3 Lessons Learned from my Hacked WordPress blog

The 12th November hacking incident wasn’t the first for WebGrrrl.net.

Back story of WebGrrrl.net’s hacking incidents

The first hacking incident happened around 2010, right after I banned the IP of a disgruntled commenter on my post about the lotto e-mail scam. A simple IP denial via cPanel was enough to stop it.

The second hack attack on my WordPress-powered site was by the group known as the Kurdish Hackers late last year (2011). I assumed they did it for the fun of it, in the hacker's sense of the word. They even kindly archived a screenshot of my defaced blog for the whole cyberworld to see. Luckily, I had a clean backup of the whole website, so restoring WebGrrrl.net to its original glory only took me half an hour.

[Screenshot: zone-h hacking report of WebGrrrl.net]

This recent hack was somewhat more malicious

This time it was brute-force login attempts, followed by malware script and SQL injections that defaced the website and changed the WordPress admin login, plus calls to wp-cron.php every 10 SECONDS, which can build up into a DDoS attack through server resource overload.

According to my raw server logs, these attempts are STILL ongoing even as I write this post. More painful is the fact that, at the time of the hacking, I hadn't made a clean backup of my site for over six months.
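One way to spot both patterns in raw access logs, as an added example that is not the author's code: it parses Apache combined-log lines (the sample below is constructed, with documentation-range IPs) and flags clients that fail repeated logins on wp-login.php or call wp-cron.php in a tight loop. The thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-log sample (not the author's logs): 203.0.113.7 hammers
# wp-login.php, 198.51.100.9 hits wp-cron.php every 10 s, 192.0.2.55 logs in normally.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Nov/2012:02:14:01 +0800] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2012:02:14:02 +0800] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2012:02:14:04 +0800] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2012:02:14:05 +0800] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Nov/2012:02:14:10 +0800] "GET /wp-cron.php?doing_wp_cron HTTP/1.1" 200 0 "-" "curl/7.21"
198.51.100.9 - - [12/Nov/2012:02:14:20 +0800] "GET /wp-cron.php?doing_wp_cron HTTP/1.1" 200 0 "-" "curl/7.21"
198.51.100.9 - - [12/Nov/2012:02:14:30 +0800] "GET /wp-cron.php?doing_wp_cron HTTP/1.1" 200 0 "-" "curl/7.21"
192.0.2.55 - - [12/Nov/2012:02:15:00 +0800] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse(line):
    """Return (ip, timestamp, method, path-without-query, status), or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path.split("?")[0], int(status)

def events_by_ip(log, method, path, status=None):
    """Sorted request timestamps per client IP for one method/path (and optional status)."""
    hits = defaultdict(list)
    for ip, when, meth, pth, code in filter(None, map(parse, log.splitlines())):
        if meth == method and pth == path and status in (None, code):
            hits[ip].append(when)
    return {ip: sorted(t) for ip, t in hits.items()}

def login_bruteforce(log, limit=4, window=60):
    """IPs with >= limit failed logins inside `window` s (WordPress answers a failed POST with 200, a success with 302)."""
    flagged = set()
    for ip, times in events_by_ip(log, "POST", "/wp-login.php", status=200).items():
        if any((times[i + limit - 1] - times[i]).total_seconds() <= window
               for i in range(len(times) - limit + 1)):
            flagged.add(ip)
    return flagged

def cron_hammering(log, max_gap=10, min_hits=3):
    """IPs calling wp-cron.php at least min_hits times with every gap <= max_gap seconds."""
    flagged = set()
    for ip, times in events_by_ip(log, "GET", "/wp-cron.php").items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_hits and gaps and max(gaps) <= max_gap:
            flagged.add(ip)
    return flagged
```

Feed it a real access log with `login_bruteforce(open("access.log").read())`; the flagged IPs are the ones a lockout rule (like the plugin's, below) would block.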

Fortunately, they hacked the right Grrrl.

I told you I was a masochist.

Alright, that’s (probably) not quite right.

A hack attack on a website you love dearly / make a lot of money from can be dishearteningly paralyzing. However, at the risk of sounding not-right in the head, I find joy in realizing that, as much as I know about WordPress and web server security, there are more things out there that I DON'T know about. This gives me hope that I can still learn more things, and new things, about the kinds of knowledge I'm passionate about. And, more importantly, I have the chance to become a BETTER problem-solver than I was before.


3 Lessons Learned About Securing My WordPress Website

1. Use the Better WP Security plugin

This goes against almost all the security advice you might have read on WordPress security. For all I know, a WordPress plugin may have been the culprit behind all the hacking.

Believe me, though, this is one plugin that's worth using. I spent the past several days hardening my freshly re-installed website by hand; Better WP Security does the same in just 15 minutes. By the time I installed it (thanks to my web host's recommendation), I had already done 70 percent of what the plugin would have set.

The Logs section of the plugin is my favourite.

[Screenshot: Better WP Security log summary of unauthorized login attempts on WebGrrrl.net]
[Screenshot: Better WP Security bad login attempts; bad logins usually = hacking attempts]
[Screenshot: Better WP Security lockouts of attempted website hacking]

2. Never blog using an administrator login

I don't mean not using the default "admin" username. Just don't blog with a user account that has your blog's Administrator privilege, period.

The hacker managed to brute-force log into my Dashboard simply because my login ID was easy to guess. By default, WordPress creates a link to the author of a blog post using the username, like so:

https://webgrrrl.net/author/lorna

Most, if not all, WordPress themes out there display this info. A hacker simply views the HTML source before the brute-force password attacks begin. From there it's a fifty percent chance: either that login has Administrator privilege, or it hasn't. Simple as that.

3. Always take my own advice

What frustrates me the most about this incident is that I KNOW what I was supposed to have done to harden my website, or to be prepared when disaster strikes.

But I DID NOTHING. Or, not much, to be exact.


Instead, I was complacent. No auto-backup. No periodic file scans. And no hard-to-guess logins.

Would I blame it on my busy life? Whatever. That’s just an excuse.

I always come up with some wise ideas about everything. It’s time I act on them.


Posted on 18 November, 2012 under Discovering WordPress

6 comments

  1. romeobk says:

    thanks for the insight … backup is most important, learned it the hard way too .. 🙂

    1. Lorna says:

      “learned it the hard way too”
      Unfortunately ;]

  2. Alana says:

    Hi Lorna, I'm a new visitor to your blog. I agree with your points; backup is a very important one. This information is very useful to everyone, and thanks for sharing this post with us.

    1. Lorna says:

      Remember to set auto-backup on your site, too.

  3. shraqs says:

    I've been through similar situations before. That bad experience taught me to be more careful and concerned about the level of blog security.

    BTW, this plugin is indeed top quality.

  4. Susan says:

    I know how you feel. You know you need to do things and by the time you get around to it, it is too late. Glad you got your site back on track though.
