Posts Tagged ‘Security’
Earlier this month, WordPress users across the world (as well as users on other platforms) fell victim to a massive brute-force attack on their sites.
The hack, or attempted hack, used a large botnet (a network of compromised computers doing the bidding of someone else) to repeatedly guess passwords on WordPress sites in order to gain administrative access to them. From there, the attackers would take over the sites and attempt to fold them into a new botnet, one made up of high-powered servers with better connections to the Web.
For most sites, the attack was pretty harmless. If you don’t use the default “admin” account and your password is not easily guessed, you were most likely safe from it. Rather than targeting anyone in particular, the attack cast a broad net in the hope of finding the low-hanging fruit: sites that can be trivially broken into.
But while your site is probably fine as long as you took even the most basic precautions, there were still repercussions. The weight of thousands of login attempts put a strain on many people’s servers, especially servers hosting many different WordPress sites. This resulted in websites slowing to a crawl and even going down, including ones that were not directly targeted.
But while the worst seems to have passed for now, there are still some lessons to be learned from it and it’s important to grasp them before the next wave hits.
Because if there’s one thing that’s for certain, there is another wave coming. Read More
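What “the next wave” looks like from the server side is worth seeing in code, so here is an added example of mine (not from the original post) that runs a brute-force check over access-log lines. It assumes an Apache-style combined log and the usual WordPress behaviour that a failed POST to wp-login.php re-renders the form with HTTP 200 while a successful one redirects with 302; the log lines, the function names and the thresholds are all constructed for the example. It makes the point a botnet relies on: a per-IP limit alone misses an attack spread across many addresses, so you also want to count how many distinct sources are failing at the same time.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample traffic in Apache "combined" log format (not a real log).
def _line(ip, second, status, path="/wp-login.php", method="POST"):
    return (f'{ip} - - [15/Apr/2013:03:00:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 3984 "-" "Mozilla/5.0"')

SAMPLE_LOG = [
    # one noisy source: six failed logins in six seconds
    *[_line("198.51.100.7", s, 200) for s in range(1, 7)],
    # eight quiet sources, two failures each: every one stays under a per-IP limit
    *[_line(f"203.0.113.{i}", 10 + i, 200) for i in range(1, 9)],
    *[_line(f"203.0.113.{i}", 20 + i, 200) for i in range(1, 9)],
    # a real login: WordPress answers a successful POST with a 302 to wp-admin
    _line("192.0.2.50", 30, 302),
    # unrelated traffic
    _line("192.0.2.51", 31, 200, path="/2013/04/some-post/", method="GET"),
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return the fields we need from one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }

def failed_logins(lines):
    """Yield (ip, timestamp) for each failed login.

    Assumption about the log: a failed wp-login.php POST re-renders the form (HTTP 200),
    while a successful one redirects to the dashboard (HTTP 302)."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == "/wp-login.php" and rec["status"] == 200:
            yield rec["ip"], rec["ts"]

def detect_bruteforce(lines, window=timedelta(minutes=1), per_ip_limit=5, distinct_ip_limit=6):
    """Sliding-window analysis of failed logins.

    Flags two things: single sources that exceed per_ip_limit failures inside `window`
    (classic brute force), and windows in which at least distinct_ip_limit different
    sources fail (a botnet spreading its guesses so each IP stays under the per-IP limit)."""
    events = sorted(failed_logins(lines), key=lambda e: e[1])
    in_window = Counter()   # ip -> failures currently inside the window
    single_source = set()
    max_distinct = 0
    start = 0
    for ip, ts in events:
        in_window[ip] += 1
        # evict events that fell out of the window ending at `ts`
        while events[start][1] < ts - window:
            old_ip = events[start][0]
            in_window[old_ip] -= 1
            if in_window[old_ip] == 0:
                del in_window[old_ip]
            start += 1
        if in_window[ip] >= per_ip_limit:
            single_source.add(ip)
        max_distinct = max(max_distinct, len(in_window))
    return {
        "single_source": sorted(single_source),
        "distinct_sources": max_distinct,
        "distributed_alert": max_distinct >= distinct_ip_limit,
    }

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

On the constructed log, only 198.51.100.7 trips the per-IP limit, but nine different addresses fail inside one minute, which is the signal that a single-IP lockout plugin would never see. Real sites should tune the window and thresholds to their own login volume.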
It’s Halloween in the United States (and much of the rest of the world). As such, people are gathering together for parties, going trick or treating and telling scary stories.
In that spirit, last week on Performancing I discussed legal nightmares that can happen to you and your blog. Specifically, there were three scenarios that, while sounding like nothing more than legal theory, actually happened to one or more bloggers.
Here are five more practical horror stories to keep you awake when it comes to your blog. Best of all, I don’t have to give specific examples, because each and every one of these has happened not once or twice, but hundreds, if not thousands, of times.
So if you’re wondering about the gruesome ways your blog can be mangled, kidnapped or killed, here are just five of the more common (and more sudden) ways to consider. Read More
Most bloggers and webmasters who use WordPress understand that they need to keep the core files up to date and also update any plugins they have installed. Fortunately, WordPress makes doing so easy and painless, usually just a click away, and most users seem to do it without thinking about it.
To drive this point home, prominent WordPress core developer Mark Jaquith said in a recent talk at WordCamp Phoenix 2011 that “The themes of today are pretty much like plugins in terms of what they can do.”
In short, the functionality of themes and plugins overlaps greatly, as even “basic” themes include additional elements that manipulate WordPress by adding new options and settings.
However, while all of this new functionality is a great thing for bloggers, especially those who want to easily design a great site, it’s bad news for security. A WordPress theme is a potential security risk, just as any plugin is, and it requires maintenance and testing to make sure it is still safe.
Unfortunately, few people give their themes such weighty consideration, possibly leading to major problems down the road.
Automattic (the company behind WordPress.com) was recently targeted by hackers and suffered a breach of several of its servers.
Tough note to communicate today: Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.
We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited. (Official WordPress Blog)
To their credit, Automattic alerted the community about the breach, a habit I wish were emulated in other industries, which often inform users days, if not weeks, later.
Automattic is still investigating the break-in. Although there is no evidence so far that any passwords were compromised, the company recommends that users change their passwords.
It’s also a good idea for self-hosted blogs that use WordPress.com services (like VaultPress) to change their WordPress.com passwords as well.
Note: For those of you who are extra paranoid, you can also change your username as well by visiting your Global Dashboard, then clicking on “Personal Settings” in the sidebar, then scrolling down to the “Account Details” section and clicking on the “Change” link next to your user name.
Although this breach affects self-hosted WordPress users only indirectly, it is wise to verify your hosting company’s security defenses and to install a plugin that limits failed login attempts (such as Login Lockdown) on your site.
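To show what a login-lockdown plugin actually does, here is an added example of mine (not the Login Lockdown plugin’s code and not from the original post) of the same idea in Python: failed logins are counted per source network inside a time window, and once the limit is hit the whole network is refused for a lockout period, before any password is checked. The class name, the thresholds (3 failures in 5 minutes, 1 hour lockout), the /24 and /64 grouping and the PBKDF2 credential store are all assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress
from collections import defaultdict, deque

class LoginGuard:
    """Lock out a source network after repeated failed logins.

    Failures are counted per /24 (IPv4) or /64 (IPv6) rather than per address, so an
    attacker cannot dodge the limit by hopping between neighbouring addresses."""

    def __init__(self, max_failures=3, window=300, lockout=3600, v4_prefix=24, v6_prefix=64):
        self.max_failures = max_failures
        self.window = window          # seconds in which failures are counted
        self.lockout = lockout        # seconds a network stays locked
        self.v4_prefix, self.v6_prefix = v4_prefix, v6_prefix
        self._failures = defaultdict(deque)   # network -> timestamps of recent failures
        self._locked_until = {}               # network -> time the lock expires

    def _key(self, ip):
        addr = ipaddress.ip_address(ip)
        prefix = self.v4_prefix if addr.version == 4 else self.v6_prefix
        return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

    def is_locked(self, ip, now):
        key = self._key(ip)
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[key]
            return False
        return True

    def record_failure(self, ip, now):
        """Record one failed login; return True if it pushed the network into lockout."""
        key = self._key(ip)
        recent = self._failures[key]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            recent.clear()
            return True
        return False

    def record_success(self, ip):
        self._failures.pop(self._key(ip), None)

    def attempt_login(self, ip, username, password, now, check_credentials):
        """Gate a login: refuse locked networks before the password is even checked."""
        if self.is_locked(ip, now):
            return "locked"
        if check_credentials(username, password):
            self.record_success(ip)
            return "ok"
        return "locked" if self.record_failure(ip, now) else "denied"

# Constructed stand-in for the real credential store: one user, PBKDF2-hashed password.
_SALT = b"constructed-salt-not-for-production"
_USERS = {"editor": hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", _SALT, 50_000)}

def check_credentials(username, password):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)
    # compare against a dummy digest for unknown users so timing does not reveal valid names
    stored = _USERS.get(username, bytes(len(digest)))
    return hmac.compare_digest(stored, digest)

if __name__ == "__main__":
    guard = LoginGuard()
    for t, pw in enumerate(["password", "123456", "letmein", "correct horse battery staple"]):
        print(t, guard.attempt_login("203.0.113.5", "editor", pw, now=t * 10,
                                     check_credentials=check_credentials))
```

Note the limitation, which is the flip side of the botnet story above: a lockout keyed on the source network stops one attacker hammering you from one place, but does nothing against guesses spread over thousands of unrelated addresses. For that you still need strong passwords and, ideally, a second factor.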
Despite rumors to the contrary, WordPress is actually a very secure CMS platform, used by millions of people around the world.
Unfortunately, its immense popularity makes the software a prime target for hackers, much as Facebook and Twitter are prime targets because “everyone” is using them.
While there are more advanced measures to take when securing a WordPress site, here are the three most common habits I see among WordPress users that set a blog up to be hacked. Read More
Imagine sitting down at your computer one morning and opening up your blog. Instead of your homepage or your admin panel staring back at you, you see a bright red warning screen telling you that malware has been detected on the site and advising you not to enter.
The realization quickly sinks in that, if you are seeing that warning, so is everyone else trying to visit your site. You hurry to figure out what happened but quickly realize that your site has been compromised and that, if you are even able to log in, you have a very big mess to clean up. Worst of all, when you’re done, you have to apply for reconsideration with Google and other security companies and then wait 12 hours or more for the warning to clear.
It’s a painful process: in the best of circumstances it can ruin an entire day, and in the worst it can destroy an otherwise healthy site.
Still, it is an all-too-common occurrence on the Web. Bloggers learn too late that their sites are vulnerable and are left to clean up the mess an attacker leaves behind. That mess can be as simple as malware added to the site, spam links inserted into the theme or a defaced homepage, but in extreme cases it can go as far as deleting everything the blogger has done.
To help keep you, your visitors and your site safe(r) from hackers, you need to make sure your server is secure. Fortunately, it isn’t very complicated, but failure to spend the time and energy today can be very costly tomorrow. Read More
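The mess described above (malware or spam links dropped into theme files) is much easier to clean up if you can tell exactly which files changed, so here is an added example of mine (not from the original post) of a file-integrity baseline: hash every file under the site root while it is known to be clean, compare later, and grep the PHP for constructions that injected backdoors use far more often than honest themes do. The function names, the pattern list and the miniature site tree it builds in a temporary directory are all constructed for the example; the patterns produce leads to inspect, not verdicts.

```python
import hashlib
import re
import tempfile
from pathlib import Path

def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def diff_manifest(baseline, current):
    """Compare a trusted baseline manifest with a fresh one."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }

# Constructions that legitimate theme and plugin code rarely needs but injected
# backdoors and spam-link droppers use constantly. Hits are leads, not verdicts.
SUSPICIOUS = [
    ("eval of decoded payload", re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)", re.I)),
    ("remote code include", re.compile(r"(include|require)(_once)?\s*\(?\s*['\"]https?://", re.I)),
    ("dynamic function call on user input", re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\[[^\]]+\]\s*\(", re.I)),
    ("hidden spam container", re.compile(r"display\s*:\s*none[^>]*>\s*<a\s", re.I)),
]

def scan_php(root):
    """Return (relative path, reason) for every .php file matching a suspicious pattern."""
    root = Path(root)
    hits = []
    for p in sorted(root.rglob("*.php")):
        text = p.read_text(errors="replace")
        for reason, pattern in SUSPICIOUS:
            if pattern.search(text):
                hits.append((p.relative_to(root).as_posix(), reason))
    return hits

def demo():
    """Build a constructed mini site tree, baseline it, then simulate a compromise."""
    root = Path(tempfile.mkdtemp())
    theme = root / "wp-content" / "themes" / "mytheme"
    theme.mkdir(parents=True)
    (theme / "header.php").write_text("<?php wp_head(); ?>\n<body>")
    (theme / "style.css").write_text("body { margin: 0 }")
    baseline = build_manifest(root)

    # simulated attacker: append a backdoor to the theme (payload decodes to phpinfo();)
    # and drop a new file under an innocuous name
    with (theme / "header.php").open("a") as f:
        f.write('<?php eval(base64_decode("cGhwaW5mbygpOw==")); ?>')
    (theme / "wp-cache.php").write_text("<?php $_POST['c']($_POST['a']); ?>")

    return {
        "changes": diff_manifest(baseline, build_manifest(root)),
        "hits": scan_php(root),
    }

if __name__ == "__main__":
    from pprint import pprint
    pprint(demo())
```

Keep the baseline manifest somewhere the web server cannot write (or off the box entirely), regenerate it after every legitimate update, and compare on a schedule; a manifest the attacker can edit is worth nothing.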
Question: What is the most common door hackers use to enter your site?
Answer: The same one you use.
It is a little-known fact that much of what we think of as “hacking” and “cracking” is really just social engineering and guesswork. Though blogs can and often do get exploited because of some kind of security issue, your password is your first and best line of defense against attacks.
Yet far too many bloggers are very relaxed about their passwords. It starts with picking poor ones, continues with reusing them on untrustworthy services and all too often ends with one’s site being defaced, deleted or, even worse, loaded up with malware that infects visitors.
It’s a very dangerous blogging pitfall but, fortunately, one that can be very easily avoided.
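“Picking poor ones” is easier to avoid if the site refuses them, so here is an added example of mine (not from the original post) of a password audit of the kind a registration or profile form could run: it rejects passwords that are short, that appear in (or are a thinly disguised variant of) a common-password list, that contain the username or site name, and that a slow online guessing attack against the login form could still find within a year. The 12-character minimum, the guess rates and the short wordlist excerpt are assumptions made for the example; a real deployment would use a full leaked-password list.

```python
import string

# Constructed excerpt of a "most common passwords" list, in the order an attacker
# would try them (not a real leak file; a real one has millions of entries).
COMMON_PASSWORDS = [
    "123456", "password", "12345678", "qwerty", "abc123", "123456789",
    "111111", "1234567", "iloveyou", "adobe123", "123123", "admin",
    "letmein", "photoshop", "monkey", "shadow", "sunshine", "password1",
]

ONLINE_RATE = 30          # guesses/second a botnet can push through wp-login.php (assumed)
OFFLINE_RATE = 10 ** 10   # guesses/second against a leaked fast-hash database (assumed)

def charset_size(pw):
    """Size of the smallest obvious alphabet the password draws from."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(c in string.punctuation or c == " " for c in pw): size += 33
    if any(ord(c) > 127 for c in pw): size += 100   # rough allowance for non-ASCII
    return max(size, 1)

def normalize(pw):
    """Undo the substitutions people use to 'strengthen' a dictionary word (P@ssw0rd)."""
    table = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                           "@": "a", "$": "s", "!": "i"})
    return pw.lower().translate(table)

def common_rank(pw, common=COMMON_PASSWORDS):
    """1-based position in the wordlist if the password or its de-leeted form is there."""
    for rank, candidate in enumerate(common, start=1):
        if pw.lower() == candidate or normalize(pw) == normalize(candidate):
            return rank
    return None

def estimated_guesses(pw):
    """Guesses a patient attacker needs: wordlist rank if listed, else exhaustive search."""
    rank = common_rank(pw)
    return rank if rank is not None else charset_size(pw) ** len(pw)

def seconds_to_crack(pw, guesses_per_second):
    return estimated_guesses(pw) / guesses_per_second

def audit_password(pw, username="", site=""):
    """Return the reasons a password should be rejected; an empty list means it passes."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if common_rank(pw) is not None:
        problems.append("is (a variant of) a common password")
    low = pw.lower()
    for label, value in (("username", username), ("site name", site)):
        if value and value.lower() in low:
            problems.append(f"contains the {label}")
    if len(set(pw)) < 4:
        problems.append("uses fewer than four distinct characters")
    if seconds_to_crack(pw, ONLINE_RATE) < 365 * 86400:
        problems.append("a 30 guess/second online attack could find it within a year")
    return problems

if __name__ == "__main__":
    for pw in ["password", "P@ssw0rd", "admin123", "Tr0ub4dor", "correct horse battery staple"]:
        print(f"{pw!r}: {audit_password(pw, username='admin')}")
```

The estimate deliberately ignores the attacker’s best tool, which is the password you reused on a site that later leaked: no local policy can score that, which is why the post’s point about reuse matters as much as the one about strength.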
Last weekend was filled with controversy, and the reason was a worm hitting many self-hosted WordPress blogs. We warned and urged everyone to upgrade, even though the most recent version of WordPress, 2.8.4, had been released almost three weeks earlier. WordPress 2.8.4 was the second security update for the 2.8 branch in less than two weeks, and it was released only two days after the vulnerability was discovered, showing how hard the WordPress community has worked to improve and secure the platform.
Ever since WordPress 2.3, which was released almost exactly two years ago, every WordPress blogger has received an update notification whenever a new version is available. The majority of new releases are bug fixes and security updates.
Personally, whenever I see that yellow new-release notification I cannot hit “Update now” fast enough. If not for the security aspect, then for the ugliness of the notification.
Nevertheless, these days some people are given a megaphone online and cannot resist the urge to be vocal, even though they were the only ones to blame. One of these people last weekend was Robert Scoble. His post “I don’t feel safe with WordPress, hackers broke in and took things” quickly went viral; Robert received support but also bashing. Gruber even went as far as to say that Movable Type is safer. Read More