A worm is making its way through the WordPress blogging software, sweeping across millions of blogs and hitting whatever it finds vulnerable. Vulnerable are all versions of WordPress prior to 2.8.4, which is the most recent version.
If you are following the best practices to keep your WordPress blog safe, you are safe. If you are not following the best practices, you are at a high risk!
Scobleizer hit; lessons to be learned
One of the high-profile bloggers affected by the worm is Robert Scoble. The consequences of the attack are that Scoble has lost part of his blog archives and that Google has removed his blog from its index, which means Robert is losing the thousands of visitors that Google sent him daily.
Robert now says that he doesn’t feel safe with WordPress, but if you look more closely into the case, you can see what went wrong:
- Scoble didn’t have a backup of his blog archives.
- Scoble didn’t upgrade to the latest WordPress version.
- Scoble used the default “admin” username.
Backing up is so easy
Activate the WordPress Database Backup plugin and set it to back up your blog automatically and send the backup file to your email address. It is two minutes’ work to install it, activate it and set it to email you a new backup automatically every day, every week or whenever you decide.
Upgrading is just as simple
Upgrading your self-hosted WordPress blog is just as simple as backing up your blog archives. When a new upgrade is available, WordPress shows a notice at the top of your dashboard. It will say “WordPress 2.8.4 is available! Please update now”. Click on it and your upgrade is one click away.
If you are afraid to upgrade because of some old WordPress theme you are using or some old plugin that you think is not compatible with the new WordPress, then please switch over to something more modern and something that you know has a serious developer and community behind it. Thesis Theme for example released a WordPress 2.8 compatible design on the day of the WordPress release.
Creating a new admin username
It is harder for a hacker to break into your blog when both the username and the password have to be cracked. That is why you should create a new user and delete the WordPress default “admin”.
You create a user by going into “Users” then “Add New”. When creating the new user, make sure to give it the role as an “Administrator”.
Simply log out from your default “admin” account and log in with the new user details. In “Users” you can now delete the default admin username. It even gives you an option to transfer the posts you wrote as “admin” to your new username.
How do I know if my blog got hacked?
According to Lorelle, there are two ways that you can know if your WordPress has been attacked:
There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.”
The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognise.
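The two clues above can be checked mechanically. The following script is an added example, not code from the post or from WordPress: it URL-decodes request paths and flags any that contain the `eval(` or `base64_decode(` keywords the post singles out, and it lists administrator accounts in the raw users table that you did not create (the raw table, rather than the dashboard Users screen, because commenters below report the worm hiding its extra administrator from that screen). The request paths, the user rows and the `KNOWN_ADMINS` set are constructed sample data.

```python
import re
from urllib.parse import unquote

# --- Constructed sample data (not taken from any real site) ---------------
# A few request paths as they would appear in an access log; the second one
# carries the kind of injected permalink the post quotes.
SAMPLE_REQUESTS = [
    "/category/post-title/",
    "/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/",
    "/2009/09/how-to-back-up/",
]

# Rows as you would see them in the wp_users table, with the role taken from
# the wp_capabilities entry in wp_usermeta (column names are WordPress's;
# the rows themselves are constructed).
SAMPLE_USERS = [
    {"ID": 1, "user_login": "admin",   "role": "administrator"},
    {"ID": 2, "user_login": "marko",   "role": "administrator"},
    {"ID": 3, "user_login": "editor1", "role": "editor"},
]

# Hypothetical: the administrator logins the blog owner knows they created.
KNOWN_ADMINS = {"marko"}

# The two keywords the post points at; allow whitespace before the "(".
INJECTION_PATTERN = re.compile(r"\b(eval|base64_decode)\s*\(", re.IGNORECASE)


def suspicious_requests(paths):
    """Return the request paths whose URL-decoded form contains eval( or base64_decode(.

    Decoding first matters: the worm's permalink arrives percent-encoded
    (%7B for "{", %5B for "["), and a keyword could itself be percent-encoded.
    """
    return [p for p in paths if INJECTION_PATTERN.search(unquote(p))]


def unexpected_admins(users, known_logins):
    """Return administrator logins, sorted, that are not in the owner's known set."""
    return sorted(
        u["user_login"] for u in users
        if u["role"] == "administrator" and u["user_login"] not in known_logins
    )


def admin_role_count(users):
    """Count administrators; compare with the 'Administrator (N)' count you expect."""
    return sum(1 for u in users if u["role"] == "administrator")


if __name__ == "__main__":
    print("suspicious requests:", suspicious_requests(SAMPLE_REQUESTS))
    print("administrators in table:", admin_role_count(SAMPLE_USERS))
    print("administrators you did not create:",
          unexpected_admins(SAMPLE_USERS, KNOWN_ADMINS))
```

On a real site you would feed `suspicious_requests` the request column of your web server's access log and `unexpected_admins` a dump of the users table; a non-empty result from either is a reason to restore from backup rather than to clean by hand.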
Best practices to keep your blog safe
Ten simple minutes of work and you can feel much safer knowing that your blog is less likely to be affected by any security risk. The “trouble” of making your blog safe is worth it; it is much less than the real trouble of fixing a hacked WordPress blog, which can take weeks or months before you get back to the level you were at before the security breach.
{ 36 comments }
Wow, it sure didn’t take hackers long to find an exploit in the previous version of WordPress. I learned early on that you have to ALWAYS back up your stuff. It really sucks when you lose some of your hard work forever. Hopefully this will be a good reminder so everyone backs up and keeps WordPress updated and secure. Another good security trick is to IP-restrict the wp-admin folder to only your IP address. This adds an additional layer of protection to your WordPress installation.
Yeah, that is the one Matt Cutts mentioned in his WordPress presentation, seems like a very sound idea!
I guess we’re now due for 2.8.5 since I just finished updating all of my WP installations and plugins 8=) I have to keep on top of this better in the future.
The ip restriction that you mention above can be a problem for some people as we don’t always come from the same IP address (I have 3 different places where I regularly connect with my laptop, not to mention connecting when travelling). The password option (described in the article you linked) may be a better one.
If you don’t update your blog or blogs to the latest version then it is your own fault. Greg Ellison
Thanks Marco. Good advice. I really worried about that Admin user thing, but as I hadn’t heard it was a problem I just ignored my suspicions. I’ve changed it now.
Robert did mention having to change his “admin” username in his post, so I am not sure what exactly happened on his blog. But it is such an easy change to make, so why not.
With my older blog I just hit the DB and updated the user name that way, instead of changing accounts.
Cool. That is a more technical way that many people would not be very familiar with, so I just wrote the simplest method for an average blogger.
Would this work with 2.8.4? Also, the user_id would still be set to 1 and that might be a way in for a hacker.
Thanks Marko!
You have inspired me to make all of my upgrades. First I did a Thesis upgrade from 1.5 to 1.5.1, and then I did WordPress from 2.7 to the current version of 2.8.
I also installed the Database Backup plugin before upgrading. It did take me more than ten minutes…only about 2 hours…but totally worth it!
Also, I just purchased your twitter e-book and it is very helpful.
Keep up the good work.
Thanks Adam. Because you were on an older version, you had to upgrade it manually. On 2.7+ upgrading is as simple as that video of mine shows above. But now at least you have a safer blog, and you have tons of new features that will make your blog better and your life within the WordPress interface much easier and more productive.
Nice tip. I installed the plugin you have recommended. Better late than never.
Cheers,
Santosh Puthran
If you’re running an older version of WordPress, i.e. v2.6.3, is there anywhere that shows you how to upgrade to the latest 2.8.4?
You have to do this manually and I have no idea what to upload in case I override something and lose info.
Try the Automatic Upgrade plugin. The functions of the plugin were incorporated into WordPress at 2.7, but essentially it is the same method as the built-in automatic upgrade we have now.
When you look for that second Administrator, you’ll see it in the list of users (the title row), but you won’t be able to see it listed. The worm hides it from view. I had to access the users table through PHPMyAdmin and there it was.
It’s easy to blame people for not upgrading, but I run hundreds of blogs (yes, I employ writers), and upgrading all of them is a major chore that does not always get done on time. It’s why I’ve switched to a new application recently – enough of popular open source software – they attract hackers like flies to honey.
WordPress MU could be your choice then, it lets you do everything at once.
I’ve added a new user under ‘Administrator’ as you instructed. When I go into “Users” now, it lists two administrators- my old ‘admin’ login and my new ‘safer’ login name. I was about to hit delete on my admin login, but it lists that I have 2188 posts under the admin name. What will happen to those posts when I delete the admin username? I’m worried it will erase my posts!
When you try to delete it, it gives you an option to move all your posts to another username, so you should do that.
The prompt it gives me is “you are about to delete selected items, click ok to delete & cancel to cancel” I’m not getting the prompt to move the posts to the other username. Forgive my tentativeness, but I’m afraid I’m going to delete 2188 posts if I delete my old username! ??
Not like that. Create a new account, login with the new account, in Users hover over the old username and it will give you “delete” option. Click that and then choose “Attribute all posts and links to:” and select your new username.
Perfect- SO helpful. Thanks so much for taking the time to guide me in doing this
Thanks for the advice. This is exactly the sort of thing that newbie bloggers like me need to know about! ; ) Cheers!
Dena
Evolution
Excellent info. It’s amazing that someone with such a high profile blog as Scoble was not backing up effectively, let alone not keeping current with his WP version. Especially since using the database backup plugin is so effortless.
I’ll bet that he’ll be backing up his data more effectively in the future
I’ve seen it many, many times over the years where some people don’t fully grasp the value of data backup until catastrophe strikes. Bummer. Learning the hard way hurts.
I heard about this (or read) online in the last 2 days. I’ve never used Wordpress for any of my blogs. Not to say that it can’t happen to Joomla, Blogger, or Typepad
Sure enough… the necessary step to counter all sorts of worm attacks is to have a backup of your latest blog. Also do make sure that your admin area is concealed as much as possible.
I heard about this a few days ago but I didn’t know much about protecting against it, thanks for sharing this great post.
Hey Marko,
What software is used to record your screencast? Excellent advice by the way, as always!
Cheers!
Thanks. It is Screenflow for Mac.
Unfortunately, my blog got hacked. But I was lucky enough to fix the problem fast. Great post!
Talk soon,
Jorge
Thanks for such a clear and informative post.
I have to go erase ADMIN:)
stumbled
Thanks for the advice Marko. Practical and easy to follow.
RB
But…
I have a blog with Spanish content, more than +300k daily hits, +8.5 million views monthly, and I’m using the 2.7.1 version; that’s the last time I updated. I’m worried about updating to 2.8.4 because we have custom plugins and widgets that may not work after updating.
I think the update is only for a few people; if you have a blog below 1 million views daily, you shouldn’t update.
We have our admin side very protected and the login form as well.
just my opinion
I tried to update from 2.8 to 2.8.4 the other day with the one-button update. I waited a good long time but nothing happened. So I manually downloaded the update and proceeded that way, no real problem. But I guess I’m missing something re: how it could be updated automatically. Certain updated folders and items need to be protected against overwrite, correct? I’ve carefully followed the detailed ‘lengthy’ upgrade version each time, and I’d welcome a more automatic upgrade that works. How does the one-step upgrade do what it does, actually?
This is a great reminder to us all to not just backup but keep our versions up to date as well.
I am just in the middle of updating all my blog software.
You did it…
You scared me into taking a look at my security.
I’m running 2.8.4, but I need to check out all your advice ASAP.
Thanks for the timely reminder.