Quite a few people have asked me questions about ProBlogger being hacked last week. Questions have ranged from ‘do you know who did it?’ to ‘have you found out how they did it?’ to ‘how can we protect ourselves from being hacked?’
By the way – my blogging buddy Andy Wibbels has had his blog hacked in the last couple of days also and his blog is currently down. This is unfortunately becoming more common.
I’m not going to go into great detail of what happened, how or who it was (I’m not sure how wise it is to get into those details for a variety of reasons) but I will make a few general comments and give a few pieces of advice when it comes to blog security and protection.
Disclaimer – I am not (and never will be) an expert in web security. Don’t take my advice as gospel for all systems/set ups and seek professional advice if in doubt.
1. Update your Blog Software – blog platforms periodically update their versions for a variety of reasons one of which is security. Old versions of some platforms expose your blog and server to being hacked.
2. Keep an Eye on Dead Blogs – I suspect that of the 50 million or so blogs that technorati are tracking that many of them are non active blogs on old blogging platforms. One of the dangers of retiring a blog and not updating it is that you can have old and un-updated blogging platforms sitting on your server which could prove to be a vulnerability in your set up. Even if you’re not actively updating a ‘dead blog’ you should consider updating it’s version.
3. Backup your Blog – being hacked does happen, even to the smartest bloggers from time to time. When it does happen you need to have some way of getting your blog back up and running and a backup is an essential part of this.
4. Protect Your Passwords – this goes without saying but I’m constantly surprised by the stories I hear of people using obvious passwords or giving them out. Basic password protection strategies and common sense should prevail.
5. Choose Your Host Carefully – I am in the fortunate position of having a quality host who offers me personal and comprehensive help in those times when things go wrong. Without this I don’t know what I’d have done.
As I say above, I’m no blog security expert and I would invite those that have expertise and experience in this area to comment below for the benefit of the wider blogging community.
If you’ve written or know of posts on this topic with good solid advice please feel free to give us links to them below as it’d be helpful to have a bit of a collection of advice on the topic.
I have been running blogs since 2002 and over this time have been hacked about 3 times. Not always through wordpress but rather my host.
A good host should provide backups, (my current does every night I believe) unfortunately my last did not. I made backups, but my last was over a month old, lost many posts and forum posts etc.
I now regularly backup my blogs!, I have learnt my lesson.
Darren, you should listen to your own advice point #1 :). 2.0.4 has been out for over a month now and has over 50 bug / security fixes!
Backups really are the best defense for getting up quickly, and my best advice for ensuring you’re always covered is to activate the backup plugin which comes with WordPress, and then download the ‘WP-Cron’ plugin from the same author here:
http://www.skippy.net/blog/category/wordpress/plugins/wp-cron/
Cron can interact with a number of things such as making your dashboard page only update once an hour rather than whenever you load it thus slowing you down, but its beauty lies in the ability to automatically back up and email you a copy of your database every day.
I simply installed it a few months ago and let it fire off its daily backups to my Gmail address. You can also have it store them on the server (less secure though if your whole FTP gets nuked).
Very useful.
I am surprised no one has mentioned the obvious:
Try not to make people mad. Although I am sure Darren never got on anyone hit list by making them mad, a lot of hack-attacks occur because of anger.
And, try to keep your own computer up to date. Whether your on Mac OS X, Windows, or Linux keeping up to date with security updates is critical. All it takes is a simple keylogger to ruin your day.
First line of defense will be your password. Always use numbers, letters and special characters (shift+1,2,3etc). Always use upper and lower case letters. If you use a dictionary word for your password then there is a chance that a cracker can get in with in minutes.
Second line of defense will be your updates. When a security flaw is discovered it gets released like wild fire to certain underground blogs and web forums. I’ve seen full tutorials on how to hack stuff and all a cracker needs to do is follow a step by step tutorial for some certain unpatched software and they’ll get in. They actively use google to search for version numbers. Just type in something like “Vbulletin version x.x” or something and you’ll get a bunch of unpatched forums that have cracks available for them. Ofcourse, it is always a good idea to hide your version number from visitors. Lots of software just displays version numbers to the public so they can google and find your unpatched site and attack it.
Finally, find a reputable host. You get what you pay for. I actually knew 13 year old kids selling web hosting after they got an unmanaged server from everyone.net for $100 per month. Their prices were great but everything else was terrible. I personally use http://www.asmallorange.com (If you decide to use them please put “garg” in the who refered you field ;) )
So yeah.. security is a very important part of a probloggers job :)
You’ve forgot to mention the best way to protect your blog comments from being hacked: Don’t have blog comments at all. This is the only way to guarantee that you are protected.
Ian Anderson > How does disabling blog comments guarantee that you are protected? I don’t think that would guarantee anything :)
The Big Chris’ blog was hacked by some Iranians recently. He was featured on lovelyblogs for having a nice layout. I saw the original, then dropped by at the time it was hacked, and it was some green/black matrix type of crap. Blog security (especially for popular blogs) is a developing field.
