Jan 11 2008
Jeremy Schoemaker

Wordpress Hacks Hacking - With Power Comes Responsibility

By Jeremy Schoemaker 96 comments

From some of my posts people might think I am anti-Wordpress… not so… I love Wordpress. I really love Akismet. I think Matt and the boys are building quite an empire. I just like to razz these future multi zillionaires a little bit ;)

Ok this post mainly was to respond to people saying that Wordpress is so insecure. Here is the thing. Wordpress is open source… which means there are going to be some security issues pretty much out of the gate. Especially something as infant as Wordpress. Not to mention they have a pretty amazing release schedule and are making leaps and bounds with major releases… and again, being that it’s open source it’s going to have some security issues. Now mix that with the fact that it has HUGE market share, which makes it a HUGE target.

Sure there will be many security whizzes sitting back reading this post saying like it wouldn’t be that hard blah blah and pointing out the flaws… and ya… I tell you what, why don’t you volunteer and help them? I know it seems like I out a lot of bugs publicly but for every one that I out (and 90% of the time they are more cool than harmful) I have submitted 100x more bug reports and fixes.

I think the Wordpress developers have done an outstanding job bringing an incredibly powerful blogging platform to the masses that can do very very advanced things and does them VERY easily for the end user.

But here is the thing… You have to be responsible for what you install. AND you must keep up with updates. It’s always a system of give and take and if you want the cool toys then you need to also make sure you are going to be diligent with updates and patches as they happen.

This blog got hacked 1 time and it was purely because I had not updated when I knew I should have. It was down a couple hours… I restored and upgraded and all was well.

The best way to ensure you will not get hacked would be to install mod_security and use some of the config files floating around.

  1. Mubin said on January 11th, 2008 at 3:12 pm

    I love complaining about free stuff as well, but seriously they have rocked the kazbah with what they have come up with. And if they want to give themselves some link love in my dashboard I’m okay with that.

  2. Joeychgo said on January 11th, 2008 at 3:12 pm

    I couldn’t agree more Jeremy. Many of the hacking incidents I have heard about turn out to be more errors on the part of the site owner.

  3. Joe said on January 11th, 2008 at 3:13 pm

    Jeremy, you’re definitely right about this one. I am worried sometimes that because of all the security issues I will lose everything. I do have a couple blogs left on Blogger because of this. That being said, I do feel fairly safe using wordpress, but I haven’t had anybody try to hack me yet. Just scrapers. And you just gave me something to help deal with it!

  4. Joeychgo said on January 11th, 2008 at 3:20 pm

    especially since the script is free.

  5. Durham Limo Hire said on January 11th, 2008 at 3:56 pm

    Great advice Shoe! As with all open source software/apps, you should update asap to avoid security issues - and don’t whine if things go a little bit wrong now and then - you didn’t pay for the thing in the first place..

  6. Adam said on January 11th, 2008 at 4:07 pm

    Shoe, if you use the InstantUpgrade plugin, upgrades take one click and 5 seconds ;-)

  7. Ben Cook said on January 11th, 2008 at 4:15 pm

    If you backup frequently and keep track of the updates (including plugins), you minimize the risk as much as possible. WordPress is amazing in terms of its functionality and flexibility, and with that comes a bit of risk as you mention. Personally though, I think the risk is well worth the reward.

  8. Ben Cook said on January 11th, 2008 at 4:16 pm

    Just make sure you backup early and often. That way, even if you are hacked, the damage will be minimized.

  9. Nicholas James said on January 11th, 2008 at 4:58 pm

    That’s where backups and making sure the mods are working properly come into play.

    A secret Wordpress demo that you’ve set up doesn’t hurt for testing out modifications ;)

  10. Free Online TV said on January 11th, 2008 at 5:38 pm

    Thanks for the advice. The spammers are bad enough, I don’t need hackers either!

  11. Spy Optic said on January 11th, 2008 at 5:40 pm

    Wordpress is free and awesome.

    Almost anything can be hacked / crash, it’s the user’s responsibility to back up.

