A lot of WordPress blogs get hacked. One thing I have really been able to figure out is that most people don't know what is within their control to keep their blog from being victimized.
Things to understand:
Most of the time, when a lot of WordPress blogs are hacked at once, it is due to a known vulnerability that was discovered recently, with a few kids taking advantage of being among the first to know about it. The rest of the time, an entire web hosting server is hacked and almost all the websites on that server are defaced (hacked). This can be classified as either "the fault of the hosting company" or "their unawareness". In the second scenario there is not much you can do: if you restore your website from a backup, it is going to be hacked again, because the entire server is rooted (the attacker has gained access to it). The best thing to do is "choose your host wisely" :) .
How to save your blog from hackers?
1. Add captchas to all input forms:
One of the most common ways to exploit a WordPress blog is the XSS (cross-site scripting) technique. In this technique, the attacker exploits input forms such as comments, searches and logins with malicious code to gain access to restricted information, i.e. your passwords, your cookies etc.
At the same time, another hacking technique, known as "brute forcing", basically means an attacker trying all possible dictionary words as your password with a tool, to check whether any of them works. Adding a captcha ensures that the tool's functionality will break, so the attacker will not be able to run through all the words to match your password.
2. Get a unique IP address (if affordable):
Trust me, neither you nor I am Bill Gates! So nobody is looking to hack your blog specifically. If your blog is hacked, it is part of a massive hacking attack. Most massive hacking attacks occur across an IP range of a web hosting server. Having a unique IP that stands apart improves your chances of not being one of hundreds of other websites getting hacked. Besides, a unique IP always adds to your SEO efforts.
3. Upgrade, but why?
This point is written everywhere to make sure you upgrade your WordPress to the latest version. But do you know why? Whenever a release is published, there is a "change log" attached to it. This change log describes the issues that were found in the last release and how they have been patched. By reading this file, even a newbie hacker can easily understand the flaws in the last version and how to exploit them. So if you haven't upgraded your version, you had better start looking for alternatives!
4. Add SSL to the wp-admin dir:
Do you know what exactly SSL does? Well, most of the time you are hacked because your computer is infected by a virus that constantly monitors everything you type on your keyboard (even your username and password) and sends it to the hacker. If you are using a webpage that is SSL enabled, no application can monitor this encrypted traffic, neither viruses nor anti-viruses. Using SSL, you ensure that your website will not get hacked even if your computer is infected. So enabling SSL on your wp-admin directory is a great idea.
Note -
Enabling SSL on wp-admin will work ONLY if you have a unique IP address.
5. Do not use "something@123", 12345, admin, or any other guessable password:
This is the MOST common mistake that I have noticed in the past year. Since it is globally accepted that you should use symbols and numbers in your password, almost everyone would just change their "password" to "password@123". Almost every brute-forcing tool nowadays uses a technique where it adds "@123" after every dictionary word. So when "they" say use symbols and numbers, use your head and make it complex!
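As an added example (not code from the original post), here is a Python password check written from the defender's side: it strips the decoration a dictionary-mangling tool bolts onto a word (the "@123" suffix, leading digits, leet spellings) before looking the core up in a wordlist, so "password@123" is rejected exactly as "password" would be. The tiny wordlist and the 12-character minimum are assumptions constructed for the example, not something the post specifies.

```python
import re
from typing import Optional

# Constructed stand-in for the dictionary a brute-forcing tool walks through.
# A real check would load a full wordlist file instead of this hard-coded set.
WORDLIST = {"password", "admin", "wordpress", "welcome", "letmein", "something", "blog"}

# Decoration that mangling rules bolt onto a word: "password@123", "Admin2010!", "123blog!".
TAIL_RE = re.compile(r"[@#$!._-]*\d{0,6}[!@#$]*$")
HEAD_RE = re.compile(r"^\d{0,6}")

# Common leet substitutions, undone before the lookup so "p@ssw0rd" is seen as "password".
UNLEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "$": "s"})

# Assumed policy minimum for passwords that are not dictionary-derived (not from the post).
MIN_LENGTH = 12


def base_word(password: str) -> str:
    """Strip leading digits, trailing decoration and leet spelling, returning the bare core."""
    core = password.strip().lower()
    core = TAIL_RE.sub("", core)
    core = HEAD_RE.sub("", core)
    return core.translate(UNLEET)


def guessability(password: str, wordlist=WORDLIST) -> Optional[str]:
    """Return why a password would fall to dictionary-plus-mangling guessing, or None if it passes."""
    lowered = password.strip().lower()
    if lowered.isdigit():
        return "all digits"
    if lowered in wordlist:
        return "dictionary word"
    core = base_word(password)
    if core in wordlist:
        return f"dictionary word {core!r} with decoration"
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    return None


if __name__ == "__main__":
    # Constructed samples: the post's own bad examples plus a passphrase that passes.
    for candidate in ["password@123", "something@123", "12345", "admin", "P@ssw0rd2010!", "correct horse battery staple"]:
        print(f"{candidate!r}: {guessability(candidate) or 'ok'}")
```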