An interesting related topic is people hijacking a site for the SERPs. Apparently there’s messy ways of playing with code that can redirect a ranking site to some hacker’s. Just goes to reinforce the importance of protection … consider the commercial losses to a site dependant upon search engine traffic!
How can your comments be hacked if they are turned off? If they can be, then someone better tell me because I feel safe not using them.
No matter how up-to date your software is hackers always find a way. The best way to protect your blog is to back it up daily as Darren mentioned.
Ian, this post isn’t about comments being hacked and thus far you’re the only one who’s mentioned them.
This post is talking about either server or WordPress flaws that can be exploited to take down a server. Whether you have comments enabled or disabled would make no difference whatsoever in such a case.
This is very instructive: is an ‘online’, hosted blog by a large firm less vulnerable to hacking than a smaller blogging organization? I know of one firm which lost a bunch of servers to … who knows … but they lost the servers … and it took months to get them to restore some blogs.
Great post Darren. We lost everything on http://www.CrimsonLight.com a few years back due to a hacker. That is a terrible thing to have happen.
My first love is computer security (well, maybe women, wine and song first): That said:
Yes, backup absolutely.
Chose long complex passwords – non-alpha numeric like “ahs%^gg6**” – preferably something you can remember! How about “1wRnRenaped” – short hand for the songtitle “I wanna Rock n Roll every night and party every day” – complex yet easy to remember. Hopefully y’all get the idea.
Keep software updated.
** Turn off any unused and unnecessary services. Often it’s the host, NOT the blog software, that gets hacked and allows a hacker to get in initially.
** Protect again the SANS top 20 vulnerabilities (sans.org)
Now if you use a hosted service like typepad.com, it’s their responsibilty (you still need a good password), but it’s STILL your problem if hacked.
My apologies. For some reason I had comments in my head. And I don’t know how it got there. I must have got the idea stuck in my head from another blog or something. Please disregard my previous posts. And thanks for the corrections. I’ve had a bad day, so it shouldn’t surprise me that I got this confused..
I had my main site hacked, it ended up being at the host level. But I have since established separate logins for the blog – if a password somehow is compromised maybe I won’t lose both.
The solution to having a BLOG that is more difficult to hack is to not manage it. Instead of installing wordpress yourself and then updating it periodically, a user is better off using blogspot.
It is easy to direct post from blogspot onto your own server and then backup the files that were created.
Backup is not a solution. It’s just a bandage. If you don’t find the security hole, even a hundred backups won’t help — you’ll still get hacked right after you restore your blog.
Here are my suggestions:
1) Check for the latest news/updates from your blog application especially for vulnerability reports.
2) Inspect each and every blog plugin/extension you are using and make sure you are using the latest version.
3) Check and double-check you blog’s file permissions. For example, WordPress files should only have at most CHMOD 755 or 644. Watch out for files or folders with CHMOD 777 as these are open to anyone to modify or upload malicious scripts.
4) Check your PC for keyloggers/emailers which could sniff your passwords.
5) If on a public Wifi network, make sure to enable your firewall and use some sort of encryption when connecting to FTP or your web host Control Panel.
Ryan Williams has a great point, and that is what I do. I use the backup that comes with wordpress, plus the same author’s cron agent, and I have it email the backup to a gmail account every night. This way, if my host goes down or decides that they do not like me, they will not have my emails held hostage. With 2 GB of storage, you can keep a lot of backups in a gmail account.
Security is important. Coming up with a system for updating everything as quick as the updates are available is important.
A good, strong password is also great to have.
This is something I can’t and never will understand. What joy does one get by hacking blogs?
I’d been hacked a number of times on other blogs. A couple of them was beyond salvage. I cried for a few nights and couldn’t concentrate on writing for weeks.
As bloggers, you know the amount of time/energy (blood) pour into the writing. No matter how prolific the blogger is, it’s very difficult to get in the ‘zone’ after an attack.
I’m not a revengeful person by nature, but I always believe in one thing – What goes around comes around! It just a matter of time for it to happen.
I have to admit, I love this blog. I’m VERY new to blogging and reading all of this helps me to understand the dangers of the internet a little bit more. It’s kinda interesting how people evolve. Before, people just mugged and hijacked cars, now they hijack websites and ranking! Now, when you say “back everything up” does that mean having a copy of everything you wrote on your computer as well? Why is that? Why would you lose everything? Sorry, I am a bit of a novice when it comes to the computer and everything else with it.
Teresa, anything you write on your computer is probably safe from anyone hacking your blog/host. Of course, it’s a good habit to regularly back up files on your computer too just in case you get hit by a virus or something. :)
As long as you do the automatic database backup I mentioned in my comment above, you should be able to easily restore all posts (perhaps with a little help from your host) should your blog get taken out.
It’s worth noting that a database backup doesn’t include the files physically on your (FTP) hosting account, so it’s a good habit to occasionally download the contents of your /wp-content/ folder. Then, when reinstalling your blog after a hack you can simply download/install the latest WordPress, then replace the included /wp-content/ folder with your own.
