is to disallow all IPs other than yours. Here’s the code to add to your .htaccess. Very Important: Do not add the following lines of code to your root blog address (/public_html), but to a new .htaccess file, that you’ll have to create, in the wp-admin directory (/public_html/wp-admin).
AuthName "Access Control"
Order Deny,Allow
deny from all
# whitelist home IP address
allow from 126.96.36.199
# whitelist work IP address
allow from 188.8.131.52
allow from 184.108.40.206
This can be pretty stressful if your ISP assigns you a dynamic IP address that changes with each PC reboot, or if you try to access your wp-admin from a remote address. It certainly does its job well nevertheless. However, there’s little this hack can do when faced with brute force attacks; here’s where the Login Lockdown plugin comes in. What the plugin does is log all failed login attempts and, after a set number of failed logins, block an IP range for 1 hour by default. Quite a nifty tool, but be careful not to misspell your password.
Another WP plugin that’s worth mentioning is AskApache Password Protect, which, when enabled, will prompt anyone trying to access the wp-admin directory to fill in a username and password, assigned by you (which of course should be different from your Wordpress login details). The plugin will automatically create a .htaccess and .htpasswd file, without messing anything up, and will also automatically assign the appropriate file permissions.
- Hide your WP version information. Meta tags are a great way to let search engine robots better know what your content is all about and also help them read it better, but for spam bots they’re perfect for finding out your weaknesses. The following meta tag can be found in your header and will display your current WP version; look for it and delete it.
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /> <!-- leave this for stats please -->
- Hide your WP plugins. Some Wordpress plugins are very fragile when attacked and some are full of exploit holes, so naturally what you’d like to do is hide what plugins you’re using from everyone else, so that nobody’s aware of their existence. You can do this just by creating a simple empty index.html file like wp-content/plugins/index.html. That’s it!
Various Security Pointers
- Update, update, update! Outdated software is virtually a welcome mat for hackers, who are always on the prowl for foolish victims such as myself, who felt too lazy to update my WP version from 2.2 to 2.3.3. That particular laziness took its toll. Don’t be a fool and always update your software, and I’m not only talking here about Wordpress, but any kind of auxiliary software as well, like plugins, that can prove to be quite damaging. Now, since the new WP 2.3 version, you’ll always get prompted whenever a new plugin version is available for download, so in a few quick minutes you’ll be able to download, upload and activate your new plugins.
- Religiously follow security updates. When a new security breach pops up, it’s advised to find out about it as quickly as possible and fix it. The fine folks down at Wordpress are most of the time very capable when dealing with this and will immediately release updates to fix various issues. So I’d heartily recommend you subscribe to the Wordpress development blog asap!
- Backup! This is a golden rule for any responsible web developer, especially bloggers. What I’d recommend is you make a database backup of your blog each week and a full blog backup (with files, databases etc.) every few months. If you’d like to have automated database backups generated and sent to your e-mail during a specific time interval, you can always try to use the WordPress Database Backup plugin. Works like a charm.
- Report bugs. Be a fine fellow/lady and report any kind of security disturbance or vulnerability that you might find. This way you’ll help improve future versions of Wordpress and in turn your blog as well. Just e-mail the security staff from WP at email@example.com and they’ll swiftly take care of it.
- Limit user registration. Actually, remove the option altogether, and if someone needs a user, then you can just manually create it. Why is this important? Well, there are a lot of automated spam bots out there that scan WP blogs, register at the respective blogs (most of them don’t have anti-automated registration security) and start wreaking havoc where they can.
- Fight comment spam. Ah spam, spam bacon, spam sandwich, spam eggs, spam sausages etc., but what us bloggers are faced with daily isn’t a delicious breakfast, but rather horrific comment spam. Besides the fact that spam comments are really annoying and can fill your blog with pr0n links, they can also infect your blog with some nifty malware. Luckily there are a lot of solutions to spam, like anti-spam WP plugins (see Akismet or Spam Karma 2) or how I personally prefer it (together with Akismet of course): manually moderating comments. Below you can find the official WP codex on fighting spam:
Winning The Battle Against Malware
As I’ve already said at the beginning of the post, a few weeks ago my blog got hacked and infected with malware code. What I want to do now is to tell you, step by step, how I managed to disinfect the blog and get it deflagged by Google, because this is the most common hacking scenario you’re bound to face. Hacking bots will scan for vulnerable blogs and quickly infect them when they find a weak spot to breach. Soon after they’ll add a small snippet of code in your source code, most of the time harmless, hidden under a false tracking script. After they gather enough infected blogs, they’ll sell their loose code space to the highest bidder, which are most of the time fellow Viagra or warez spammers. It’s rough, I know, but when it happens it’s important to keep your cool and keep on walkin.’ I followed these simple steps and got Lost Art Of Blogging deflagged by Google in 6 business days.
- Realizing your blog’s infected. The first step to solving any problem is realizing what it is. I never knew my blog was infected with malware until a few readers e-mailed me, letting me know that I was flagged by Google. So how do I know if my blog’s infected? There’s no real helpful way to scan a blog for malicious code, but you can always do it by hand if you suspect something. Just open your homepage, hit code view and quickly scan the code for anything devious; a quick tip would be to look for anything that contains <iframe> tags or code hidden from visitors (width="0", height="0"). It isn’t very practical but it works. If you don’t find anything you’re home free; if you do, then you might as well continue reading this.
- Delete the malicious code. After you find out that your blog’s been infected with malware, the first step you need to take towards eradicating it is to look through all your archives under code view for suspicious code. It can take a few hours, but I haven’t found any other way.
- Remove any suspicious outgoing links. Most of the time, when a WP blog gets infected with malicious code, the respective spam script will also insert some spam links advertising the services of their “clients.” Some of these domains may be banned and flagged by Google as spam, malware havens etc., so any blog linking to them will be penalized or, in our case, coupled with identified malware presence, will get you flagged big time. You can use the link analysis tool from SEO Chat to check for both inbound and outgoing links. If you find anything that points towards warez, viagra, pr0n or anything remotely spammish, remove the link at once.
- Ask for a StopBadware.org review. StopBadware.org describes itself as a “neighborhood watch,” an Internet malware policeman if you will, whose job is to find infected websites and flag them at Google (they have a direct partnership) for quarantine. After you’ve successfully cleansed your blog, following the above steps, you can apply for a site review from StopBadware, which will check for signs of spam and according to this will or will not unflag you. What you first need to do is fill in the review form, type in your blog’s url in the clearinghouse section and query the search. After that all you have to do is fill in some general info about your blog, along with any additional notes that the reviewer should take into consideration, and press send. Depending on how lucky you are and if you’ve correctly removed all the malware, you should get a positive response in 5-7 business days. If you’ve still got unresolved questions concerning StopBadware, then you should consider heading over to their discussion board and opening a thread.
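The by-hand checks in the steps above (hidden <iframe> tags, zero width or height, unfamiliar outgoing links) can be expressed as a script that reads a page's HTML source. This is an added example, not code from the original post; the class and function names, the sample page and every host name in it are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ZERO = re.compile(r"^\s*0+(px|%)?\s*$", re.I)  # width="0", height="0px"
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?<![-\w])(?:width|height)\s*:\s*0+(?:px)?\s*(?:;|$)", re.I)

class InjectionScanner(HTMLParser):
    """Records hidden iframes/links and every off-site host a page references."""
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.hidden = []          # (line, tag, url)
        self.external_hosts = {}  # host -> [line, ...]

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        url = a.get("href") if tag == "a" else a.get("src")
        if tag not in ("a", "iframe", "script") or not url:
            return
        line = self.getpos()[0]
        if (ZERO.match(a.get("width", "")) or ZERO.match(a.get("height", ""))
                or HIDDEN_CSS.search(a.get("style", ""))):
            self.hidden.append((line, tag, url))
        try:
            host = (urlparse(url).hostname or "").lower()
        except ValueError:        # malformed URL: keep it visible for review
            host = url
        if host and host != self.own_host and not host.endswith("." + self.own_host):
            self.external_hosts.setdefault(host, []).append(line)

def scan_page(html, own_host):
    scanner = InjectionScanner(own_host)
    scanner.feed(html)
    scanner.close()
    return scanner.hidden, scanner.external_hosts

# Constructed sample page; every host name here is a placeholder.
SAMPLE = """<html><body>
<a href="http://blog.example/2008/post/">A post</a>
<iframe src="http://video.example/embed/1" width="480" height="360"></iframe>
<iframe src="http://tracker.invalid/stats.php" width="0" height="0"></iframe>
<script src="http://tracker.invalid/t.js"></script>
<a href="http://pills.invalid/" style="display:none">cheap</a>
</body></html>"""

if __name__ == "__main__":
    print(scan_page(SAMPLE, "blog.example"))
```

Run it over the saved source of each page or archive you suspect; the off-site host list still needs a human eye, since legitimate embeds such as a video player show up there too.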
Blog security has developed into a very delicate issue over the years, as more and more security breaches have occurred, even at the big houses (Al Gore’s blog hacking is the first thing that comes to mind), proving how truly fragile they can be in the face of attacks. It’s up to you and only you to make sure that your blog’s integrity and privacy rights aren’t compromised in any way.
The Fighting Blog Hacks: Preventing And Eliminating Intruders by Tibi Puiu, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial 3.0 United States License.