Blogosphere Alert: Prevent your WordPress blogs from being hacked!

June 19, 2009 | 21 Replies


I was surprised to learn today that my blog had almost been hacked. The situation shook me so badly that I almost freaked out, but the good thing is that I managed to pull myself together. I told myself this could not be happening, so instead of panicking I focused on tracing the hacker's steps on my site and figuring out how it had become possible.

The Discovery
I was editing previous posts when, right after hitting "Update Post", I became curious and checked the post author drop-down. To my amazement, I saw two other names in that drop-down that were not even contributors or editors on this blog. When I checked "Users", it became clear that two accounts with obscure names had been registered on my blog, both with the "admin" role, while I was listed as "administrator" with all the posts attributed to my name. I needed to find out how these two had been able to register on my blog.

The Tracking Begins
I went first into the General settings and found that the "Anyone can register" box was ticked. That was probably their point of entry into my blog, so I unticked it and saved the settings. So, don't place the "Meta" widget (which advertises the Register link) on your site and don't allow open registration, especially when your blog has no need for multiple users or predefined user privileges.
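As an added example (not from the original post), here is a small Python check for the problem described above: it reads wp_users and wp_usermeta rows (constructed sample data here, standing in for a real database query) and lists every account holding the administrator role that is not on the owner's own list of known logins.

```python
import re

# Constructed sample rows standing in for wp_users / wp_usermeta (not real accounts).
# With the default table prefix the role column is stored under meta_key "wp_capabilities".
WP_USERS = [
    {"ID": 1, "user_login": "mathdelane"},
    {"ID": 7, "user_login": "xq7z"},
    {"ID": 8, "user_login": "rk01"},
    {"ID": 9, "user_login": "reader"},
]
WP_USERMETA = [
    {"user_id": 1, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 7, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 8, "meta_key": "wp_capabilities", "meta_value": 'a:2:{s:13:"administrator";b:1;s:6:"editor";b:0;}'},
    {"user_id": 9, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:10:"subscriber";b:1;}'},
]

# wp_capabilities is a PHP-serialized array of role => bool; pick out the roles set to true.
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_of(serialized):
    """Return the set of role names that are enabled in a serialized wp_capabilities value."""
    return set(ROLE_RE.findall(serialized))


def unexpected_admins(users, usermeta, known_logins):
    """List logins that hold the administrator role but are not on the owner's known list."""
    caps = {m["user_id"]: m["meta_value"]
            for m in usermeta if m["meta_key"] == "wp_capabilities"}
    return sorted(u["user_login"] for u in users
                  if "administrator" in roles_of(caps.get(u["ID"], ""))
                  and u["user_login"] not in known_logins)


if __name__ == "__main__":
    print(unexpected_admins(WP_USERS, WP_USERMETA, {"mathdelane"}))  # ['rk01', 'xq7z']
```

Run it against a fresh export of the two tables after every suspicious event; an account you did not create with the administrator role is the same signal the author found in the post attribution drop-down.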

Being a bit paranoid, I decided to change my admin username and password. Changing the WordPress default username "admin" to a name of your own choosing gives you more protection: if you leave it at the default "admin", an attacker already knows half of your credentials and only has to guess your password by brute force, and voila! You're screwed. If you don't know how to change the default "admin" username in WordPress, follow these simple steps:

1. Back up your database first. This is the most important step, because you would not want your hard work to go to waste.

2. Use phpMyAdmin to access your database.

3. Select the table labeled wp_users, click the browse icon, select the record whose user_login is admin and click edit. The edit button looks like a pencil.

4. Go to the field labeled user_login and change the name to one of your choosing. Save the changes.

5. Log out and log in again to verify the changes.

If you don't want to modify the database via phpMyAdmin, you can use the plugin for changing the admin username in WordPress found at www.w-shadow.com.

The next thing I did was to check whether any of the PHP scripts had been changed, particularly the header.php file. Fortunately, I found no trace of suspicious code in the scripts, so I'm good. You can view here an example of a wp-blog-header.php file that has been hacked. I also checked the .htaccess file, and it seems clean.

I also installed the WordPress Exploit Scanner plugin, which searches your site's files and database for signs of suspicious activity. It does not guarantee that it will stop anyone from getting into your site's backend, but it can help you find uploaded, modified or compromised files left behind by a hacker.
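The plugin looks for modified files; a baseline-and-compare script does the same thing more directly. This is an added example, not the Exploit Scanner plugin's own code, and it works on a constructed temporary directory rather than a real install; the three symptoms it reports (a missing index.php, an altered header.php, a file that was never installed) are the ones this post and its update describe.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def build_manifest(root):
    """Map every file under root (path relative to root, '/'-separated) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_of(full)
    return manifest


def compare(root, baseline):
    """Report files missing, modified or added since the baseline manifest was taken."""
    current = build_manifest(root)
    return {
        "missing": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
    }


def demo():
    """Constructed scenario: snapshot a tiny fake install, then reproduce the post's symptoms."""
    root = tempfile.mkdtemp()
    header = "wp-content/themes/demo/header.php"
    originals = {"index.php": "<?php require './wp-blog-header.php';",
                 "wp-blog-header.php": "<?php /* loads WordPress */",
                 header: "<html><head><title>demo</title></head>"}
    for rel, body in originals.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(body)
    baseline = build_manifest(root)            # take this right after a clean install or upgrade
    os.remove(os.path.join(root, "index.php"))  # the "Index of /" symptom: index.php is gone
    with open(os.path.join(root, *header.split("/")), "a") as f:
        f.write("<!-- constructed: content appended by someone else -->")  # header.php tampered
    with open(os.path.join(root, "wp-content", "extra.php"), "w") as f:
        f.write("<?php /* constructed: a file that was never part of the install */")
    return compare(root, baseline)
```

Store the baseline manifest off the server (a hash list on the web host can be edited by whoever edited the files), and refresh it after every legitimate upgrade.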

I also edited wp-config.php and set the secret keys, e.g. define('SECURE_AUTH_KEY', 'put your unique phrase here'); WordPress mixes these keys into the authentication cookies it issues, so a long, random phrase makes a forged login cookie practically impossible to produce. Get instructions on editing wp-config.php here.

Lastly, I made a backup of my database and files. If you need help backing up your database, ask your web host for assistance, as there are many ways to do it depending on the MySQL version you are using.

That's a lot of information, but a security lapse nowadays can undo everything you've accomplished in a breeze. Don't be a victim. I may have been spared for the day, but who knows about tomorrow, so I'm paying much more attention to details now and taking a lot of extra protective measures. What happened turned out to be a false alarm, though I'm staying extra vigilant. So do yourself a favor and learn as early as possible, while you still have the chance. I cannot emphasize this enough, because we're all vulnerable here.

The Advice
To sum up, I can simply advise you to remember the acronym B.U.C.K.S:

B – Back up your database regularly.
U – Upgrade to the latest version of WordPress if you haven't. I haven't upgraded yet, but eventually I will. I'm still looking at some factors, especially the plugins, because they are the ones most affected by upgrades, aside from bugs. So far I'm fine with 2.7.1 and I'm keeping my blog secured. It is advisable that you upgrade once your blog has been hacked.
C – Configure wp-config.php for added security.
K – Know how to do simple PHP script and database editing. It pays to learn.
S – Seek help when needed. Don't pretend that you know everything. It doesn't hurt to ask questions.

That's all for now. I'll keep you posted once I've found out something new. Cheers!

P.S.

While finalizing this post, I came across a plugin called Login LockDown, an enhanced login security plugin that records the IP address and timestamp of every failed WordPress login attempt. After three unsuccessful attempts within 5 minutes, all requests from that IP range are blocked, which prevents brute force password discovery.

Login LockDown is a wordpress login security plugin

The IP lockout time defaults to one hour but can be changed in the options panel, and administrators can also release locked-out IP ranges manually. Login LockDown can be downloaded from http://www.bad-neighborhood.com/login-lockdown.html (just copy and paste the URL into your browser).
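The lockout logic just described, as an added example in Python rather than the plugin's own PHP: three failures from the same IP range within five minutes lock the range for an hour, the lock expires on its own, and an administrator can release it early. Treating a "range" as the /24 block containing the address is an assumption of this example, not something the plugin page states.

```python
from collections import defaultdict, deque


class LoginLockout:
    """Track failed logins per IP range and lock the range after too many in a time window."""

    def __init__(self, max_failures=3, window_s=300, lockout_s=3600):
        self.max_failures = max_failures      # plugin default: 3 attempts
        self.window_s = window_s              # plugin default: 5 minutes
        self.lockout_s = lockout_s            # plugin default: 1 hour
        self.failures = defaultdict(deque)    # range -> timestamps of recent failures
        self.locked_until = {}                # range -> unix time at which the lock expires

    @staticmethod
    def ip_range(ip):
        # Assumption of this example: a "range" is the /24 block the address belongs to.
        return ".".join(ip.split(".")[:3]) + ".0/24"

    def is_locked(self, ip, now):
        """True while the address's range is under an unexpired lock."""
        rng = self.ip_range(ip)
        until = self.locked_until.get(rng)
        if until is None:
            return False
        if now >= until:                      # lock has aged out; forget it
            del self.locked_until[rng]
            return False
        return True

    def record_failure(self, ip, now):
        """Record a failed attempt; return True if this one pushes the range over the limit."""
        rng = self.ip_range(ip)
        q = self.failures[rng]
        q.append(now)
        while q and now - q[0] > self.window_s:   # drop attempts older than the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[rng] = now + self.lockout_s
            q.clear()
            return True
        return False

    def release(self, ip):
        """Manual release of a locked range, as an administrator does from the options panel."""
        self.locked_until.pop(self.ip_range(ip), None)
```

The login handler would call is_locked before checking the password and record_failure after a bad one; the timestamps logged per failure are the same data the plugin records.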

This post was originally published on 16 June 2009, but for some reason it disappeared from the exported WordPress XML file containing all the posts, comments, etc., so I have republished it.

Update
A few hours after this post went live, I went back to the site to check how it was doing in terms of views, and I was struck to see nothing but "Index of /" when I typed the blog's URL into the browser. I contacted my host about it, and they told me that the index.php file was missing.

Findings
1. My blog was hacked. The index.php was compromised by unscrupulous cyber criminals trying to stop me from exposing the realities of this WordPress vulnerability. Here's a screenshot of index.php after it was compromised:

hacked index.php

Yes, silence is golden, but this incident has awakened my spirit and fired up my eagerness to keep writing. It seems that somebody wants me to shut up, but whoever they are, I'm just getting started.


Category: open source

Comments (21)


  1. Tracy Wheeler says:

    Great post! Something all bloggers should know and do to keep their blogs safe!

  2. Mathdelane says:

    Thank you for visiting my blog. It’s my pleasure to share helpful and relevant information in today’s highly unsecured blogosphere.

  3. BunnygotBog says:

    Thanks for this post. This issue has been bugging me a lot.

  4. You're welcome and thanks for visiting! It was indeed alarming and it doesn't make anyone less vulnerable. The fact that this happened to me, it can also happen to anyone else. As long as I can write something as valuable as this, I'll certainly do so.

  5. Andrei says:

    Happened to me too, and I cannot access my wp-admin anymore. The only way I can connect is through FTP. The main thing is that I have no idea what to do o.O

  6. Mathdelane says:

    Hi, Andrei. I'm sorry to hear that. Can you still access your blog's cPanel? Go to your account's File Manager and double-check via the text editor whether there are PHP files that have been compromised. Also, inform your host about it and seek assistance. I cannot recommend right now that you download your database because of the risk that it has been injected with malware or malicious code that would allow them to keep coming back even if you decide to transfer it and do a clean install. The problem has to be tracked down first. I hope this helps.

  7. David@Wedding Photographer Nottingham says:

    This is really useful stuff, and just the sort of info I've been searching for recently. I have installed WordPress but so far I'm just tinkering and reading scary stories about what can go wrong if you run a blog. Maybe I'll get around to going for it around New Year, but I'm not ready yet. This really helps. Many thanks.

  8. Mathdelane says:

    Thanks for dropping by, David. Let me know if there's anything I can help you with in setting up a blog.

  9. David@Wedding Photographer Nottingham says:

    Many thanks, Mathdelane. I've noticed there's a big debate going on about types of "follow". I don't actually know what that means, what the options are or which is best. I don't suppose you have a basic explanation for me?

  10. Mathdelane says:

    Hi David.
    For SEO (Search Engine Optimization), links are classified into two kinds: "nofollow" and "dofollow". When your site, for example, has outbound links or URLs going to different sites, Google follows the links and counts each as a vote for the site you are linking to, provided the link is set to "dofollow"; if it's "nofollow", Google will not follow the link and therefore no vote is cast for the site you are linking to.

    Google gives a higher page rank to sites that have numerous pages linking to them, as long as the linking sites have a high page rank or are trusted by Google. However, with the current changes in Google's algorithm and its stance against page rank sculpting, it will still follow the links on a web page whether or not they have a "nofollow" attribute.

    Normally, URLs embedded on a page use this code, rel="nofollow", if the site owner doesn't want to share page rank juice.

    I hope this helps, as this is what I thought would be the simplest way to explain it.

  11. David@Wedding Photographer Nottingham says:

    Many thanks, Mathdelane. Much appreciated.

  12. Mathdelane says:

    You're very welcome. Let me know if there's anything I can help with.

  13. dani says:

    Very interesting post. I have some blogs and this post is really useful.

  14. Louis vuitton handbags says:

    I agree when trying to find the plugins I always spend a few minutes trying to remember how to get there again, and there is no “clear” way to download.

    louis vuitton handbags

  15. Dave says:

    Thanks for the tips. I found the "Silence is golden" PHP index file in 3 of my website folders, and I also found 2 users with admin status in my WP. My site isn't that big, so I never checked it, but those files were there for 5 months! The security tips you gave are needed, and I think I've got things straight. Thanks again!

  16. Mathdelane says:

    You're welcome, Dave! I'm glad I was able to help.

  17. On my blog http://www.howtophotoshop.co.uk I think I have been hacked too. I had a user added recently, and then the next day I had the "Silence is golden" message on the / of the site, but the rest of the pages load and admin works, just not the root /, which shows "Silence is golden". I've deleted the user, but how do I get my homepage back?