The last tip isn’t quite as important to do as the database backup though since all the /wp-content/ folder contains is plugins, themes, and uploaded images. Sure, they’re good to keep safe, but nowhere near as much as your posts. ;)
Renée, there are many reasons why people might hack someone’s blog. You need to realize that many of these hackers are high school kids who are doing this for fun.
Some may think it is funny to destroy someone’s blog. In fact, they would get a huge kick out of knowing that you were so devastated over your site being killed.
Others are doing it because they are bored and it gives them something to do. Just like kids who go out and toilet paper people’s lawns at night.
And still others may do it for the challenge. They get a sense of accomplishment out of breaking your sites security.
There are many other reasons, but it is important to know why people may hack you blog. The more you know how people think, they better off you’ll be.
Backups would be important even if hackers did not exist. I do regular blog backups with SuperBot, which requires no plugins, passwords, or integration with WordPress.
Unlike a set of emails or database files, the backups created by SuperBot can be viewed as web pages inside your browser (including theme style and comments).
After my main blog been hacked by Indonesians, Turkish and Brazilians, I wrote an article about the ‘template and push-button blog’ vs ‘complete CMS/blog soft’, and ‘self-made/installed blog’ vs ‘hosted’ ones, considering security isues and task loads.
Considering security issues, general tips as these ones wroten by Darren are common, so are they interesting and so is it necessary to follow them. But each of these choices that I pointed, need particular check-list to be followed, and some can be time-consumming.
The Ian Anderson’s comment is not so bad, I have to say it’s an important one, and isn’t off-topic: if you disable comments, you -can- improve security. But don’t forget that most hackers and crackers are… hackers! I mean: coders, programmers or whatever you call it. So, if they know your blog system/software, they know which files does manage comments on the server, and their path, and can find a way to exploit them anyway! Disabling comments (or any other functionality) can’t be the ultimate solution, as it depends of the hacker/cracker ability, and of the blog system programmer. If you can rename or remove these files from the server, yeah you’re safe! But depending of the software and of your knowledges, this solution can be risky (disclaimer, here ;-)). But it worked for me, even if the bad boys try to hack my main blog… everyday!
That’s why the first point in the Darren’s list is important: ‘Update your Blog Software’: even if you can’t rename or delete files, hackers/developers secure them… day by day, really!
Great post, I agree that updating and backing up your blog is the best idea. Keep the posts coming!
[…] Problogger has included a post on Blog Security – Tips on Keeping Your Blog from being Hacked which is quite topical considering the number of high profile blogging hackings lately […]
I have add some trouble, at times, to log on, and i think, its so vital to make backups…
so many times, you say, i will do it later, then you relaize, when you lose things, its so heart breaking…
key word; backup! even now..
john
http://www.justworkhome.com
[…] Problogger has another post that you should definitely check out if you’re a blogger or own a web site. If you read Darren’s blog regularly or subscribe to his feeds, you’ll remember that his blog was hacked a short while ago. He has posted Blog Security – Tips on Keeping Your Blog from Being Hacked in response to the attack. […]
Thankfully it wasn’t a real hacking – just outages mixed with strangeness. I’m typing it all up for the week. Back in business. Thnx!
Blog Security – Tips on keeping your blog from being hacked…
Blogging tips on how to keep your blog hacker free…
I forgot to update my personal blog to WordPress 2.0.4 and, what do you know, it got hacked rightaway..
Thank god I run even non-wordpress sites
http://www.pimplabs.com
[…] Professional bloggers like Darren Rowse reflects here on a few security tips he has for keeping your blog safe from hackers, after his friend just recently got hacked. […]
[…] chances of your blog being hacked and some of the best tips i found were in the Problogger article Blog Security – Tips on Keeping Your Blog from being Hacked which […]
Darren, some great points. Can I suggest you check out http://blogsecurity.net
Our guys have spent alot of hours putting together security resources for bloggers and social networks.
Great work Darren, keep it up.
Here are a few WordPress Plugins that will help out with upgrading the WP version, and backing up WordPress:
InstantUpgrade (backup before using this, just in case.)
BackUpWordpress
Oh, and I like (mt) for my web hosting. :)
nice post :), I sure do not want my blogs being hacked!
Good advice. I’d never been hacked then last week two of my blogs got hit.
Guess who didn’t have back-ups? Stupid I know, especially when I discovered how easy it is. Now I have automated back ups and once a week I back up the entire hosting account. Takes 2 minutes.
Like you say, virtually impossible to stop but now if it happens I can be back to normal in an hour instead of wondering how to recover a years worth of posts.
I think blog hacking always starts on your computer. So why don’t we try to start on defending our own computer first. As alway we start on a really reliable Antivirus and Antispyware. Well to acquire a good reviews try searching on site that gives studies and good information. Like this sites (http://onecare.live.com/standard/en-us/3/default.htm) and (http://www.systemsecurityinstitute.org/) this sites can provide good reviews and will help you out on protecting your system. Also have a good web host for your site. The ones that I can recommend is Blogger and Host gator. Just try to follow this blog and you will have the secured blog site that you want.