WordPress blog got hacked? Part 1 What are the common mistakes you make!

by Ruchira on January 2, 2012

hacked 300x240 Wordpress blog got hacked? Part 1 What are the common mistakes you make!

This will be a 2 part guide and this is part 1

What are the common mistakes that you make!

ever got your wordpress blog hacked? Well even my blog got hacked once icon smile Wordpress blog got hacked? Part 1 What are the common mistakes you make! Take a look at the image on the top. From this simple how to guide, Im going to explain some little facts about the common mistakes that you make against security and if you got hacked some tips that you can use to remove the malicious stuff from your blog and get back to running condition.

  • Most of us tend to CHMOD ( setting permissions about the usage of files and folders) our files and directories to 777 maybe on the start and forgets or don’t even consider to set back the permissions to something secure like 644

Thats what happens most of the time. Some scripts even wordpress requires some directories such as upload directories to be set 777 permissions recursively in order to store the uploads and temporary files.  Newbies who setting up their blogs sometimes gets mad on the directories and set whole http directory and files to 777.  Yes some of you might laugh at this but this happens. And even I did the same thing on the beginning. But fortunately wordpress has been evolved these days and its smart enough to tell you what are the permissions required and its able to check if the permissions are correct on the folders while installation. So you might be lucky these days but even today some additional plugins require the file permissions specially to be set on some folders and you should be careful while doing those things.

 

  • Never set 777 permissions on the main http folder. If your plugin require that, forget about the plugin!

 

  • Always use trusted web hosts.

 

No matter how secure your blog is there can be loopholes on your hosting.  Yes you might be short with money but still there are plenty of good web hosts on the world which you can get bang for the buck. Forget about the web host advertised on your local discussion forum. Starting a web host is like nothing these days. Anyone with a dedicated server or VPS and cpanel license, whmcs license can start a web host. But good security wont be there most of the time. So you need to be careful. Chances of leaking your data to others is very high.

 

  • Dont use your mysql database user password for something else such as your email accounts or anything.

You might be wondering why is that, its not because of someone stealing your email account password and then accessing your sql database. But I meant the reverse process. Think if your db user name and password got exposed due to a web server hack or something. Hacker will probably try the credentials for login to your email account or other online accounts. So have something special and unique as your mysql user password and never use it on anything!

 

  • Using your web host provided backup system? Good! but take your time and backup off site too!

Its not always the index.php exploit. Sometimes wordpress core gets attacked due to weak-spots on the core itself and some brutal things happened with wordpress not far ago. So backups are most important. If your database got exploited and there is no information yet about how to remove the exploit and get back running you may really enjoy if you have backups in hand. Waiting for a statement and patch from wordpress team or something is not the best way specially if you are running a busy site. So if you have backups its like cheese!

So listen we know most web hosts give you the option to backup data on their control panel so the restoration will be easy and such. But dont depend on it. Like on the previous case if the whole server gets hacked or something. You might lose the backups and will left with nothing but sorrow! So be prepared and take backups redundantly!

  • There is cool plugin on for wordpress I’m going for it! That’s not a problem. But view the ratings and read the forums on wordpress before installing a life changer plugins.

 

This is crucial. WordPress plugins emerge day by day and you need to be careful. The more plugin gets complex and interesting the better the chance of modifying the wordpress core heavily. So those plugins can really maybe weak spots later because of the modifications done to the wordpress core thus leaving possible exploit options. The best way to get around this problem is downloading your plugins from the wordpress.org plugin repository itself and read the ratings and corresponding forum ( there is separate forum for each plugin which can be found on plugin page) about the user experience! Trust me plugins are evil!

 

  • Always update the plugins and wordpress core to latest

 

See Im using LNMP on my VPS which runs this blog and Im not running FTP service on it. So wordpress updates on the control panel and the easy one click plugin updates doesnt work because they all require FTP to do the trick.

 

wordpress upgrade via sftp Wordpress blog got hacked? Part 1 What are the common mistakes you make!

 

So the get around is following the traditional way of upgrading stuff which  we did on wordpress 2.x.x That is downloading updates and overwriting files . What Im going to tell you is that always keep up to date on the plugins and wordpress core. See my way is very hard and sooo 2008 but I still do that when upgrade comes out and trust me I see upgrades very often with my 25 plugins.

 

  • Read wordpress.org about the latest news and new releases.

Do this at least twice a week. Sometimes you may not even know when a large scale attack or loop hole on wordpress gets exposed to hackers and they are doing mass destruction. WordPress.org maintains a news blog here which provide news about new wordpress releases and most importantly security releases and flows. Don’t think wordpress core itself is very secure and you don’t have to look in to that, WordPress core loop holes has been exploited many times before. So be prepared!

 

Continued to Part 2

 

I'm Ruchira Sahan and all posts on this blog are completely my thoughts and writings. I love DIY and Technology. So feel free to contact me for anything about this blog and don't forget to add a comment if this blog helped you! Thanks
 Wordpress blog got hacked? Part 1 What are the common mistakes you make!
Ruchira
View all posts by Ruchira

Last 5 posts by Ruchira

  • vishal singh

    hi…hi…i have seen ur blogs for unlocking many modems but can you help me with this particular modem model number E153du-1 thanks in advance

  • http://www.loonystuff.info/ djchamike

    Quick and nice steps to get away from being hacked. i really big fan of your ‘how to unlock huawei dongle’ guide

    This it my new post about ‘how-to-increase-torrent-download-speed’ ,3ways
    http://www.loonystuff.info/2012/01/how-to-increase-torrent-download-speed.html

  • amarildo memia

    hello ruchira ?

    model u8160 imei:356652043941598

  • http://www.pacans.com pacans

    Thanks for this information few days ago I also suffer such experience, Some one hack my blog but I restore my data through backup file……………..

  • http://ayesh.me Ayesh

    Aren’t plugins hosted on wp.org checked against security practises ? (I don’t know seriously – a Drupal guy)

    • http://www.ruchirablog.com Ruchira

      yes but it doesnt preventing from hackers entering malicious code into poorly coded plugins :(

Previous post:

Next post: