This afternoon, Adroisys was down for close to three hours owing to some corruption in the WordPress installation directory. Initially, I thought it was a hack but there was no sign of any DB corruption or possible deletion of directories. I had not done any kind of changes to WordPress or my theme for the last twenty four hours and this happened when I was at work where I cannot really do FTP to my hosting service! While the reason behind corruption is still a mystery, I managed to do a copy back of most of my WordPress directory thereby reinstating the status.
I had done some research about the script errors and the most of the WordPress support threads (pathetic!) suggested that the blog was hacked! I guess that is the solution they give when nothing is known. However, I figured out that blogs, unlike some of the traditional websites, are more vulnerable to hacking. I have my reasons to think so:
Why are blogs easy prey to hackers?
Firstly, the majority of the self-hosted blogs are served via cheap shared hosting services. As a matter of fact, they host 500 to 600 domains on one server some of which cannot be even monitored for suspicious activities. Some of these hosting services may not even have proper security infrastructure. I read in many places about the vulnerability of certain shared hosting services (I do not want to name it here)
Secondly, most blog engines store the content in databases and there are many SQL injection threats that cannot be easily blocked. Most of these blog platforms are just evolving and hence there is no single fix to the injection hacks. I must say that the great WordPress is still vulnerable!
My next reason – many blogs are authored and web-mastered by not-so-technical people and hence they usually go with default settings. This is one of the problems that needs to be addressed by individuals.
Another thing that happened with my hosting service – HostMonster – a month ago was the corruption in their PHP installation. This lead to all blogs on a particular server to be down for 4-5 hours! Well, probably that’s the result of trade off between price and quality, I guess. For a cheaper price, you will have to cope up with support people who are not technically equipped!
What saved me the day?
Because of my recent upgrade to WordPress 2.7.1 – which I was not sure will go through – I had taken the complete back up of pre-upgrade and post-upgrade status of my directories. I actually did a folder copy of the WordPress directory on the server itself, which can be renamed at any point of time to take it live. This in fact helped me.
One of my regular habits has been the whole directory backup and the automated database back up.
How to hacker-protect your WordPress blog?
These are a few things that come to my mind:
- Always keep your WordPress version upgraded, if they have security fixes, that is
- Enable automated backup using the WordPress Database Backup Plugin
- Keep changing your server/FTP passwords, even though you might want to keep all your passwords unchanged and same for the purpose of easily remembering them
- Beware of malicious plugins, themes and widgets – do we ever suspect a plugin or widget developer?
- I have heard about login lockdown plugins and plugins that do not hand over some of that WordPress information (like version, plugins installed etc) to the hackers, but I do not understand their values. Hackers are smarter people!