Yesterday morning I woke up early to make my wife breakfast in bed for Mother’s Day. I didn’t have buttermilk for my waffle recipe, so I mixed milk and lemon juice to make my own. It actually works quite well; it needs to sit for about 5 minutes to go sour, so I figured I would check my email real quick while I waited.
“Your site has been compromised,” was the email from Peter, my webmaster.
My WordPress blog had been hacked, and I wasn’t sure what to do about it. There has been a scourge of malware attacks on WordPress blogs lately, and it seems to be hitting GoDaddy, DreamHost, Bluehost and Media Temple servers. With the help of a friend at WordPress and my webmaster, we had the hack on my blog fixed in just a couple of hours. No privileged information was compromised (why would I put confidential information on my blog?) and luckily it hit on the weekend, when I have less traffic to my site, but the fact remains that my site was vulnerable. That wasn’t a good feeling.
The injected code redirected visitors to a site that pretends to scan your computer for security threats. You can find more information about it on the WordPress discussion board:
WordPress has already come up with a plugin to identify the bad code so that you can delete it. Here it is:
The bigger question remains: how do I make sure my site is never hacked again? In one sense, I can understand that using WordPress is like using Windows: it is so hugely popular that the same size that attracts developers also attracts attackers. You can find thousands and thousands of awesome free plugins, but you also have a higher likelihood of being attacked. I would still rather never be hacked. So what can be done to keep your blog safe?
This Friday, May 14th, at 12:00 PM EST, I will have on the conference call Raanan Bar-Cohen, VP of Media Services for Automattic and the open source project WordPress. Having been a Technology Strategy Consultant to Time Magazine and Director of Product Strategy for Dow Jones (Wall Street Journal), Raanan knows his technology. So the big question he will be answering this Friday is:
Can professionals trust WordPress to host their blogs?
With companies like the BBC, the New York Times and CNN all using WordPress platforms, obviously there are ways. So what steps do professional firms need to take to keep their blogs secure? He will also be giving some pointers to help professionals make the most of their blogs.
One question we won’t be answering on the call: how do you make buttermilk waffles? That will have to be the topic for another blog post.
Click here to sign up for this Friday, May 14th. Starting this month, we will be holding calls at 12:00 PM EST. If you have any questions for Raanan or myself, feel free to email them to email@example.com and we will answer them during the call.
Security and safety are a shared responsibility between your hosting company and yourself.
Simple things you can do:
1. Strong password. I use a phrase that is easy to remember and take the first letter of each word in the phrase. Make sure to capitalize a few of the letters, and add some numbers and extra characters.
ex. Jack and Jill went up the hill J&jwutHi1!
2. Keep WordPress updated with the latest versions.
3. Change passwords on regular basis.
4. Sign up for the security update notices from WordPress and your hosting company.
Minimize the damage and downtime after being hacked:
1. Schedule regular backups of the database (there is a free plugin for this) and of the files; usually you can set that up in your hosting service’s control panel. Either have the files emailed to you or, if they are too large for email, save them temporarily on the server and download them to your local machine. Delete the backup copies from the server after downloading. Typically, after the initial backup of the files, you do not have to back them up again unless you have changed the core files. The directory most likely to need regular backup is anything uploaded by users.
2. Change the user name and password of all your accounts immediately. If you used the same password on other accounts, change those immediately.
3. Check online to see whether this is an isolated case (just you) or a widespread one. Implement any fix suggested by the hosting company or WordPress.
Article about securing your WordPress blog. The latest rash of break-ins at GoDaddy begs the question: who is at fault? http://psweb.me/securewordpress
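The advice above (back the files up once, then watch for changes outside the user-upload directory) can be turned into a repeatable check. The script below is an added example written for this page, not code from the commenter, from WordPress, or from any plugin. It records a SHA-256 baseline of every file under a WordPress install and later reports files that were added, removed or modified, separating changes under directories that legitimately churn from changes to core, theme and plugin files that should only change when you update them yourself. The VOLATILE_DIRS list and the sample tree are assumptions; the demo builds a tiny constructed install in a temporary directory and simulates a tamper.

```python
# Added example for this page (not from the post, WordPress, or any plugin):
# a file-integrity baseline for a WordPress install. Take a baseline right after
# a clean install or update, store the JSON off the server with your backups,
# and re-run the comparison on a schedule or after a scare.
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Directories that legitimately change day to day. Assumed defaults; adjust to
# your install. Everything else (core, themes, plugins, wp-config.php) should
# only change when you update it yourself.
VOLATILE_DIRS = ("wp-content/uploads", "wp-content/cache")


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large uploads don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                # Hash what lives in the tree, not whatever a link points at.
                continue
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def save_manifest(manifest, path):
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def diff_manifests(baseline, current):
    """Paths added, removed, or whose hash changed since the baseline."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def is_volatile(rel_path):
    return any(rel_path == d or rel_path.startswith(d + "/") for d in VOLATILE_DIRS)


def report(diff):
    """Split findings into 'static' (core/theme/plugin files that should never
    change on their own) and 'volatile' (uploads, cache). Anything under 'static'
    means: compare against a clean copy of that version or restore from backup."""
    out = {"static": {}, "volatile": {}}
    for kind, paths in diff.items():
        out["static"][kind] = [p for p in paths if not is_volatile(p)]
        out["volatile"][kind] = [p for p in paths if is_volatile(p)]
    return out


def demo():
    """Constructed sample: a tiny fake WordPress tree, a baseline, then a simulated tamper."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {
            "wp-config.php": "<?php define('DB_NAME', 'wp');\n",
            "wp-includes/functions.php": "<?php function wp_version() {}\n",
            "wp-content/themes/mytheme/footer.php": "<?php wp_footer(); ?>\n",
            "wp-content/themes/mytheme/readme.txt": "theme notes\n",
            "wp-content/uploads/2010/05/waffles.jpg": "JPEGDATA\n",
        }
        for rel, body in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        baseline = build_manifest(root)

        # Simulated tamper (constructed, not real malware): a theme file gains
        # extra content, an unexpected PHP file appears under wp-includes, a
        # theme file is deleted, and a user uploads a new image (expected churn).
        (root / "wp-content/themes/mytheme/footer.php").write_text(
            "<?php wp_footer(); ?>\n<?php /* injected */ ?>\n")
        (root / "wp-includes/extra.php").write_text("<?php /* unexpected */ ?>\n")
        (root / "wp-content/themes/mytheme/readme.txt").unlink()
        (root / "wp-content/uploads/2010/05/syrup.jpg").write_text("JPEGDATA2\n")

        return report(diff_manifests(baseline, build_manifest(root)))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In practice you would run build_manifest against the real document root once after a clean install or update, keep the saved manifest with your offline backups (not on the server, where an attacker who modifies files can modify the manifest too), and treat any entry under "static" as a reason to diff that file against a clean copy of the same WordPress version or restore it from backup.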
I wanted to add one more thing to the list. If you happen to get redirected to a site that does a bogus virus scan, do not click on any pop-up buttons, even to cancel it. Right-click on the taskbar and select Task Manager. Select the browser that is running with the pop-up and force quit it. (Steps may vary depending on the version of the operating system.) Immediately update any antivirus software on your computer and run it. I also use Malwarebytes Anti-Malware: http://www.malwarebytes.org
I think that any blog is subject to hackers if you are not careful. It is a sad thing that so many people even want to do this, but that is the world, I guess.