WordPress Security - So You Think Your Blog Is Safe?

By John Hoff
Author of the WordPress Defender eBook

Procrastination is the killer of all that is good, if you ask me. Let’s take WordPress security.

I don’t think there’s a person out there who, after learning just how much of a problem WordPress hacking is, wouldn’t agree that it’s a good idea to enhance the security of their blog. However, something I’ve noticed over the years is that when it comes to WordPress security and securing their blogs against hackers, bloggers seem to be stuck in this *reactive* state.

They don’t do anything until something has been done to them… until something bad has been done to them.

I live in Las Vegas. Las Vegas seems to be on the “bad” list for just about everything, crime included. It’s sad that I don’t feel really safe at night, but at least I have a house alarm, which makes me feel a little more comfortable. Yes, it is a reactive security feature I’ve set up, but it’s a proactive step. Many people don’t install house alarms until guess what? …they get robbed.

Why is that?

Because they get scared. It seems being scared is a big motivator. I scared one person when I emailed them to let them know I found a huge security hole in their website. Turned out it was a WordPress blog and take a look at what I found:

If you click on the image above you’ll see that those are all database backups someone did for their blog. I found this (as well as many others) online and ready for download. If I were a bad, bad person, I could have done a lot of damage here, but instead I emailed the website owner about their security problem. Hopefully they fixed the problem and now take WordPress security a little more seriously.
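The check a site owner would want after reading that: walk the document root and flag database dumps that the web server would hand out. This is an added example, not code from the article or from WordPress Defender; the docroot layout it builds is constructed for the demo, and the `.htaccess` test assumes Apache's `Deny from all` / `Require all denied` syntax.

```python
import os, re, tempfile

# Names and leading bytes that mark a database dump or a whole-site backup.
BACKUP_RE = re.compile(r"\.(sql|sql\.gz|sql\.zip|bak|tar\.gz|zip)$", re.I)
DUMP_MARKERS = (b"-- MySQL dump", b"CREATE TABLE", b"INSERT INTO")

def looks_like_dump(path):
    """True if the first bytes of the file read like a SQL dump (catches renamed dumps)."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4096)
    except OSError:
        return False
    return any(marker in head for marker in DUMP_MARKERS)

def dir_is_protected(directory):
    """True if an .htaccess here refuses every web request (Apache syntax)."""
    try:
        with open(os.path.join(directory, ".htaccess"), errors="replace") as fh:
            text = fh.read().lower()
    except OSError:
        return False
    return "deny from all" in text or "require all denied" in text

def find_exposed_backups(webroot):
    """Web-relative paths of backup files the server would hand out."""
    exposed = []
    for dirpath, dirs, files in os.walk(webroot):
        if dir_is_protected(dirpath):
            dirs[:] = []  # .htaccess rules also cover subdirectories
            continue
        for name in files:
            full = os.path.join(dirpath, name)
            if BACKUP_RE.search(name) or looks_like_dump(full):
                exposed.append("/" + os.path.relpath(full, webroot).replace(os.sep, "/"))
    return sorted(exposed)

def build_demo_webroot():
    root = tempfile.mkdtemp(prefix="wp-demo-")  # constructed sample docroot
    layout = {
        "wp-content/backups/site.sql": b"-- MySQL dump 10.13\nCREATE TABLE wp_users",
        "wp-content/backups/.htaccess": b"Order deny,allow\nDeny from all\n",
        "wp-content/uploads/db.txt": b"-- MySQL dump 10.13\nINSERT INTO wp_options",
        "old/blog.sql.gz": b"\x1f\x8b",
    }
    for rel, body in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return root
```

Run it against a real docroot with `find_exposed_backups("/var/www/html")`; anything it lists should be moved outside the web root or shielded with a deny rule.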


Let Me Show You Why You Need to be Careful

Since scare tactics seem to be what drives some people to take action (or at the very least start thinking about the problem), let me shoot a few scare tactics your way.

Let’s pretend I’m Joe the Butt Hole Hacker. I have nothing better and more productive to do with my life than hack into people’s sites and blogs and make their lives miserable. I don’t care about all the hard work and time you’ve put into your blog, I just want to break it.

Here are some things I might consider doing.

1. Hang out at a local coffee shop or some other public area where there is free Wi-Fi.

After spending a few days and hitting a few spots around town, I finally find a cafe which offers free, unsecured Wi-Fi and to my pleasure, there are a ton of people sitting around each day connecting their laptops to the “free” Internet service. I sit down and use my handy dandy Wi-Fi cracker tool and log myself into people’s computers… remember, they’re all on a shared network.

From there it’s easy, all I need to do is upload a virus or key logger program so I can track your keyboard movements. “Hey look at that, that girl over there is logging into her WP blog. Here, let me see what she’s typing in her username and password for something.”

Lesson: Don’t trust free Internet connections. At least make sure the place uses a secured Wi-Fi connection if you’re going to use it.

2. Create fake online profiles

Since I (our fictitious hacker Joe) have nothing better to do with my time, I’ll go ahead and set up some fake social media profiles. Here, let me go to your blog and check out who your friends are and who you trust.

Got ‘em.

Now let me head over to one of your friend’s sites and take a couple screen shots of their blog, personal photos, and note a few names.

Got it!

Now it’s time to sign up for a new Facebook account and use this person’s name and identity to pose as your friend. Once I get it all set up, I’ll be emailing you posing as your friend and asking you to be friends with me on Facebook (or Twitter, or whichever social site).

Cool, now we’re friends. “Hey buddy, I’ve started doing blog upgrades. Tell you what, if you’ll do a review of my Facebook page and give me a little feedback, I’ll upgrade your blog for you – no charge. I’ll just need your username and password.”

Or perhaps it’s your computer I want. Instead, maybe I’ll just befriend you on Facebook and send a link your way telling you, “You gotta see this video! Click this link here.”

Oops, did I forget to tell you that link is not really a video? It’s a virus I created just for you!

Lesson: Don’t trust anyone online, at any time. Yes, you might make friends and over time you might even trust them; unfortunately, someone can use that trust against you. Your WordPress security depends on you.

Case in point: the other day my wife was watching Dr. Phil in the other room and when I heard him say something, I got up, walked out of my office and asked her to rewind it (oh how I love TiVo).

Dr. Phil said that someone was posing as him online and asking people to do something, like download a file or something… sorry, I forget now what that was. He said it was a fake site and he has never asked someone to download anything of the sort.

3. Password Guessing

As I (our fictitious Joe the Butt Hole Hacker) know, people have way too many usernames and passwords to remember. You’ve got Twitter, Facebook, your online banking, LinkedIn, two blog logins, FTP, web hosting, etc., accounts which all come with logins and passwords you need to remember.

If you’re one of the proactive ones, I might find it a little harder to crack your password. But if you’re one of the reactive ones, I might just get you.

According to an article in the NY Times, one of the most popular passwords going around these days is 123456.

Lesson: Do I really need to say it?

I understand that since the birth of the Internet as we know it, things have gotten a lot harder to control and secure. People in 2010 assimilate 10 times the amount of information each day as people did in 1980 (that’s not a scientific study I did, just logic). I understand it’s hard to have a different username and password for all your online profiles, unless you use a program like (links open in a new tab) Roboform (PC and affiliate link) or 1Password (Mac), which I HIGHLY suggest.

But realize that online and WordPress security is something you really need to start thinking about. Don’t just be the reactive type; take steps to start protecting yourself today. Don’t let Joe the Butt Hole Hacker make your life miserable and make all that you’ve worked so hard to create come crashing down in a matter of seconds.

The point of this article is to hopefully get those of you who don’t think much about online and WordPress security to start thinking.

So, did I put a little scare into you? Or is this just information you accept and figure if it happens, it happens?


Want To Learn How To Secure Your Blog Against Intruders?

Check out my book, WordPress Defender. It'll teach you everything I know about WordPress security.


© 2011 John Hoff, All Rights Reserved