I don’t feel safe with WordPress, hackers broke in and took things

A few weeks ago some hackers broke into my blog here (this was before 2.8.4 was released). At first I thought they had just left some porn sites in a couple of blog entries. So we upgraded WordPress (I was on 2.7.x back then). Deleted a fake admin account. Deleted the porn sites. And thought we had solved the problem. We didn’t.

They broke back in, but this time they did a lot more damage. They deleted about two months of my blog. Yes, I didn’t have a backup. I should learn to do backups (we’re doing them now). Life has a way of beating you if you don’t have backups.

Anyway, this time they also put some malicious code on my archive pages. Google sent me an email saying they had removed my blog from its index. That got a whole team to look into how they broke in. Now thanks to TechCrunch and Mashable you know there was a vulnerability in WordPress which let them break in. Even more good details on Lorelle’s blog.

We’ve done some other things now to make it harder for them to break in (for instance, my admin account has been deleted and the new one doesn’t use the name “admin”), but the damage is done and I feel the same way I did when our childhood home was broken into. I don’t feel safe here, which might explain why I’ve been posting more over on a new Posterous blog I’ve set up.

Hopefully we’ve caught all the damage and hopefully other WordPress users haven’t had worse damage happen to them. Have you been hit by WordPress vulnerabilities? If so, what did you do to lock down the system?

Oh, and please upgrade your WordPress immediately to the latest version. That seems to have fixed the hole that the jerks got in through on my blog. Knock on wood.

So, once this happens, how do you feel safe again?

UPDATE: Matt Mullenweg, who is the guy who runs Automattic, the company that produces WordPress, wrote that I never had the problem on WordPress.com (hosted version of WordPress). That’s true. Interesting conversation going on over there with Matt.

  • http://www.playlist.pk/ mair

    Yeah, having the same problem, but now I have fixed a lot of bugs. Hoping to renew my whole blog again.

  • http://twitter.com/robblewis Robb Lewis

    Sorry to hear about this, Robert. Some people are just juvenile. Thanks for sharing the reminders to back up and keep WordPress current. While my blog doesn't quite get your level of interest, it's good stuff to practice.

  • NfoRed

    I work at a hosting company, and every day someone calls in that their site is gone, either maliciously or otherwise, and asks about backups. The answer is always the same: we don’t keep them. They are always shocked and go on about how this is their business and livelihood.

    I am always amazed that people don’t have the common sense to back stuff up. We were all in school and had to do papers; we all saw the person who lost their work. If we didn’t see this, we see stories like yours, and yet people still don’t back up. What really gets me is people who have a problem once with no backups and then still don’t back up, and then end up with a worse problem before starting to back up.

    I am sure my post will be deleted, since it’s pointing out the truth. Also, as far as feeling secure: if you have backups, who cares if people break in? Restore and you’re back to normal. Look at Pirate Bay: those silly people spent millions to shut them down and they were back up in under 3 hours. WHY? Because they plan for things. Would you have a new house or car without insurance? So why would you not back up?

  • queenzeal

    You feel safe by switching to another blogging package. I mean, seriously, WordPress has a security track record worse than phpBB. It's so bad that even Stefan Esser, the founder of the PHP Security Response Team, has commented on it. I, personally, switched after the 2007 hackings.

    What's really funny, though, is this: when people were having their phpBBs hacked in 2005, they switched, immediately. But when people are hacked multiple times through WordPress, they still don't switch – they're too wrapped up in WordPress's cult of personality to even consider that. Mao Zedong has nothing on Matt Mullenweg.

  • Enric

    I'm a bit surprised you didn't keep backups since you're so connected with tech and savvy.

  • http://twitter.com/bencredible Bencredible

    I'm always 50/50 on the “Better yet – keep it but give it subscriber privs” technique. If they can get in that easily, it is possible they can force the account back to admin, but then again, you're also tricking the bot so it may just leave.

    IMO backups and FORCE_SSL_ADMIN are the two big things that most bloggers could do today but don't. Your post is awesome; may I suggest turning it into a WP plugin? I think that would be an amazing option for a ton of WP users.

  • http://twitter.com/sharisax Shari Weiss

    Oh, Robert, I'm just getting started with WordPress.org, so it seems fortunate that I started with 2.8.4.

  • http://twitter.com/sharisax Shari Weiss

    Oh, Robert, I suspect I started using WordPress.org at the right time, i.e., last week, so I began with 2.8.4. But I will heed the Archive Warning!!

  • http://mistersnitch.blogspot.com/ Mister Snitch

    Sorry to hear about this, Robert.

  • http://billbennett.co.nz billbennett

    Can anyone reading this recommend a really good guide to basic WordPress security? I've found a number of sites claiming to offer this information but some of the advice on offer is contradicted elsewhere.

  • http://jeremy.zawodny.com/blog/ Jeremy Zawodny

    Ugh. Sorry to hear that. Keeping up with security patches is a full-time job some days. :-( That and spam are two of the reasons I stopped running my own mail server a few years back. I just pay Google to handle it.

    But, Christ on toast, NO BACKUPS?!?!

    How long have you been in this industry, anyway?

    Wasn’t a major hard disk company a big sponsor of your work for a while?

  • http://lorelle.wordpress.com/ Lorelle

    Thought you were still on WordPress.com (remember the P, my friend). The millions of WordPress users on WordPress.com have no fear. If you’d upgraded sooner, this probably wouldn’t have been an issue. Your attacks also sound different from the widespread attacks, so they might have been directed at you.

    I’m sorry that you feel this way, since WordPress has been so good to you for so long and you should be the one leading the rallying call to upgrade, and the joy for those who did and are protected. It’s clear from the FriendFeed discussion that you and many others have learned a valuable lesson. While it’s the easy way to blame WordPress, WordPress has responded faster than most to security issues, often before they are even publicly known.

    Oh, and I don’t see your web hosting service joining in on that conversation, but Matt is sure there. :D