  12. Money School said on January 11th, 2008 at 5:52 pm

    One common thought is “I back up tomorrow”; never think like that, do it on a regular basis. The best is if you can do a cron job on a server that backs everything up. Then you don’t have to think about it. But I agree with the above posters, Wordpress is great.

  13. LittleBoy said on January 11th, 2008 at 6:56 pm

    Power=responsibility The responsibility is the power.

  14. 賃貸 大阪 said on January 11th, 2008 at 7:26 pm

    I like using the db backup plugin. I followed Gray Wolf’s advice and set up a Gmail account for my databases. Wordpress emails a db backup to the Gmail account every day. It helps me sleep a little better.

  15. Hustle Strategy said on January 11th, 2008 at 8:17 pm

    Well, I backed up then figured I would post… Good advice…

  16. ATV Style said on January 11th, 2008 at 8:26 pm

    Open source applications, like Wordpress and phpBB, are great for the internet in general. They have security issues like any software does, sure, but like Jeremy says that’s because many don’t keep up to date.

    What I like to see is an army (millions) of open source code users giving companies like Google and Facebook a run. So much of a run that Google and Facebook actually launch platforms and/or pay to “coral” a lot of the new “apps” being created via open source.

    It is VERY possible still to this day for some basement genius to come up with a new idea using open source that could knock major “internet companies” out of business. Design a useful app or popular site and people throw money at you, for now.

    I’ve said this before - Patents filed by search engine companies could ruin open source apps like wordpress permanently. If google comes up with and patents an idea that becomes part of a website… and it becomes so popular that you hate visiting sites that don’t have this app, the tides will turn. Wordpress will shrivel, we’re not there yet.

  17. ATV Style said on January 11th, 2008 at 8:30 pm

    coral = corral - someone needs to write a comment spellchecker asap!

  18. McBilly Wilford said on January 11th, 2008 at 8:58 pm

    Indeed. That is true! Most probably, the owners of the site have not been updating and then complaining why their wordpress blogs have been hacked. Quick FYI. Update asap!

  19. McBilly Wilford said on January 11th, 2008 at 9:30 pm

    I think that one can’t apply to Spiderman. ;)

  20. Affiliate Confession said on January 11th, 2008 at 9:44 pm

    You can stop spammers with the Akismet plug-in. I hope you’re using it.

  21. David Chew said on January 11th, 2008 at 10:11 pm

    Wordpress got hacked, is that a normal thing to happen while you are famous with something?

  22. David Chew said on January 11th, 2008 at 10:13 pm

    I have a post about Wordpress and Blogger on my blog. For anyone who uses both of these, which one do you all think is better? Because many people say that Wordpress is better than Blogger.

  23. David Chew said on January 11th, 2008 at 10:14 pm

    Backup is the most important thing because you sure don’t want your posts to fly away just like that.

  24. David Chew said on January 11th, 2008 at 10:15 pm

    Updating regularly is good for anyone who wants their blog to be safe.

  25. David Chew said on January 11th, 2008 at 10:16 pm

    In Wordpress isn’t there a feature that allows you to delete spam comments?

  26. Affiliate Confession said on January 11th, 2008 at 11:11 pm

    If you activate the Akismet plug-in most of the spam is deleted automatically for you and then you can just mass delete any that gets through.

  27. Alan Johnson said on January 11th, 2008 at 11:19 pm

    Indeed, people adding value to the Web through free information and tools should always be appreciated, especially when we are talking about something as great as WP.

  28. Alan Johnson said on January 11th, 2008 at 11:22 pm

    I would also suggest making sure that you don’t save your data in just one place since, let’s face it, you never know what can go wrong with your computer and having something like this happen exactly when you need to restore data is not exactly a pretty picture :)

  29. Alan Johnson said on January 11th, 2008 at 11:24 pm

    I always have a blog I only use for testing purposes on a separate server since trying things out there first definitely never hurts.

