A worm is making its way around WordPress installations: it sweeps across millions of sites and hits whatever it finds vulnerable. Vulnerable are all versions of WordPress prior to 2.8.4, which is the most recent release.
If you are following the security rules to keep your WordPress secure, you are safe. If you are not following the best practices, you are at high risk!
Scobleizer hit; lessons to be learned
One of the high-profile writers affected by the worm is Robert Scoble. The consequence of the attack is that Scoble has lost part of his archives, and Google has removed his site from its index, which means that Robert is losing the thousands of visitors that Google sent him daily.
Robert now says that he doesn’t feel safe with WordPress, but if you look more closely at the case, you can see what went wrong:
- Scoble didn’t have a backup of his archives.
- Scoble didn’t upgrade to the latest WordPress version.
- Scoble used the default “admin” username.
Backing up is so easy
Activate the WordPress Database Backup plugin and set it to back up your site automatically and send the backup file to your email address. It is two minutes’ work to install it, activate it and set it so it sends you a new email with a fresh backup automatically every day, every week or whenever you decide.
Upgrading is just as simple
Upgrading your self-hosted WordPress is just as simple as backing up your archives. When a new upgrade is available, WordPress shows a notice at the top of your dashboard. It will say “WordPress 2.8.4 is available! Please update now”. Click on it and your upgrade is a single click away.
If you are afraid to upgrade because of some old WordPress theme you are using, or some old plugin that you think is not compatible with the new WordPress, then please switch over to something more modern that you know has a serious developer and community behind it. Thesis Theme, for example, released a WordPress 2.8 compatible theme design on the day of the WordPress release.
Creating a new admin username
It is harder for a hacker to break into your site when both the username and the password have to be guessed. That is why you should create a new user and delete the WordPress default “admin”. You create a user by going into “Users” and then “Add New”. When creating the new user, make sure to give it the “Administrator” role.
Simply log out from your default “admin” account and log in with the new user details. In “Users” you can now delete the default “admin” username. WordPress even gives you the option to transfer the posts you wrote as “admin” to your new username.
How do I know if my blog got hacked?
According to Lorelle, there are two ways you can tell whether your WordPress has been attacked:
The first clue is strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords to look for are “eval” and “base64_decode”.
The second clue is that a “back door” was created in the form of a “hidden” Administrator account. Check your site’s users for “Administrator (2)” or any name you do not recognise.
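A small script that automates both checks, added here as an example and not part of the original post or of WordPress itself: it URL-decodes post slugs (as you would export them from the wp_posts table) and flags any carrying the eval/base64_decode signature, and it lists Administrator accounts that are not on the list of admins you recognise. The slugs, user list and the wp_posts/wp_users column names are constructed assumptions for the demonstration.

```python
import re
from urllib.parse import unquote

# Signature of the injected permalink payload: "eval(" together with "base64_decode".
PAYLOAD_RE = re.compile(r"eval\s*\(|base64_decode", re.IGNORECASE)


def decode_slug(slug: str) -> str:
    """URL-decode a slug repeatedly, since %7B, %5B etc. may be encoded more than once."""
    for _ in range(3):
        decoded = unquote(slug)
        if decoded == slug:
            break
        slug = decoded
    return slug


def slug_is_suspicious(slug: str) -> bool:
    """True when the decoded slug contains the eval/base64_decode signature."""
    return PAYLOAD_RE.search(decode_slug(slug)) is not None


def find_unexpected_admins(users, known_admins):
    """Return account names that hold the Administrator role but are not ones you recognise."""
    known = {name.lower() for name in known_admins}
    return sorted(u["name"] for u in users
                  if u["role"] == "administrator" and u["name"].lower() not in known)


def scan(slugs, users, known_admins):
    """Run both checks and return the findings as one dictionary."""
    return {
        "suspicious_slugs": [s for s in slugs if slug_is_suspicious(s)],
        "unexpected_admins": find_unexpected_admins(users, known_admins),
    }


# Constructed sample data (not real site data): slugs as exported from wp_posts.post_name,
# and user display names from wp_users together with their role.
SAMPLE_SLUGS = [
    "hello-world",
    "my-summer-holiday",
    "post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/",
]
SAMPLE_USERS = [
    {"name": "robert", "role": "administrator"},
    {"name": "editor-jane", "role": "editor"},
    {"name": "Administrator (2)", "role": "administrator"},
]

if __name__ == "__main__":
    for key, hits in scan(SAMPLE_SLUGS, SAMPLE_USERS, known_admins=["robert"]).items():
        print(f"{key}: {hits or 'none'}")
```

Run it against a real export by replacing the two sample lists with the rows from your own database; a hit in either list is a reason to restore from backup and upgrade before anything else.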
Best practices to keep your site safe
Ten minutes of simple work and you can feel much safer, knowing that your site is less likely to be affected by any security risk. The “trouble” of making your site safe is worth it: it is far less than the real trouble of fixing a hacked WordPress. It can take weeks or months before you get back to the level you were at before the security breach.