WordPress Security Scare, Are You Impacted?
While getting ready yesterday for a webinar we held for our subscribers, I did a bit of research and was quite amazed by the results. A Google News search for "wordpress" produced mostly results about WordPress security and the latest hack that many reputable hosts have experienced.
What makes it even more interesting to me is that MOST of the problems people experienced could have been easily avoided! Today I will once again share my own method for building an overall defense perimeter, so that your blog is as secure as possible while still retaining its functionality.
While WordPress seems to take front stage in the latest massive hack attack, as seen in the screenshot below, I think it is important to note that this attack is also hitting other scripts and, as reported, WordPress often gets infected as a result of an attack against some other script on the same account or server. I'm not going to recite all the gory details, as there are a couple of great blogs that already track the event and provide solutions if your blog fell victim to one of the forms of the attack:
- Sucuri Security – the official blog of Sucuri Security Labs; provides a lot of technical information as well as solutions
- WPSecurityLock – a blog dedicated to WordPress security, managed by very knowledgeable bloggers. Highly recommended for anyone conscious of their blog's well-being or wanting the details of what happened. NOTE: If your blog was already impacted and you need a cleanup, they provide that service for an extremely reasonable fee; just click on the Services navigation tab!
And what if you haven't been impacted by the latest scare and would like to make ABSOLUTELY, POSITIVELY SURE that it will not happen to you, or that if it does, you will be able to recover easily?
The answer is actually extremely simple and involves some shameless self-promotion! I KNOW that if you have followed the instructions in my free post "Triple "P" Of Total WordPress Security" and built a complete defense for your blog, you would be, if not 100% protected, at least notified quickly when an attack happened against your blog, and would KNOW exactly which files you have to clean up or recover in order to restore your blog to full glory!
And if you prefer more visual guidance, my FREE DVD, Lock Your Blog, is still available! Just pay shipping and handling to get access to the physical DVD order form as well as instant access to the digital streaming version of the entire DVD. Yes, we do ask that you pay shipping and handling, but we have to cover our shipping expenses as well as S3 storage and bandwidth.
Related WordPress Security articles
- Getting Security Warnings? Please Let Us Know (newspaperdeathwatch.com)

20 Responses to “WordPress Security Scare, Are You Impacted?”
Trackbacks/Pingbacks
- [...] you've lived under a rock I'm sure you heard about all the latest attacks against several hosts, which were initially believed to be a WordPress issue. Quite frankly I will disagree here that WordPress [...]
- [...] I saw an article from my good friend Alex Syseof about "WordPress Security Scare, Are You Impacted?" I recommend you check it out, but it brought to mind something that is important but often gets [...]
Yes, prevention is always easier than the cure. I wish more people would take the time before they get hacked and listen, rather than fight to fix it after the fact.
.-= Mike Paetzold´s last blog ..Your blogging learning curve just got shattered =-.
Yeah, unfortunately this is how it works most of the time. People become "security conscious" only when exposed to a problem.
I had just blogged about WordPress security issues myself when I heard about the hosting companies, GoDaddy etc., who were affected.
If the malware script was injected into the shared server by finding its way into just one of the domains on that server (as has been suggested), and then gained access to the other domains on that server, are the security measures you describe going to protect you? Especially if the attack was made via the script getting FTP access details?
.-= Clive at BlogBriefing.com´s last blog ..WordPress Security – Evil Is Among Us! =-.
Just found a hand removal script for this hack at http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html There is a txt file to download; rename it to .php, upload it to your site and run it.
Hope it helps someone else.
Twitter: kathypop
Hi Alex, how effective are the allowed-IP lines in our .htaccess files (so only folks from those IPs can log in) against attacks like this?
.-= Kathy Pop´s last blog ..Hosting Special ~ Get 3 Months For The Price Of 1! =-.
Kathy, from everything I have seen so far, this is a host-based attack, meaning that someone else's account on the same shared server gets compromised (or even the host itself), and from that point the attackers exploit all accounts on that server.
No matter how secure your personal account might be, in this case you will be exposed. Unfortunately, this is how my own account was exploited a while back, with a hack very similar to what is happening now. I highly recommend implementing the "WordPress File Monitor" plugin and setting its notifications to email you every 30 minutes, to ensure you get word of an attack against your blog at most 30 minutes after it happened and also KNOW exactly which files were modified.
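The "know exactly which files were modified" property Alex recommends above comes from a file-integrity baseline: hash every file once, re-hash on a schedule, and report the difference. The script below is an added example of that idea as a stand-alone Python tool; it is not the WordPress File Monitor plugin's code and not code from the post. The directory layout it builds and the three changes it simulates (a removed core file, a theme file with an appended payload, a PHP file dropped into uploads) are constructed for the demonstration.

```python
"""Added example: file-integrity baseline and diff for a WordPress tree.
Not the WordPress File Monitor plugin; all paths below are constructed."""
import hashlib
import json
import os
import shutil
import tempfile

HASH_ALGO = "sha256"  # hash content; mtimes are trivially reset by an intruder


def hash_file(path, chunk_size=65536):
    """Stream a file through SHA-256 so large media files are not read into RAM."""
    h = hashlib.new(HASH_ALGO)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, ignore_dirs=()):
    """Return {relative_path: sha256} for every regular file under root.

    ignore_dirs: relative directories to prune (e.g. a cache directory).
    Do not blindly ignore wp-content/uploads: a writable uploads directory
    is a common place for dropped PHP files, and those are exactly what
    you want to see.
    """
    ignore = {os.path.normpath(d) for d in ignore_dirs}
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        dirnames[:] = sorted(
            d for d in dirnames
            if os.path.normpath(os.path.join(rel_dir, d)) not in ignore
        )
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a planted symlink must not make us hash files outside root
            rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def diff_baseline(old, new):
    """Compare two baselines; the three lists are exactly the files to inspect."""
    old_paths, new_paths = set(old), set(new)
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "modified": sorted(p for p in old_paths & new_paths if old[p] != new[p]),
    }


def save_baseline(baseline, path):
    """Write the baseline as JSON. Keep this copy where the web account cannot
    write: an intruder who can edit your files can also edit a baseline
    stored beside them."""
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Constructed demonstration: baseline a toy WordPress-like tree, apply
    three changes of the kind an intrusion leaves behind, return the diff."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    state = tempfile.mkdtemp(prefix="wp-demo-state-")  # stands in for off-host storage
    try:
        seed = {
            "index.php": b"<?php require 'wp-blog-header.php';\n",
            "wp-config.php": b"<?php define('DB_NAME', 'wp');\n",
            "wp-content/themes/demo/footer.php": b"<?php wp_footer(); ?>\n",
            "wp-content/uploads/2010/05/photo.jpg": b"\xff\xd8\xff\xe0 constructed jpeg stub",
        }
        for rel, data in seed.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        baseline_path = os.path.join(state, "baseline.json")
        save_baseline(build_baseline(root), baseline_path)

        # Constructed changes standing in for an intrusion.
        with open(os.path.join(root, "wp-content/themes/demo/footer.php"), "ab") as fh:
            fh.write(b"<?php /* constructed: appended payload */ ?>\n")
        with open(os.path.join(root, "wp-content/uploads/dropped.php"), "wb") as fh:
            fh.write(b"<?php /* constructed: dropped file */ ?>\n")
        os.remove(os.path.join(root, "index.php"))

        return diff_baseline(load_baseline(baseline_path), build_baseline(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)
        shutil.rmtree(state, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run the real thing from cron against your WordPress root, keep the JSON baseline (and the script itself) somewhere the web account cannot write to, and regenerate the baseline only after you have verified a legitimate update. As Alex says of shared hosts, a monitor like this detects and tells you what to restore; it does not prevent the compromise.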
Why wait to be hacked? Making a move after an attack is bad; we should apply security first and move to prevent the attack. It is better to be guided enough to apply this security so that it will not happen to you. Thanks for your tips.
I heard most of the recent hacks were on GoDaddy-hosted blogs... that ain't good for them, huh.
I’ve subscribed to WPSecurityLock – thanks for that.
.-= Dennis Edell´s last blog ..Warning: 8 Posts Coming Back to Back =-.
Dennis, actually a lot more hosts are impacted; I know of Network Solutions, Media Temple and a few others. GD is just the MOST impacted, but then again, I always recommend that my customers and subscribers stay away from their hosting! GD is not IM-friendly hosting.
Nope, they aren't; never have been. Being the #1 domain registrar on the net, they should stick with their strengths.
.-= Dennis Edell´s last blog ..Web Income Experiments DotCom Wins Hands-Down! =-.
WordPress security and how people handle it is analogous to hard drive backup and how people handle that. Everyone talks about it, everyone knows that they should do it, few actually do it, and then they all gripe when something happens. The story is the same: "I shoulda done those things to make it easier for me if something bad happened." I do the "backup things" that you should on your computer, and I still had a lot of time recently invested in getting my computer back up after a failure, but that was because I wanted to eliminate some of the annoying things that had gotten installed previously. Now, I need to focus on my WordPress security and handle it.
I agree, James. I personally pay for Mozy backup to protect all my PCs; best investment one can make.
I have been looking into this topic hoping for an easy fix. Thanks for the information. It would be really nice if there were just a simple plugin to get that would tighten things up. I have several web design clients that use the platform for their CMS.
Glad to know that I was not doing anything wrong. I had all the security I thought I needed on my blog, and I have been hacked twice in the past 2 weeks. I could not figure out how they were getting in. Now I am just going to be mad at GD.
Mike, I think you should read this post, which will explain your issues as well as those of many other GD users:
http://smackdown.blogsblogsblogs.com/2010/05/13/hosting-with-godaddy-might-want-to-rethink-that-decision/
Alex
Thanks for the reply, I will check it out now.
Actually, Andy Beard chimed in at the end of the thread, guys.
He seems to think it is not WordPress but a GoDaddy hosting configuration that is at fault.
In fact one of his friends actually saw the script installing itself and feels it has little to do with WordPress.
http://www.google.com/profiles/chrislang
I hope you all can help people get past these problems, after 3 tries I am moving on and going back to my own business.
I really thought I could fight this off and produce solutions for others but at this point I can do no more.
Using a limited number of plugins with a proper hosting configuration on the server is highly necessary for any web application. WordPress by default is very secure. The problem starts when we use many plugins without checking whether they are still in development or not.
Keeping that in mind will surely keep the blog healthy.
Nice plugins suggestions though. Thanks
Robin
.-= Robin´s last blog ..Kaspersky 2010 Licenses (3 User) Give Away – Contest June 2010 =-.