How my Blog Got Hacked

Those of you who read yesterday’s post know that SEOlogs got hacked. Other than using some harsh words toward the “Admins” of the site, they didn’t really do any real damage. They only uploaded a file, ‘index.html’, which contained white text on a black background, claiming my blog as being “Hacked by ….”.

Upon further inspection of my FTP logs, I found that somehow a PHP file had been uploaded to my /wp-content/plugins directory. This may have been due to either my old WordPress install (v 2.1) or a lack of security in the server configuration where this blog lives. Either way, when I navigated to the file in my browser, this is what I saw:

[Screenshot: Hacker CP]

It looks like this script gave the hacker pretty much full access to the site. Not good at all, but I’ve definitely learned my lesson.
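The uploaded script was only noticed by reading the FTP logs after the fact. As an added example (not code from the original post), here is a small file-integrity check in Python: hash every file under the site root once while it is known to be clean, keep that manifest with your backups, and diff a later scan against it so that a new or altered .php file in wp-content/plugins stands out immediately. The directory layout, file names and file contents below are constructed for the demonstration.

```python
"""File-integrity baseline for a WordPress install (added example).

Build a manifest of SHA-256 hashes for every file under a directory, then
diff a later scan against it so an unexpected upload such as a control-panel
script dropped into wp-content/plugins shows up as an 'added' entry.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk=65536):
    """Return the SHA-256 hex digest of one file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, POSIX separators) to its hash."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def diff_manifests(baseline, current):
    """Return sorted lists of added, removed and modified paths."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def suspicious(changes):
    """Added or modified files the web server would execute (.php and friends)."""
    exts = (".php", ".phtml", ".php5")
    candidates = changes["added"] + changes["modified"]
    return sorted(p for p in candidates if p.lower().endswith(exts))


def demo():
    """Constructed scenario: clean plugins dir, baseline, then an unexpected upload."""
    with tempfile.TemporaryDirectory() as root:
        plugins = os.path.join(root, "wp-content", "plugins")
        os.makedirs(os.path.join(plugins, "akismet"))
        with open(os.path.join(plugins, "akismet", "akismet.php"), "w") as f:
            f.write("<?php // legitimate plugin (constructed sample)\n")
        with open(os.path.join(plugins, "index.html"), "w") as f:
            f.write("")
        baseline = build_manifest(root)
        # Store the baseline next to your backups; JSON keeps it readable.
        saved = json.dumps(baseline, indent=1, sort_keys=True)

        # Later: an unknown script and a replaced front page appear (constructed).
        with open(os.path.join(plugins, "cp.php"), "w") as f:
            f.write("<?php // constructed stand-in for the uploaded script\n")
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("defaced placeholder (constructed)\n")

        changes = diff_manifests(json.loads(saved), build_manifest(root))
        return changes, suspicious(changes)


if __name__ == "__main__":
    changes, flagged = demo()
    print(changes)
    print("executable files to inspect:", flagged)
```

Run it from cron against the real web root with the saved manifest and mail yourself the `added` and `modified` lists; anything executable that you did not upload yourself is worth a look before the next visitor finds it.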

Some steps you can take to secure WordPress

  1. Backup the database and files often
    WordPress makes it really easy to back up your database, and you should do it at least once per month, if not more. Backing up files isn’t quite as easy, but if you’re anything like me, and you’ve spent a great deal of time tweaking and customizing your WordPress theme, you definitely need to take some time and make a backup.
  2. Keep WordPress Updated
    WordPress doesn’t work hard to release new versions just for the fun of it. Many times, these updates fix serious security flaws in the previous versions. And no matter what, it’s always only a matter of time until some hacker finds the next vulnerability.

    So keep it updated.

  3. Make sure that directories are protected
    This site is hosted with Dreamhost, and for some reason, their default server configuration allows viewing of the contents of directories that don’t have an index.html or some other default page. I was able to remedy this by adding a line to the .htaccess file in the web root:
    Options -Indexes
    This blocks the contents of folders from being viewed.

    If you can’t do that, you should place blank ‘index.html’ files in every directory, especially the plugins directory (where they got me).

  4. Don’t link to WordPress
    Hackers can easily use Google to search for a list of WordPress blogs that are potentially vulnerable to whatever hack they are using. Seriously, it’s just as easy as this: link:wordpress.org

    Don’t get me wrong, I love open source as much as the next guy, and if you really feel strongly about giving credit to WordPress, you can always use javascript to print out a credit:
    Example

    It would be pretty difficult for any spider to read that bit of javascript, and you still give props to WordPress.

  5. Don’t advertise your WordPress versions
    If I’m a hacker who knows that WordPress version x.x has a vulnerability, it’s really easy to find a list of potential victims by searching for something like this: Powered by wordpress version *.

    Get rid of lines containing bloginfo('version') and $wp_version everywhere in your theme, like:
    WordPress <?php bloginfo('version'); ?>
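    Finding every such line by hand across a customized theme is tedious, so here is an added example (Python, not from the original post) that scans a theme directory and lists each line matching the disclosure patterns above: bloginfo('version'), $wp_version, and the get_bloginfo('version') form. The theme files it scans are constructed samples written to a temporary directory.

```python
"""Scan a WordPress theme for lines that print the WordPress version (added example)."""
import os
import re
import tempfile

# Each pattern tolerates either quote style and optional whitespace.
DISCLOSURE_PATTERNS = [
    re.compile(r"""(?:get_)?bloginfo\s*\(\s*['"]version['"]\s*\)"""),
    re.compile(r"\$wp_version\b"),
]


def find_leaks(lines):
    """Return (line_number, stripped_line) for each line that leaks the version."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if any(p.search(line) for p in DISCLOSURE_PATTERNS):
            hits.append((number, line.strip()))
    return hits


def scan_file(path):
    """Open one template and run find_leaks over it."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return find_leaks(f)


def scan_theme(theme_dir):
    """Map each offending .php file (relative path) to its hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(theme_dir):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                rel = os.path.relpath(full, theme_dir).replace(os.sep, "/")
                findings[rel] = hits
    return findings


def demo():
    """Constructed theme: footer.php leaks the version twice, header.php is clean."""
    with tempfile.TemporaryDirectory() as theme:
        with open(os.path.join(theme, "footer.php"), "w") as f:
            f.write("<p>Powered by WordPress <?php bloginfo('version'); ?></p>\n"
                    "<?php global $wp_version; echo $wp_version; ?>\n")
        with open(os.path.join(theme, "header.php"), "w") as f:
            f.write("<?php wp_head(); ?>\n")
        return scan_theme(theme)


if __name__ == "__main__":
    for path, hits in demo().items():
        for number, text in hits:
            print(f"{path}:{number}: {text}")
```

Point `scan_theme` at wp-content/themes/<your-theme> and fix each reported line; rerun until it reports nothing.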

  6. Change your password often
    I’ll admit that I don’t do this often, because I really don’t feel like memorizing new passwords every week, but it would make things a lot more secure. If you are still feeling stubborn, then you should definitely follow the next suggestion.
  7. Use strong passwords
    This will help protect against dictionary attacks. Just adding some numbers and non-alphanumeric characters will make it much more difficult to crack.

    So instead of using a simple password like “domainer”, try using “D0m41ner”. The numbers look like letters, so it’s easier to remember, but still strong.

  8. Rename the default “admin” login
    It is somewhat difficult to do this, since you can’t change the name of the “admin” user via the WP control panel. You’ll need to have access to your MySQL database to do this. It’s easiest to use phpMyAdmin if you have it. You can edit the users table directly:

    Here’s the SQL query to use:
    UPDATE wp_users SET user_login = 'new_username' WHERE user_login = 'admin';

  9. Protect your login page
    It’s a good idea to limit the number of failed login attempts allowed. It’s not an easy thing to do, but there is a good WordPress plugin (Login LockDown) available that does this for you.
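    To show what “limit the number of failed login attempts” means in practice, here is an added example in Python (not the Login LockDown plugin’s code): a sliding window that counts failures per (username, client IP) pair and refuses further attempts for a lockout period once too many failures land inside the window. The thresholds, the fake clock and the credential check are assumptions made for the demonstration; a real deployment would keep this state in the database or a shared cache rather than in memory.

```python
"""Failed-login throttle with a sliding window and a timed lockout (added example)."""
import time
from collections import defaultdict, deque

MAX_FAILURES = 5        # assumption: failures allowed inside the window
WINDOW_SECONDS = 300    # assumption: sliding window length
LOCKOUT_SECONDS = 900   # assumption: how long a lock lasts


class LoginThrottle:
    def __init__(self, clock=time.time):
        self.clock = clock                  # injectable so tests can control time
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> unix time the lock expires

    @staticmethod
    def _key(username, ip):
        # Keying on the pair keeps one remote host from locking out the real
        # admin for everyone else by hammering the username alone.
        return (username.lower(), ip)

    def _prune(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_locked(self, username, ip):
        key = self._key(username, ip)
        if self.locked_until.get(key, 0) > self.clock():
            return True
        self.locked_until.pop(key, None)    # expired lock: forget it
        return False

    def record_failure(self, username, ip):
        """Call after a wrong password. Returns True if this failure triggered a lock."""
        now = self.clock()
        key = self._key(username, ip)
        self._prune(key, now)
        self.failures[key].append(now)
        if len(self.failures[key]) >= MAX_FAILURES:
            self.locked_until[key] = now + LOCKOUT_SECONDS
            self.failures[key].clear()
            return True
        return False

    def record_success(self, username, ip):
        """A correct login clears the failure history for that key."""
        self.failures.pop(self._key(username, ip), None)


def attempt_login(throttle, username, ip, password, check_password):
    """Return 'locked', 'ok' or 'denied'; check_password is the real credential check."""
    if throttle.is_locked(username, ip):
        return "locked"                     # do not evaluate the password while locked
    if check_password(username, password):
        throttle.record_success(username, ip)
        return "ok"
    throttle.record_failure(username, ip)
    return "denied"


def simulate():
    """Constructed run: five bad passwords, a refused correct one, then expiry."""
    clock = [1_000_000.0]
    throttle = LoginThrottle(clock=lambda: clock[0])

    def check(user, pw):                    # constructed credential check
        return (user, pw) == ("admin", "correct horse")

    results = []
    for _ in range(5):
        results.append(attempt_login(throttle, "admin", "192.0.2.10", "wrong", check))
        clock[0] += 10
    # Right password, but the pair is locked after the fifth failure.
    results.append(attempt_login(throttle, "admin", "192.0.2.10", "correct horse", check))
    clock[0] += LOCKOUT_SECONDS + 1
    results.append(attempt_login(throttle, "admin", "192.0.2.10", "correct horse", check))
    return results


if __name__ == "__main__":
    print(simulate())
```

The important detail is that a locked pair is refused before the password is even checked, so an attacker cannot learn anything from the response during the lockout; the same logic is what a plugin hooks into the login form.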
  10. Keep important pages out of search engines
    Make it even harder for hackers to identify your WordPress blog by blocking spiders from viewing your important WordPress files.

    /wp-admin/
    /wp-app.php
    /wp-atom.php
    /wp-blog-header.php
    /wp-comments-post.php
    /wp-commentsrss2.php
    /wp-config.php
    /wp-content/
    /wp-cron.php
    /wp-feed.php
    /wp-includes/
    /wp-links-opml.php
    /wp-login.php
    /wp-mail.php
    /wp-pass.php
    /wp-rdf.php
    /wp-register.php
    /wp-rss.php
    /wp-rss2.php
    /wp-settings.php
    /wp-trackback.php

    Aside from /wp-login.php and /wp-register.php, most of these would never get indexed anyway, but it never hurts to be on the safe side.

    A simple solution would be to add this to your robots.txt file.
    User-agent: *
    Disallow: /wp-*

    This would work fine as long as you don’t have any pages that begin with “wp-” that you do want search engines to find. In that case, you would need to specify each of the pages that you want to block.
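    The caveat above is easy to check before you publish the file. Here is an added example in Python (not from the original post): a minimal matcher for the wildcard syntax the major crawlers accept in robots.txt (“*” matches any run of characters, a trailing “$” anchors the end), run against the one-line “/wp-*” rule and against an explicit per-path list. The “/wp-tutorial/” path is a constructed stand-in for a public page whose slug happens to start with “wp-”.

```python
"""robots.txt Disallow matcher for checking the '/wp-*' shortcut (added example)."""
import re


def rule_to_regex(pattern):
    """Translate one Disallow pattern into an anchored regex ('*' wildcard, '$' end anchor)."""
    anchored = pattern.endswith("$")
    body = pattern[:-1] if anchored else pattern
    parts = [re.escape(p) for p in body.split("*")]
    return re.compile("^" + ".*".join(parts) + ("$" if anchored else ""))


def disallowed_patterns(text, agent="*"):
    """Collect the Disallow values in the group for the given user-agent."""
    patterns, active = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            active = value.lower() == agent.lower()
        elif field == "disallow" and active and value:
            patterns.append(value)
    return patterns


def is_blocked(path, patterns):
    """True if any pattern matches the path from its start."""
    return any(rule_to_regex(p).match(path) for p in patterns)


# The shortcut from the post, and an explicit list for the case it cannot cover.
WILDCARD_RULES = "User-agent: *\nDisallow: /wp-*\n"
EXPLICIT_RULES = "User-agent: *\n" + "".join(
    f"Disallow: {p}\n" for p in (
        "/wp-admin/", "/wp-login.php", "/wp-register.php",
        "/wp-content/", "/wp-includes/"))

# Constructed sample paths: four WordPress internals and one public page.
SAMPLE_PATHS = ["/wp-login.php", "/wp-admin/", "/wp-content/plugins/",
                "/wp-tutorial/", "/about/"]


def report(robots_text, paths=SAMPLE_PATHS):
    """Map each path to whether the given robots.txt would block it."""
    patterns = disallowed_patterns(robots_text)
    return {p: is_blocked(p, patterns) for p in paths}


if __name__ == "__main__":
    print("wildcard:", report(WILDCARD_RULES))
    print("explicit:", report(EXPLICIT_RULES))
```

The wildcard file blocks “/wp-tutorial/” along with the real WordPress files, which is exactly the situation where the explicit list is the right choice. Remember that robots.txt only asks well-behaved spiders to stay away; it does not stop anyone from requesting those paths directly.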

For more information on hardening WordPress, I suggest you check out what WordPress has to say on the topic here.