Protecting Your Blog from Hackers

Want to know what one of my pet hates is these days? WordPress blogs that are targeted by hackers. There are people out there who have nothing better to do with their obvious not so precious time than to figure out ways to piss bloggers off by hacking their WordPress installs and doing all manner of damage from replacing the homepage with some piece of mindless bollocks to even destroying the whole database. Why does this annoy the hell out of me?

So far I’ve had my fair share of hackers replace the homepage of a number of my blogs with some anti-American slogans. Pity I’m not American or I might have been a tad upset by the hatred that certain factions level at that country’s people, but as I’m not, I’m not. I’ve even had a whole database wiped out on one site by some clever hacker and to be honest, I would love to know how they did it. Like getting past the supposed WordPress security. But there is another kind of hack that is happening here and there that is probably more worrying, or it would be if it were perpetrated by anyone with a few brain cells.

Its where a hacker is getting access to a blog’s content and somehow replacing in-post links with their own urls. Now, so far this hasn’t happened to me but it has happened to a few blog owners I know. Luckily for them, the hacker has very limited SEO knowledge, because they are just replacing a lot of links with the same url or urls pointing to the same site. Not very bright. Its too easy to spot for one and for another, it provides whatever Internet policing agency that is concerned with this kind of thing a line of investigation so they can catch the perpetrators.

But again, I would be very interested in knowing how they are doing this. It is potentially very powerful information when put into the right hands. In the wrong hands, it is just a means to spam and is soon uncovered and eliminated.

I know a much better use for this knowledge, but I won’t disclose how it could be used to great effect, just in case anyone is reading this. But enough of that. More importantly, how do you protect yourself from this kind of attack, or any of the other hacks that are being perpetrated on WordPress users?

There are a number of things you can do to if not eliminate the threat, at least minimize it.

Worpress Blog Security

If you have a weak user password, then now might be a good time to change it to something stronger. Go for at least 12 characters and include special characters like “$”, “?”, etc as well as upper and lowercase letters and numbers. Jumble it all up so it is incomprehensible and then keep a record of it in a book or diary somewhere so it is not kept anywhere it can be accessed by hackers. Like your own PC or laptop.

Computer Security

Your own PC or laptop is vulnerable to trojan programs and other tricks that can read your keystrokes and files and transmit them to servers where hackers can then use the information to gain access to your computer. If you use a public WIFI, chances are it is unsecured and any hacker with minimal knowledge can access your laptop’s files. Protect your computer by at least having a good virus checking program and back that up with a third party firewall. Don’t rely on the Microsoft firewall that came with your computer because every hacker and his dog are constantly looking at ways to “get Bill Gates” and infiltrate the MS software. better a program like ZoneAlarm or something similar.

Server Security

This is one that most novices will not have a clue about, but is worth investing some time in learning. If you have your own hosting account for your blog, then make sure that the security is set to the right parameters for your files. A standard WP install will set the file security to what it is supposed to be, but if you have changed anything, make sure you change it back. Never chmod any files to 777 and not reset them to the 644 which is what most of the files should be.

Database Security

Make sure the mysql database password is something nice and strong, although there is a big problem with the way WordPress interacts with mysql, at least from where I’m looking. There is a file called wp-config.php and in this file is stored the mysql database user name and password. The file is anyone readable, usually with a 755 security setting. That means anyone who can get access to your server via ftp can then read that file. If they can read that file, they can access your database, change things in it or delete it if they want. That’s why it is important to have a secure server, but servers get hacked and accounts get accessed. It happens.

This is a great vulnerability not just for WordPress, as that’s the way it and most other database CMS systems work.

Another Line of Blog Defence

There is another line of defence that you can use to protect your blog, or at least have you notified immediately anyone tries to hack into it. There is a free plugin called “Worpress Firewall II” that you can easily install using the Pligin Installed that you’ll find in the left toolbar in your Admin panel. Its just another level that hackers have to fight their way past to gain access to your blog. It will alert you via email whenever there is an attempted attack on your blog and it will tell you what files or areas of your database the attempts have been made on and whether it has successfully blocked them or not.

If you haven’t got it already, then you might want to get it. It has saved some of my blogs just lately.

Last Resort Defence

There is one last line of defence that really is a last resort and one that I am increasingly turning to with my sites. I have a lot of self hosted websites, we’re talking well over 100 and managing that many blogs is just not possible for one person. So I made a conscious decision a long time ago to stop installing WordPress blogs on new domains I was buying and instead set the sites up as static html pages instead. It is not as convenient and posting content takes a little more work, but the advantages for me far outweigh any inconveniences.

Static sites have no database to manage, and therefore no database for hackers to attack. The overhead on the server is minimal compared to a CMS. I host my sites across a number of different hosts and hosting companies. It happened recently where I was dissatisfied with one host and decided to pull my sites off and host them elsewhere. It took me just the time to tell the old host that I was cancelling, ftp the files up to the new host and change the nameservers at my registrar. No backing up databases and moving blogs. Easy peasy!

I also know of at least one hosting company that gave a friend of mine some real headaches when they locked his account and would not give him access to his files. That meant he could not move his blogs. Now if those sites had been static, it would not have been a problem.

So 90% of my sites are now static. I have even changed several smaller blogs back to static sites and now only have a handful of large blogs to manage, which is much easier, especially as WordPress are forever bringing out new updates and plugins get updated frequently too. Only having to make sure a handful of blogs are up to date with their software is far easier than going through a hundred or so blogs and updating them all!

Just food for thought. If you only have one or two blogs, then of course its not such an issue for you. But if you could run those sites as static and really have no need of them even being blogs, then you can save yourself a lot of headaches if and when some nice hacker decides to set their radar on your blog and do all kinds of not very nice damage to it. Changing them to static (if you have the html knowledge to do that, of course) stops them dead in their tracks.

For me, blogs with a dozen or so posts or less are prime candidates for converting to static because they just don’t warrant being blogs! Anyway, what you do with your sites/blogs is up to you. I’m just saying how I run mine and protect as much as I can from blog hackers.

Terry Didcott