
WordPress Hacking Increasing?

Recently, there have been more reports than normal of people having their blogs hacked. Some Splashpress Media blogs were affected, but only insofar as spam code was added to the entries; no personal data was accessed. Now I see that Vandelay Website Design’s blog has also been hacked. Is this all due to not updating, or could there be other security concerns?

WordPress users, especially corporate and blog network users, have to become more vigilant about making sure their WordPress blogs are up to date, their databases and files are backed up, and their file permissions are set correctly.

If anyone has any other security tips for WordPress users, please comment below. A security resource should be put together that goes above and beyond what I have already listed here.

Categories: WordPress News


Comments

  1. Anna Vester says: 11/14/2007

    Yep, I have noticed that about Vandelay as well. There is something weird going on. Bittbox is also having problems as of several days ago.

    “The hack seems to be adding spammy links to my RSS feeds and (every once in a while) you might see a blank white screen with the phrase “Already hacked by Magic SEO Toolz.””

    Here is a link to a possible fix that was posted on the Devlounge website –
    http://www.devlounge.net/articles/protect-your-wordpress-wp-config-so-you-dont-get-hacked

    Hope this helps.


  2. Alex Leonard says: 11/15/2007

    Regarding the correct setting of file permissions, I’ve often wondered exactly what the dangers are and what files shouldn’t ever have their permissions altered.

    Various aspects of WordPress or Plugins require certain folders to have their file permissions changed to be writable (666?), but I never feel certain as to how risky this is?

    Any suggestions?


  3. Michael says: 11/16/2007

    @Alex Leonard: Having file permissions set at 666 or 777 means that, in theory, the world can write to the files with those permissions.

    I learned this the hard way, when hackers uploaded various scripts for the purpose of sending spam emails. My web host suspended my account after they got away with a few hundred emails or so.

    Unless absolutely necessary, NEVER leave file permissions at 666 or 777. The normal permission set, depending on the type of file, should be 644 (for static files, like HTML pages and images) or 755 (for things like Perl scripts).

    These tips don’t just apply to WordPress. Keep them in mind when maintaining any Web application.


  4. Alex Leonard says: 11/20/2007

    Thanks for that info Michael.

    So does this mean that risks are there with WordPress needing, for example, the uploads folder to be set at 666?

    Presumably there is no way around this.


  5. William Teach says: 11/25/2007

    My own site and a few others I know got hacked, having the htaccess file changed to have a 301 redirect, and some weird stuff after the body tag. The htaccess was easy to fix, but, for the rest, actually had to upgrade to 2.3.1 to fix the issue. Not sure if got in through the admin panel or what.


  6. free download says: 12/2/2007

    Thank you.
    I set up WordPress, 2 days later hacking :S


  7. Kieran says: 9/29/2008

    Is there any way to bulk change the permissions? There are a lot of files for WordPress and having to change permissions on each one is rather daunting! Not to mention the time.

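An added example, not part of the original post or any commenter's text: a shell sketch that answers the bulk-change question in comment 7 using the 644/755 values from comment 3. The function names and the `--fix` argument are made up for this example, and applying 755 to directories (so they stay traversable) is an assumption the comments do not state.

```shell
#!/bin/sh
# Added example: audit and bulk-normalise permissions under a WordPress tree.
# Function names and the --fix argument are illustrative, not a WordPress tool.

# Print every regular file or directory that "other" (the world) can write
# to, i.e. anything with the o+w bit set, such as 666 or 777.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Number of world-writable entries under the given directory.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Bulk change: directories become 755 and regular files become 644.
# find does not follow symlinks by default, so links pointing outside the
# tree are left alone. Scripts run as CGI (for example Perl) would need
# 755 restored by hand afterwards.
normalize_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Usage: sh wp-perms.sh /path/to/wordpress          (audit only)
#        sh wp-perms.sh /path/to/wordpress --fix    (audit, then fix)
if [ -n "${1:-}" ]; then
    echo "World-writable entries under $1:"
    list_world_writable "$1"
    if [ "${2:-}" = "--fix" ]; then
        normalize_perms "$1"
        echo "Remaining after fix: $(count_world_writable "$1")"
    fi
fi
```

Run the audit first and review the list before using `--fix`. Folders WordPress itself must write to, such as uploads, keep working at 755 only when the web server runs as the owner of the files.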