WordPress Worm Attack – Best practices to keep your blog safe
A worm is making its way through WordPress blogging software: it sweeps across millions of blogs and hits whatever it finds vulnerable. Vulnerable are all versions of WordPress prior to 2.8.4, which is the most recent version.
If you are following the best practices for keeping your WordPress blog safe, you are safe. If you are not following them, you are at high risk!
Scobleizer hit; lessons to be learned
One of the high-profile bloggers affected by the worm is Robert Scoble. The consequence of the attack is that Scoble has lost part of his blog archives, and Google has removed his blog from its index, which means that Robert is losing the thousands of visitors Google sent him daily.
Robert now says that he doesn’t feel safe with WordPress, but if you look more closely at the case, you can see what went wrong:
- Scoble didn’t have a backup of his blog archives.
- Scoble didn’t upgrade to the latest WordPress version.
- Scoble used the default “admin” username.
Backing up is so easy
Activate the WordPress Database Backup plugin and set it to back up your blog automatically and send the backup file to your email address. It is two minutes’ work to install it, activate it and set it to email you a fresh backup every day, every week or whenever you decide.
Upgrading is just as simple
Upgrading your self-hosted WordPress blog is just as simple as backing up your blog archives. When a new upgrade is available, WordPress shows a notice at the top of your dashboard saying “WordPress 2.8.4 is available! Please update now”. Click on it and your upgrade is one click away.
If you are afraid to upgrade because of an old WordPress theme or an old plugin that you think is not compatible with the new WordPress, then switch to something more modern that you know has a serious developer and community behind it. Thesis Theme, for example, released a WordPress 2.8-compatible theme design on the day of the WordPress release.
Creating a new admin username
It is harder for a hacker to break into your blog when both the username and the password have to be cracked, rather than the password alone. That is why you should create a new user and delete the WordPress default “admin”.
You create a user by going into “Users” then “Add New”. When creating the new user, make sure to give it the role as an “Administrator”.
Simply log out from your default “admin” account and log in with the new user details. In “Users” you can now delete the default admin username; WordPress even offers to transfer the posts you wrote as “admin” to your new username.
How do I know if my blog got hacked?
According to Lorelle, there are two ways you can tell whether your WordPress blog has been attacked:
The first clue is strange additions to your pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords to look for are “eval” and “base64_decode”.
The second clue is a “back door” created in the form of a “hidden” Administrator. Check your site’s users for “Administrator (2)” or a name you do not recognise.
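As an added example (not from this article, Lorelle’s post or WordPress itself), the Python script below applies both of those checks to exported data: it URL-decodes a list of permalinks and flags any containing eval( or base64_decode(, and it lists administrator accounts whose login is not on an allow-list you maintain. The permalinks and user rows are constructed samples, and the allow-list parameter known_admin_logins is an assumption of this example.

```python
import re
from urllib.parse import unquote

# Constructed sample permalinks: the second one is modelled on the tampered
# permalink quoted in the article, the other two are clean.
SAMPLE_PERMALINKS = [
    "http://example.com/category/post-title/",
    "http://example.com/category/post-title/%&(%7B$%7Beval(base64_decode("
    "$_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/",
    "http://example.com/2009/09/another-post/",
]

# Constructed sample user rows shaped like the Users screen: (login, display name, role).
SAMPLE_USERS = [
    ("editor-jane", "Jane", "Editor"),
    ("robert", "Robert", "Administrator"),
    ("wp-admin2", "Administrator (2)", "Administrator"),  # the kind of hidden account to look for
]

# The two keywords the article tells you to look for, followed by an opening
# parenthesis so that ordinary slugs such as "evaluation" do not match.
INJECTION_MARKERS = re.compile(r"(eval|base64_decode)\s*\(", re.IGNORECASE)


def suspicious_permalinks(urls):
    """Return the permalinks that contain eval( or base64_decode( after URL-decoding.

    Decoding is applied twice on the assumption that an exporter or web server
    may have percent-encoded the already-encoded payload a second time.
    """
    hits = []
    for url in urls:
        decoded = unquote(unquote(url))
        if INJECTION_MARKERS.search(decoded):
            hits.append(url)
    return hits


def unexpected_admins(users, known_admin_logins):
    """Return administrator rows whose login is not in the allow-list of admins you created."""
    return [u for u in users if u[2] == "Administrator" and u[0] not in known_admin_logins]


if __name__ == "__main__":
    for url in suspicious_permalinks(SAMPLE_PERMALINKS):
        print("tampered permalink:", url)
    for login, name, _ in unexpected_admins(SAMPLE_USERS, {"robert"}):
        print("unrecognised administrator:", login, "(" + name + ")")
```

Feed it the permalinks from your sitemap or access log and the rows from the Users screen; anything it prints deserves a closer look before you restore from backup.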
Best practices to keep your blog safe
Ten simple minutes of work and you can feel much safer, knowing that your blog is less likely to be affected by any security risk. The “trouble” of making your blog safe is worth it; it is far less than the real trouble of fixing a hacked WordPress blog, which can take weeks and months before you get back to the level you were at before the security breach.