3 Lessons Learned from my Hacked WordPress blog

Back story

The 12th November hacking incident wasn’t the first for WebGrrrl.net.

The first hacking incident happened around 2010, right after I banned the IP of a disgruntled commenter on my post about the lotto e-mail scam. A simple IP denial via cPanel was enough to stop it.
   
The second hack attack on my WordPress-powered site was by the group known as the Kurdish Hackers late last year (2011). I assumed they did so for the fun of it, by a hacker’s definition. They even kindly archived a screenshot of my defaced blog for the whole cyberworld to see. Luckily, I had a clean backup of the whole website, and so restoring WebGrrrl.net to its original glory only took me half an hour.

zone-h screenshot of webgrrrl.net hacking

This recent hack was somewhat more malicious, in my opinion. Brute-force login attempts, followed by a malware script and SQL injections, resulted in website defacement and changes to the WordPress admin login, plus wp-cron.php being called every 10 SECONDS, which can potentially build up into a DDoS attack through server resource overload.

According to my raw server logs, these attempts are STILL ongoing even as I write this post. More painful is the fact that, at the time of the hacking, I hadn’t made a clean backup of my site for over six months.
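As an added example (not code from the original post or its author), here is a small Python script that runs the two checks a practitioner would do on raw server logs after an incident like this one: flag any IP that bursts POST requests at wp-login.php, and any IP hammering wp-cron.php. The log lines are constructed for the example, and the 60-second window and the thresholds are assumptions to tune to your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/cPanel "combined" log format:
# ip ident user [timestamp] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop query string, e.g. ?doing_wp_cron
        "status": int(m.group("status")),
    }


def find_bursts(events, window_s, threshold):
    """Return {ip: peak} for every IP whose request count inside any
    window_s-second sliding window reaches threshold."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[ip] = peak
    return hits


def analyze(log_text, window_s=60, login_threshold=10, cron_threshold=5):
    """Thresholds are assumptions: 10 login POSTs a minute from one IP is far
    beyond a human typo rate, and wp-cron.php is normally requested only by
    the site itself, so an outside IP hitting it repeatedly is suspect."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    login_posts = [e for e in events if e["method"] == "POST" and e["path"] == "/wp-login.php"]
    cron_hits = [e for e in events if e["path"] == "/wp-cron.php"]
    return {
        "login_bruteforce": find_bursts(login_posts, window_s, login_threshold),
        "cron_hammering": find_bursts(cron_hits, window_s, cron_threshold),
    }


# --- Constructed sample log (not real traffic; RFC 5737 documentation addresses) ---
_BASE = datetime(2012, 11, 12, 3, 14, 1, tzinfo=timezone(timedelta(hours=8)))


def _line(ip, offset_s, method, path, status=200):
    ts = (_BASE + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", i * 3, "POST", "/wp-login.php") for i in range(12)]  # 12 logins in 33 s
    + [_line("198.51.100.9", i * 10, "GET", "/wp-cron.php?doing_wp_cron") for i in range(7)]  # every 10 s
    + [_line("192.0.2.5", 5, "GET", "/"), _line("192.0.2.5", 20, "POST", "/wp-login.php", 302)]  # normal
)

if __name__ == "__main__":
    for kind, ips in analyze(SAMPLE_LOG).items():
        for ip, peak in ips.items():
            print(f"{kind}: {ip} peaked at {peak} requests in {60} s")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents. A hit on the wp-cron check is also a reason to stop letting the web tier trigger WP-Cron at all: set `define('DISABLE_WP_CRON', true);` in wp-config.php and call wp-cron.php from a real system cron job instead, so outside requests no longer drive scheduled work.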

Fortunately, they hacked the right Grrrl.

I told you I was a masochist.

Alright, that’s (probably) not quite right.

A hack attack on a website you love dearly / make a lot of money from can be dishearteningly paralyzing. However, at the risk of sounding not-right in the head, I find joy in realizing that, as much as I know about WordPress and web server security, there are more things out there that I DON’T know about. This gives me hope that I can still learn more things, and new things, about the kinds of knowledge I’m passionate about. And, more importantly, I have the chance to become a BETTER problem-solver than I was before.

3 Lessons Learned About Securing My WordPress Website

1. Use the Better WP Security plugin

This goes against almost all the security advice you might have read on WordPress security. For all I know, a WordPress plugin may have been the culprit behind all the hacking.

Believe me, though, this is one plugin that’s worth using. I spent the past several days hardening my freshly re-installed website by hand, doing what Better WP Security takes just 15 minutes to do. By the time I installed it (thanks to my web host’s recommendation), I had already done 70 percent of what the plugin would have set up.
   
The Logs section of the plugin is my favourite.
   
Better WordPress Security screenshot of data being collected in log record

Better WordPress Security screenshot of bad login attempts

Better WordPress Security screenshot of lockouts

2. Never blog using an administrator login

I don’t mean not using the default “admin” username. Just don’t blog with a user account having your blog’s Administrator privilege, period.
   
The hacker managed to brute-force log into my Dashboard simply because my login ID was easy to guess. By default, WordPress creates a link to the author of a blog post using the username, like so:
http://webgrrrl.net/author/lorna

Most, if not all, WordPress themes display this link. A hacker simply views the HTML source to harvest the username before the brute-force password attack begins, and if you publish from your Administrator account, the username harvested is the one that unlocks the Dashboard. The slug in that URL is the account’s “nicename”, which WordPress sets to the username by default, and WordPress will also redirect a request for ?author=1 to the same URL, so hiding the link in the theme alone is not enough. Simple as that.
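To make the exposure concrete, here is an added Python audit (not the author’s code and not part of WordPress) that pulls author slugs out of a page’s HTML and compares them with the site’s user list. The HTML and the user rows are constructed for the example. Because the slug in /author/&lt;slug&gt;/ is the account’s user_nicename, which defaults to the login name, the audit flags any slug that equals a login and rates it critical when that account is an Administrator.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect every <a href=...> value on the page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def exposed_author_slugs(html):
    """Return the sorted set of slugs appearing as /author/<slug>/ links."""
    parser = _LinkCollector()
    parser.feed(html)
    slugs = set()
    for href in parser.hrefs:
        parts = urlparse(href).path.strip("/").split("/")
        if len(parts) == 2 and parts[0] == "author" and parts[1]:
            slugs.add(parts[1])
    return sorted(slugs)


def audit(html, users):
    """users: list of {login, nicename, role} rows (what wp_users plus the
    capabilities meta would give you; constructed here). A slug only leaks a
    login when nicename == login; an exposed Administrator login is the worst case."""
    slugs = set(exposed_author_slugs(html))
    findings = []
    for u in users:
        if u["nicename"] not in slugs:
            continue
        revealed = u["nicename"] == u["login"]
        if revealed and u["role"] == "administrator":
            risk = "critical"
        elif revealed:
            risk = "high"
        else:
            risk = "low"
        findings.append({"login": u["login"], "slug": u["nicename"], "role": u["role"],
                         "login_revealed": revealed, "risk": risk})
    return findings


# --- Constructed samples ---
# Before: posts published from the Administrator account with the default nicename.
HTML_BEFORE = '''<p class="byline">Posted by
  <a href="http://webgrrrl.net/author/lorna/" rel="author">lorna</a></p>
<a href="http://webgrrrl.net/about/">About</a>'''
USERS_BEFORE = [{"login": "lorna", "nicename": "lorna", "role": "administrator"}]

# After: a separate Author-role account writes the posts, and its nicename
# (changed with wp_update_user() or directly in wp_users) differs from its login.
HTML_AFTER = '''<p class="byline">Posted by
  <a href="http://webgrrrl.net/author/lorna-writes/" rel="author">Lorna</a></p>'''
USERS_AFTER = [
    {"login": "lorna", "nicename": "lorna", "role": "administrator"},
    {"login": "lw_posts_2012", "nicename": "lorna-writes", "role": "author"},
]

if __name__ == "__main__":
    for label, html, users in (("before", HTML_BEFORE, USERS_BEFORE),
                               ("after", HTML_AFTER, USERS_AFTER)):
        print(label, audit(html, users))
```

The audit only sees what the theme prints; it does not cover the ?author=N redirect, so treat a clean result as necessary rather than sufficient, and still pair it with login rate-limiting and a strong password on every account.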

3. Always take my own advice

What frustrates me the most about this incident is that I KNEW what I was supposed to have done to harden my website or to be prepared when disaster strikes.

But I DID NOTHING. Or, not much, to be exact.

I was complacent. No auto-backup. No periodic file scans. No hard-to-guess logins.

Would I blame it on my busy life? Whatever. That’s just an excuse.

I always come up with some wise ideas about everything. It’s time I act on them.
