A few weeks ago some hackers broke into my blog here (this was before 2.8.4 was released). At first I thought they just left some porn sites in a couple of blog entries. So we upgraded WordPress (I was on 2.7x back then). Deleted a fake admin account. Deleted the porn sites. And thought we had solved the problem. We didn’t.
They broke back in, but this time they did a lot more damage. They deleted about two months of my blog. Yes, I didn’t have a backup. I should learn to do backups (we’re doing them now). Life has a way of beating you if you don’t have backups.
Anyway, this time they also put some malicious code on my archive pages. Google sent me an email saying they had removed my blog from its index. That got a whole team to look into how they broke in. Now thanks to TechCrunch and Mashable you know there was a vulnerability in WordPress which let them break in. Even more good details on Lorelle’s blog.
We’ve done some other things now to make it harder for them to break in (for instance, my admin account has been deleted and the new one doesn’t use the name “admin”), but the damage is done and I feel the same way I did when our childhood home was broken into. I don’t feel safe here, which might explain why I’ve been posting more over on a new Posterous blog I’ve set up.
Hopefully we’ve caught all the damage and hopefully other WordPress users haven’t had worse damage happen to them. Have you been hit by WordPress vulnerabilities? If so, what did you do to lock down the system?
Oh, and please upgrade your WordPress immediately to the latest version. That seems to have fixed the hole that the jerks got in through on my blog. Knock on wood.
So, once this happens, how do you feel safe again?
UPDATE: Matt Mullenweg, who is the guy who runs Automattic, the company that produces WordPress, wrote that I never had the problem on WordPress.com (hosted version of WordPress). That’s true. Interesting conversation going on over there with Matt.
Unless there is some 0-day exploit they get hit with, it's not going to happen soon.
Robert,
Someone said it a few tweets down, but there's a really easy plugin down below that will automatically back up your blog to a server or email address, and you can schedule it to backup things once a week.
It's called WP-DB-Backup (http://wordpress.org/extend/plugins/wp-db-backup/). I'm running it on Jeremiah Owyang's blog, and it allows me to have a weekly backup of what's going on in case his site goes down. You guys are putting out so much great content that you really don't have any other option but to make sure it goes somewhere safe.
I'll even help you set it up if you would rather it.
There are other measures you can take to make sure your site doesn't get hacked / make it harder to hack.
1) Set your permissions to disallow public writing (it makes your themes uneditable in the editor, but if you have FTP access go in and enable one at a time until you're done, then re-disable it).
2) Move your WordPress directory somewhere else. There are tutorials (like this one: http://codex.wordpress.org/Giving_WordPress_Its...) that show you how to set WordPress up to live in a subfolder, which you can name whatever you want, but have it live in the root directory (keep the root folders clean too).
3) Create a username that's not the default admin username, and delete the admin user. That's the first place they check because it's the default.
Simple stuff, takes minutes to do, but a stitch in time saves nine, I guess. Good luck in the recovery process, and if you need some advice let me know.
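The two pieces of advice in the comment above, scheduled database backups and "disallow public writing", as an added example in POSIX shell. This is not the WP-DB-Backup plugin and not the commenter's code; everything in it is constructed for illustration. It assumes the web server user owns the WordPress tree (so 755/644 still lets uploads work and PHP can still read a 600 `wp-config.php`), that `mysqldump` reads its credentials from `~/.my.cnf` so no password is passed on the command line, and that `DUMP_CMD` may override the dump command (used here only so the rotation logic can be exercised without a database). The function names `wp_backup_db`, `wp_backup_count`, `wp_list_world_writable` and `wp_harden_perms` are hypothetical.

```shell
#!/bin/sh
# Added example, not the page's own code. Assumptions (constructed):
#   - the web server user owns the WordPress files, so directories 755 and
#     files 644 keep uploads working and PHP can read a 600 wp-config.php;
#   - mysqldump reads credentials from ~/.my.cnf (nothing on the command line);
#   - DUMP_CMD, if set, replaces the mysqldump invocation.
set -u

# Dump database DB_NAME into BACKUP_DIR and keep only the newest KEEP dumps.
wp_backup_db() {
    backup_dir=$1; keep=$2; db_name=$3
    dump_cmd=${DUMP_CMD:-"mysqldump --single-transaction $db_name"}
    mkdir -p "$backup_dir" || return 1
    chmod 700 "$backup_dir"      # dumps hold password hashes and salts: owner-only
    stamp=$(date +%Y%m%d%H%M%S)
    out=$(mktemp "$backup_dir/$db_name-$stamp.XXXXXX") || return 1
    # Write to a scratch file first so a failed dump never masquerades as a backup.
    if ! sh -c "$dump_cmd" > "$out"; then
        rm -f "$out"
        return 1
    fi
    gzip -f "$out" || return 1   # produces $out.gz
    # Rotate: names begin with the timestamp, so plain sort order is age order.
    count=$(( $(ls -1 "$backup_dir/$db_name-"*.gz | wc -l) ))
    excess=$(( count - keep ))
    if [ "$excess" -gt 0 ]; then
        ls -1 "$backup_dir/$db_name-"*.gz | head -n "$excess" | while read -r old; do
            rm -f "$old"
        done
    fi
    return 0
}

# Number of dumps currently kept for DB_NAME in BACKUP_DIR.
wp_backup_count() {
    backup_dir=$1; db_name=$2
    set -- "$backup_dir/$db_name-"*.gz
    if [ -e "$1" ]; then echo "$#"; else echo 0; fi
}

# Every path under WP_ROOT that any user on the host can write to. Run this
# before hardening: a world-writable uploads directory is where dropped files
# tend to sit, so the list is worth keeping as evidence.
wp_list_world_writable() {
    find "$1" -perm -o=w
}

# The "disallow public writing" step: directories 755, files 644, and
# wp-config.php 600 (it holds the database password and the auth salts).
# Returns 1 if anything is still world-writable afterwards.
wp_harden_perms() {
    wp_root=$1
    find "$wp_root" -type d -exec chmod 755 {} +
    find "$wp_root" -type f -exec chmod 644 {} +
    if [ -f "$wp_root/wp-config.php" ]; then
        chmod 600 "$wp_root/wp-config.php"
    fi
    [ -z "$(wp_list_world_writable "$wp_root")" ]
}

# Usage: sh wp-harden.sh /path/to/wordpress
if [ -n "${1:-}" ]; then
    wp_harden_perms "$1" && echo "no world-writable paths remain under $1"
fi
```

As the commenter notes, 644 on theme files disables the built-in theme editor; that is the intended trade-off, since the editor is also what an attacker with a stolen admin session uses to plant code. The backup function does not change file ownership; if the tree is owned by a deploy user rather than the web server user, `wp-config.php` needs group-read (640) and a matching group instead of 600.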
PostRank has a fairly extensive archive of your blog:
http://www.postrank.com/feed/65b2b7c99c37d4c027...
We have a full content archive as well – just the descriptions, titles and dates are on the PostRank app itself.
Lemme know if you'd like us to extract some posts – or even the entire archive and you can select the missing ones?
Ready and willing if you think it would help.
I hope this entry shows up in this years Darwin awards…
I have a different point to make here. Why do you need the plugins? I have been reading you for years, and your blog design is not relevant. Content and comments are important. Then when you added things like that annoying Google Friend Connect, visiting the site became less enjoyable. Anyhow, that's why I am happy I am sticking with wp.com. Cloud hosting is no different than having your own server in that it takes tender love and constant care and 24 hour monitoring. That's not what blogging is.
It's open source at the end of the day, Mr. Scoble. Last versions of WordPress had an export to RSS WXR feature and the newer versions do as well.
Lots of other ways to back up but the above is the easiest. Interesting to see the structure in the exported file…
Good points Erica..
Amiable of you Robert, I know you want to play the role (and thats great!) but if it eases your mind you should have someone monitor your blog and back it up for you periodically. Peace of mind is what matters most – besides you got other fish to catch and great posts to write.
Sure we are all techies at the end of the day, and I don't blame you for scratching that itch.
Agree with you here man, especially with the nature of the web!
There are a lot of ways to make your WordPress blog safe and secure. I think you should first look for these and then blame WordPress… else you'll be the one who'll look lame.
Do make sure that all of the loopholes are filled up and that your blog is a great one.
Oh yes btw,
WordPress Rocks.
What SSL cert vendor should I look at, such a range of pricing, need a cheat sheet.
I'm cheap and lazy so I use instantssl.com but there are a bunch that will work for you. Since the WP-Admin section is just to encrypt my password data and whatnot I opted for the lowest end cert as I don't need any badges, etc.
Thanks.
As a WordPress blogger who can't upgrade (my dashboard doesn't have that facility for whatever reason), I must say I am pleasantly surprised to find Matt's comment at the very top here. I wrote to WordPress several months ago with exactly the same complaint and I still haven't had the luxury of a response. It was very disappointing, but we live and we learn.
Oh, hackers! They are very terrible. Fortunately you wrote this post, so amateur WordPress users like me learned about this event. I will back up my blog. Thank you very much.
Do you know any blog site better than wordpress?
Mitch,
Thanks for sharing that plugin. I have a ton of clients who use WordPress, and one had her site hacked as well. The host did restore the backup, but I know of other folks who have more of a DIY setup like Robert had.
Is moving to Posterous, which is indeed a great service but is nonetheless a hosted provider on a service that you don't control, more secure?
I think we could hash through the dynamics of this security problem (e.g. posterous, running your own server, etc) at some length, but I'm not sure if that discussion would be particularly useful…
Sorry for the very late reply Viki and thanks for the heads up on it working on the latest version.
I agree with spidersilk on that too. It is a rich environment with several points of failure and wordpress is only one of them. I've had application hacks, malicious stuff installed and even a rootkit attack on my servers. It was even worse when I used managed servers since I had to depend on others to fix it which took more time.
Backing up your data is always a good step toward achieving an acceptable level of peace of mind with web endeavors.