Recent Hack Attempt on my Blog

Yup, at the weekend, the DanHarrison.co.uk site was compromised by an Algerian ‘hacking’ team. However, despite good security practices, the site still got hacked. I followed the most basic rules, such as keeping all plugins and the main WordPress install up to date, as well as using strong passwords. And I still got hacked.

Just to be clear, these are the basic security principles I always abide by:

  • WordPress installation is always up to date.
  • All plugins are updated pretty much as soon as they are updated.
  • All database, FTP and account passwords are long and random (digits, characters, symbols, etc).
  • No password is used for any other site I own.
  • File permissions are set at the most strict – depending on what’s required.
  • I keep regular file and database backups. All automated to back up every single day.

However, despite all of that, I was still hacked. I am working my way through JT Pratt’s security guide as a basis for making the site more secure. Essentially I’m locking down everything I can. However, with having many websites, I want to automate it as much as possible to save me time. Just before you ask, someone I know with 0 plugins still got hacked.

There’s a high chance of getting hacked at some point because you’re running a dynamic website. However, doing everything you can to make it too much effort for a hacker is a very good idea. And if nothing else, make sure you regularly back up your website!

Updates

Here are some more useful security articles I’ve since discovered:

10 Responses to “Recent Hack Attempt on my Blog”

  • JTPratt says:

    Thanks for the linkback! Hackers are getting smarter, and the versions of WordPress they’re attacking are getting more recent. It’s important that every blogger learns about WordPress security. Don’t make yourself a victim, you can prevent this from happening to your site as well!

  • John Essex says:

    Hi Dan,

    Good to hear the hack attempt didn’t cause you too much bother – good job you know what you are doing and had regular backups. I would be a bit concerned at not knowing what the back door was that let them in. I had this with a Joomla site once – it was all up to date with no add-ons yet still got hacked. Possibly hacked from another site on the shared server; not much can be done about that and just one of the risks of shared hosting.

  • Dan Harrison says:

    John,

    Not knowing the reason for the hack is *incredibly* frustrating. However, my only comfort is my frequent backups. Sadly, one of the risks of having a website. Damn script kiddies.

    Dan

  • SocialMike says:

    Wordpress you see… it’s got a big footprint across the web (easy to sniff) and dev-heads don’t build it with security in mind.

  • Dan Harrison says:

    Mike,

    Well, the developers of WordPress do a very good job. I believe it’s the plugins that are the weakness, as the code of plugins is rarely security vetted.

    Dan

  • SocialMike says:

    Ah, but as you point out, some sites don’t have plug-ins.

    Others have been writing about this recently: http://www.wolf-howl.com/seo/wordpress-seo-security/

  • Dan Harrison says:

    Very true. Is that your blog Mike? That article is really good. Am going to add it to the main article.

    Dan

  • SocialMike says:

    No sir.

  • Sridhar Iyer says:

    Hi Dan,

    One of the best security protections is moving your blog one level below the root and calling it to the root. I couldn’t get time to do it myself yet, but for many it works like a charm. You can also use htaccess methods to increase security. Also, the best thing can be with wp-content: you can rename it and change the same in the WordPress settings. These basic measures can help you protect yourself at least from most of the brute force level 2 attacks.

    Regards
    Sridhar

  • Dale says:

    I have come across several hacks that seem to be automated; the hacker tries to lump a bit of hidden code into your footer.php below the last tag so it’s non-visible and often hard to find.

    But hidden links are a Google no-no so it screws your site up good and proper!

    Having been hacked in the past I am very security aware now.
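Added example (not part of the original post or its comments): a heuristic check for the footer.php injection described in the last comment above, flagging any content after the final `</html>` tag and any hidden-styled block that contains links. The function names, the CSS patterns, and the two sample themes are assumptions constructed for illustration.

```python
# Added example: heuristic audit of theme footer.php files (sample data is constructed).
import re
import tempfile
from pathlib import Path

CLOSING_HTML = re.compile(r"</html\s*>", re.IGNORECASE)
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|text-indent\s*:\s*-\d{3,}", re.IGNORECASE)
LINK = re.compile(r"<a\s[^>]*href", re.IGNORECASE)

def trailing_content(text):
    """Return what follows the last </html> tag ('' if nothing or no tag)."""
    matches = list(CLOSING_HTML.finditer(text))
    return text[matches[-1].end():].strip() if matches else ""

def audit_footer(path):
    """Return a list of (finding, excerpt) tuples for one footer.php."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    findings = []
    tail = trailing_content(text)
    if tail:
        findings.append(("content-after-html", tail[:80]))
    for m in HIDDEN_STYLE.finditer(text):
        window = text[m.start():m.start() + 400]  # markup right after the style
        if LINK.search(window):
            findings.append(("hidden-link-block", window[:80]))
    return findings

def scan_themes(themes_dir):
    """Audit every */footer.php under themes_dir; return only flagged themes."""
    results = {}
    for footer in sorted(Path(themes_dir).glob("*/footer.php")):
        findings = audit_footer(footer)
        if findings:
            results[footer.parent.name] = findings
    return results

def demo():
    """Build two constructed themes in a temp dir and scan them."""
    clean = "<?php wp_footer(); ?>\n</body>\n</html>\n"
    tampered = clean + '<div style="display:none"><a href="http://spam.example/">x</a></div>\n'
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in (("clean-theme", clean), ("tampered-theme", tampered)):
            (Path(tmp) / name).mkdir()
            (Path(tmp) / name / "footer.php").write_text(body, encoding="utf-8")
        return scan_themes(tmp)

if __name__ == "__main__":
    print(demo())
```

Point `scan_themes` at `wp-content/themes` and review each flagged file by hand; a theme that legitimately emits markup after `</html>` will also be reported.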
