Original page: http://scobleizer.com/2009/09/05/i-dont-feel-safe-with-wordpress-hackers-broke-in-and-took-things/
http://wordpress.org/development/2009/09/keep-w...
The more people who stay up to date the better place the web is.
Truly embarrassing.
My blog was hacked recently, too, but I'm not on a managed hosting platform. It was my fault. I also do nightly backups, and pulled down a manual backup right after I discovered the hack. Fortunately, I had enough security features in place that they weren't able to do any real damage. I'm on 2.8.4 now.
Rackspace needs to figure its stuff out.
-Erica
The ONLY solution is to keep an eye on upgrades and apply them as soon as they come out, at least if they're security upgrades. If it's just a new version adding features you don't necessarily need, then you don't need to worry about it as much, but security upgrades are vital. Any upgrade announcement will usually say which it is.
Also, it's usually only major upgrades that are likely to break plugins, themes, etc. - going from version 1.x to 2.x, for example, or maybe occasionally something like 2.5. Smaller upgrades like going from 2.8.3 to 2.8.4 or something like that are very unlikely to cause trouble.
I know it's usually a good idea with desktop software applications to wait a while after an upgrade is released for the bugs to be worked out, and with major upgrades to web applications the same is often true. But the big difference between desktop and web applications is that security is MUCH more of a concern on the web. By their very nature, web applications are sitting out there on the internet, much more accessible to people who want to break them than anything on your own computer at home is. So security upgrades are considerably more urgent.
The basic point is: while this sort of thing is definitely a headache, it's not anything in the nature of Wordpress as such. Rather, it's in the nature of the web.
Backing up your data is always a good step towards achieving an acceptable level of peace of mind with web endeavors.
You need to be aware of a problem: There is a HUGE misconception as to what managed hosting is.
People (like you, as evidenced by the comment I'm replying to) believe that managed hosting means inflexibility. Wordpress.com is an example of a limited, managed platform. But managed hosting in general is an entirely different animal.
In the web hosting industry, "fully managed" simply means the hosting provider takes care of updates (and typically backups, as well.) You'll want to understand exactly what's covered under their management agreement so you don't get burned. Some only manage hardware. Some only manage hardware+OS. Some manage everything (those are expensive.)
In summary: Managed hosting is NOT just Wordpress.com. Managed hosting is having the hosting provider do these tasks for you. The hosting company installs Wordpress.org on your own server, backs it up, and maintains/upgrades it. That's what Rackspace does best! That's how they can charge so much money. And as a very visible employee of Rackspace, you HAVE to understand the difference between what their managed platform offers, what their unmanaged platform offers, and what Wordpress.com offers.
Their cloud hosting platform has both a managed and an unmanaged variety. You need to understand the difference between those, too.
Sit down with their sales guys. They explain it every day--I know I did as a former managed hosting company CEO.
I am disappointed they didn't explain this to you; after all, it's a core component of their business. But maybe they assumed you already knew; I probably would have, too.
-Erica
http://wordpress.org/extend/plugins/wp-db-backup/
I have configured it to AUTOMATICALLY send me a weekly email with the SQL structure of the database tables. My Gmail filter simply archives the email and the attachment. If ever poop hits the fan, I simply restore from my inbox... Now if Gmail loses all my stuff then I'm in the poop, but here's to hoping I won't get double whammed :)
Sure, we are all techies at the end of the day, and I don't blame you for scratching that itch :-)
Someone said it a few tweets down, but there's a really easy plugin down below that will automatically back up your blog to a server or email address, and you can schedule it to backup things once a week.
It's called WP-DB-Backup (http://wordpress.org/extend/plugins/wp-db-backup/). I'm running it on Jeremiah Owyang's blog, and it allows me to have a weekly backup of what's going on in case his site goes down. You guys are putting out so much great content that you really don't have any other option but to make sure it goes somewhere safe.
I'll even help you set it up if you would rather it.
There are other measures you can take to make sure your site doesn't get hacked / make it harder to hack.
1) Set your permissions to disallow public writing (it makes your themes uneditable in the editor, but if you have FTP access go in and enable one at a time until you're done, then re-disable it).
2) Move your WordPress directory somewhere else. There are tutorials (like this one: http://codex.wordpress.org/Giving_WordPress_Its...) that show you how to set WordPress up to live in a subfolder, which you can name whatever you want, but have it live in the root directory (keep the root folders clean too)
3) Create a username that's not the default admin username, and delete the admin user. That's the first place they check because it's the default.
Simple stuff, takes minutes to do, but a stitch in time saves nine, I guess. Good luck in the recovery process, and if you need some advice let me know.
Thanks for sharing that plugin. I have a ton of clients who use Wordpress, and one had her site hacked as well. The host did restore the backup, but I know of other folks who have more of a DIY setup like Robert had.
How many releases were there between 2.7 and 2.8.4? How many of them were specifically security releases! And you were notified of all of them in your WordPress Dashboard.
I'm sorry Robert, but the post title sounds like you're blaming WordPress because you spilt the milk.
If you can't or aren't willing to update your WordPress install when security releases are released then maybe you shouldn't be using it.
So, my answer is NO, I have not been hit with any vulnerabilities, and I do feel safe using WP. And, I definitely do not blame it on WP.
But, christ on toast, NO BACKUPS?!?!
How long have you been in this industry, anyway?
Wasn't a major hard disk company a big sponsor of your work for a while?
It's 2009.
You live on the internet.
You know the internet is vulnerable.
You choose to use WordPress - a FREE, powerful and incredible platform.
You get hacked, but you still don't care enough to take the most basic security precautions.
It takes 24 seconds to create a new administrator account and delete "admin" from the backend.
There's an automatic database backup plugin that takes, ooow, about 35 seconds to install and activate.
Seriously, you shouldn't feel safe using WordPress because you seem not to care about your WordPress security. But blame yourself Scoble, and enough with the sob story. While you're at it, please change the title of this article to something more appropriate, like "I got hacked largely because I was VERY lazy, and yes, I do know better". (because I'm sure you)
Irrespective people, yes you could undertake every known WordPress security measure and still get hacked. But WordPress is FREE. Seriously, you don't pay money for it, so you don't cry if it's not 100% perfect every second of the day.
It is important to make sure that you can actually recover your permalink structure once you have kicked the hacker out; if you don't get it exact, then you may well lose SERPs/traffic :-(
I posted here about recovering permalinks if you don't know what they were (I know, I know... We should all know or backup this info, but let's face it - not everyone does!) Permalinks: http://www.kingpin-seo.co.uk/press-releases/how...
How can you report on the IT industry, previously lose your early blog writings and STILL lose data because you didn't do a backup?
What about all your pictures of the family? Got that backed up?
I triple backup stuff at home and still hope I don't ever lose anything.
Come on and admit it, being on the bleeding edge isn't all it is cracked up to be.
Really sorry to hear about the hacker attack. It's awful. They have no freaking idea how much hard work is wasted when they mess up the content from blogs.
Anyway, I wanted to let you know that anyone can access the login page for your blog via the wp-login URL. I would urge you to use HTACCESS or an excellent plugin like WP Stealth Login to make your login page private and accessible only to you.
Secondly, right now if anyone can get to your login page, they can try brute force or dictionary login attack to try and break your Password. Please use WP Login Lockdown to avoid such attacks and keep hackers at bay.
I really like you work, and would hate to see more hard work wasted. Please do consider reading about these plugins and applying them, if you find them useful for better security (I am sure you would). Good Luck.
I am glad that you took the time to check the plugin and the version of Wordpress it's compatible with. I haven't checked that since I installed it, a few months back.
However, from firsthand experience, I can vouch for this plugin as it's working like a charm on my blog (WP version 2.8.4), so feel free to install it without any fear of breaking things.
Hope this helps!
I do hope that in the days to come, you will definitely backup your blog regularly using a plugin which sends the backed up DB file to any specified email address.
Wordpress is the safest CMS until and unless we follow the general security guidelines. Hope you would be more careful the next time.
And, I hope I haven't sounded like your mom ;)
Hopefully the next major release will close all these holes for good. It's frustrating as I love WP but it's getting a little tiresome.
I just had a hacker get in to a Wordpress blog yesterday, and I wasn't the only one. But they were exploiting holes in older Wordpress versions, which I had. And this is the only time I've been hacked in 3 years (and some of my blogs actually get above average traffic).
In your situation, perhaps you didn't remove all the bad code the first time around. Upgrading won't erase existing code, and that's maybe how they broke in.
Best advice is to (1) keep backups and (2) make sure you have the latest version.
The only difference, as you know, is that they take care of the security side and of the updates, just like Wordpress.com does.
And anyway, both of them remain safe only if they fix bugs before they get noticed.
There is nothing 100% safe, only a disconnected machine hidden in an undisclosed location maybe.
That said, I think that you and all of your readers should post wherever they want, as long as they keep backups as you wisely suggested.
PS: did you already forget what happened to mag.nolia?
One other thing, though. By spreading my behavior out over the Internet it's a lot harder to take me entirely down. People know they can still go to Twitter, or FriendFeed, or Facebook, or my phone (+1-425-205-1921), or email, or a variety of other places, to figure out what happened to me, even if this blog were deleted totally. So there is SOME safety in building multiple touchpoints where people can find you.
Hmm... I think a physical break-in is a much more traumatic experience indeed, but I understand that we are actually talking about brand image (=money and personal time) here.
About Rackspace and other similar managed solutions: money can't buy happiness, but it surely can buy peace of mind. And maybe you could even get a specific hacker insurance, search Google for that.
In conclusion, a little note for the people choosing to host in the cloud, unless otherwise stated you are STILL responsible for the security side of your specific virtual machine and for updating the scripts you uploaded to it, never forget it.
Do you think we are going to see something like a "mass social mirror" anytime soon?
My ideas about what it could do:
1) just relay your posts across multiple social sites (eg. RT read my blog post here..)
and/or
2) store all your social activity in a single place, allowing you to easily export it
what would you think of it, could you help me raise any seed stage money for that? :)
bad... sorry. So, like anything, just back up, don't use the default admin name, and make sure you update your software....
I guess the ideal environment would be hosted and updated frequently by the host, yet backed up to you and remotely as well.
1 - I run a SSL cert on the wp-admin pages. This encrypts my data so users can't just use Wireshark to go in and extract my password
2 - I lock down the wp-admin directory and require a password to get in. This works for me because we don't allow guest accounts, although if you have subscribers or other authors this may not work.
3 - I delete the original admin account.
4 - I create a new account with a really complex password.
5 - Check all of the permissions on the wp-admin and wp-content pages. Things like themes and whatnot should not be writeable (which means the WP built-in theme editor will be read-only).
6 - My provider has a 'snapshot' option (I assume they are on a SAN of sorts). I keep a couple of snapshots of not only the database but also the codebase.
It sounds like this was a problem with WP code and as such many of the above steps wouldn't help, but just because they got in via a security vulnerability this time does not mean they can't brute force next time. Most of the items above are free or inexpensive (you can get an SSL cert for $60.00 and add define('FORCE_SSL_ADMIN', true); to your wp-config file).
If it runs code it can be hacked or cracked. WP is no more or less safe, in my opinion, than any other blog provider. The same thing could just as easily happen elsewhere, which sucks, but that is life. The only thing we can do is make it as hard as possible to let these people in!
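The FORCE_SSL_ADMIN line from the list above, shown in its wp-config.php context together with the two other real WordPress constants that cover step 5 (a read-only theme editor) without relying on file permissions. This is an added example, not code from the page or from the WordPress project; the comments spell out what the defaults do when the constants are left unset.

```php
<?php
// wp-config.php fragment (added example). These defines go above the
// "That's all, stop editing!" comment so they exist before WordPress loads.

// Unset: the dashboard and wp-login.php are served over plain HTTP, so the
// password and the auth cookie cross the network in clear text (step 1).
// Set: WordPress redirects wp-admin and the login form to HTTPS.
define('FORCE_SSL_ADMIN', true);

// Unset: the built-in theme/plugin editor is enabled, so anyone holding an
// administrator session can write PHP to the server through the browser.
// Set: the editor is removed from the dashboard entirely (step 5), whatever
// the file permissions on wp-content happen to be.
define('DISALLOW_FILE_EDIT', true);

// Stricter still: also refuse plugin/theme installs, updates and core
// updates from the dashboard (and the automatic background updater), so
// code only changes through your own deployment path over SFTP/SSH.
// Only enable this where updates are applied some other way, since it also
// disables the dashboard's update prompts.
define('DISALLOW_FILE_MODS', true);
```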
Better yet - keep it but give it subscriber privs. So even if they do get in they'll get foiled into thinking it all worked, and then leave. (the automated bots that do all this..)
and I backup everything on my server more or less every few days - databases, theme, images, etc - to S3 with a script I wrote. http://paulstamatiou.com/how-to-bulletproof-ser...
I also have a plugin that changes the default location of wp-login.php to anything you want. It doesn't actually move the files but just does redirection trickery.
As for FORCE_SSL_ADMIN - I'm in the process of setting that up on my server soon.
IMO backups and FORCE_SSL_ADMIN are the two big things that most bloggers could do today but don't. Your post is awesome; may I suggest turning it into a WP plugin? I think that would be an amazing option for a ton of WP users.
Also, security vulnerabilities either in Drupal core or contributed modules do turn up fairly often, though they also tend to be fixed quickly. But staying on top of upgrades there is just as important.
One thing I do especially like about Drupal, though, compared to just about any other web application, is that all the contributed modules and themes are handled through a central CVS, which among other things allows you to subscribe to a single mailing list for any and all security upgrades, be they for the core or for third-party modules. It's about the best-organized open source project out there. Though Wordpress is probably a pretty close second, and is actually the quicker and easier of the two to upgrade.
Ultimately, if there's a way for php to write php to the server file system then there are ways to get into your server. 90% of servers simply aren't well set up for the kind of application that WordPress is. They allow php to modify php, and they don't split the user rights the way they should. As a consequence they make a hacker's job far easier.
Ideally you block WP vulnerabilities by staying up to date, but there are always going to be zero-day vulnerabilities. If the next layer of your application can be made safe then any attacker is going to need to take a multi-part approach, and quickly the number of targets they can find will drop dramatically.
There are hosts and people who could help make your site a lot safer. I'd like to wave at ourselves, but that'll probably just make us more of a target ;-)
I've been strongly considering changing hosts for other reasons - maybe this should be the final straw. That said, perhaps my report about 2.8.4 may just be the first. :)
I've removed the script exploit (again) and added a new admin account and deleted the old one (again).
Getting VERY tiresome. I hope, in a way, that it is my host, as at least that's a workable solution.
Find a capable admin who understands how to ferret it out. If you move to another host, you may just take the problem with you. If you insist on doing it yourself, you'll need to do a full backup, delete EVERYTHING, reinstall Wordpress, reinstall your theme and the latest version of your plugins, then do a XML export/import of your posts database. It's worth it to pay someone to figure this out.
-Erica
Don't be a wimp, you're supposed to be a "tech" blogger. Remember?
There's no such thing as a safe place. As any security admin will tell you, it's not IF; it's WHEN. You must have your mitigation plans in place, and be able to minimize your damages should something as nasty as this happen.
WordPress is a nice platform. At least they have a dozen really professional eyes looking at potential flaws every day. Posterous is closed source, and there's nothing worse than security by obscurity.
I'm happy that even with such a violation against you, you still keep at it. I can't imagine you not writing and sharing anymore. So I guess people will work hard to make sure this doesn't happen to you again and with that you may feel more secure. I'm sorry it happened to you. I guess we can hope that something good, like a more secure WP or more discussions and actual strategies for more security on the web in general, will be the outcome. One thing I always admire you for is that you have the personality to always go beyond, "whaaa....this is what happened to me...big stupid jerks," and use your voice to positively start a discussion and find solutions. This time will be no different.
Every system is vulnerable, to hackers, to lamers, to crashes. It's like "I have to do backups" for months, and crying at the failure of the HD :) ... It's frustrating, but we have to learn the lesson :)
PS: oh, yes it's happened to me too :)
Make it so that even if you get the username wrong it always says "username/password are wrong" instead of "username is wrong".
Been hacked before, figured out that is how they did it. Hackers aren't wizards, they just have a lot of time.
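Two of the suggestions in this thread, the generic "username/password are wrong" message above and the failed-login lockout that WP Login Lockdown was recommended for earlier, implemented as one small plugin on the standard WordPress hook API. This is an added example, not the page's code or any of the named plugins; the failure threshold, the window length, and the `lh_` function names are assumptions.

```php
<?php
/*
Plugin Name: Login Hardening (added example)
Description: Generic login error message plus a per-address failed-login lockout.
*/

// Lockout policy (assumed values; tune for your site).
define('LH_MAX_FAILURES', 5);          // failures allowed inside the window
define('LH_WINDOW_SECONDS', 15 * 60);  // counting window and lockout length

// Transient key for the connecting client. REMOTE_ADDR is the TCP peer;
// behind a reverse proxy you would need the address the proxy forwards.
function lh_client_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lh_fail_' . md5($ip);
}

// 1. Same message whether the username or the password was wrong, so the
//    login form no longer confirms which usernames exist.
function lh_generic_login_error($message) {
    return 'Invalid username or password.';
}
add_filter('login_errors', 'lh_generic_login_error');

// 2. Count each failed login for this client; the transient expires on its
//    own after the window, which is what ends the lockout.
function lh_record_failure($username) {
    $key   = lh_client_key();
    $count = (int) get_transient($key);
    set_transient($key, $count + 1, LH_WINDOW_SECONDS);
}
add_action('wp_login_failed', 'lh_record_failure');

// 3. Refuse to authenticate while the client is locked out. Priority 30 runs
//    after WordPress's own username/password check (priority 20), so the
//    error returned here replaces whatever that check decided.
function lh_block_when_locked($user, $username, $password) {
    if ($username === '') {
        return $user;  // cookie-based requests carry no username; leave them alone
    }
    if ((int) get_transient(lh_client_key()) >= LH_MAX_FAILURES) {
        return new WP_Error('lh_locked', 'Too many failed logins. Try again later.');
    }
    return $user;
}
add_filter('authenticate', 'lh_block_when_locked', 30, 3);

// 4. A successful login clears the counter for that client.
function lh_clear_failures($user_login, $user) {
    delete_transient(lh_client_key());
}
add_action('wp_login', 'lh_clear_failures', 10, 2);
```

Attempts made during the lockout also fire wp_login_failed, so a client that keeps hammering the form keeps extending its own window.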
Sadly nowhere is totally safe and often self hosted CMS/blog apps are the most vulnerable as the hackers just know most people don't upgrade regularly.
You're not the first person I've heard recently starting to use Posterous. Seems to be gaining in popularity quickly.
You never cease to amaze me. Isn't your blog content worth anything (to you) ?
I was just trying to help out those that don't, as we had a fair few requests on how to recover from this! - perhaps after this, more people will be backing up!!!
- Or maybe your comment wasn't meant for me, rather the other guy :-)
Thanks for the information, I really found great stuff on your blog!
I am always amazed that people don't have the common sense to back stuff up. We were all in school and had to do papers; we all saw the person who lost their work. If we didn't see this, we see stories like yours, and yet people still don't back up. What really gets me is people who have a problem once with no backups and then still don't back up and then end up with a worse problem before starting to back up.
I am sure my post will be deleted, since it's pointing out the truth. Also, as far as feeling secure, if you have backups who cares if people break in; restore and you're back to normal. Look at Pirate Bay: those silly people spent millions to shut them down and they were back up in under 3 hours. WHY? Because they plan for things. Would you have a new house or car without insurance? So why would you not back up?
You feel safe by switching to another blogging package. I mean, seriously, Wordpress has a security track record worse than phpBB. It's so bad that even Stefan Esser, the founder of the PHP Security Response Team, has commented on it. I, personally, switched after the 2007 hackings.
What's really funny, though, is this: when people were having their phpBB's hacked in 2005, they switched, immediately. But when people are hacked multiple times through Wordpress, they still don't switch - they're too wrapped up in Wordpress's cult of personality to even consider that. Mao Zedong has nothing on Matt Mullenweg.
I'm sorry that you feel this way since WordPress has been so good to you for so long and you should be the one leading the rallying call to upgrade and joy for those who did are protected. It's clear from the FriendFeed discussion that you and many have learned a valuable lesson. While it's the easy way to blame WordPress, WordPress has responded faster than most to security issues, often before they are even publicly known.
Oh, and I don't see your web hosting service joining in on that conversation, but Matt is sure there. :D
This is a good example of why I believe hosted solutions are the way to go (as the fact that this didn't happen on wordpress.com testifies).
With a hosted solution, the team that runs the service can invest in keeping the platform secure, amortizing this effort across hundreds or thousands of sites. And they automate backups, monitoring, etc.
(Disclaimer: I lead a startup, www.webvanta.com, that is just launching a new hosted CMS...)
What to do to feel safe again? Get a clue.
Just thought I'd let you know! ;-)
This sounds not like a wordpress problem; did you ever change the FTP login for that website?
You can get all of your lost blog post text out of Google Reader. I'm not sure how to link Disqus back, maybe it's as simple as re-adding the old posts with the same Url!
Yet another reason to use full RSS feeds (instead of summary).
See RSS isn't dead.. it's now a backup tool too!!
I keep posting about "how timely backups help" and now that I read posts like these, I suddenly remembered that my own blog is running on an outdated version and no backup had been made for months...
Thankfully, nothing bad happened; updated wordpress, made backups, time to take a rest now....
Whew! Good thing you don't use Windows!
Kudos on sharing your experiences and being 'big' enough to admit you screwed up the admin of your blog. Hopefully, others will learn and realise the need to back-up and update from your experiences.
I tried to do the upgrade myself but it failed and wouldn't work after learning that the WordPress vulnerability may have been how I was hacked. I had to pay Aaron Brazell to do the upgrade for me because I couldn't figure it out.
Of course I don't know how I was hacked. It could have been another way. They could have guessed my password for instance. I really love WordPress though and hope that my site stays secure going forward. It is sort of a pain though that upgrading doesn't work for me and it's not something that I can do myself. Upgrading ought to be easier.
In fact, as I don't even use WP, it's probably the single feature I miss most in Habari :-)
How could WP make upgrades any easier unless they booked an appointment and came round in person to upgrade your blog ?
Hopefully it's of some use to folk.
I find it interesting, and depressing that people are blaming Rackspace, they're blaming Wordpress, they're blaming Robert, but no one, *no one* seems to be willing to blame the only, ONLY people who deserve blame: the evolutionary failures that attacked Robert's blog. I'm sincerely hoping that either Robert or Rackspace reported this to the FBI, so that a criminal investigation is started, and with any luck, the little mongoloids responsible will end up with a felony charge on their record
Robert should have been backing up not because of security, but because things break, and it's just good to have a backup.
but the idea, even the vague concept that anyone other than the wastes of carbon that ran the attack are responsible, on any level, for this is absolutely insane, and more than slightly offensive.
Also, there are a lot of simple tasks being taken on by plugins that could be done with tools that are already built in to WordPress anyway. The ones that manipulate pretty permalinks and custom fields come to mind. Those tools are automatically updated with WordPress.
I had been having the same concerns about Drupal, but they have a security advisor newsletter and mechanism to keep you updated on core and third party modules. I also found an interesting article that might be useful to readers on this post. http://lorelle.wordpress.com/2008/04/28/wordpre...
According to that article it seems Wordpress is more insecure than Drupal over the last couple of years.
I'd love to see a similar update system for Wordpress but cannot find any.
Thanks.
Omar
http://www.postrank.com/feed/65b2b7c99c37d4c027...
We have a full content archive as well - just the descriptions, titles and dates are on the postrank app itself.
Lemme know if you'd like us to extract some posts - or even the entire archive and you can select the missing ones?
Ready and willing if you think it would help.
Lots of other ways to back up but the above is the easiest. Interesting to see the structure in the exported file...
Do make sure that all of the loopholes are filled up and that your blog is a great one.
Wordpress Rocks.
You run a high-profile site, attractive to hack, with no security and then you get caught with your pants down and embarrassed. Twice.
Now the word goes around: don't do as Robert did; be smart, do the basics and keep up to date, and lots of ignorant people understand why they have to take some responsibility to avoid problems.
By investing one hour in checking your install/server security and by upgrading as you know you should do.
btw: Why did you not upgrade from 2.7.1 and what did you do prior to the hacking to secure your blog ?
Also look at this article for further ways of securing your WP-Admin:
http://www.wpbeginner.com/wp-tutorials/11-vital...
Do you know any blog site better than wordpress?
I think we could hash through the dynamics of this security problem (e.g. posterous, running your own server, etc) at some length, but I'm not sure if that discussion would be particularly useful...