I don't feel safe with WordPress, hackers broke in and took things

A few weeks ago some hackers broke into my blog here (this was before 2.8.4 was released). At first I thought they just left some porn sites in a couple of blog entries. So we upgraded WordPress (I was on 2.7x back then). Deleted a fake admin account. Deleted the porn sites. And thought we had solved the problem. We didn’t.

They broke back in, but this time they did a lot more damage. They deleted about two months of my blog. Yes, I didn’t have a backup. I should learn to do backups (we’re doing them now). Life has a way of beating you if you don’t have backups.

Anyway, this time they also put some malicious code on my archive pages. Google sent me an email saying they had removed my blog from its index. That got a whole team to look into how they broke in. Now thanks to TechCrunch and Mashable you know there was a vulnerability in WordPress which let them break in. Even more good details on Lorelle’s blog.

We’ve done some other things now to make it harder for them to break in (for instance, my admin account has been deleted and a new one doesn’t use the name “admin”), but the damage is done and I feel the same way as when our childhood home was broken into. I don’t feel safe here, which might explain why I’ve been posting more over on a new Posterous blog I’ve set up.

Hopefully we’ve caught all the damage and hopefully other WordPress users haven’t had worse damage happen to them. Have you been hit by WordPress vulnerabilities? If so, what did you do to lock down the system?

Oh, and please upgrade your WordPress immediately to the latest version. That seems to have fixed the hole that the jerks got in through on my blog. Knock on wood.

So, once this happens, how do you feel safe again?

UPDATE: Matt Mullenweg, who is the guy who runs Automattic, the company that produces WordPress, wrote that I never had the problem on WordPress.com (hosted version of WordPress). That’s true. Interesting conversation going on over there with Matt.

Comments

  1. I saw the Mashable story this morning and I found the “stealth 2nd administrator” on my blog. I exported, wiped everything out and reinstalled the newest WP version. Luckily I haven't found anything deleted or tampered with.

  2. Robert, no excuse on the database backups – there’s even a WordPress plugin that handles that.

    I just had a hacker get into a WordPress blog yesterday, and I wasn’t the only one. But they were exploiting holes in older WordPress versions, which I had. And this is the only time I’ve been hacked in 3 years (and some of my blogs actually get above average traffic).

    In your situation, perhaps you didn’t remove all the bad code the first time around. Upgrading won’t erase existing code, and that’s maybe how they broke in.

    Best advice is to (1) keep backups and (2) make sure you have the latest version.

  3. Robert, how can you be sure that Posterous is safer?

    The only difference, as you know, is that they take care of the security side and of the updates, just like WordPress.com does.

    And anyway, both of them remain safe only if they fix bugs before they get noticed.

    There is nothing 100% safe, only a disconnected machine hidden in an undisclosed location maybe.

    That said, I think that you and all of your readers should post wherever they want, as long as they keep backups as you wisely suggested.

    ps. did you already forget what happened to mag.nolia?

  4. So what about a wordpress site hosted at automattic? If this can happen for you it can happen for them too.

  6. Robert, major bummer, man! Like the song says “Backing up is hard to do” ….especially in WP! Serious bloggers should consider moving to more robust and secure content mgmt platforms like Drupal or Joomla… easy automated or one-button back-up available for both those platforms. Anyway, I know how hacking makes you feel violated. I'm still fuming about how someone hacked my @freddavis twitter account and changed my name to Jose Perez, a notorious child molester. My freddavis brand was violated by some nasty hacker… makes me feel dirty just thinking about it. Anyway, you have my heartfelt sympathy!

    1. @FredDavis, WordPress has a 1-click backup in the dashboard built-in, and there are many popular plugins that create automated backups. In addition, backups should happen on the server/host level for anyone running any kind of site.

  7. Unless it's a security update I don't upgrade until the version has been in the wild for a few months. ie – when you are at the front of the pack, you're the first to fall off the cliff.

  8. Ya, I saw the warning and upgraded but now something broke and no blog. (googling for the location of the php log file!) :) I'm rethinking my overall strategy as well… Posterous is cool (a little disconcerting the login doesn't use SSL by default) (and how do they handle spoofed stuff?). The lions will always be able to kill one zebra though.

    I guess the ideal environment would be hosted and updated frequently by the host yet backed up to you and remotely as well.

  9. Couple things I do to lock down my wp site:
    1 – I run a SSL cert on the wp-admin pages. This encrypts my data so users can't just use Wireshark to go in and extract my password
    2 – I lock down the wp-admin directory and require a password to get in. This works for me because we don't allow guest accounts, although if you have subscribers or other authors this may not work.
    3 – I delete the original admin account.
    4 – I create a new account with a really complex password.
    5 – Check all of the permissions on the wp-admin and wp-content pages. Things like themes and whatnot should not be writeable (which means the WP built-in theme editor will be read only).
    6 – My provider has a 'snapshot' option (I assume they are on a SAN of sorts). I keep a couple of snapshots of not only the database but also the codebase.

    It sounds like this was a problem with WP code and as such many of the above steps wouldn't help, but just because they got in via a security vulnerability this time does not mean that they can't brute force next time. Most of the items above are free or inexpensive (you can get an SSL cert for $60.00 and add define('FORCE_SSL_ADMIN', true); to your wp-config file).

    If it runs code it can be hacked or cracked. WP is no more or less safe, in my opinion, than any other blog provider. The same thing could just as easily happen elsewhere, which sucks, but that is life. The only thing we can do is make it as hard as possible to let these people in!

  10. WordPress does seem to be a much bigger target than say, Drupal, or at least that’s been my experience. As you’ve learned, it is extremely important to both make regular backups, and always stay up to date on your version of WordPress. Once you get things locked up tight, it’s reasonably safe.

  21. Now, this is an interesting one… a lot of folk believe that WordPress is the key problem here when in fact a lot can be done by ‘hardening’ your server.

    Ultimately, if there’s a way for php to write php to the server file system then there are ways to get into your server. 90% of servers simply aren’t well set up for the kind of application that WordPress is. They allow php to modify php, and they don’t split the user rights the way they should. As a consequence they make a hacker’s job far easier.

    Ideally you block WP vulnerabilities by staying up to date, but there are always going to be zero-day vulnerabilities. If the next layer of your application can be made safe then any attacker is going to need to take a multi-part approach, and quickly the number of targets they can find will drop dramatically.

    There are hosts and people who could help make your site a lot safer. I’d like to wave at ourselves, but that’ll probably just make us more of a target ;-)
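Added example, not from the post or any commenter: a POSIX shell audit for the points in comment 9 (FORCE_SSL_ADMIN in wp-config.php, no writable theme or plugin files) and comment 21 (PHP must not be able to write PHP). It assumes a standard WordPress directory layout; the check for .php files under wp-content/uploads is an assumed extra check, not something either comment states.

```shell
#!/bin/sh
# Audit a WordPress install for the hardening points raised in the comments above:
#  1. wp-config.php enables FORCE_SSL_ADMIN (comment 9),
#  2. nothing under wp-admin, wp-includes, wp-content/themes or wp-content/plugins
#     is writable by group or others, so PHP cannot rewrite PHP (comments 9 and 21),
#  3. (assumed extra check) no PHP files sit inside wp-content/uploads, the one
#     directory that has to stay writable.
# Prints one line per finding; exit status is the number of findings (0 = clean).

wp_audit() {
    root="$1"
    findings=0

    # 1. FORCE_SSL_ADMIN: accept single or double quotes, ignore commented-out lines
    if ! grep -Eq "^[[:space:]]*define\( *['\"]FORCE_SSL_ADMIN['\"] *, *true *\)" \
            "$root/wp-config.php" 2>/dev/null; then
        echo "FINDING: FORCE_SSL_ADMIN is not enabled in $root/wp-config.php"
        findings=$((findings + 1))
    fi

    # 2. code directories: flag anything with the group or other write bit set.
    #    Permission bits are checked rather than -w, so the result is the same
    #    whether the audit runs as root or as the web server user.
    for dir in wp-admin wp-includes wp-content/themes wp-content/plugins; do
        [ -d "$root/$dir" ] || continue
        hits=$(find "$root/$dir" \( -perm -g+w -o -perm -o+w \) -print)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | while IFS= read -r f; do
                echo "FINDING: writable by group/others: $f"
            done
            findings=$((findings + $(printf '%s\n' "$hits" | wc -l)))
        fi
    done

    # 3. uploads: a .php file here is exactly what "PHP writing PHP" produces
    if [ -d "$root/wp-content/uploads" ]; then
        hits=$(find "$root/wp-content/uploads" -type f -name '*.php' -print)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | while IFS= read -r f; do
                echo "FINDING: PHP file inside uploads: $f"
            done
            findings=$((findings + $(printf '%s\n' "$hits" | wc -l)))
        fi
    fi

    # exit status carries the count (capped so it stays a valid status)
    if [ "$findings" -gt 255 ]; then
        findings=255
    fi
    return "$findings"
}

# usage: wp_audit /var/www/html   (the path is an assumption; point it at your install)
```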

  32. Robert, my blog (Twittercism.com) has been hacked three times since I upgraded to 2.8.4 (and five times from 2.8 upwards). I have no fake admin accounts or anything like that – they're just repeatedly finding a way in. Fortunately the worst they did for me was add malware (which was easily enough contained and removed). Pre-WP 2.7, I never had any problems. Something that has been done since then has opened up a gold mine for exploiters and a world of pain for bloggers.

    Hopefully the next major release will close all these holes for good. It's frustrating as I love WP but it's getting a little tiresome.

  33. I can't be sure. Anyway, I'm not leaving here, just like we didn't leave our family home after it got broken into. Time is healing the wounds and I'm pretty sure they aren't breaking in again. Got a lot of people at Rackspace helping me with security now (and backups!)

  34. @Sheamus — sounds more likely that your server has been compromised, since there are no known reports of security issues with 2.8.4. Until you fix the server setup they will continue to hack your site regardless of the version of WP that you are running until the backdoors are removed. I would contact your hosting provider asap about this.

  35. I have wondered if it was host-related. However, I've had several members of my Twitter network have similar problems with 2.8+ on different hosts (some have downgraded back to 2.7, and are now worried about this current scare).

    I've been strongly considering changing hosts for other reasons – maybe this should be the final straw. That said, perhaps my report about 2.8.4 may just be the first. :)

  36. Sheamus: did you delete the admin account and start a new admin account that's not named “admin?” There are a variety of other WordPress security best practices that are being passed around. I'll try to get one of the security guys at Rackspace to write up what they are learning, both internally and on the Net.

  37. “Time is healing the wounds..”

    hum..I think a physical break in is a much more traumatic experience indeed, but I understand that we are actually talking about brand image (=money and personal time) here.

    About Rackspace and other similar managed solutions: money can't buy happiness, but it surely can buy peace of mind. And maybe you could even get a specific hacker insurance, search Google for that.

    In conclusion, a little note for the people choosing to host in the cloud: you are STILL responsible for the security side of your specific virtual machine and for updating the scripts you uploaded to it, never forget it.

  38. really sad to hear, Robert. But c'mon man, you had a first break-in and still didn't do a full backup and full reinstall? That was a really bad move.

    There's no such thing as a safe place. As any security admin will tell you, it's not IF; it's WHEN. You must have your mitigation plans in place, and be able to minimize your damages should something as nasty as this happen.

    WordPress is a nice platform. At least they have dozens of really professional eyes looking at potential flaws every day. Posterous is closed source, and nothing is worse than security by obscurity.

  39. I can understand and can't really say when you will feel safe again. My last personal blog was on Journalspace. It was one of the oldest ones on there, just about 6 years old. Then they went and destroyed the site and lost everyone's pages, years and years of people's writing, comments, photos, memories, even connections with others. I didn't regularly backup, but had some of it on my old hard drive, so basically felt that 6 years of tinythoughts were gone and it was far more devastating than I had imagined it would be. This happened at the end of last year and I haven't been able to return to personal blogging yet, but part of me really wants to, so maybe I am finally getting over it.

    I'm happy that even with such a violation against you, you still keep at it. I can't imagine you not writing and sharing anymore. So I guess people will work hard to make sure this doesn't happen to you again and with that you may feel more secure. I'm sorry it happened to you. I guess we can hope that something good, like a more secure WP or more discussions and actual strategies for more security on the web in general, will be the outcome. One thing I always admire you for is that you have the personality to always go beyond, “whaaa….this is what happened to me…big stupid jerks,” and use your voice to positively start a discussion and find solutions. This time will be no different.

  40. I did. And I've just done it again, as – and you can't make this stuff up – almost as soon as I wrote my comment above my blog was hacked again, and Google marked it as a major threat.

    I've removed the script exploit (again) and added a new admin account and deleted the old one (again).

    Getting VERY tiresome. I hope, in a way, that it is my host, as at least that's a workable solution.

  41. Remembering to upgrade wp & plugins and scheduling backups?
    Every system is vulnerable, to hackers, to lamers, to crash. It's like “I have to do backups” for months, and crying at the fail of HD :) … It's frustrating, but we have to learn the lesson :)
    PS: oh, yes it's happened to me too :)

  42. I just read the point about the multiple touchpoints that you recently added to your comment and I liked it. I was just thinking the same while writing my previous reply.

    Do you think we are going to see something like a “mass social mirror” sometime soon?

    My ideas about what it could do:

    1) just relay your posts across multiple social sites (eg. RT read my blog post here..)

    and/or

    2) store all your social activity in a single place, allowing you to easily export it

    what would you think of it, could you help me raise any seed stage money for that? :)

  43. One thing I would suggest is that WordPress, when you attempt to login, will tell you whether your username is wrong, your password is wrong, or both are wrong.

    Make it so that even if you get the username wrong it always says “username/password are wrong” instead of “username is wrong”.

    Been hacked before, figured out that is how they did it. Hackers aren't wizards, they just have a lot of time.

  45. Hello Robert,

    Really sorry to hear about the hacker attack. It's awful. They have no freaking idea how much hard work is wasted when they mess up the content from blogs.

    Anyway, I wanted to let you know that anyone can access the login page for your blog, via the wp-login URL. I would urge you to use HTACCESS or an excellent plugin like WP Stealth Login to make your login page private and accessible only to you.

    Secondly, right now if anyone can get to your login page, they can try brute force or dictionary login attack to try and break your Password. Please use WP Login Lockdown to avoid such attacks and keep hackers at bay.

    I really like your work, and would hate to see more hard work wasted. Please do consider reading about these plugins and applying them, if you find them useful for better security (I am sure you would). Good luck.

    1. @Viki: Seems the plugin you refer to (WP Stealth Login) is good only up to 2.7.1. Maybe the author will update it to work with the latest version of WP soon.

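The two login-page points raised in the comments above, a single generic failure message so the form never confirms which usernames exist, and locking out repeated failures (which the comments delegate to plugins such as WP Login Lockdown), combined in one added Python example. This is not WordPress code and not any plugin's code; the in-memory user store, the PBKDF2 parameters, the threshold of five failures, the fifteen-minute window and the choice to key lockouts by client IP plus username are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import time

# One message for every failure: the caller cannot tell "no such user" from "bad password".
GENERIC_ERROR = "Invalid username or password."
MAX_FAILURES = 5              # assumed threshold
LOCKOUT_SECONDS = 15 * 60     # assumed lockout window
PBKDF2_ITERATIONS = 100_000   # assumed work factor


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; stands in for whatever the real user store uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class LoginGuard:
    """Verifies logins against an in-memory user store (assumed shape:
    {username: (salt, hash)}) and locks an (ip, username) pair after
    MAX_FAILURES bad attempts. `clock` is injectable so the demo is deterministic."""

    def __init__(self, users, clock=time.time):
        self._users = users
        self._clock = clock
        self._failures = {}  # (ip, username) -> (count, lock_until)
        # Decoy credentials so an unknown username costs the same hash work
        # as a known one; otherwise response time leaks which names exist.
        self._decoy_salt = os.urandom(16)
        self._decoy_hash = hash_password(os.urandom(16).hex(), self._decoy_salt)

    def _is_locked(self, key) -> bool:
        rec = self._failures.get(key)
        if rec is None:
            return False
        count, lock_until = rec
        if count < MAX_FAILURES:
            return False
        if self._clock() < lock_until:
            return True
        del self._failures[key]   # window expired, start counting afresh
        return False

    def _record_failure(self, key) -> None:
        count, _ = self._failures.get(key, (0, 0.0))
        self._failures[key] = (count + 1, self._clock() + LOCKOUT_SECONDS)

    def login(self, username: str, password: str, client_ip: str):
        """Returns (success, message). Every failure path returns GENERIC_ERROR."""
        key = (client_ip, username.lower())
        if self._is_locked(key):
            return False, GENERIC_ERROR
        rec = self._users.get(username.lower())
        salt, expected = rec if rec is not None else (self._decoy_salt, self._decoy_hash)
        # Always hash and always compare in constant time, even for unknown users.
        matches = hmac.compare_digest(hash_password(password, salt), expected)
        if rec is not None and matches:
            self._failures.pop(key, None)
            return True, "OK"
        self._record_failure(key)
        return False, GENERIC_ERROR


def demo():
    """Runs a constructed scenario offline with a fake clock; returns the (success, message) sequence."""
    salt = b"\x01" * 16                      # fixed salt only for the demo
    users = {"robert": (salt, hash_password("correct horse battery", salt))}
    now = [1_000.0]
    guard = LoginGuard(users, clock=lambda: now[0])
    results = [
        guard.login("robert", "correct horse battery", "10.0.0.1"),  # good login
        guard.login("Robert", "wrong", "10.0.0.1"),                  # bad password
        guard.login("nobody", "anything", "10.0.0.1"),               # unknown user: same message
    ]
    for _ in range(MAX_FAILURES):                                    # brute force from a second IP
        guard.login("robert", "guess", "10.0.0.2")
    results.append(guard.login("robert", "correct horse battery", "10.0.0.2"))  # locked out
    results.append(guard.login("robert", "correct horse battery", "10.0.0.1"))  # other IP unaffected
    now[0] += LOCKOUT_SECONDS + 1
    results.append(guard.login("robert", "correct horse battery", "10.0.0.2"))  # window expired
    return results


if __name__ == "__main__":
    for ok, msg in demo():
        print(ok, msg)
```

Keying the lockout by IP plus username (rather than by username alone) is what keeps a stranger from locking the site owner out simply by hammering the owner's name from elsewhere; the trade-off is that an attacker with many addresses gets a fresh budget per address, which is why the same comment also recommends restricting who can reach the login page at all. The decoy hash matters as much as the message: if unknown usernames skipped the hash step, the response time would reveal which names exist even though the text does not.

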
  46. I do not know how you have skipped the most important thing in blogging, which is taking regular backups. The whole blogosphere goes nuts exclaiming that a backup is required regularly, and the more consistently you blog and update, the more you need a backup.

    I do hope that in the days to come you will definitely back up your blog regularly, using a plugin which sends the backed-up DB file to any specified email address.

    WordPress is the safest CMS as long as we follow the general security guidelines. Hope you would be more careful the next time.

    And, I hope I haven't sounded like your mom ;)

  47. Feel your pain! A site of mine got hacked thanks to the hosting company having their servers exploited. Loads of malicious code and links of dubious merit got inserted into my footer, all hidden, so it was there a few days and Google dropped me (thankfully it didn't take long to get back into the ranks). Not a good experience.

    Sadly nowhere is totally safe, and often self-hosted CMS/blog apps are the most vulnerable, as the hackers just know most people don't upgrade regularly.

    You're not the first person I've heard of recently starting to use Posterous. Seems to be gaining in popularity quickly.

  48. “I delete the original admin account.”

    Better yet – keep it but give it subscriber privs. So even if they do get in they'll get foiled into thinking it all worked, and then leave (the automated bots that do all this...).

    And I back up everything on my server more or less every few days – databases, theme, images, etc. – to S3 with a script I wrote. http://paulstamatiou.com/how-to-bulletproof-ser

    I also have a plugin that changes the default location of wp-login.php to anything you want. It doesn't actually move the files but just does redirection trickery.

    As for FORCE_SSL_ADMIN – I'm in the process of setting that up on my server soon.
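
A backup routine of the kind the comment above describes (and the earlier comment asking for regular backups calls for), written as an added Python example. It is not the commenter's script and not a WordPress plugin. The upload-to-S3 step is left out, so everything here runs offline; the sample site tree and database dump are constructed inline; the retention count, the file layout inside the archive, and the checksum sidecar are assumptions. The `db.sql` input is assumed to come from a prior `mysqldump` run (for example `mysqldump --single-transaction wordpress > dump.sql`); this code never talks to MySQL.

```python
import hashlib
import hmac
import json
import shutil
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _sidecar(archive: Path) -> Path:
    return archive.with_name(archive.name[: -len(".tar.gz")] + ".sha256.json")


def make_backup(site_dir, db_dump, dest_dir, keep=7, stamp=None) -> Path:
    """Bundle the site tree and a DB dump into one tar.gz, record its checksum
    in a sidecar file, and keep only the newest `keep` sets."""
    site_dir, db_dump, dest_dir = Path(site_dir), Path(db_dump), Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S", time.gmtime())
    archive = dest_dir / f"wp-backup-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname="site")
        tar.add(db_dump, arcname="db.sql")
    manifest = {"archive": archive.name, "sha256": sha256_file(archive), "created": stamp}
    _sidecar(archive).write_text(json.dumps(manifest))
    prune(dest_dir, keep)
    return archive


def prune(dest_dir, keep: int) -> None:
    """Delete all but the newest `keep` archives (timestamped names sort chronologically)."""
    archives = sorted(Path(dest_dir).glob("wp-backup-*.tar.gz"))
    for old in archives[: max(len(archives) - keep, 0)]:
        old.unlink()
        _sidecar(old).unlink(missing_ok=True)


def verify_backup(archive) -> bool:
    """True only if the archive still matches the checksum recorded when it was made."""
    archive = Path(archive)
    recorded = json.loads(_sidecar(archive).read_text())["sha256"]
    return hmac.compare_digest(recorded, sha256_file(archive))


def restore(archive, target_dir) -> Path:
    """Unpack a verified archive, refusing members that could write outside target_dir."""
    archive, target = Path(archive), Path(target_dir)
    if not verify_backup(archive):
        raise ValueError(f"{archive.name} failed checksum verification; not restoring")
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        for m in tar.getmembers():
            if m.name.startswith("/") or ".." in Path(m.name).parts or m.issym() or m.islnk():
                raise ValueError(f"unsafe member in archive: {m.name}")
        tar.extractall(target)
    return target


def demo() -> dict:
    """Constructed sample: three backups with keep=2, a restore, then a tampered archive."""
    work = Path(tempfile.mkdtemp(prefix="wpbackup-demo-"))
    try:
        site = work / "site"
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php // constructed sample, no real secrets\n")
        (site / "wp-content" / "uploads" / "photo.txt").write_text("family photo placeholder\n")
        dump = work / "dump.sql"
        dump.write_text("-- constructed sample dump\nINSERT INTO wp_posts VALUES (1, 'hello');\n")
        dest = work / "backups"
        archives = [make_backup(site, dump, dest, keep=2, stamp=s)
                    for s in ("20090901-000000", "20090902-000000", "20090903-000000")]
        latest = archives[-1]
        restored = restore(latest, work / "restore")
        result = {
            "remaining": sorted(p.name for p in dest.glob("wp-backup-*.tar.gz")),
            "verified": verify_backup(latest),
            "restored_dump": (restored / "db.sql").read_text(),
            "restored_upload": (restored / "site" / "wp-content" / "uploads" / "photo.txt").read_text(),
        }
        with open(latest, "ab") as f:      # simulate corruption or tampering
            f.write(b"\x00")
        result["verified_after_tamper"] = verify_backup(latest)
        try:
            restore(latest, work / "restore2")
            result["restore_after_tamper_refused"] = False
        except ValueError:
            result["restore_after_tamper_refused"] = True
        return result
    finally:
        shutil.rmtree(work, ignore_errors=True)
```

Two caveats a practitioner would add. The checksum sidecar sits next to the archive, so anyone who can write to the server (which is exactly the attacker in this story) can rewrite both; the copy that counts is the one pushed off-host, and the recorded hashes should be kept somewhere the web server cannot write. And a backup that has never been restored is only a hope: the `restore` path here checks the hash and refuses archive members that could escape the target directory, because a restore performed in a hurry after a break-in is not the moment to find out the archive was doctored.
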

  49. Dude,
    How can you report on the IT industry, previously lose your early blog writings and STILL lose data because you didn't do a backup?

    What about all your pictures of the family? Got that backed up?

    I triple backup stuff at home and still hope I don't ever lose anything.

    Come on and admit it, being on the bleeding edge isn't all it's cracked up to be.

  50. What if you're using third party plugins having tons of data in their own non-standard tables? The export-reinstall-import routine may work for some, but definitely won't for the more complicated WordPress installs.

  51. I am less and less inclined to continue my 1-month-old WP project. It's not worth the risk in terms of security, and there are other issues with WP that have me worried. Scoble, do yourself a big favour and start using EE core (ExpressionEngine)… the best damn CMS on the planet, bar none! And it sucks in WP just fine, so migration is painless.

  52. We also got hit by the hacker.

    It is important to make sure that you can actually recover your permalink structure once you have kicked the hacker out; if you don't get it exact, then you may well lose SERPs/traffic :-(

    I posted here about recovering permalinks if you don't know what they were (I know, I know… we should all know or back up this info, but let's face it – not everyone does!) Permalinks: http://www.kingpin-seo.co.uk/press-releases/how

  53. I have a dormant WP blog. I don't use it. However, it is patched to the latest version of WP at all times and I have daily, weekly and monthly backups.

    You never cease to amaze me. Isn't your blog content worth anything (to you) ?

  54. Don't get me wrong Andy C, we back up daily! – Not only the WordPress section, but the whole server!

    I was just trying to help out those that don't, as we had a fair few requests on how to recover from this! – perhaps after this, more people will be backing up!!!

  55. I am going to upgrade as I don't have a very complicated setup on my blogs. I have already upgraded one of them, and I think the rest will handle the upgrade without problems on plugins; just need some cleaning work after the upgrade!

    Thanks for the information, I really found great stuff on your blog!

  56. Mine got affected by this new exploit that 2.8.4 fixes. In fact, it looks like it is affecting everybody with older versions; the thing is just out of control. I didn't lose anything nor have any other problem other than wasting 1 hour upgrading and cleaning everything. Shit happens; WordPress gives us great powers, but you all know what comes with them. Just keep the thing up-to-date and you will be happy :)

  58. no offense Scoble, but you can’t blame WordPress for your poor security protocol. using “admin” as your username is akin to locking the front door of your house, but leaving your windows open, THEN 1) being shocked you were burgled, and 2) blaming your neighbourhood for being too insecure WHEN someone steals your stuff.

    it’s 2009.
    you live on the internet.
    you know the internet is vulnerable.
    you choose to use WordPress – a FREE, powerful and incredible platform.
    you get hacked, but you still don’t care enough to take the most basic security precautions.
    it takes 24 seconds to create a new administrator account and delete “admin” from the backend.
    there’s an automatic database backup plugin that takes, ooow, about 35 seconds to install and activate.

    seriously, you shouldn’t feel safe using WordPress because you seem not to care about your WordPress security. but blame yourself Scoble, and enough with the sob story. while you’re at it, please change the title of this article to something more appropriate, like “I got hacked largely because I was VERY lazy, and yes, I do know better”. (because I’m sure you)

    irrespective people, yes you could undertake every known WordPress security measure and still get hacked. but WordPress is FREE. seriously, you don’t pay money for it, so you don’t cry if it’s not 100% perfect every second of the day.

  68. Sorry to hear about this Robert. Some people are just juvenile. Thanks for sharing the reminders to back up and keep wordpress current. While my blog doesn't quite get your level of interest It's good stuff to practice.

  69. I work at a hosting company, and every day someone calls in that their site is gone, either maliciously or otherwise, and asks about backups. The answer is always the same: we don’t keep them. They are always shocked and go on about how this is their business and livelihood.

    I am always amazed that people don’t have the common sense to back stuff up. We were all in school and had to do papers; we all saw the person who lost their work. If we didn’t see this, we see stories like yours, and yet people still don’t back up. What really gets me is people who have a problem once with no backups and then still don’t back up, and then end up with a worse problem before starting to back up.

    I am sure my post will be deleted, since it’s pointing out the truth. Also, as far as feeling secure, if you have backups who cares if people break in? Restore and you’re back to normal. Look at Pirate Bay: those silly people spent millions to shut them down and they were back up in under 3 hours. WHY? Because they plan for things. Would you have a new house or car without insurance? So why would you not back up?

  78. You feel safe by switching to another blogging package. I mean, seriously, WordPress has a security track record worse than phpBB. It's so bad that even Stefan Esser, the founder of the PHP Security Response Team, has commented on it. I, personally, switched after the 2007 hackings.

    What's really funny, though, is this: when people were having their phpBB's hacked in 2005, they switched, immediately. But when people are hacked multiple times through WordPress, they still don't switch – they're too wrapped up in WordPress's cult of personality to even consider that. Mao Zedong has nothing on Matt Mullenweg.

  80. I'm always 50/50 on the “Better yet – keep it but give it subscriber privs” technique. If they can get in that easily, it is possible they can force the account back to admin, but then again, you're also tricking the bot so it may just leave.

    IMO backups and FORCE_SSL_ADMIN are the two big things that most bloggers could do today but don't. Your post is awesome, may I suggest turning it in to a WP plugin? I think that would be an amazing option for a ton of WP users.

  81. Can anyone reading this recommend a really good guide to basic WordPress security? I've found a number of sites claiming to offer this information but some of the advice on offer is contradicted elsewhere.

  82. Ugh. Sorry to hear that. Keeping up with security patches is a full-time job some days. :-( That and spam are two of the reasons I stopped running my own mail server a few years back. I just pay Google to handle it.

    But, christ on toast, NO BACKUPS?!?!

    How long have you been in this industry, anyway?

    Wasn’t a major hard disk company a big sponsor of your work for a while?

  93. Thought you were still on WordPress.com (remember the P, my friend). The millions of WordPress users on WordPress.com have no fear. If you’d upgraded sooner, this probably wouldn’t have been an issue. Your attacks also sound different from the widespread attacks, so it might have been directed at you.

    I’m sorry that you feel this way since WordPress has been so good to you for so long and you should be the one leading the rallying call to upgrade and joy for those who did are protected. It’s clear from the FriendFeed discussion that you and many have learned a valuable lesson. While it’s the easy way to blame WordPress, WordPress has responded faster than most to security issues, often before they are even publicly known.

    Oh, and I don’t see your web hosting service joining in on that conversation, but Matt is sure there. :D

  103. So sorry to hear that Robert. So uncool what they did. But thanks for being part of the solution to make it safer for all of us. We're now all a neighborhood watch for each other. Appreciate so much consistently great work from you. Simon Mainwaring

  104. I feel your pain…

    This is a good example of why I believe hosted solutions are the way to go (as the fact that this didn't happen on wordpress.com testifies).

    With a hosted solution, the team that runs the service can invest in keeping the platform secure, amortizing this effort across hundreds or thousands of sites. And they automate backups, monitoring, etc.

    (Disclaimer: I lead a startup, http://www.webvanta.com, that is just launching a new hosted CMS…)

  105. Quite frankly, you were an idiot and you had it coming. You used a version of WordPress with known vulnerabilities and you didn’t have backup. When you say you don’t trust WordPress, what you’re really saying is you don’t trust yourself.

    What to do to feel safe again? Get a clue.

  116. I can only assume you were being facetious about backups in WP. One-click backup has been part of WordPress since well before version 2.6.2, the out-of-date version you are running on fredtime.com (although the site hasn't been updated in a year).

  117. To determine if your blog is infected you can use any web browser to do a view source on your WordPress users page. Then search that source for “user_superuser” — if you see it in amongst some javascript then you are likely infected.
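The check described in the comment above, as an added Python example that is not from the thread or its author: it takes saved page source (the Users page viewed while logged in and saved to a file) and reports whether the indicator string sits inside JavaScript, as opposed to merely appearing in ordinary page text. The two sample HTML strings are constructed for the demonstration, not captured from a real site.

```python
"""Scan saved WordPress page source for an indicator string hidden in JavaScript.

Added example (not from the original thread). Usage:
    python scan_users_page.py saved-users-page.html
With no arguments it runs against the two constructed samples below.
"""
from html.parser import HTMLParser

# Indicator named in the comment above; any other string can be passed instead.
INDICATOR = "user_superuser"


class _JsCollector(HTMLParser):
    """Separate <script> bodies and inline on* handlers from ordinary page text."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []    # body of each <script> element, in document order
        self.handlers = []   # values of inline event-handler attributes (onload=...)
        self.text = []       # text that is not JavaScript

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")
        for name, value in attrs:
            if name.startswith("on") and value:
                self.handlers.append(value)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data   # html.parser hands script bodies over as raw data
        else:
            self.text.append(data)


def _context(text, needle, width=40):
    """Return the match with up to `width` characters on either side, on one line."""
    i = text.find(needle)
    return " ".join(text[max(0, i - width): i + len(needle) + width].split())


def scan_page_source(html, indicator=INDICATOR):
    """Report where `indicator` appears in JavaScript within `html`.

    `infected` is True only when the indicator sits inside a <script> body or an
    inline handler; a mention in ordinary text (for example a blog comment that
    discusses this very check) only sets `mentioned_in_text`.
    """
    parser = _JsCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for i, body in enumerate(parser.scripts):
        if indicator in body:
            hits.append({"where": f"script[{i}]", "snippet": _context(body, indicator)})
    for i, value in enumerate(parser.handlers):
        if indicator in value:
            hits.append({"where": f"handler[{i}]", "snippet": _context(value, indicator)})
    return {
        "infected": bool(hits),
        "hits": hits,
        "mentioned_in_text": any(indicator in t for t in parser.text),
    }


# Constructed samples (not captured from a real site).
SAMPLE_CLEAN = """<html><body onload="init()">
<script type="text/javascript">var wpAjax = {};</script>
<p>Reminder: search the source for user_superuser as the comment suggests.</p>
</body></html>"""

SAMPLE_INFECTED = """<html><body>
<script type="text/javascript">var a = 1;</script>
<table class="widefat"><tr id="user-1"><td>admin</td></tr>
<tr id="user-99"><td>user_superuser</td></tr></table>
<script type="text/javascript">
/* constructed stand-in for injected code that hides a rogue account row */
document.getElementById("user-99").style.display = "none";
var hidden = "user_superuser";
</script>
</body></html>"""


if __name__ == "__main__":
    import sys
    paths = sys.argv[1:]
    if not paths:
        for name, src in (("clean sample", SAMPLE_CLEAN), ("infected sample", SAMPLE_INFECTED)):
            print(name, scan_page_source(src))
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as f:
            print(path, scan_page_source(f.read()))
```

A hit only tells you the page carries script referencing the account name; the rogue account itself still has to be found and removed in the database, and the page the script came from (theme, plugin, or core file) located and replaced.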

  125. Yeah, I stopped using WordPress pretty much, so I'm out of touch with it. My bad… sorry. So, like anything, just back up, don't use the default admin name, and make sure you update your software….

  126. I agree with Matt's comments on FriendFeed; this makes Rackspace look really bad. You're hosted with Rackspace, who charges a pretty penny for managed hosting, and they don't upgrade your blog (or remind you to) and you have no backups?

    Truly embarrassing.

    My blog was hacked recently, too, but I'm not on a managed hosting platform. It was my fault. I also do nightly backups, and pulled down a manual backup right after I discovered the hack. Fortunately, I had enough security features in place that they weren't able to do any real damage. I'm on 2.8.4 now.

    Rackspace needs to figure its stuff out.

    -Erica

  127. I've seen this before, and it's usually that you have a rogue script in your public_html directory (or whatever your web-accessible directory is) that is enabling hackers to exploit it.

    Find a capable admin who understands how to ferret it out. If you move to another host, you may just take the problem with you. If you insist on doing it yourself, you'll need to do a full backup, delete EVERYTHING, reinstall WordPress, reinstall your theme and the latest version of your plugins, then do a XML export/import of your posts database. It's worth it to pay someone to figure this out.

    -Erica

  128. Erica: my blog is on Rackspace Cloud servers. Those are NOT managed. It's the same thing as if I were hosted on my own Linux server. I'm responsible alone for making sure the stuff I run on those servers is updated and backed up. So, no, you're totally wrong here.

  129. Robert, thanks for the reply. Why would you choose an unmanaged hosting solution knowing that system administration is not your specialty? I don't mean this to be hostile; I'm genuinely confused. Were you aware that you were responsible for all of this? As an employee of Rackspace, why not let their capable managed hosting team handle it instead of you doing it yourself?

    -Erica

  131. I wanted to run my own blog. Mostly so I could use various plugins and play around. I didn't realize that WordPress had major holes in it. I figured that since it was several years old that the nasties had been found and removed and that it wasn't so brittle. Turns out my assumptions were wrong. I was also overly scared of upgrades, because of how software works. Look at Snow Leopard from Apple. People are complaining all over the place because it's breaking various things. Same at Microsoft whenever they did upgrades. And lots of my friends, including Mike Arrington, are having troubles with all the upgrades at WordPress (Mike told me just a few days ago that upgrades break because of their custom plugins). So I didn't stay on top of it, was waiting to see what the community said about upgrades and got bitten. The not backing up thing is just plain my fault. Never backed up when I was on WordPress.com either and didn't get bitten there. Anyway, now my account is being watched by other people as well and I'm also watching it a lot more closely.

  132. Anyway, this time they also put some malicious code on my archive pages. Google sent me an email saying they had removed my blog from its index.

    This doesn't sound like a WordPress problem; did you ever change the FTP login for that website?

  133. Hi Robert,

    You need to be aware of a problem: There is a HUGE misconception as to what managed hosting is.

    People (like you, as evidenced by the comment I'm replying to) believe that managed hosting means inflexibility. WordPress.com is an example of a limited, managed platform. But managed hosting in general is an entirely different animal.

    In the web hosting industry, “fully managed” simply means the hosting provider takes care of updates (and typically backups, as well.) You'll want to understand exactly what's covered under their management agreement so you don't get burned. Some only manage hardware. Some only manage hardware+OS. Some manage everything (those are expensive.)

    In summary: Managed hosting is NOT just WordPress.com. Managed hosting is having the hosting provider do these tasks for you. The hosting company installs WordPress.org on your own server, backs it up, and maintains/upgrades it. That's what Rackspace does best! That's how they can charge so much money. And as a very visible employee of Rackspace, you HAVE to understand the difference between what their managed platform offers, what their unmanaged platform offers, and what WordPress.com offers.

    Their cloud hosting platform has both a managed and an unmanaged variety. You need to understand the difference between those, too.

    Sit down with their sales guys. They explain it every day–I know I did as a former managed hosting company CEO.

    I am disappointed they didn't explain this to you; after all, it's a core component of their business. But maybe they assumed you already knew; I probably would have, too.

    -Erica

  134. Yup, they assumed I could upgrade my own servers on my own and live with the consequences of my actions. Of course, even TechCrunch hasn't upgraded its servers yet due to incompatibilities with some plugins they use. I didn't realize just how nasty not keeping up to date on WordPress would be. Yeah, being on a managed system would have been better for that. It certainly would have been better for backups. Both of those we're now taking care of. But you make a good point: be certain about what your hosting company is doing for you. IE, learn from my mistakes.

  135. Robert,

    You can get all of your lost blog post text out of Google Reader. I'm not sure how to link Disqus back, maybe it's as simple as re-adding the old posts with the same Url!

    Yet another reason to use full RSS feeds (instead of summary).

    See RSS isn't dead.. it's now a backup tool too!!

  136. Um..about the deleted work. Have you tried to look at the Google cache of the page? And just copy and paste it back…. ?? Google backs up your junk…it’s all in the cache…

  142. Thanks for all your posts, guys; I have upgraded to the latest version.

    I keep posting about “how timely backups help” and now that I read posts like these, I suddenly remembered that my own blog is running on an outdated version and no backup had been made for months…

    Thankfully, nothing bad happened; updated WordPress, made backups, time to take a rest now….

  143. Robert,

    Kudos on sharing your experiences and being ‘big’ enough to admit you screwed up the admin of your blog. Hopefully, others will learn and realise the need to back-up and update from your experiences.

  144. Truly, WordPress is a victim of their own success. They are so big that they will be on the radar of hackers, so it becomes up to us to be preemptive and stay up to date. I mean, WP pretty much yells at you as soon as there is an update and it takes only a couple minutes, so why wouldn't you?

    So, my answer is NO, I have not been hit with any vulnerabilities, and I do feel safe using WP. And, I definitely do not blame it on WP.

  145. Somebody hacked into my WordPress blog earlier this year as well. It was a bummer because I was working on a draft copy of a blog post that was very rough and had not been edited and they published it. I was on vacation shooting in Chicago and didn't figure it out until several hours after they'd already published it. Fortunately they didn't seem to do anything malicious other than publish that post and add spam to a bunch of my other posts.

    I tried to do the upgrade myself but it failed and wouldn't work after learning that the WordPress vulnerability may have been how I was hacked. I had to pay Aaron Brazell to do the upgrade for me because I couldn't figure it out.

    Of course I don't know how I was hacked. It could have been another way. They could have guessed my password for instance. I really love WordPress though and hope that my site stays secure going forward. It is sort of a pain though that upgrading doesn't work for me and it's not something that I can do myself. Upgrading ought to be easier.

  146. Oh yeah you have to be careful the common hack to get in WordPress (and other management systems) is going through your system's database by changing password preset on user password encryption from SHA1 to MD5 and putting in your own password. Besides backing up a system, this is why you should have a solid password, and should be updated every 60 days. The way it's done, is there are crack programs which will run random characters to break your password. (There's a program for Linux that actually lets you do it). Once in the database of the site's database you go into the user password, change the encryption from SHA1 to MD5 and then put in your own password. The system will auto encrypt your password that you entered while in MD5 format. (This is why I don't manage a site using phpMyAdmin, I would look into managing your own server utilizing Red Hat or Fedora with good security features.) I'm sorry to hear what happened to your system and hope things turn out better.

  147. I'm paying a ridiculous amount of money for Rackspace managed hosting. They don't do WordPress upgrades for me. They pretty much don't do anything on the content side – just do what they can to get the sites back up when they go down.

  148. Robert – and everyone else – there is a VERY simple solution out there: WP-DB-Backup.
    http://wordpress.org/extend/plugins/wp-db-backup/

    I have configured it to AUTOMATICALLY send me a weekly email with the SQL structure of the database tables. My gmail filter simply archives the email and the attachment. If ever poop hits the fan, I simply restore from my inbox… Now if Gmail loses all my stuff then I'm in the poop but here's to hoping I won't get double whammed :)

  149. Robert, first let me say “good on you for” posting about your experience, but second let me say that post title is nothing but pure link bait and only serves to damage WordPress and take the attention away from the fact that you failed to administer your blog properly.

    How many releases were there between 2.7 and 2.8.4? How many of them were specifically security releases! And you were notified of all of them in your WordPress Dashboard.

    I'm sorry Robert but the post title sounds like you're blaming WordPress because you spilt the milk.

    If you can't or aren't willing to update your WordPress install when security releases are released then maybe you shouldn't be using it.

  150. BTW, there are many ways to get free SSL certificates from respected CAs – you are just not entitled to badges and insurance, which are questionable benefits anyway.

  151. (tried to leave this on FF, but FF comments suck)

    I find it interesting, and depressing, that people are blaming Rackspace, they're blaming WordPress, they're blaming Robert, but no one, *no one* seems to be willing to blame the only, ONLY people who deserve blame: the evolutionary failures that attacked Robert's blog. I'm sincerely hoping that either Robert or Rackspace reported this to the FBI, so that a criminal investigation is started, and with any luck, the little mongoloids responsible will end up with a felony charge on their record.

    Robert should have been backing up not because of security, but because things break, and it's just good to have a backup.

    but the idea, even the vague concept that anyone other than the wastes of carbon that ran the attack are responsible, on any level, for this is absolutely insane, and more than slightly offensive.

  152. I have to agree with Matt's comment that you should not be using any plugins that aren't quickly upgraded to be compatible with the latest WordPress release. I try to use as few plugins as possible for that reason.

    Also, there are a lot of simple tasks being taken on by plugins that could be done with tools that are already built in to WordPress anyway. The ones that manipulate pretty permalinks and custom fields come to mind. Those tools are automatically updated with WordPress.

  153. Hello Scott,

    I am glad that you took the time to check the plugin and the version of WordPress it's compatible with. I haven't checked that since I installed it, a few months back.

    However, from firsthand experience, I can vouch for this plugin as it's working like a charm on my blog (WP version 2.8.4), so feel free to install it without any fear of breaking things.

    Hope this helps!

  154. Hi Scoble,

    I had been having the same concerns about Drupal, but they have a security advisor newsletter and mechanism to keep you updated on core and third party modules. I also found an interesting article that might be useful to readers on this post. http://lorelle.wordpress.com/2008/04/28/wordpre

    According to that article it seems WordPress is more insecure than Drupal over the last couple of years.

    I'd love to see a similar update system for WordPress but cannot find any.

    Thanks.
    Omar

  155. Lots of people talking about locking down the WP admin login section with an SSL certificate. There are many providers out there with a huge range of pricing. GoDaddy is $10, Thawte is a few hundred dollars. Before I pay over $100 a year I would like to know what SSL certificates people are using.

  156. Thanks for the update as I am new and didn't know about the vulnerability in WordPress. Sorry about your loss and I will follow.

  157. Thomas – sorry to hear of your troubles. However, WP upgrade is a 1-button click. Unless you have a variety of plugins that don't work with the latest version (if this is the case, consider ditching them), it is seamless, quick and reliable for me.

    In fact, as I don't even use WP, it's probably the single feature I miss most in Habari :-)

    How could WP make upgrades any easier unless they booked an appointment and came round in person to upgrade your blog ?

  158. The problem isn't specific to WordPress. There's no such thing as a fully, permanently secure web application. Applications evolve, and add new features, which sometimes open up new security holes, and there are also tons of people out there who are constantly working on trying to find or create new vulnerabilities. So no matter what blog program, CMS, etc. you use, it's always a constant race between hackers trying to find a way in and developers trying to keep them out.

    The ONLY solution is to keep an eye on upgrades and apply them as soon as they come out, at least if they're security upgrades. If it's just a new version adding features you don't necessarily need, then you don't need to worry about it as much, but security upgrades are vital. Any upgrade announcement will usually say which it is.

    Also, it's usually only major upgrades that are likely to break plugins, themes, etc. – going from version 1.x to 2.x, for example, or maybe occasionally something like 2.5. Smaller upgrades like going from 2.8.3 to 2.8.4 or something like that are very unlikely to cause trouble.

    I know it's usually a good idea with desktop software applications to wait a while after an upgrade is released for the bugs to be worked out, and with major upgrades to web applications the same is often true. But the big difference between desktop and web applications is that security is MUCH more of a concern on the web. By their very nature, web applications are sitting out there on the internet, much more accessible to people who want to break them than anything on your own computer at home is. So security upgrades are considerably more urgent.

    The basic point is: while this sort of thing is definitely a headache, it's not anything in the nature of WordPress as such. Rather, it's in the nature of the web.

  159. I think that's mainly because it's a simpler program, and thus more widely used. I love Drupal, and use it for the majority of the sites I create these days, but it does have a bit of a learning curve, and is thus likely to be daunting to the average blogger.

    Also, security vulnerabilities either in Drupal core or contributed modules do turn up fairly often, though they also tend to be fixed quickly. But staying on top of upgrades there is just as important.

    One thing I do especially like about Drupal, though, compared to just about any other web application, is that all the contributed modules and themes are handled through a central CVS, which among other things allows you to subscribe to a single mailing list for any and all security upgrades, be they for the core or for third-party modules. It's about the best-organized open source project out there. Though WordPress is probably a pretty close second, and is actually the quicker and easier of the two to upgrade.

  160. It sounds like you have something malicious on your computer that is causing repeated problems. Take a look at your server's FTP logs (or, more likely, have your hosting provider do it) for more details.
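  What "take a look at your server's FTP logs" means in practice, as an added example that is not part of the original comment: a small triage script that reads vsftpd-style log lines and flags the patterns that matter after a break-in of this kind (a run of failed logins followed by a successful one from the same IP, a `.php` file written under `wp-content/uploads`, a theme or core code file overwritten, and uploads from an address you do not recognise). The log lines in `SAMPLE_LOG` are constructed, not from Robert's server; the format is vsftpd's, and proftpd or control-panel logs need a different `LINE_RE`.

```python
"""Triage of an FTP server log for signs the web root was tampered with.

Added example, not from the original page.  The line format follows
vsftpd's default log style; proftpd, pure-ftpd and hosting-panel logs
differ, so adjust LINE_RE for those.  SAMPLE_LOG is constructed data.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<status>OK|FAIL) (?P<action>[A-Z]+): '
    r'Client "(?P<ip>[^"]+)"(?:, "(?P<path>[^"]+)")?'
)

# Extensions the web server would execute if dropped into the web root.
SCRIPT_EXT = (".php", ".php5", ".phtml", ".phar", ".pl", ".cgi", ".sh")

# Constructed sample: three failed logins, then success, then two uploads
# of PHP files from 203.0.113.7; a normal photo upload from a known IP.
SAMPLE_LOG = """\
Tue Sep  8 03:12:44 2009 [pid 4421] [scoble] FAIL LOGIN: Client "203.0.113.7"
Tue Sep  8 03:12:47 2009 [pid 4421] [scoble] FAIL LOGIN: Client "203.0.113.7"
Tue Sep  8 03:12:51 2009 [pid 4421] [scoble] FAIL LOGIN: Client "203.0.113.7"
Tue Sep  8 03:13:02 2009 [pid 4421] [scoble] OK LOGIN: Client "203.0.113.7"
Tue Sep  8 03:13:10 2009 [pid 4425] [scoble] OK UPLOAD: Client "203.0.113.7", "/public_html/wp-content/uploads/2009/09/img.php", 2311 bytes, 18.42Kbyte/sec
Tue Sep  8 03:13:20 2009 [pid 4425] [scoble] OK UPLOAD: Client "203.0.113.7", "/public_html/wp-content/themes/default/footer.php", 5120 bytes, 40.10Kbyte/sec
Tue Sep  8 09:00:01 2009 [pid 4501] [scoble] OK LOGIN: Client "198.51.100.20"
Tue Sep  8 09:00:30 2009 [pid 4503] [scoble] OK UPLOAD: Client "198.51.100.20", "/public_html/wp-content/uploads/2009/09/photo.jpg", 88123 bytes, 210.55Kbyte/sec
"""


def parse(lines):
    """Yield one dict per recognised log line; unrecognised lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def triage(lines, fail_threshold=3, known_ips=()):
    """Return (kind, ip, detail, timestamp) findings in log order.

    kinds:
      password_guessing_then_success  >= fail_threshold FAIL LOGINs from an
                                      IP, then an OK LOGIN from the same IP
      script_in_uploads               executable file written under
                                      wp-content/uploads (classic web shell drop)
      code_file_modified              executable file written anywhere else
                                      (theme/plugin/core file replaced)
      upload_from_unknown_ip          upload from an IP not in known_ips
                                      (only reported when known_ips is given)
    """
    failed = defaultdict(int)
    findings = []
    for ev in parse(lines):
        ip, ts = ev["ip"], ev["ts"]
        if ev["action"] == "LOGIN":
            if ev["status"] == "FAIL":
                failed[ip] += 1
            elif failed[ip] >= fail_threshold:
                detail = f"{failed[ip]} failures before login as {ev['user']}"
                findings.append(("password_guessing_then_success", ip, detail, ts))
        elif ev["action"] == "UPLOAD" and ev["status"] == "OK":
            path = ev["path"] or ""
            low = path.lower()
            if low.endswith(SCRIPT_EXT):
                kind = ("script_in_uploads" if "/wp-content/uploads/" in low
                        else "code_file_modified")
                findings.append((kind, ip, path, ts))
            if known_ips and ip not in known_ips:
                findings.append(("upload_from_unknown_ip", ip, path, ts))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines(), known_ips=("198.51.100.20",)):
        print(*finding, sep=" | ")
```

  Two caveats a practitioner would add: FTP sends the password in clear text, so a compromised home machine or any network hop can harvest it (which is why the comment suspects malware on the PC), and a successful login that came through a stolen password will not show the failed-attempt pattern at all, so the upload findings matter more than the brute-force one.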

  161. Robert,

    Someone said it a few tweets down, but there's a really easy plugin down below that will automatically back up your blog to a server or email address, and you can schedule it to backup things once a week.

    It's called WP-DB-Backup (http://wordpress.org/extend/plugins/wp-db-backup/). I'm running it on Jeremiah Owyang's blog, and it allows me to have a weekly backup of what's going on in case his site goes down. You guys are putting out so much great content that you really don't have any other option but to make sure it goes somewhere safe.

    I'll even help you set it up if you'd rather.

    There are other measures you can take to make sure your site doesn't get hacked / make it harder to hack.

    1) Set your permissions to disallow public writing (it makes your themes uneditable in the editor, but if you have FTP access go in and enable one at a time until you're done, then re-disable it).

    2) Move your WordPress directory somewhere else. There are tutorials (like this one: http://codex.wordpress.org/Giving_WordPress_Its…) that show you how to set WordPress up to live in a subfolder, which you can name whatever you want, but have it live in the root directory (keep the root folders clean too)

    3) Create a username that's not the default admin username, and delete the admin user. That's the first place they check because it's the default.

    Simple stuff, takes minutes to do, but a stitch in time saves nine, I guess. Good luck in the recovery process, and if you need some advice let me know.
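    Point 1 above, written as something you can run rather than do by hand, as an added example that is neither the commenter's code nor WordPress's own. It audits a WordPress tree for world-writable files and directories, for a `wp-config.php` that other users on the host can read (it holds the database password), and for executable files sitting under `wp-content/uploads`; it then applies the usual 755/644/600 layout and audits again. The directory layout in `_build_demo_tree` is constructed so the block runs offline; the point in the `lock_down` docstring about 600 versus 640 on `wp-config.php` depends on how PHP runs on your host.

```python
"""Audit and lock down file permissions of a WordPress tree.

Added example, not from the original page or the WordPress project.  It
implements "disallow public writing" plus two checks that belong with it:
wp-config.php must not be readable by other users, and nothing executable
should live under wp-content/uploads.  demo() builds a throwaway tree
(constructed data) so it runs offline.
"""
import stat
import tempfile
from pathlib import Path

SCRIPT_EXT = (".php", ".php5", ".phtml", ".phar", ".pl", ".cgi", ".sh")


def audit(root):
    """Return [(kind, relative_path)] for everything that violates the policy."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        st = path.lstat()
        if stat.S_ISLNK(st.st_mode):
            continue  # judge the target, not the link
        rel = path.relative_to(root).as_posix()
        if st.st_mode & stat.S_IWOTH:
            findings.append(("world_writable", rel))
        if path.name == "wp-config.php" and st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(("wp_config_readable_by_others", rel))
        if (stat.S_ISREG(st.st_mode) and rel.startswith("wp-content/uploads/")
                and path.suffix.lower() in SCRIPT_EXT):
            findings.append(("script_in_uploads", rel))
    return findings


def lock_down(root):
    """Apply 755 to directories, 644 to files, 600 to wp-config.php.

    Returns the number of entries whose mode changed.  600 on wp-config.php
    assumes PHP runs as the file owner (suPHP/FastCGI, usual on shared
    hosting); under mod_php with Apache running as another user use 640 and
    the web server's group instead.  It does not delete a script found in
    uploads: that is evidence to preserve and inspect, not a setting to flip.
    """
    root = Path(root)
    changed = 0
    for path in root.rglob("*"):
        st = path.lstat()
        if stat.S_ISLNK(st.st_mode):
            continue
        if stat.S_ISDIR(st.st_mode):
            want = 0o755
        elif path.name == "wp-config.php":
            want = 0o600
        else:
            want = 0o644
        if stat.S_IMODE(st.st_mode) != want:
            path.chmod(want)
            changed += 1
    return changed


def _build_demo_tree(root):
    """Constructed WordPress-like tree with the mistakes the audit looks for."""
    root = Path(root)
    entries = {
        "index.php": 0o644,
        "wp-config.php": 0o644,                          # readable by everyone
        "wp-content": 0o755,
        "wp-content/themes": 0o755,
        "wp-content/themes/default": 0o755,
        "wp-content/themes/default/footer.php": 0o666,   # world-writable file
        "wp-content/uploads": 0o777,                     # world-writable dir
        "wp-content/uploads/2009": 0o755,
        "wp-content/uploads/2009/09": 0o755,
        "wp-content/uploads/2009/09/img.php": 0o644,     # dropped web shell
        "wp-content/uploads/2009/09/photo.jpg": 0o644,
    }
    for rel, mode in entries.items():
        p = root / rel
        if rel.endswith((".php", ".jpg")):
            p.write_text("<?php // placeholder\n" if rel.endswith(".php") else "")
        else:
            p.mkdir()
        p.chmod(mode)  # explicit chmod so the umask does not skew the demo
    return root


def demo():
    """Audit, lock down, audit again; returns all three results."""
    with tempfile.TemporaryDirectory() as d:
        _build_demo_tree(d)
        before = audit(d)
        changed = lock_down(d)
        after = audit(d)
    return {"before": before, "changed": changed, "after": after}


if __name__ == "__main__":
    print(demo())
```

    After `lock_down` the only finding left is the PHP file in uploads, which is deliberate: permissions are a setting, a web shell is an incident. The theme editor the comment mentions stops working once theme files are 644 and owned by someone other than the PHP user; that is the trade-off the commenter describes as flipping permissions on one file at a time.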

  162. I have a different point to make here. Why do you need the plugins? I have been reading you for years, and your blog design is not relevant. Content and comments are important. Then when you added things like that annoying Google Friend Connect, visiting the site became less enjoyable. Anyhow, that's why I am happy I am sticking with wp.com. Cloud hosting is no different than having your own server in that it takes tender love and constant care and 24 hour monitoring. That's not what blogging is.

  163. It's open source at the end of the day, Mr. Scoble. Previous versions of WordPress had an export to RSS (WXR) feature and the newer versions do as well.

    Lots of other ways to back up but the above is the easiest. Interesting to see the structure in the exported file…

  164. Amiable of you Robert, I know you want to play the role (and that's great!) but if it eases your mind you should have someone monitor your blog and back it up for you periodically. Peace of mind is what matters most – besides you've got other fish to catch and great posts to write.

    Sure we are all techies at the end of the day, and I don't blame you for scratching that itch :-)

  165. There are a lot of ways to make your WordPress blog safe and secure. I think you should first look for these and then blame WordPress… else you'll be the one who'll look lame.

    Do make sure that all of the loopholes are filled up and that your blog is a great one.

  167. I'm cheap and lazy so I use instantssl.com but there are a bunch that will work for you. Since the WP-Admin section is just to encrypt my password data and whatnot I opted for the lowest end cert as I don't need any badges, etc.

  168. @Robert: Hopefully your ignorance when it comes to website security will help lots of other people.

    You run a high-profile site, attractive to hack, with no security and then you get caught with your pants down and embarrassed. Twice.

    Now the word goes around: don't do as Robert did, be smart, do the basics and keep up to date, and lots of ignorant people understand why they have to take some responsibility to avoid problems.

    So, once this happens, how do you feel safe again?

    By investing one hour in checking your install/server security and by upgrading as you know you should do.

    btw: Why did you not upgrade from 2.7.1 and what did you do prior to the hacking to secure your blog ?

  169. As a WordPress blogger who can't upgrade (my dashboard doesn't have that facility for whatever reason), I must say I am pleasantly surprised to find Matt's comment at the very top here. I wrote to WordPress several months ago with exactly the same complaint and I still haven't had the luxury of a response. It was very disappointing, but we live and we learn.

  170. This is exactly the sort of reason why I prefer asp.net applications such as BlogEngine.Net. PHP seems to get hacked a *lot* more than asp.net applications. Don’t get me wrong I like FOSS, but refuse to use PHP as a web server platform.

  172. Oh, hackers! They are terrible. Fortunately you wrote this post, so amateur WordPress users like me learned about this event. I will back up my blog. Thank you very much.

    Do you know any blog site better than wordpress?

  173. Mitch,

    Thanks for sharing that plugin. I have a ton of clients who use WordPress, and one had her site hacked as well. The host did restore the backup, but I know of other folks who have more of a DIY setup like Robert had.

  175. Is moving to Posterous, which is indeed a great service but is nonetheless a hosted provider on a service that you don't control, more secure?

    I think we could hash through the dynamics of this security problem (e.g. posterous, running your own server, etc) at some length, but I'm not sure if that discussion would be particularly useful…

  177. I agree with spidersilk on that too. It is a rich environment with several points of failure and wordpress is only one of them. I've had application hacks, malicious stuff installed and even a rootkit attack on my servers. It was even worse when I used managed servers since I had to depend on others to fix it which took more time.

    Backing up your data is always a good step toward achieving an acceptable level of peace of mind with web endeavors.