This article is part one of two covering blog hacking for Security Month, a month-long look at the importance of security. Part two covers what to do once you have been hacked; this part focuses on how to prevent your blog from being hacked in the first place.
This article was written by Catalin Cosoi.
Blogging is undoubtedly one of the most popular forms of expression on the Web. While some bloggers opt for a hosted account with one of the major blogging platforms, others go with a self-hosted installation that offers extra flexibility but, at the same time, demands extra attention to avoid incidents.
WordPress® is one of the most popular blogging platforms, with over 25 million publishers as of June 2010. Of these, 11.4 million use the hosted service and 13.8 million self-host their blog. Bloggers who choose the hosted service benefit from security measures run and professionally maintained by the provider: the user does not have to worry about patches or other server-side security fixes, since the provider pushes them automatically.
It stands to reason, therefore, that the majority of security breaches happen on self-hosted blogs, the main causes being unpatched vulnerabilities in the blog script and misconfiguration of (or other flaws in) the web server software.
Blog hacking may occur in various circumstances and some of them are even out of users’ control. For instance, poor server configuration or vulnerable software can lead to successful exploitation of the hosting account. Other attacks are the direct result of improper blog installations or of a vulnerable plugin. In order to minimise the probability of getting hacked, here are a few simple guidelines:
- Never use blog scripts from untrusted, unofficial download sources. Above all, never use ‘nulled’ (pirated, licence-stripped) scripts: doing so is not only illegal but risky for your blog and web server, since such packages commonly ship with a backdoor added by whoever cracked them.
- Keep your FTP account clean: do not mix the account that holds your blog with other scripts you casually test online. A small vulnerability in a third-party script can get your blog ‘owned’ – as the tech kids like to say. Always test other scripts on a locally installed web server.
- Do not add unnecessary plugins or themes to your blog. Stick to what you really need and minimise the chance of having an exploitable plugin or theme. Also, ensure that any plugin you may want to upload comes from a trustworthy source. When in doubt, just ask the community.
- Generate and store SQL backups regularly. Use a plugin to automate the job and have the backups delivered to you via e-mail or via a secondary FTP account. Using the same account for storing backups is usually a bad idea, as an attacker may tamper with them or even have them deleted after a successful hack.
- Use strong passwords for FTP accounts and administrative users. Do not disclose them to anyone under any circumstance. You should also install a complete anti-malware solution to ensure that your own system is Trojan-free: some successful blog attacks were carried out using legitimate usernames and passwords intercepted by keyloggers or cache-monitoring Trojans on the blogger’s PC. (techgeek.com.au has a good guide on passwords.)
- Pay extra attention to the way you select your hosting provider. Paid hosting is usually much better than free offers, and, since you are going to spend some money, ensure that you get automatic daily backups, access logging and a web-server configuration suited to your blogging script of choice.
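Access logging, the last item above, only pays off if someone actually reads the log. The script below is an added example, not code from the original article: it reads an Apache/nginx ‘combined’-format access log and flags any source address that hammers wp-login.php with failed passwords, and notes whether a successful login followed the burst from the same address. It relies on WordPress answering a wrong password with HTTP 200 (the form is rendered again) and a correct one with a 302 redirect into wp-admin; the threshold of five failures within ten minutes, the function names and the sample log lines are all constructed for illustration.

```python
"""Spot password guessing against wp-login.php in a web server access log.

Added example; not code from the original article. Assumes the Apache/nginx
"combined" log format and WordPress's usual behaviour: a wrong password is
answered with HTTP 200 (the login form again), a correct one with a 302
redirect into wp-admin. Threshold and window values are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line; return None for anything unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop any query string
    return rec


def login_attempts(lines):
    """Yield (ip, timestamp, succeeded) for every POST to wp-login.php."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/wp-login.php"):
            yield rec["ip"], rec["ts"], rec["status"] in (301, 302, 303)


def find_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Report every source IP with >= threshold failed logins inside `window`.

    Returns {ip: {"failures": total_failed, "success_after_burst": bool}}.
    A success after the burst means the guessing most likely worked: change
    the password and check the blog for tampering.
    """
    per_ip = defaultdict(list)
    for ip, ts, ok in login_attempts(lines):
        per_ip[ip].append((ts, ok))

    report = {}
    for ip, events in per_ip.items():
        events.sort()
        failures = [ts for ts, ok in events if not ok]
        burst_end = None
        start = 0                      # sliding window over sorted failures
        for end in range(len(failures)):
            while failures[end] - failures[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = failures[end]
        if burst_end is None:
            continue
        success_after = any(ok and ts >= burst_end for ts, ok in events)
        report[ip] = {"failures": len(failures), "success_after_burst": success_after}
    return report


# --- constructed sample log (not from any real server) ---------------------
def _entry(ip, when, method, path, status, agent="Mozilla/5.0"):
    return (f'{ip} - - [{when.strftime("%d/%b/%Y:%H:%M:%S")} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "{agent}"')

_T = datetime(2010, 6, 12, 10, 0, 0)
SAMPLE_LOG = [
    # legitimate editor: one form load, one successful login
    _entry("203.0.113.10", _T + timedelta(minutes=1, seconds=2), "GET", "/wp-login.php", 200),
    _entry("203.0.113.10", _T + timedelta(minutes=1, seconds=9), "POST", "/wp-login.php", 302),
    # forgetful user: three typos spread over forty minutes, below the threshold
    _entry("192.0.2.44", _T, "POST", "/wp-login.php", 200),
    _entry("192.0.2.44", _T + timedelta(minutes=20), "POST", "/wp-login.php", 200),
    _entry("192.0.2.44", _T + timedelta(minutes=40), "POST", "/wp-login.php", 200),
    # unrelated noise: a plugin probe that 404s
    _entry("198.51.100.7", _T + timedelta(minutes=5), "GET", "/wp-content/plugins/x/readme.txt", 404, "python-urllib"),
]
# eight wrong passwords fifteen seconds apart, then a guess that works
SAMPLE_LOG += [
    _entry("198.51.100.7", _T + timedelta(minutes=2, seconds=15 * i), "POST", "/wp-login.php", 200, "python-urllib")
    for i in range(8)
]
SAMPLE_LOG.append(_entry("198.51.100.7", _T + timedelta(minutes=4, seconds=10), "POST", "/wp-login.php", 302, "python-urllib"))


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        flag = "PASSWORD LIKELY GUESSED" if info["success_after_burst"] else "attempts only"
        print(f"{ip}: {info['failures']} failed logins, {flag}")
```

Run it against a real file with `find_bruteforce(open("/var/log/apache2/access.log"))` (path is whatever your host gives you). On the constructed sample only 198.51.100.7 is reported, with eight failures and a success right after the burst; the three scattered typos from 192.0.2.44 stay below the threshold. A flagged address with `success_after_burst` set is the cue to reset the password, compare the installation against a clean backup and move on to part two of this series.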
Catalin Cosoi is with BitDefender’s antispam research labs.
Did you know you can actually win one of ten copies of BitDefender Total Security 2010 for free? Yes, you heard that right. For FREE! You can enter the competition right here.
Image by: Jacob Bøtter/Flickr (CC)