I don’t feel safe with WordPress, hackers broke in and took things

A few weeks ago some hackers broke into my blog here (this was before 2.8.4 was released). At first I thought they had just left some porn links in a couple of blog entries. So we upgraded WordPress (I was on 2.7.x back then), deleted a fake admin account, deleted the porn links, and thought we had solved the problem. We hadn’t.

They broke back in, but this time they did a lot more damage. They deleted about two months of my blog. Yes, I didn’t have a backup. I should learn to do backups (we’re doing them now). Life has a way of beating you if you don’t have backups.

Anyway, this time they also put some malicious code on my archive pages. Google sent me an email saying they had removed my blog from its index. That got a whole team to look into how they broke in. Now thanks to TechCrunch and Mashable you know there was a vulnerability in WordPress which let them break in. Even more good details on Lorelle’s blog.

We’ve done some other things now to make it harder for them to break in (for instance, my admin account has been deleted and the new one doesn’t use the name “admin”), but the damage is done and I feel the same way I felt when our childhood home was broken into. I don’t feel safe here, which might explain why I’ve been posting more over on a new Posterous blog I’ve set up.

Hopefully we’ve caught all the damage and hopefully other WordPress users haven’t had worse damage happen to them. Have you been hit by WordPress vulnerabilities? If so, what did you do to lock down the system?

Oh, and please upgrade your WordPress immediately to the latest version. That seems to have fixed the hole that the jerks got in through on my blog. Knock on wood.

So, once this happens, how do you feel safe again?

UPDATE: Matt Mullenweg, who is the guy who runs Automattic, the company that produces WordPress, wrote that I never had the problem on WordPress.com (hosted version of WordPress). That’s true. Interesting conversation going on over there with Matt.

  • http://frcreditrepair.com/credit-repair-blog/ frCreditRepair

    Truly, WordPress is a victim of their own success. They are so big that they will be in the radar of hackers, so it becomes up to us to be preemptive and stay up to date. I mean, WP pretty much yells at you as soon as there is an update and it takes only a couple minutes, so why wouldn't you?

    So, my answer is NO, I have not been hit with any vulnerabilities, and I do feel safe using WP. And, I definitely do not blame it on WP.

  • http://thomashawk.com thomashawk

    Somebody hacked into my WordPress blog earlier this year as well. It was a bummer because I was working on a draft copy of a blog post that was very rough and had not been edited and they published it. I was on vacation shooting in Chicago and didn't figure it out until several hours after they'd already published it. Fortunately they didn't seem to do anything malicious other than publish that post and add spam to a bunch of my other posts.

    I tried to do the upgrade myself but it failed and wouldn't work after learning that the WordPress vulnerability may have been how I was hacked. I had to pay Aaron Brazell to do the upgrade for me because I couldn't figure it out.

    Of course I don't know how I was hacked. It could have been another way. They could have guessed my password for instance. I really love WordPress though and hope that my site stays secure going forward. It is sort of a pain though that upgrading doesn't work for me and it's not something that I can do myself. Upgrading ought to be easier.

  • tim finin

    Two weeks ago we discovered that three of our blogs had been compromised. It's a jungle out there. :-(

  • http://www.elwdesign.net/ Eric Weiss

    Oh yeah you have to be careful, the common hack to get in WordPress (and other management systems) is going through your system's database by changing password preset on user password encryption from SHA1 to MD5 and putting in your own password. Besides backing up a system, this is why you should have a solid password, and it should be updated every 60 days. The way it's done, is there are crack programs which will run random characters to break your password. (There's a program for Linux that actually lets you do it). Once in the database of the site's database you go into the user password, change the encryption from SHA1 to MD5 and then put in your own password. The system will auto encrypt your password that you entered while in MD5 format. (This is why I don't manage a site using phpMyAdmin, I would look into managing your own server utilizing Red Hat or Fedora with good security features.) I'm sorry to hear what happened to your system and hope things turn out better.

  • http://outsidethebeltway.com/ James Joyner

    I'm paying a ridiculous amount of money for Rackspace managed hosting. They don't do WordPress upgrades for me. They pretty much don't do anything on the content side – just do what they can to get the sites back up when they go down.

  • Name

    Robert – and everyone else – there is a VERY simple solution out there: WP-DB-Backup.
    http://wordpress.org/extend/plugins/wp-db-backup/

    I have configured it to AUTOMATICALLY send me a weekly email with the SQL structure of the database tables. My gmail filter simply archives the email and the attachment. If ever poop hits the fan, I simply restore from my inbox… Now if Gmail loses all my stuff then I'm in the poop but here's to hoping I won't get double whammed :)

  • http://alexrunyan.us/ Alex

    Wow, they did all that? I need to go update my blog! …

  • http://pauloflaherty.com Paul OFlaherty

    Robert, first let me say “good on you” for posting about your experience, but second let me say that post title is nothing but pure link bait and only serves to damage WordPress and take the attention away from the fact that you failed to administer your blog properly.

    How many releases were there between 2.7 and 2.8.4? How many of them were specifically security releases! And you were notified of all of them in your WordPress Dashboard.

    I'm sorry Robert but the post title sounds like you're blaming WordPress because you spilt the milk.

    If you can't or aren't willing to update your WordPress install when security releases are released then maybe you shouldn't be using it.

  • http://www.interconnectit.com/ David Coveney

    In the end I decided it was now time to put what I know and feel about security, and how it’s to be tackled with WP (and other systems) into a fairly lengthy article on my company site at http://www.interconnectit.com/679/a-common-sense-wordpress-security-primer/

    Hopefully it’s of some use to folk.

  • http://nikolay.com Nikolay Kolev

    When I enable FORCE_SSL_ADMIN, my admin page crashes Google Chrome. Doesn't work smoothly on IE8 either.

  • http://nikolay.com Nikolay Kolev

    BTW, there are many ways to get free SSL certificates from respected CAs – you are just not entitled to badges and insurance, which are questionable benefits anyway.

  • http://www.bynkii.com/ John C. Welch

    (tried to leave this on FF, but FF comments suck)

    I find it interesting, and depressing, that people are blaming Rackspace, they're blaming WordPress, they're blaming Robert, but no one, *no one* seems to be willing to blame the only, ONLY people who deserve blame: the evolutionary failures that attacked Robert's blog. I'm sincerely hoping that either Robert or Rackspace reported this to the FBI, so that a criminal investigation is started, and with any luck, the little mongoloids responsible will end up with a felony charge on their record.

    Robert should have been backing up not because of security, but because things break, and it's just good to have a backup.

    but the idea, even the vague concept that anyone other than the wastes of carbon that ran the attack are responsible, on any level, for this is absolutely insane, and more than slightly offensive.

  • http://wendelbrume.com Tom Wood

    I have to agree with Matt's comment that you should not be using any plugins that aren't quickly upgraded to be compatible with the latest WordPress release. I try to use as few plugins as possible for that reason.

    Also, there are a lot of simple tasks being taken on by plugins that could be done with tools that are already built in to WordPress anyway. The ones that manipulate pretty permalinks and custom fields come to mind. Those tools are automatically updated with WordPress.

  • http://lowtechtimes.com/ S.P. Gass

    Reading about the attacks finally gave me the push to upgrade from 2.3 to 2.8.4 on my blogs. I'm planning to stick with WP for now.

  • http://www.vikitech.com Viki

    Hello Scott,

    I am glad that you took the time to check the plugin and the version of WordPress it's compatible with. I haven't checked that since I installed it, a few months back.

    However, from firsthand experience, I can vouch for this plugin as it's working like a charm on my blog (WP version 2.8.4), so feel free to install it without any fear of breaking things.

    Hope this helps!

  • https://www.twitter.com/VinitSharma Vinit Sharma

    Did the mail that I sent you, which had your lost posts, help you?

  • http://www.facebook.com/DJOmarUddin Omar Uddin

    Hi Scoble,

    I had been having the same concerns about Drupal, but they have a security advisor newsletter and mechanism to keep you updated on core and third party modules. I also found an interesting article that might be useful to readers on this post. http://lorelle.wordpress.com/2008/04/28/wordpre

    According to that article it seems WordPress is more insecure than Drupal over the last couple of years.

    I'd love to see a similar update system for WordPress but cannot find any.

    Thanks.
    Omar

  • http://www.trade-exporter.com KBC

    I have 5 blogs with WP, I used it, it is the new WP, that is not very safe. But you must be careful of … :)

  • http://theprogressbar.com daveevans

    Lots of people are talking about locking down the WP admin login section with an SSL certificate. There are many providers out there with a huge range of pricing. GoDaddy is $10, Thawte is a few hundred dollars. Before I pay over $100 a year I would like to know what SSL certificates people are using.

  • wauczie

    Thanks for the update as I am new and didn't know about the vulnerability in WordPress. Sorry about your loss and I will follow.

  • http://www.after5pc.net/ Bryan – After5PC

    This is terrible. I’m sorry your WordPress blog/site has been compromised. I am glad I was not affected. What a relief!

  • http://nbrightside.com/blog Andy C

    Thomas – sorry to hear of your troubles. However, WP upgrade is a 1-button click. Unless you have a variety of plugins that don't work with the latest version (if this is the case, consider ditching them), it is seamless, quick and reliable for me.

    In fact, as I don't even use WP, it's probably the single feature I miss most in Habari :-)

    How could WP make upgrades any easier unless they booked an appointment and came round in person to upgrade your blog ?

  • spidersilk

    The problem isn't specific to WordPress. There's no such thing as a fully, permanently secure web application. Applications evolve, and add new features, which sometimes open up new security holes, and there are also tons of people out there who are constantly working on trying to find or create new vulnerabilities. So no matter what blog program, CMS, etc. you use, it's always a constant race between hackers trying to find a way in and developers trying to keep them out.

    The ONLY solution is to keep an eye on upgrades and apply them as soon as they come out, at least if they're security upgrades. If it's just a new version adding features you don't necessarily need, then you don't need to worry about it as much, but security upgrades are vital. Any upgrade announcement will usually say which it is.

    Also, it's usually only major upgrades that are likely to break plugins, themes, etc. – going from version 1.x to 2.x, for example, or maybe occasionally something like 2.5. Smaller upgrades like going from 2.8.3 to 2.8.4 or something like that are very unlikely to cause trouble.

    I know it's usually a good idea with desktop software applications to wait a while after an upgrade is released for the bugs to be worked out, and with major upgrades to web applications the same is often true. But the big difference between desktop and web applications is that security is MUCH more of a concern on the web. By their very nature, web applications are sitting out there on the internet, much more accessible to people who want to break them than anything on your own computer at home is. So security upgrades are considerably more urgent.

    The basic point is: while this sort of thing is definitely a headache, it's not anything in the nature of WordPress as such. Rather, it's in the nature of the web.

  • spidersilk

    I think that's mainly because it's a simpler program, and thus more widely used. I love Drupal, and use it for the majority of the sites I create these days, but it does have a bit of a learning curve, and is thus likely to be daunting to the average blogger.

    Also, security vulnerabilities either in Drupal core or contributed modules do turn up fairly often, though they also tend to be fixed quickly. But staying on top of upgrades there is just as important.

    One thing I do especially like about Drupal, though, compared to just about any other web application, is that all the contributed modules and themes are handled through a central CVS, which among other things allows you to subscribe to a single mailing list for any and all security upgrades, be they for the core or for third-party modules. It's about the best-organized open source project out there. Though WordPress is probably a pretty close second, and is actually the quicker and easier of the two to upgrade.

  • mcinvale

    it sounds like you have something malicious on your computer that is causing repeated problems. take a look at your server's FTP logs (or more likely, have your hosting provider do it) for more details.

  • mcinvale

    unless there is some 0 day exploit they get hit with, it's not going to happen soon.

  • http://twitter.com/studionashvegas Mitch Canter

    Robert,

    Someone said it a few tweets down, but there's a really easy plugin down below that will automatically back up your blog to a server or email address, and you can schedule it to backup things once a week.

    It's called WP-DB-Backup (http://wordpress.org/extend/plugins/wp-db-backup/). I'm running it on Jeremiah Owyang's blog, and it allows me to have a weekly backup of what's going on in case his site goes down. You guys are putting out so much great content that you really don't have any other option but to make sure it goes somewhere safe.

    I'll even help you set it up if you would rather it.

    There are other measures you can take to make sure your site doesn't get hacked / make it harder to hack.

    1) Set your permissions to disallow public writing (it makes your themes uneditable in the editor, but if you have FTP access go in and enable one at a time until you're done, then re-disable it).

    2) Move your WordPress directory somewhere else. There are tutorials (like this one: http://codex.wordpress.org/Giving_WordPress_Its…) that show you how to set WordPress up to live in a subfolder, which you can name whatever you want, but have it live in the root directory (keep the root folders clean too)

    3) Create a username that's not the default admin username, and delete the admin user. That's the first place they check because it's the default.

    Simple stuff, takes minutes to do, but a stitch in time saves nine, I guess. Good luck in the recovery process, and if you need some advice let me know.
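One way to turn the advice in this thread into a repeatable check: an audit script that flags an outdated core (older than the 2.8.4 release named in the post), a missing FORCE_SSL_ADMIN, a group- or world-writable wp-config.php, a surviving default "admin" user, and a database backup older than the weekly schedule the WP-DB-Backup comments suggest. This is an added example, not code from the original post or from any commenter; the sample install it builds is constructed in a temporary directory, and the finding names and helper functions are my own.

```python
"""Audit a WordPress install against the hardening advice in this thread."""
import os
import re
import stat
import tempfile
import time
from pathlib import Path

LATEST_KNOWN = (2, 8, 4)   # the fixed release named in the post
MAX_BACKUP_AGE_DAYS = 7    # weekly backups, as the WP-DB-Backup comments suggest


def parse_version(text):
    """Pull $wp_version out of wp-includes/version.php, e.g. '2.7.1' -> (2, 7, 1)."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([\d.]+)['\"]", text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def defined_true(config_text, name):
    """True if wp-config.php contains define('NAME', true)."""
    pat = r"define\(\s*['\"]" + re.escape(name) + r"['\"]\s*,\s*true\s*\)"
    return re.search(pat, config_text, re.IGNORECASE) is not None


def audit(root, users, now=None):
    """Return a list of finding names for the install at root; empty means all checks passed."""
    root = Path(root)
    now = time.time() if now is None else now
    findings = []
    version = parse_version((root / "wp-includes" / "version.php").read_text())
    if version is None or version < LATEST_KNOWN:
        findings.append("outdated-core")
    config_path = root / "wp-config.php"
    config = config_path.read_text()
    if not defined_true(config, "FORCE_SSL_ADMIN"):
        findings.append("admin-not-forced-to-ssl")
    if config_path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("wp-config-group-or-world-writable")
    if "admin" in {u.lower() for u in users}:
        findings.append("default-admin-user-present")
    backup_dir = root / "backups"
    dumps = sorted(backup_dir.glob("*.sql"), key=lambda p: p.stat().st_mtime) if backup_dir.is_dir() else []
    if not dumps or now - dumps[-1].stat().st_mtime > MAX_BACKUP_AGE_DAYS * 86400:
        findings.append("no-recent-db-backup")
    return findings


def make_sample_install(version="2.7.1", force_ssl=False, backup_age_days=None):
    """Write a constructed, minimal WordPress tree into a fresh temp dir (not a real site)."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    (root / "wp-includes").mkdir()
    (root / "wp-includes" / "version.php").write_text(f"<?php\n$wp_version = '{version}';\n")
    lines = ["<?php", "define('DB_NAME', 'blog');"]
    if force_ssl:
        lines.append("define('FORCE_SSL_ADMIN', true);")
    (root / "wp-config.php").write_text("\n".join(lines) + "\n")
    os.chmod(root / "wp-config.php", 0o640)   # owner rw, group r, others nothing
    if backup_age_days is not None:
        (root / "backups").mkdir()
        dump = root / "backups" / "blog.sql"
        dump.write_text("-- constructed dump, no real data\n")
        old = now = time.time() - backup_age_days * 86400
        os.utime(dump, (old, now))
    return root


if __name__ == "__main__":
    # An install like the one in the post: 2.7.x, no SSL on admin, an 'admin' user, no backups.
    print(audit(make_sample_install(), ["admin", "robert"]))
```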

  • http://twitter.com/jimmurphy Jim Murphy

    PostRank has a fairly extensive archive of your blog:
    http://www.postrank.com/feed/65b2b7c99c37d4c027

    We have a full content archive as well – just the descriptions, titles and dates are on the PostRank app itself.

    Lemme know if you'd like us to extract some posts – or even the entire archive and you can select the missing ones?

    Ready and willing if you think it would help.

  • http://www.markstahler.ca Mark

    I hope this entry shows up in this years Darwin awards…

  • chender

    I have a different point to make here. Why do you need the plugins? I have been reading you for years, and your blog design is not relevant. Content and comments are important. Then when you added things like that annoying Google Friend Connect visiting the site became less enjoyable. Anyhow that's why I am happy I am sticking with wp.com. Cloud hosting is no different than having your own server in that it takes tender love and constant care and 24 hour monitoring. That's not what blogging is.

  • http://blogspot.fluidnewmedia.com featureBlend

    It's open source at the end of the day Mr. Scoble. Last versions of WordPress had an export to RSS WXR feature and the newer versions do as well.

    Lots of other ways to back up but the above is the easiest. Interesting to see the structure in the exported file…

  • http://blogspot.fluidnewmedia.com featureBlend

    Good points Erica..

  • http://blogspot.fluidnewmedia.com featureBlend

    Amiable of you Robert, I know you want to play the role (and thats great!) but if it eases your mind you should have someone monitor your blog and back it up for you periodically. Peace of mind is what matters most – besides you got other fish to catch and great posts to write.

    Sure we are all techies at the end of the day, and I don't blame you for scratching that itch :-)

  • http://blogspot.fluidnewmedia.com featureBlend

    Agree with you here man, especially with the nature of the web!

  • http://www.jonfr.com/ jonfr

    I use WordPress too. But there is a difference between you and me. I get off my lazy ass and update my WordPress once in a while.

  • http://www.hamroawaaz.com/ GodMode

    There are a lot of ways to make your WordPress blog safe and secure. I think you should first look for these and then blame WordPress… else you'll be the one who'll look lame.

    Do make sure that all of the loopholes are filled up and that your blog is a great one.

  • http://www.hamroawaaz.com/ GodMode

    Oh yes btw,

    WordPress Rocks.

  • http://theprogressbar.com daveevans

    What SSL cert vendor should I look at, such a range of pricing, need a cheat sheet.

  • http://www.spacevidcast.com Bencredible

    I'm cheap and lazy so I use instantssl.com but there are a bunch that will work for you. Since the WP-Admin section is just to encrypt my password data and whatnot I opted for the lowest end cert as I don't need any badges, etc.

  • http://theprogressbar.com daveevans

    Thanks.

  • http://johnmyr.wordpress.com/ John Myrstad

    @Robert: Hopefully your ignorance when it comes to website security will help lots of other people.

    You run a high-profile site, attractive to hack, with no security and then you get caught with your pants down and embarrassed. Twice.

    Now the word goes around; don't do as Robert, be smart, do the basics and keep up to date, and lots of ignorant people understand why they have to take some responsibility to avoid problems.

    So, once this happens, how do you feel safe again?

    By investing one hour in checking your install/server security and by upgrading as you know you should do.

    btw: Why did you not upgrade from 2.7.1 and what did you do prior to the hacking to secure your blog ?

  • http://churumuri.wordpress.com/ Krishna Prasad

    As a WordPress blogger who can't upgrade (my dashboard doesn't have that facility for whatever reason), I must say I am pleasantly surprised to find Matt's comment at the very top here. I wrote to WordPress several months ago with exactly the same complaint and I still haven't had the luxury of a response. It was very disappointing, but we live and we learn.

  • http://fvrit.com/ Allen Harkleroad

    This is exactly the sort of reason why I prefer asp.net applications such as BlogEngine.Net. PHP seems to get hacked a *lot* more than asp.net applications. Don’t get me wrong I like FOSS, but refuse to use PHP as a web server platform.

  • http://www.wpbeginner.com/ Syed Balkhi

    It’s really sad to hear that happened to you Robert. Make sure that you always keep a backup of WordPress. I suggest using the WP-DB plugin and setting a 24 hour daily backup emailed to you.

    Also look at this article for further ways to secure your WP-Admin

    http://www.wpbeginner.com/wp-tutorials/11-vital-tips-and-hacks-to-protect-your-wordpress-admin-area/

  • While1

    Oh, hackers! They are very terrible. Fortunately you wrote this post, so amateur WordPress users like me learned about this event. I will back up my blog. Thank you very much.

    Do you know any blog site better than wordpress?

  • orange_county_seo

    Mitch,

    Thanks for sharing that plugin. I have a ton of clients who use WordPress, and one had her site hacked as well. The host did restore the backup, but I know of other folks who have more of a DIY setup like Robert had.