WordPress bloggers, beware: you can be attacked and hacked through vulnerabilities in the WordPress platform. This article covers what’s happening and then gives you 12 ways to keep it from happening to you.
That’s right, my friends: WordPress blogs are being attacked, hacked and redirected to other websites without the owners of the blogs being aware. Sounds scary, doesn’t it? Imagine if you had a blog or website earning you hundreds of dollars daily!
Let me back up for a moment for those who aren’t in the know:
It all started for me on June 11, 2009, when I received a desperate call from one of my friends, who runs a very successful, well-known and profitable WordPress blog.
They were almost in tears because the WordPress attacker had used a loophole in their self-hosted blogging platform to accomplish two tasks:
1) Redirect the traffic away from his WordPress blog to another website that was full of links to different affiliate products
2) Replace all of his static websites, using iframe redirection, with erectile dysfunction drug and other pharmacy-type websites.
How did the blog owner find out? One of their readers clicked on a link in the blog to read a post they were interested in and was taken to an affiliate website that had nothing to do with the topics being discussed on the blog.
Thinking it was just an error, they tried again and were taken to a completely different website than the one they had been directed to the first time. That sent up red flags for the reader, and they contacted the owners of the blog.
The really sad part is that by the time the owners of the blog were able to correct the WordPress attack and hack, they had lost approximately $700 in sales that day alone. What’s worse is that here we are exactly a week later, and they are still working on repairing the damage done to their static websites.
What can you do to protect your name, brand, reputation, revenue and WordPress blog from being attacked and hacked?
1. Secure Your WordPress Database –
Create a database for WordPress. WP uses only a few tables, but creating a whole database just for the blog makes it easier to limit access to it.
Create a database user and grant it limited access. Create a user that can access this database only and grant it only the SQL commands it needs in that database (select, insert, delete, update, create, drop and alter).
Pick a strong database password. Make it as random as possible, since you don’t have to remember it.
2. Populate wp-config.php Properly – Use the WordPress secret key generation tool to generate random secret keys. These keys are used to ensure better encryption of the information stored in WordPress users’ cookies.
You also want to change the WordPress table prefix to something other than wp_ by adding random characters and numbers to the end of wp, such as wp64mlm_manual.
3. Replace the Default “admin” Username – Fantastico users are able to pick the admin user and password as part of the installation process. Replace the default so that the admin user name is, for example, myadm instead of admin.
4. Pick a Secure WordPress Password for “Admin” – Your password should combine uppercase and lowercase characters and include numbers.
5. Use Secure Login via an Encrypted Channel – WordPress bloggers who have SSL enabled for their domain should use that encrypted channel to access their WordPress Dashboard. You can force admin sessions over HTTPS by setting FORCE_SSL_ADMIN to TRUE in the wp-config.php file.
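Items 1, 2 and 5 all come down to settings in wp-config.php, so here is a small shell audit, written for this article and not taken from WordPress itself, that flags a root database user, the placeholder secret-key phrase, the default wp_ prefix and a missing FORCE_SSL_ADMIN. The two sample config files it writes are constructed for the demonstration; the key values in the hardened one are made-up strings, not real keys.

```shell
#!/bin/sh
# Audit a wp-config.php for the hardening items above (constructed example).
# Prints one "FINDING: ..." line per weak setting and nothing when clean.
audit_wp_config() {
  f="$1"
  # Item 1: the blog should use a dedicated, limited database user, not root
  grep -Eq "define\([[:space:]]*'DB_USER'[[:space:]]*,[[:space:]]*'root'" "$f" \
    && echo "FINDING: DB_USER is root; create a limited user for the blog database"
  # Item 2: secret keys still carry the wp-config-sample.php placeholder text
  grep -q 'put your unique phrase here' "$f" \
    && echo "FINDING: secret keys still use the placeholder phrase"
  # Item 2: table prefix left at the default
  grep -Eq "^[[:space:]]*[\$]table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$f" \
    && echo "FINDING: table prefix is the default wp_"
  # Item 5: admin sessions are not forced over HTTPS
  grep -Eq "define\([[:space:]]*'FORCE_SSL_ADMIN'[[:space:]]*,[[:space:]]*true" "$f" \
    || echo "FINDING: FORCE_SSL_ADMIN is not set to true"
  return 0
}

# Write two constructed sample configs (weak and hardened) into directory $1.
write_samples() {
  cat > "$1/weak.php" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('AUTH_KEY',  'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
$table_prefix = 'wp_';
EOF
  cat > "$1/hardened.php" <<'EOF'
<?php
define('DB_NAME', 'blogdb');                 // dedicated database (item 1)
define('DB_USER', 'blogdb_user');            // limited-privilege user (item 1)
define('AUTH_KEY',  'x7QlP2#dN9vRbK4!sLmE0zWcU8yHgT6j');  // constructed value
define('NONCE_KEY', 'aB3$fGh7Jk9Lm1Np4Qr6St8Uv0Wx2Yz5');  // constructed value
$table_prefix = 'wp9k2q_';                   // non-default prefix (item 2)
define('FORCE_SSL_ADMIN', true);             // admin over HTTPS only (item 5)
EOF
}

# Demo run: the weak file yields four findings, the hardened file none.
d=$(mktemp -d)
write_samples "$d"
echo "== weak.php";     audit_wp_config "$d/weak.php"
echo "== hardened.php"; audit_wp_config "$d/hardened.php"
```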
6. Upgrade as New Versions Become Available – WordPress bloggers should upgrade once newer versions are issued, because the upgrades address known security vulnerabilities.
7. Update WordPress Plug-ins – It only makes sense to do so once you upgrade to a newer version of WP.
8. Back Up Your Database and Files – Install a plug-in or use a cron job to create backups of your WordPress blog database and files on a regular basis.
9. Disable Directory Browsing – By default on most hosting, directory indexes are shown in web browsers, revealing the entire content of any directory that has no index.html or index.php. You can change this behavior in Apache by adding a line to the .htaccess file in the root directory.
10. Protect WordPress Administration Files – WordPress administration files reside in the wp-admin directory of your WordPress blog. You may use .htaccess to restrict access, or to allow only specific IP addresses to reach this directory and its files. You may also allow access from a range of IPs by way of mod_access.
12. Hide The WordPress Version in the Header Tag.
These practices are nothing new, and WordPress has been telling its self-hosted bloggers that they should be implementing these tactics since day one.
Now the WordPress attack and hack is in full effect, and millions of bloggers are going to wake up one day and find that all their hard work, effort and revenue is gone.
I beg all WordPress users to take emergency steps to protect themselves starting today! While I have listed what can be done in this article, there is so much more that wasn’t covered, so I highly recommend that you take the time to research the resource I will mention in my bio below, because it is how my friend and I are now protecting ourselves from the WordPress attack and hack.