  30. Alan Johnson said on January 11th, 2008 at 11:25 pm

    Akismet is great but it will not be able to handle everything, you will need to keep an eye on things as well :)

  31. Alan Johnson said on January 11th, 2008 at 11:26 pm

    It is important to make performing backups a weekly habit at the very least since you don’t want to be taken by surprise when something goes wrong, problems are unfortunately something you cannot plan :)

  32. Alan Johnson said on January 11th, 2008 at 11:30 pm

    As far as I am concerned, WP beats blogger hands-down, I may not be entirely objective but I wouldn’t even think of touching it at this point.

    Alan Johnson

  33. Clint Lenard said on January 12th, 2008 at 12:35 am

    I love Wordpress, although I did get hacked a few weeks ago… but, it was my fault, I suppose. Luckily for me, Google Cache had my latest posts… my backup was not complete. Yikes.

  34. Nicholas James said on January 12th, 2008 at 12:35 am

    Wordpress is hands down better than Blogger in my opinion.

  35. Nicholas James said on January 12th, 2008 at 12:36 am

    That’s a good point. Many people forget to back up and that’s why it’s harder to recover when they get hacked.

  36. Nicholas James said on January 12th, 2008 at 12:38 am

    I’m glad you do. Personally I think everyone should :)

  37. David Chew said on January 12th, 2008 at 1:54 am

    That is why you need to have a backup. I recently just posted 2 topics on my blog and backed it up, since Jeremy has posted about backing up your posts for safer protection.

  38. Erica DeWolf said on January 12th, 2008 at 2:06 am

    I agree…I’ve used both wordpress and blogger, and I like blogger a lot better for a variety of reasons. A big thing for me is professionalism. Wordpress just seems to have a more professional feel and design to it. Blogger seems to be what teenagers would use, although I do know of some very professional looking blogger blogs in existence…

  39. momoy said on January 12th, 2008 at 2:29 am

    It’s useful information, but can I install it in an older Wordpress version such as Wordpress 2.0.5? Thanks

  40. Joe said on January 12th, 2008 at 3:04 am

    Funny this post is up as about a dozen of my WP blogs just got hacked by the wordpress.net.in virus which crippled my adsense earnings… dropped them by 60% almost instantly. I stumbled upon the problem as I decided to look at my source code and found a bunch of pron spam links. This is all my fault as I’ve been too lazy to keep my wordpress up to date. But, it’s a bitch when you have 50 blogs or so.

    I think the main thing WP needs to do is make it super easy to keep our wp blogs up to date…. without having to go in and redo all of the templates after each update. :(

    To ANYONE OUT THERE USING WP…. please check your blogs now to see if you are infected. If you ignore my warning you could lose $$$

    See this link:

    http://blog.kakkoi.net/wordpress/how-to-removed-wordpress-net-in-spam-injection-infected-by-mike-jagger-goro-class-mailphp/

  41. Ninja Steve said on January 12th, 2008 at 3:37 am

    It irritates me when people complain and moan and groan about Wordpress. It is good. It is free. Need I say more?

  42. ATV Style said on January 12th, 2008 at 3:58 am

    Jeremy, you’re powerful in blog and marketing circles, so in the spirit of this post can you fix the <head> of this blog purdy plz? I’m always scanning code to see mods that people make but keep quiet about (I’m addicted to peeking and learning honestly) and the head is making me scroll down 380 lines of code before the page even starts.

    - drop all javascript into an external file
    - drop all .css into your .css file (or create a new one and link to it)

    Just those two steps would save you over 350 lines of code per page and “me love your blog long time”. (search engines will too, actual content prominence rocks)

  43. ATV Style said on January 12th, 2008 at 4:01 am

    P.S. - if Brian’s threaded comments gives you a headache since it has php and css mixed together give me a shout, I’ll send you a link to one of my sites that has that fixed. It’s my masterpiece!

  44. ATV Style said on January 12th, 2008 at 4:09 am

    Another tip - Passwords - when you subscribe to anything open source DO NOT USE THE SAME PASSWORD! as with your site login etc..etc.
    Although open source uses secure MD hash measures the one thing people forget is that when you register online, to a forum or wordpress or anything else, the site often sends you a welcome email. A lot of the time the email has the login and pass in it for your future reference. Did you know that any returned emails go straight to the admin for troubleshooting, who can then see the password you typed in? If you made a typo, the admin will get the password and if he knows you or tracks you down may try to get into your stuff.

