I’ve written extensively about the choices you have in responding to negative comments and bloggers. You can respond or ignore, but never retaliate. However, a few months ago, Darren Rowse of Problogger was the victim of a spammer and hacker and it made me want to jump up and hit back, as I’m sure it did others when they found out.
Darren didn’t know his email newsletter had been hacked until hundreds of angry emails with nasty threats started filling his inbox. He plunged in immediately to determine the problem and responded by posting announcements on his affected blogs, emailing his newsletter mailing list, and then emailing each individual who had written to him, explaining what had happened and apologizing for the criminal activity imposed upon him.
He moved fast and appeared to remain calm as he methodically responded to the attack. And he learned some lessons, including how he turned a negative into a positive, gaining more readers and fans in the process.
A couple of months ago, a hacker publicly announced a list of WordPress blogs he was going to hack due to a security flaw in WordPress. This came right as the security flaw was patched in WordPress 2.0.7. Those on the hacker’s list who didn’t upgrade were vulnerable, and many were hacked, their blogs defaced. All were warned as soon as the news came out by fans and web watchers, but some were still attacked. The blogosphere took care of its own, and many helped restore the defaced blogs as fast as possible.
Not long after, news hit that a hacker had broken into the WordPress download site and contaminated the latest version of WordPress. The site was shut down immediately, and the international crew of WordPress developers moved in to clean up the mess and prevent this from happening in the future. The announcement came out 12 hours later, alerting everyone to update their WordPress version, no matter what version they ran, and asking WordPress fans around the world to spread the word.
Earlier this year, a lot of people were angered when they found their downloaded WordPress Theme stuffed with ad links and other unwanted content. The issue became very hot and Matt Mullenweg asked the WordPress Community to vote on what they wanted done to protect WordPress bloggers from these possible threats, and the response was overwhelming. With the overwhelming majority in the Community wanting spam links and potentially risky WordPress Themes out of the WordPress Theme Viewer and other WordPress official sites, Matt complied.
There are still sites offering free WordPress Themes that may include security vulnerabilities, ads, and other unwanted elements, so WordPress users are still warned to beware.
You might think bad things only happen to the famous and most popular bloggers and online services, but bad things by evil people can happen at any time.
Are you prepared? Would you know what to do if bad things happened to your blog?
Preparing For Evil with a WordPress Blog
The reality of having any form of site on the Internet is that there are nasty people out there just looking for trouble. The trouble they may find could be your WordPress blog.
Most bloggers are familiar with fighting the evil of comment spammers; here are some tips to help you prepare for possible hacking or other problems on your WordPress blog.
Update WordPress Regularly
Yes, upgrading WordPress is a pain, though there are now WordPress Plugins like WordPress Automatic Upgrade WordPress Plugin that promise to make the process easier. The threat of losing some of our most valuable WordPress Plugins or the possibility of breaking our WordPress Theme with serious upgrades makes the decision to upgrade a nervous one.
Protecting your blog from security flaws and vulnerabilities is critical to keeping your blog safe, so don’t use Plugins and Theme issues to justify not upgrading. It only takes one open door for a hacker to enter, and you want to make sure those doors are closed as fast as they are found.
There are two types of upgrades available currently in WordPress. One is for the latest version, with all the improvements and security fixes. The other only includes the security patches and bug fixes for an older version. These versions are called “branches”.
Currently, to upgrade WordPress to the latest version, you would use the WordPress 2.2 branch. To upgrade along the WordPress 2.0 branch, you would use the latest version in that line.
WordPress 2.2 brought changes to some template files and database tables, which caused some popular WordPress Plugins to break in the upgrade. Many of these WordPress Plugin authors had already upgraded their Plugins to be compatible with the new version; others moved more slowly, leaving a lot of users unhappy.
When making a major upgrade, check for the latest version of:
- The WordPress Plugins that your blog is dependent upon.
- Your WordPress Theme.
If you make changes to the WordPress core programming, which is not recommended as most of these changes can be achieved with a WordPress Plugin, make sure to keep a text file with notes and details of every change you have made. Store this in a safe place, such as the wp-content folder, which is not overwritten by upgrades, so you can refer to it after an upgrade.
With this as a guide, you can redo the customizations you made that may have been overwritten in the new version.
Update WordPress Plugins and Themes Regularly
Work is underway in the next version of WordPress to make it easier to get news of updates to WordPress Plugins, and hopefully it will include WordPress Themes. Until then, it’s critical that you check regularly for upgrades for the WordPress Plugins and Themes you use.
Blog Security offers a “WordPress Theme Scanner WordPress Plugin” which looks for common WordPress template flaws and security issues in your WordPress Themes, reporting on what may need changing or updating. It doesn’t get everything, but they are working on improving it all the time. Consider testing your WordPress Theme, whether or not you designed it yourself.
Currently, there is nothing similar for WordPress Plugins to check for security flaws and issues, though there are rumors that someone is working on one.
Check with the WordPress Theme and Plugin author for updates on a regular basis. From the Plugins panel, you can click on the link to the Plugin’s official page to see if they have released an update or have news you need to know about running the Plugin on your blog.
From the Presentation panel, you can do the same thing with your WordPress Theme.
If you developed and designed your own WordPress Theme, it’s important to keep up with potential flaws and security risks you may have inadvertently included, whether in your own code or in code you copied from another WordPress Theme or article. I recommend you add the Blog Security blog to your feed reader, as well as Mark Jaquith, Weblog Tools Collection, and the WordPress Development Blog, to keep track of such announcements.
Also check the WordPress Codex, the online manual for WordPress Users, regarding the new version. There are often pages added which list Plugins and Themes reported compatible with the latest version.
Changing WordPress Themes – Check It First
Have you checked your WordPress Theme for evil? Recently, there were a lot of announcements of security flaws and unwanted advertising links embedded in WordPress Themes. Some didn’t realize that the WordPress Themes they had recently downloaded and installed on their blogs had hidden links, unwanted advertising, and other nasties.
Testing it with the WordPress Theme Scanner WordPress Plugin may help, and Pro Blog Design offers a few more suggestions you might want to try, along with these tips, which include searching your WordPress Theme template files before you upload them to your web host server:
- Search the Theme Files for http://: Search the template files and check every link reference within the files. If there is a link going somewhere you don’t want it to go, remove it or try another Theme.
- View the Generated Page Source: Using your browser’s View > View Page Source feature, view the source code of your generated WordPress blog’s web page. You might not understand all of it, but look closely at all the code to see if something is linking to an off-site location, or if a bit of code looks odd or like an advertisement. It could be.
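The two checks above, done as an added Python script rather than by hand (this is example code, not from the original post or the Theme Scanner Plugin): it lists every http:// reference in a theme’s template files whose host is not on an allow list you supply, and flags lines that hide content with CSS, where unwanted ad links are typically tucked away. The allowed hosts and the sample footer.php are constructed for the example.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Hosts a theme may legitimately link to (constructed for this example; use your own).
ALLOWED_HOSTS = {"www.example.com", "example.com"}
TEMPLATE_SUFFIXES = {".php", ".css", ".js", ".html", ".txt"}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)

def off_site_links(text, allowed_hosts=ALLOWED_HOSTS):
    """Return (host, url) for every http(s) reference whose host is not on the allow list."""
    hits = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host not in allowed_hosts:
            hits.append((host, url))
    return hits

def hidden_blocks(text):
    """Return each line that hides content with CSS; a hidden <div> is the usual
    place an unwanted ad link is buried in a bundled theme."""
    return [line.strip() for line in text.splitlines() if HIDDEN_RE.search(line)]

def scan_theme(theme_dir, allowed_hosts=ALLOWED_HOSTS):
    """Walk a theme directory and map each template file to its findings."""
    report = {}
    for path in Path(theme_dir).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in TEMPLATE_SUFFIXES:
            continue
        text = path.read_text(errors="replace")
        links, hidden = off_site_links(text, allowed_hosts), hidden_blocks(text)
        if links or hidden:
            report[str(path.relative_to(theme_dir))] = {"links": links, "hidden": hidden}
    return report

# Constructed footer.php: one legitimate link, one hidden ad link, one off-site script.
SAMPLE_FOOTER = """<div id="footer">
  <a href="http://www.example.com/about/">About</a>
  <div style="display:none"><a href="http://cheap-pills.example.net/">buy now</a></div>
  <script src="http://tracker.example.org/t.js"></script>
</div>
"""

def demo():
    """Write the sample footer into a throwaway theme directory and scan it."""
    with tempfile.TemporaryDirectory() as theme_dir:
        Path(theme_dir, "footer.php").write_text(SAMPLE_FOOTER)
        return scan_theme(theme_dir)
```

Point scan_theme() at a downloaded theme folder before uploading it; every reported host is one you should recognise, and every hidden line deserves a look.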
Protect Your WordPress Blog Files
Quick Online Tips offers “3 New WordPress Security Tips I Learnt from Matt Cutts”, tips to help you better secure your WordPress blog and files.
In general, they are:
Remove the Version Meta Tag: In your blog’s header.php template file, remove the meta tag named “generator”, which states which version of WordPress you are using. Why help hackers learn which version you are running so they can easily choose the scalpel to hack away at your blog?
Prevent Access to Your WordPress Folders: If you open your Plugins directory in a browser at http://www.example.com/wp-content/plugins you may see a listing of all of the Plugin files and directories. So can everyone else. The same may go for some of your other WordPress directories. There are a few ways to deal with this.
- Create a blank HTML or PHP file and put it in that directory.
- Put a password on the directories to prevent access. This is done through your host server’s backend management program, such as with Cpanel’s guide on protecting directories with passwords.
- Restrict access to those directories or files as explained in Hardening WordPress with .htaccess.
- Add these directories to your robots.txt file to ask search engines and other well-behaved bots not to index them.
While these seem easy, there are some drawbacks. If you restrict access to the wp-admin directory, it may block registered users from seeing parts of the Administration Panels, especially if they log on from a different IP address than they normally use. As I travel a lot, I frequently log in from various IP addresses, which would mean this method wouldn’t work for me.
Change File Permissions: You can set your files and directories to allow various degrees of access, from preventing any change to a file at all, to allowing only a specific user or program to change it. “Changing File Permissions” from the WordPress Codex explains how to change file and folder permissions on your server, but if you temporarily open them up for wide access, change them back afterwards.
For more on file permissions, see A Quick And Dirty CHMOD Tutorial from evolt.org.
Prevent Login Access
The new Login LockDown WordPress Plugin claims to:
…help increase security and reduce the chance of someone hacking into your WordPress installation.
…Login LockDown takes a different approach. Every failed login attempt is recorded, along with the timestamp of the attempt and the IP address of the user. If a user tries (and fails) to log in too many times within a certain time period, the system then blocks any login requests coming from that IP range until the lock-out is released. The lock-out period defaults to 1 hour, although that can be changed within the admin panel. The number of retries and the time period within which they must occur in order to trigger a lock-out are also configurable from the admin section, and admins do have the ability to release an IP block manually (assuming of course that they haven’t locked themselves out).
There have been many requests to WordPress developers to improve the login and registration features to prevent hackers and registration spam. Hopefully, this will improve the security of logins in general.
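The lock-out logic the quote describes, as an added Python model for readers who want to see the mechanics (this is example code, not the plugin’s own): failures are recorded per IP address with their timestamps, a configurable number of failures inside a retry window triggers a lock-out that defaults to one hour, a locked IP is refused even with the right password, and an admin can release the lock manually. It tracks single IP addresses rather than the IP ranges the plugin mentions, and the clock is passed in by the caller so the behaviour can be checked without waiting.

```python
from collections import defaultdict, deque


class LoginLockdown:
    """Record failed logins per IP and lock the IP out after too many failures
    inside a retry window. Times are plain seconds passed in by the caller.
    Constructed model of the behaviour described above, not the plugin's code."""

    def __init__(self, max_retries=3, retry_window=300, lockout_period=3600):
        self.max_retries = max_retries        # failures that trigger a lock-out
        self.retry_window = retry_window      # seconds within which they must occur
        self.lockout_period = lockout_period  # default lock-out of 1 hour
        self.failures = defaultdict(deque)    # ip -> timestamps of recent failures
        self.locked_until = {}                # ip -> time the lock expires

    def is_locked(self, ip, now):
        """True while a lock-out on this IP is still in force; expired locks are dropped."""
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[ip]
            return False
        return True

    def attempt(self, ip, password_ok, now):
        """Process one login attempt and return 'locked', 'ok' or 'failed'.
        A locked IP is refused even when the password is correct."""
        if self.is_locked(ip, now):
            return "locked"
        if password_ok:
            self.failures.pop(ip, None)       # success clears the failure history
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.retry_window:
            recent.popleft()                  # forget failures older than the window
        if len(recent) >= self.max_retries:
            self.locked_until[ip] = now + self.lockout_period
            recent.clear()
            return "locked"
        return "failed"

    def release(self, ip):
        """Manual release from the admin panel; returns whether a lock existed."""
        return self.locked_until.pop(ip, None) is not None
```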
Backup, Backup, Backup
If something does happen to your WordPress blog, be it for evil reasons or just “one of those glitches in the system” reasons, how recent is your most recent WordPress backup?
There are three steps to backing up your WordPress blog:
- Backup your WordPress blog database.
- Backup your WordPress Themes and Plugins directories.
- Backup your files and images and all non-WordPress specific files.
For more information on backing up WordPress, see:
- WordPress Codex – Backing Up Your Database
- Backing Up WordPress
- Annual Reminder (and some options) to Backup Your WordPress Blog
- Fast Computer Crash Recovery with WordPress
Monitor Your Blog For Downtime and Breakdowns
A blog can break for many reasons, though it is rarely the work of evildoers. It’s usually something the blog owner has done that breaks the blog. The breakdown can happen immediately, go unnoticed for a while, or show up unpredictably.
Before installing and activating a WordPress Plugin or Theme, or making any changes to your WordPress blog, back it up! This way, if something does happen, you have a replacement to put it right – back to the time and place where it was last right.
It also helps to monitor your blog for problems by checking your blog’s feeds or using a site monitoring service.
Don’t Do Dumb Stuff
The last tip I have for protecting your WordPress blog is to not do dumb stuff.
- Don’t work without a net. Backup EVERYTHING. Even as you are working on it – just in case.
- Do not use a simple password like your name or the word “password”. Use a complicated and strong password.
- Don’t tell people your password, put it in emails, or publish it (you think I’m kidding? It happens.)
- If you change file permissions, change them back.
- RTFM. Read tutorials, guides, instructions, and readme.txt files and follow them to the letter. They were written for a reason – with you in mind – so follow them first, before rushing to the Support Forums.
- If you need help, don’t ask me first. Search first, check the WordPress Codex, then hit the Support Forums appropriate for your version of WordPress.
- If you are not technically inclined, and the underlying code terrifies you, don’t go digging. Use a WordPress Plugin to make the changes you want, or get someone who knows what they are doing to do it for you, or to teach you how to do it yourself.
- When in doubt, don’t.
Copyright Lorelle VanFossen, member of the 9Rules Network, and author of Blogging Tips, What Bloggers Won't Tell You About Blogging.