I don’t feel safe with WordPress, hackers broke in and took things

A few weeks ago some hackers broke into my blog here (this was before 2.8.4 was released). At first I thought they just left some porn sites in a couple of blog entries. So we upgraded WordPress (I was on 2.7x back then). Deleted a fake admin account. Deleted the porn sites. And thought we had solved the problem. We didn’t.

They broke back in, but this time they did a lot more damage. They deleted about two months of my blog. Yes, I didn’t have a backup. I should learn to do backups (we’re doing them now). Life has a way of beating you if you don’t have backups.

Anyway, this time they also put some malicious code on my archive pages. Google sent me an email saying they had removed my blog from its index. That got a whole team to look into how they broke in. Now thanks to TechCrunch and Mashable you know there was a vulnerability in WordPress which let them break in. Even more good details on Lorelle’s blog.

We’ve done some other things now to make it harder for them to break in (for instance, my admin account has been deleted and the new one doesn’t use the name “admin”), but the damage is done and I feel the same way I did when our childhood home was broken into. I don’t feel safe here, which might explain why I’ve been posting more over on a new Posterous blog I’ve set up.

Hopefully we’ve caught all the damage and hopefully other WordPress users haven’t had worse damage happen to them. Have you been hit by WordPress vulnerabilities? If so, what did you do to lock down the system?

Oh, and please upgrade your WordPress immediately to the latest version. That seems to have fixed the hole that the jerks got in through on my blog. Knock on wood.

So, once this happens, how do you feel safe again?

UPDATE: Matt Mullenweg, who is the guy who runs Automattic, the company that produces WordPress, wrote that I never had the problem on WordPress.com (hosted version of WordPress). That’s true. Interesting conversation going on over there with Matt.

  • http://scobleizer.com Scobleizer

    fredericsidler: they upgrade wordpress.com automatically, and have other security measures in place. But, yes, I'm wondering when we'll see a mass breakin on there too.

  • http://scobleizer.com Scobleizer

    Sheamus: did you delete the admin account and start a new admin account that's not named “admin?” There are a variety of other WordPress security best practices that are being passed around. I'll try to get one of the security guys at Rackspace to write up what they are learning, both internally and on the Net.

  • http://www.ferodynamics.com/ Ferodynamics

    Disqus is a worse problem. All your comments managed by the Eye of Sauron.

    Don’t be a wimp, you’re supposed to be a “tech” blogger. Remember?

  • michelei

    “Time is healing the wounds..”

    hum..I think a physical break in is a much more traumatic experience indeed, but I understand that we are actually talking about brand image (=money and personal time) here.

    About Rackspace and other similar managed solutions: money can't buy happiness, but it surely can buy peace of mind. And maybe you could even get a specific hacker insurance, search Google for that.

    In conclusion, a little note for the people choosing to host in the cloud, you are STILL responsible for the security side of your specific virtual machine and for updating the scripts you uploaded to it, never forget it.

  • http://www.twitter.com/guiambros guiambros

    really sad to hear, Robert. But c'mon man, you had a first break-in and still didn't do a full backup and full reinstall? That was a really bad move.

    There's no such thing as a safe place. As any security admin will tell you, it's not IF; it's WHEN. You must have your mitigation plans in place, and be able to minimize your damages should something as nasty as this happen.

    WordPress is a nice platform. At least they have a dozen really professional eyes looking at potential flaws every day. Posterous is closed source, and nothing is worse than security by obscurity.

  • http://twitter.com/tinythoughts Jodi Church

    I can understand and can't really say when you will feel safe again. My last personal blog was on Journalspace. It was one of the oldest ones on there, just about 6 years old. Then they went and destroyed the site and lost everyone's pages, years and years of people's writing, comments, photos, memories, even connections with others. I didn't regularly backup, but had some of it on my old hard drive, so basically felt that 6 years of tinythoughts were gone and it was far more devastating than I had imagined it would be. This happened at the end of last year and I haven't been able to return to personal blogging yet, but part of me really wants to, so maybe I am finally getting over it.

    I'm happy that even with such a violation against you, you still keep at it. I can't imagine you not writing and sharing anymore. So I guess people will work hard to make sure this doesn't happen to you again and with that you may feel more secure. I'm sorry it happened to you. I guess we can hope that something good, like a more secure WP or more discussions and actual strategies for more security on the web in general, will be the outcome. One thing I always admire you for is that you have the personality to always go beyond, “whaaa….this is what happened to me…big stupid jerks,” and use your voice to positively start a discussion and find solutions. This time will be no different.

  • http://twittercism.com Sheamus

    I did. And I've just done it again, as – and you can't make this stuff up – almost as soon as I wrote my comment above my blog was hacked again, and Google marked it as a major threat.

    I've removed the script exploit (again) and added a new admin account and deleted the old one (again).

    Getting VERY tiresome. I hope, in a way, that it is my host, as at least that's a workable solution.

  • Facebook User

    Remembering to upgrade wp & plugins and scheduling backups?
    Every system is vulnerable, to hackers, to lamers, to crashes. It's like “I have to do backups” for months, and crying at the fail of the HD :) … It's frustrating, but we have to learn the lesson :)
    PS: oh, yes it's happened to me too :)

  • michelei

    I just read the point about the multiple touchpoints that you recently added to your comment and I liked it. I was just thinking the same while writing my previous reply.

    Do you think we are going to see something like a “mass social mirror” sometime soon?

    My ideas about what it could do:

    1) just relay your posts across multiple social sites (eg. RT read my blog post here..)

    and/or

    2) store all your social activity in a single place, allowing you to easily export it

    what would you think of it, could you help me raise any seed stage money for that? :)

  • http://www.dennisoneil.com dennisoneil

    Are you reusing the same SQL database? The reports I read earlier said the hack goes deep into the database, so you need to export the blog, and create a fresh database with a new install. http://lorelle.wordpress.com/2009/09/04/old-wor…

  • holdenpage

    One thing I would suggest is that WordPress, when you attempt to log in, will tell you whether your username is wrong, your password is wrong, or both are wrong.

    Make it so that even if you get the username wrong it always says “username/password are wrong” instead of “username is wrong”.

    Been hacked before, figured out that is how they did it. Hackers aren't wizards, they just have a lot of time.

  • http://tdhurst.com tdhurst

    And why were you still running 2.7?

  • http://scobleizer.com Scobleizer

    I didn't upgrade because the reputation of WordPress upgrades is that it breaks things. So I was waiting to see what the community said about the latest upgrades. I also was busy and hadn't been blogging much, so didn't jump on it very fast. I won't make that mistake again. See the FriendFeed discussion on this with Matt Mullenweg. http://friendfeed.com/scobleizer/cd43c6c3/i-don…

  • Viki

    Hello Robert,

    Really sorry to hear about the hacker attack. It's awful. They have no freaking idea how much hard work is wasted when they mess up the content from blogs.

    Anyway, I wanted to let you know that anyone can access the login page for your blog via the wp-login URL. I would urge you to use HTACCESS or an excellent plugin like WP Stealth Login to make your login page private and accessible only to you.

    Secondly, right now if anyone can get to your login page, they can try brute force or dictionary login attack to try and break your Password. Please use WP Login Lockdown to avoid such attacks and keep hackers at bay.

    I really like you work, and would hate to see more hard work wasted. Please do consider reading about these plugins and applying them, if you find them useful for better security (I am sure you would). Good Luck.

    • http://scott.wilsonsway.net/ ScottW

      @Viki: Seems the plugin you refer to (WP Stealth Login) is good only up to 2.7.1. Maybe the author will update it to work with the latest version of WP soon.
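An added example, not code from the post, from WordPress, or from any plugin named in the comments, that puts holdenpage's point (the login error should not say which half was wrong) and Viki's point (lock the login page down against brute-force and dictionary guessing) into one small handler. The leaky variant answers differently for an unknown username; the hardened variant always answers “username/password are wrong”, runs the password hash even for unknown users so response time does not leak what the message no longer does, and refuses a username/IP pair after MAX_FAILURES failed attempts in a window. The user store, account name, password, IP addresses and thresholds are all constructed for the demo.

```python
import hashlib
import hmac
import os
import time

# Constructed demo user store: username -> (salt, PBKDF2-SHA256 hash).
# The account name and password are placeholders, not values from the post.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"robert": (_SALT, _hash("correct horse battery staple", _SALT))}

# Dummy credentials so that a request for an unknown username still pays for a
# full PBKDF2 run; otherwise "no such user" returns measurably faster than
# "wrong password", and the timing leaks what the message no longer says.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder", _DUMMY_SALT)

MAX_FAILURES = 5        # failed attempts allowed per (username, ip) ...
WINDOW_SECONDS = 600    # ... within this many seconds before lockout
GENERIC_ERROR = "username/password are wrong"


class LoginGuard:
    def __init__(self, clock=time.time):
        self.clock = clock            # injectable for tests
        self.failures = {}            # (username, ip) -> [timestamps of failures]

    def _recent_failures(self, key, now):
        stamps = [t for t in self.failures.get(key, []) if now - t < WINDOW_SECONDS]
        self.failures[key] = stamps
        return stamps

    def is_locked(self, username, ip):
        key = (username.lower(), ip)
        return len(self._recent_failures(key, self.clock())) >= MAX_FAILURES

    def leaky_login(self, username, password):
        """The behaviour holdenpage describes: the error says WHICH part was wrong,
        so every failed attempt confirms or denies that a username exists."""
        rec = USERS.get(username.lower())
        if rec is None:
            return False, "username is wrong"
        salt, stored = rec
        if not hmac.compare_digest(_hash(password, salt), stored):
            return False, "password is wrong"
        return True, "ok"

    def login(self, username, password, ip):
        """Hardened form: one error text for every failure, and lockout after
        MAX_FAILURES failed attempts from the same ip against the same username."""
        now = self.clock()
        key = (username.lower(), ip)
        if len(self._recent_failures(key, now)) >= MAX_FAILURES:
            return False, GENERIC_ERROR   # locked out; even a correct password is refused
        rec = USERS.get(username.lower())
        salt, stored = rec if rec is not None else (_DUMMY_SALT, _DUMMY_HASH)
        computed = _hash(password, salt)  # always computed, even for unknown users
        ok = rec is not None and hmac.compare_digest(computed, stored)
        if not ok:
            self.failures.setdefault(key, []).append(now)
            return False, GENERIC_ERROR
        self.failures.pop(key, None)      # success resets the counter
        return True, "ok"


def run_scenario():
    """Drive both handlers with constructed inputs and return what each revealed."""
    guard = LoginGuard()
    attacker_ip = "198.51.100.9"        # documentation-range address, constructed
    leaky = (guard.leaky_login("nobody", "guess")[1], guard.leaky_login("robert", "guess")[1])
    hardened = (guard.login("nobody", "guess", attacker_ip)[1],
                guard.login("robert", "guess", attacker_ip)[1])
    # Keep guessing against the real account until the lockout engages.
    extra_guesses = 0
    while not guard.is_locked("robert", attacker_ip):
        guard.login("robert", "guess%d" % extra_guesses, attacker_ip)
        extra_guesses += 1
    # Once locked, even the right password from that ip is refused ...
    locked_real = guard.login("robert", "correct horse battery staple", attacker_ip)
    # ... but the owner on a different ip is unaffected.
    owner = guard.login("robert", "correct horse battery staple", "203.0.113.5")
    return {"leaky": leaky, "hardened": hardened,
            "failures_recorded": len(guard.failures[("robert", attacker_ip)]),
            "locked_real": locked_real, "owner": owner}
```

The lockout key here is (username, ip); a plugin that also counts failures per IP across all usernames would additionally slow down enumeration of account names.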

  • teamnirvana

    I do not know how you have skipped the most important thing in blogging, which is taking regular backups. The whole blogosphere goes nuts in exclaiming that a backup is required regularly, and the more consistently you blog and update, the more you need a backup.

    I do hope that in the days to come, you will definitely backup your blog regularly using a plugin which sends the backed up DB file to any specified email address.

    WordPress is the safest CMS until and unless we follow the general security guidelines. Hope you would be more careful the next time.

    And, I hope I haven't sounded like your mom ;)

  • http://twitter.com/steve_e Steve Evans

    Feel your pain! A site of mine got hacked thanks to the hosting company having their servers exploited. Loads of malicious code and links of dubious merit got inserted into my footer, all hidden so it was there a few days and Google dropped me (thankfully didn't take long to get back into the ranks). Not a good experience.

    Sadly nowhere is totally safe and often self hosted CMS/blog apps are the most vulnerable as the hackers just know most people don't upgrade regularly.

    You're not the first person I've heard recently starting to use Posterous. Seems to be gaining in popularity quickly.

  • http://twitter.com/moon moon

    Your feed is still out there, grab it, save it and then re-publish it

  • http://paulstamatiou.com Paul Stamatiou

    ” I delete the original admin account.”

    Better yet – keep it but give it subscriber privs. So even if they do get in they'll get foiled into thinking it all worked, and then leave. (the automated bots that do all this..)

    and I backup everything on my server more or less every few days – databases, theme, images, etc – to S3 with a script I wrote. http://paulstamatiou.com/how-to-bulletproof-ser…

    I also have a plugin that changes the default location of wp-login.php to anything you want. It doesn't actually move the files but just does redirection trickery.

    As for FORCE_SSL_ADMIN – I'm in the process of setting that up on my server soon.

  • hhorton

    Dude,
    How can you report on the IT industry, previously lose your early blog writings and STILL lose data because you didn't do a backup?

    What about all your pictures of the family? Got that backed up?

    I triple backup stuff at home and still hope I don't ever lose anything.

    Come on and admit it, being on the bleeding edge isn't all it is cracked up to be.

  • http://ma.tt/ Matt

    On the WordPress site I've written a much longer response to this, if you guys could spread the link I'd appreciate it:

    http://wordpress.org/development/2009/09/keep-w…

    The more people who stay up to date the better place the web is.

  • http://nikolay.com Nikolay Kolev

    What if you're using third party plugins having tons of data in their own non-standard tables? The export-reinstall-import routine may work for some, but definitely won't for the more complicated WordPress installs.

  • http://twitter.com/bici vanni di ponzano

    I am less and less inclined to continue my 1 month old WP project. It's not worth the risk in terms of security, and there are other issues with WP that have me worried. Scoble, do yourself a big favour and start using EE core (Expression Engine) … the best damn CMS on the planet. Bar none! And it sucks in WP just fine, so migration is painless.

  • mikekingpin

    We also got hit by the hacker.

    It is important to make sure that you can actually recover your permalink structure once you have kicked the hacker out; if you don't get it exact, then you may well lose SERPs/traffic :-(

    I posted here about recovering permalinks if you don't know what they were (I know, I know… We should all know or backup this info, but let's face it – not everyone does!) Permalinks: http://www.kingpin-seo.co.uk/press-releases/how…

  • http://nbrightside.com/blog Andy C

    I have a dormant WP blog. I don't use it. However, it is patched to the latest version of WP at all times and I have daily, weekly and monthly backups.

    You never cease to amaze me. Isn't your blog content worth anything (to you) ?

  • mikekingpin

    Don't get me wrong Andy C, we backup daily! – Not only the wordpress section, but the whole server!

    I was just trying to help out those that don't, as we had a fair few requests on how to recover from this! – perhaps after this, more people will be backing up!!!

  • http://zebida.com/main/ Hesham

    I am going to upgrade as I don't have a very complicated setup on my blogs. I have already upgraded one of them, and I think the rest will handle the upgrade without problems on plugins, just need some cleaning work after the upgrade!

    Thanks for the information, I really found great stuff on your blog!

  • http://nikolay.com Nikolay Kolev

    WordPress.com is very limited. For example, you can't use JavaScript widgets. The same applies to themes due to the fact that in WordPress themes are in fact executable code.

  • http://www.sanainside.com Diego Sana

    Mine got affected by this new exploit that 2.8.4 fixes. In fact, looks like it is affecting everybody with older versions, the thing is just out of control. I didn't lose anything nor had any other problem other than wasting 1 hour upgrading and cleaning everything. Shit happens, WordPress gives us great powers, but you all know what comes with them. Just keep the thing up-to-date and you will be happy :)

  • cracks

    no offense Scoble, but you can’t blame WordPress for your poor security protocol. using “admin” as your username is akin to locking the front door of your house, but leaving your windows open, THEN 1) being shocked you were burgled, and 2) blaming your neighbourhood for being too insecure WHEN someone steals your stuff.

    it’s 2009.
    you live on the internet.
    you know the internet is vulnerable.
    you choose to use WordPress – a FREE, powerful and incredible platform.
    you get hacked, but you still don’t care enough to take the most basic security precautions.
    it takes 24 seconds to create a new administrator account and delete “admin” from the backend.
    there’s an automatic database backup plugin that takes, ooow, about 35 seconds to install and activate.

    seriously, you shouldn’t feel safe using WordPress because you seem not to care about your WordPress security. but blame yourself Scoble, and enough with the sob story. while you’re at it, please change the title of this article to something more appropriate, like “I got hacked largely because I was VERY lazy, and yes, I do know better”. (because I’m sure you)

    irrespective people, yes you could undertake every known WordPress security measure and still get hacked. but WordPress is FREE. seriously, you don’t pay money for it, so you don’t cry if it’s not 100% perfect every second of the day.
