On Friday, I thought I was finally going to publish my (now seriously overdue) Part 2 post to my BP Oil Spill solution. Instead, upon logging on to the site to reference my post, I met a nasty surprise: my site was hacked.
The site was hacked roughly a week ago. I immediately took the site down and decided to spend Sunday repairing it. What’s the verdict? Simply put, it’s an issue that would fly over most of your heads, so if you do not have a WordPress blog and have no interest in how it’s possible to hack a site, feel free to leave and know that I will go back to posting my usual thoughts this week. I took the necessary measures so this incident won’t be a repeat episode.
If you are interested in what happened, meet me after the jump.
Let me start off by saying this: there are two versions of WordPress: self-hosted and WordPress.com. I use the self-hosted version. This problem affects only the self-hosted version, so if you have a WordPress.com blog, you’re a-okay. Now, while WordPress is one of the best Content Management Systems (CMS)/blogs, it’s not without its faults. From a fresh installation, it is not a well-secured CMS. Security can easily be breached, and the “hacker” doesn’t even need to guess your password. They can simply go into your database and change it.
(FYI: I call this “hacking” loosely. Mainstream media popularized the term “hackers” for criminal activity such as security breaching. The proper term is code-cracking or “crackers”. Alas, I am not here to give you a history lesson in terminology.)
The security breach was a very simple and preventable one: I didn’t secure the wp-config.php file, a file that configures your WordPress installation. Now, WordPress gives you a basic level of security, but you have to take it one step further to really protect yourself. So, if you want to prevent this from happening, there are a few things you can do.
1) Do It Yourself
Here’s a quick tutorial on how to make an almost perfect .htaccess file. It will not only protect your wp-config.php file, but will also disable image hotlinking (which is good if you host the images yourself), enable PHP compression (saving bandwidth), redirect old pages to new ones and much more. While there are other methods, I prefer the simplest one to duplicate.*
2) Hire someone else to do it for you.
If you cannot do the tech stuff yourself, then it’s best to alert your webmaster, or you can hire me to do it for you. (I will give you a reasonable price for it. Just don’t expect free.)
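For those who want to see what the “protect wp-config.php” part of such an .htaccess file looks like, here is an added example (my own illustration, not the file from the tutorial linked above). It assumes Apache with .htaccess overrides enabled for the WordPress directory, and it covers both the Apache 2.4 and the older 2.2 access-control syntax so the same file works on either.

```apache
# Added example, not the tutorial's own file: refuse every web request for
# wp-config.php (which holds the database name, user and password) and for
# .htaccess itself, so neither can be read over HTTP. Assumes Apache with
# AllowOverride enabled for this directory.
<FilesMatch "^(wp-config\.php|\.htaccess)$">
    # Apache 2.4 and newer: mod_authz_core provides "Require".
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 and older: fall back to the classic Order/Deny directives.
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Also switch off directory listings, so a missing index file in wp-content/
# or wp-includes/ does not hand visitors a browsable list of your files.
Options -Indexes
```

After saving the file, requesting /wp-config.php in a browser should answer 403 Forbidden instead of serving (or executing) the file; WordPress itself keeps working because it reads wp-config.php from disk, not over HTTP.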
To get more details about this security problem, I suggest you look up this blog post.
So, that’s it. If you got anything to add to this, please let me know, especially since I got some techie people watching this blog!
(Added 7/24/10) *Disclaimer: After setting up this security measure and setting it up for others (as well as getting feedback), I realized that not all hosting plans are as flexible as mine. Some people reported having issues. I also had issues setting up the measures, forcing me to reduce it to just protecting the wp-config file. So, I’m adding a disclaimer that it’s best to look at several methods and test them out. I would highly suggest reading this link over the first one I posted.