The blog of the day over at PPP has a post up about how our blogs can be hacked. I guess with the last WP upgrade there was a security issue and many hackers took advantage of it. Do you think I should be concerned enough to contact my host and figure out how to see if my sites have been hacked? If so, how do I find out and fix it?
Karen dropped off this question a couple of days ago and, given the impending release of WordPress 2.6, I thought now would be a good time to answer it. Everyone who sets up a blog or website needs to understand how their site can be hacked or defaced, what risks they face and which incidents, at the end of the day, are just hype that can safely be ignored.
First of all, let’s look at this from the villain’s point of view. Why would someone want to hack your website? Well, there are a number of reasons. In the past it was done simply to show off. There was a certain pride in being able to break into, say, the UN’s website and leave your name all over it. High-profile sites were the main target back then and the little guy didn’t really need to worry too much about these threats. Nowadays, unfortunately, there is money to be made by breaking into someone’s website. I’m not talking about high-profile cases where, for example, a medicare advantage website suffers a DDoS attack and is held to ransom by the people launching it. Instead, smaller outfits now try to get into people’s websites to embed links to sites that will pay them for the privilege. It’s usually adult websites that are ready to pay a premium for traffic, so those are the links to watch out for. And if someone broke into your website and changed your AdSense code so that THEY get credited with your income, then there’s still something in it for them.
So, with that in mind, here are some tips to protect your blog from getting hacked:
- Make sure your administration password is secure: This is the key to your website. In the same way that you wouldn’t give the key to your house to a stranger, don’t throw this around. Instead, make sure it’s secure and DON’T GIVE IT TO ANYONE. If you need to give access to your website, create a new account, then delete it when they are done. The more people who know your administration password, the more chance there is that someone can intercept it and use it against you.
- Make sure you’re always running the latest version of your software: As you may be aware by now, new versions of WordPress and of WordPress plugins come out all the time. Whenever an exploit is found for a particular version, the developers can release a fix quite quickly. However, if you’re running an older version of their software, you are leaving yourself open to people using that exploit to get through your defenses. Always make sure you are running the latest version of any software.
- Always keep backups: Make sure you have a recovery plan for your blog. If the unthinkable happens, you can always throw it all away and recover from a backup. Try to keep multiple backups too; if the last one you took was already compromised, it’s good to be able to go back to an older one. Backups can mean the difference between losing a few days of posts and losing everything you ever posted to your blog.
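To answer the "how do I find out" part of Karen's question, here is a small check for the two symptoms described above: links hidden from visitors and an AdSense publisher ID that isn't yours. This is an added example, not code from the original post; run it over a saved copy of a page's HTML or a theme file. The publisher ID and the sample HTML are constructed placeholders.

```python
"""Scan page HTML or theme files for hidden injected links and foreign AdSense IDs."""
import re

# The publisher ID you expect in your own AdSense code (constructed placeholder).
EXPECTED_PUB_ID = "pub-0000000000000000"

# Inline CSS that hides an element from visitors while search engines still see it.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0|"
    r"position\s*:\s*absolute;\s*left\s*:\s*-\d{3,}px", re.I)
# A div/span/p that carries an inline style attribute, captured with its inner HTML.
STYLED_ELEMENT = re.compile(
    r"<(div|span|p)\b[^>]*style\s*=\s*['\"]([^'\"]*)['\"][^>]*>(.*?)</\1>", re.I | re.S)
ANCHOR_HREF = re.compile(r"<a\b[^>]*href\s*=\s*['\"]([^'\"]+)['\"]", re.I)
AD_CLIENT = re.compile(r"google_ad_client\s*=\s*['\"]([^'\"]+)['\"]", re.I)


def find_hidden_links(html):
    """Return the hrefs of anchors that sit inside a visually hidden element."""
    found = []
    for _tag, style, inner in STYLED_ELEMENT.findall(html):
        if HIDDEN_STYLE.search(style):
            found.extend(ANCHOR_HREF.findall(inner))
    return found


def find_foreign_ad_clients(html, expected=EXPECTED_PUB_ID):
    """Return every AdSense publisher ID on the page that is not your own."""
    return [client for client in AD_CLIENT.findall(html) if client != expected]


# Constructed sample: one legitimate footer link, one hidden spam block,
# your own ad code and a second ad block crediting someone else.
SAMPLE_HTML = """
<div class="footer">Powered by <a href="https://wordpress.org">WordPress</a></div>
<div style="display:none"><a href="http://example.net/spam1">cheap pills</a>
<a href="http://example.net/spam2">casino</a></div>
<script>google_ad_client = "pub-0000000000000000";</script>
<script>google_ad_client = "pub-9999999999999999";</script>
"""

if __name__ == "__main__":
    print("hidden links:", find_hidden_links(SAMPLE_HTML))
    print("foreign ad clients:", find_foreign_ad_clients(SAMPLE_HTML))
```

Run it against the page as served to visitors as well as against the theme files, since an injection in a plugin or the database shows up only in the rendered output.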
I hope these suggestions can help you feel more confident in what you’re doing. The nice thing is that you’re not alone: there are thousands of other WordPress users, and if there’s a problem with the software you’re running it will get fixed pretty sharpish.