  45. Ruchir said on January 12th, 2008 at 4:48 am

    It’s not just about WordPress, every single software whether open source or proprietary has flaws and bugs. And the great thing about WP is that they release an update as soon as they discover a major bug.

  46. David Chew said on January 12th, 2008 at 5:10 am

    That means good.

  47. Contest Beat said on January 12th, 2008 at 5:10 am

    The automatic update plugin makes doing this so much easier

  48. shy guy said on January 12th, 2008 at 7:09 am

    Hm.. Yeah it is frustrating if our blog / website / email is being hacked..
    I agree, do not use the same password..
    Especially for your online banking, PayPal, Moneybookers, etc.

  49. CatherineL said on January 12th, 2008 at 8:33 am

    Thanks for the tip Shoe. I am often scared to update in case something does go wrong. But, you’ve just scared me into updating, so now I’m going to have to do it.

  50. Cyrus said on January 12th, 2008 at 10:32 am

    I’ve wondered about the same thing re:spam comments. At first I just assumed that I had to go in once/week and delete the 5 - 10 spam comments that I would get. Will this akismet plug-in help that or will I still have to go in and delete it out manually every week?

  51. Famous Quotes said on January 12th, 2008 at 11:18 am

    Wordpress is by far the BEST software I have ever used. So easy to install, so easy to maintain and so easy to customize; all for free! So far as hacking is concerned even the software that costs hundreds or even thousands of dollars gets hacked.

  52. abhishek arora said on January 12th, 2008 at 11:25 am

    I agree - these guys have to be appreciated! They are doing a really good job out there! Usually errors by newbies are the culprits.

  53. Affiliate Unleashed said on January 12th, 2008 at 11:53 am

    I love wordpress too :D

    I am working on getting mod_security installed now.

  54. Scott Weaver said on January 12th, 2008 at 12:26 pm

    No matter what you do, there will always be whiners and complainers. It’s the nature of some people to just be incompetent. So although I agree with you, it seems like this post is falling on deaf ears with the people it was intended for. On a lighter note, I have little to complain about with Wordpress and hope they continue to light the way for other dev teams.

  55. Alan Johnson said on January 12th, 2008 at 9:49 pm

    Even if there are occasional errors on their part, it would simply not be fair to complain since they are offering everything for free, unlike others, who charge money for products which are flawed as well.

  56. Alan Johnson said on January 12th, 2008 at 9:51 pm

    These days, hosting can be as cheap as it gets, add a throwaway domain to the equation and there you have it…the possibility of avoiding potential problems by paying a little pocket change (after all, it sure beats wasting time trying to fix things) :)

  57. Alan Johnson said on January 12th, 2008 at 9:52 pm

    It would be understandable to complain if you’ve paid a fortune for something, but to choose such an approach when they are offering it for free simply doesn’t make sense.

  58. Alan Johnson said on January 12th, 2008 at 9:54 pm

    Indeed, just because something costs a lot of money doesn’t mean that it is 100% safe. It does however give you the right to complain :)

  59. Alan Johnson said on January 12th, 2008 at 9:57 pm

    I couldn’t agree more. Personally, Wordpress has been working just great for me and, by using the wp-cache plugin, I have managed to handle the Digg frontpage without encountering any issues (my hosting provider also deserves credit for this), even though a lot of people call WP “problematic” as far as the Digg effect is concerned.

  60. will said on January 12th, 2008 at 11:15 pm

    I hear ya. Making backups is almost as important as updating. I remember losing so much on failed HD’s :(

  61. will said on January 12th, 2008 at 11:44 pm

    what is this instant upgrade you speak of?

  62. Internet Marketing said on January 13th, 2008 at 7:20 am

    You are so right. I had to stop everything and upgrade and install some new widgets.
    Keep up the good work.

  63. Harry said on January 13th, 2008 at 9:56 am

    Can comments be automatically approved? If yes, can anyone explain please?

  64. Alan Johnson said on January 13th, 2008 at 4:10 pm

    Yes, all you need to do is visit the “options” section of your WP admin area and uncheck all fields such as “users must be registered and logged in to comment”.

  65. Adam said on January 13th, 2008 at 6:22 pm

    Sorry I probably should have included the URL. You can find InstantUpgrade here: http://www.zirona.com/software/wordpress-instant-upgrade

    Your wordpress install directory needs to be writable by whatever user your webserver is running as, most likely Apache.

  66. Will said on January 13th, 2008 at 8:50 pm

    I was thinking about this, but that almost seems like more work for something so small like wordpress. How much can you really screw up while testing new things?

  67. Affiliate Confession said on January 13th, 2008 at 9:15 pm

    Once you approve a comment none of their comments have to be approved again.

  68. Harry said on January 13th, 2008 at 11:29 pm

    Got it under WP admin > Options > Discussions and unchecked the first and third option under Before a comment appears:. Thanx :D

  69. Lexus ISF said on January 14th, 2008 at 1:41 am

    Wordpress has been working amazingly for me by using the wp-cache plugin. It has helped my site so much…

  70. Reverse Funnel System Review said on January 14th, 2008 at 6:39 am

    Wordpress really gives everyone the opportunity to simply make their own blog, that’s why most people now use Wordpress, it’s the leader in blog scripts. Even if it has problems I really prefer Wordpress to other similar alternatives. A big advantage of Wordpress is the tons of plugins you can install, like in Firefox; people love it, same as surfers.

  71. Affiliate Confession said on January 14th, 2008 at 8:45 am

    Akismet holds spam comments for I think it’s 15 days and then deletes them automatically. Akismet caught spam doesn’t show up in regular comments, there’s a separate section for it.

  72. Affiliate Confession said on January 14th, 2008 at 8:49 am

    I detest Blogger because you don’t really own your blog. It can be deleted at a moment’s notice if the Goggle mothership decides they don’t like you. WordPress on your own domain is the way to go.

  73. kansieo said on January 14th, 2008 at 9:17 am

    Having released free, cheap and slightly more expensive software, the amount of complaints I get seems inversely related to the cost of the product. In other words, the cheaper my product is, the more people complain!

  74. Sean said on January 14th, 2008 at 10:37 am

    For those who don’t have it, get the Wordpress Automatic Update plugin mentioned above. It doesn’t work with all hosts…

    http://techie-buzz.com/wordpress-plugins/wordpress-automatic-upgrade-plugin.html

  75. hanji of money-code said on January 14th, 2008 at 11:12 am

    Thanks for mentioning mod_security. I LOVE mod_sec, I also use it with some custom rules from gotroot.. very nice indeed. Combined with snort/snortsam and fail2ban you could really have an active and robust intrusion prevention system in place.

    hanji

  76. Kabatology said on January 14th, 2008 at 11:54 am

    “Wordpress is open source… which means there is going to be some security issues pretty much out of the gate” by Jeremy - Poor statement. Open source does not mean easy to break down or insecure. Many security apps out there are open source because having the code also means the possibility to create unique systems. Movable Type is now Open Source. Always update if you’re not an expert. If your system gets into trouble - 95% the trouble maker is YOU.

  77. Affiliate Unleashed said on January 14th, 2008 at 12:04 pm

    Hey Shoe, Would you ever consider releasing what Wordpress plugins you have installed?

    ~Jonathan Volk
    http://www.jonathanvolk.com

  78. Not John Chow said on January 14th, 2008 at 1:40 pm

    I wouldn’t be able to blog if I had to pay for things like this! Thank you to everyone who has ever given away something of value!

  79. Alan Johnson said on January 14th, 2008 at 4:59 pm

    I definitely agree that the wp-cache plugin is great since it has helped me survive the Digg effect without any kinds of issues (having a great host is, of course, also extremely important in such cases).

  80. RacerX said on January 14th, 2008 at 8:36 pm

    I wonder how secure Blogger is? Maybe since most sites there are smaller, it doesn’t happen as much.

  81. Affiliate Confession said on January 14th, 2008 at 10:52 pm

    Spammers are always finding ways around Akismet, but it does get the majority of it.

  82. Francois said on January 14th, 2008 at 11:44 pm

    Plugins are quite a dilemma for OS blog software indeed. All web software actually.

    You can either decide to integrate as many features as possible into the core in order to control as much security as possible (b2evolution approach) or you can have as many people as possible develop third party plugins in order to have a larger feature offer (wordpress approach). But you can hardly have both… as soon as you install your first 3rd party plugin, you no longer have a coherent security framework in place.

    I believe there must be a solution where software projects would validate some strict input handling (input handling is the biggest issue with PHP apps) in plugins before listing them in their plugin repository. But I have yet to see anyone pull that off…

    -F.

  83. Real Lottery Winner said on January 15th, 2008 at 11:56 am

    Reading this, I have taken measures to update my own security. Thanks Jeremy.

  84. krillz said on January 15th, 2008 at 5:14 pm

    mod_security is still too risky, sure it will stop all the script kiddies running mass exploit sniffers whenever they learn of a new exploit in a widely used web application. But it’s still too easy to crash or bypass mod_security with BOFS or null byte attacks, a well done string can take down the mod leaving the system to harm.

    But I stumbled over a good open source project that has done something more, much better than mod_security imo. I think you’d like it from a security point of view shoemoney.

    It’s called Suhosin. And is produced by the Hardened php project. hardened-php.net

  85. 賃貸 大阪 said on January 15th, 2008 at 7:18 pm

    I use the backup db that emails the database to me (or a gmail account).

  86. Jason said on January 16th, 2008 at 3:16 pm

    On your post, you said that Wordpress is vulnerable because it’s open source… I use WP, and I love it… but perhaps WP is vulnerable because it’s Wordpress, not because it’s open source? One could easily make the argument that open source technology is much more secure than any crap that Microsoft puts out…

    So, I love your blog man… but I really have to call you on this one…

    PS - BJ Penn or Joe Stevenson? My last comment went against your picks… and I was victorious in saying that GSP would walk away the winner… lol! Cheers!

  87. krillz said on January 17th, 2008 at 8:57 am

    Well, the good thing with open source is that it is easier to spot and fix compared to closed source applications.

    We all know the time difference in bug and vuln fixes between windows and linux…

  88. web proxy said on January 21st, 2008 at 1:34 am

    I just downloaded mod_security. Looks like a very useful piece of software. Wordpress is great, their software is simply powerful and is so popular among webmasters however they lose out to the general public bloggers imo.

  89. Dan said on January 30th, 2008 at 6:38 pm

    Just updated my blog with this - Cheers Shoe

  90. David said on October 6th, 2008 at 4:44 pm

    I’m going to take a look at mod_security now that you mention it. Most hacks occur simply because the owner hasn’t updated the version or needed to make some tweaks to the site overall.

  93. [...] Shoemoney.com is one of my favorite blogs about Internet technology and blogging tools, even Jeremy Schoemaker the owner of the blog admits few times that he doesn’t have that perfect grammar or spelling in his posts…but who cares I love reading what he writes like lots of other readers too… [...]

  94. Steve Smit - Novice Blogging Ninja said on January 12th, 2008 at 10:40 am

    Can Entrecard be bought?…

    Hey guys. I’m no Business professional or anything and this post is just going to be based on my personal opinion.
    Whilst it is still early days for Entrecard, I have thought about the possibility that they could be acquired. Entrecard is the lat…

  95. Must-have Wordpress Plugins | Global Master Plan said on January 14th, 2008 at 9:02 pm

    [...] the debate about Wordpress rages on, one thing can be sure: Wordpress is the most used, modded, and flexible content management system [...]

  96. [...] just upgraded my Wordpress software just to be safe. Just recently one of the famous blogs, Shoemaker has been hacked. He has learned his lesson and I don’t want to experience that too. [...]
