One of the more obscure things Venture Skills does is forensic reinclusion or reconsideration requests: this is when a site has been removed from Google and the other search engine indices and we are asked to help determine why and fix the problems. The usual reasons are:
- Bad SEO work – hidden text etc.
- Other penalty related – a growing issue
- Hacked site
Now in 2007 the rough breakdown was 80% bad SEO work, with the remaining 20% being some sort of security compromise. In 2008 these figures have changed dramatically, with bad SEO work accounting for less than 30%, other penalties (normally paid links) accounting for another 15%, and the rest being hacked sites.
Disclaimer – This post is not designed to frighten, merely to inform. I am not saying plugin x or y is insecure, but it potentially could be. Remember, security is something you have to deal with; you cannot put your head in the sand!
Another Disclaimer – A hacker is not someone who breaks into systems; however, for the sake of simplicity I will use the term as such. Shoot me later.
Who is coming to see us?
Most of our clients have several things in common: they are normally running WordPress, and the first indication that they have been hacked is either a sudden loss in rankings or the StopBadware warning appearing against their name in the search results.
Now WordPress is not inherently insecure, but with popularity comes greater risk: as more sites run WordPress, it provides a greater opportunity and scope for any potential attack. WordPress's simplicity, and its scalability through plugins, make it very popular with all sorts of people, so it should be no surprise that the majority of hacked sites coming through our doors are WordPress.
Google does normally give warnings and notices of problems via Google Webmaster Tools, but to be fair, how many people log in to their account every day? Well, you are the exception to the rule; most people do not!
How do these attacks happen?
WordPress, like any modern CMS, is complicated code which is bound to have bugs and holes that can be exploited. Normally the exploitation is quite minor; very rarely is a hole big enough to give an attacker your admin account or the underlying system. Normally the aim is to add links or files to the server (with files, the goal is usually to execute them remotely). It is normally the links inserted into your pages that get you thrown out of Google's index.
The official line from Automattic (the people who write WordPress) is that these hacks occur because people fail to upgrade, and there may be some truth in that: most WordPress upgrades include security and bug fixes. Of course there are many reasons not to upgrade, from training to compatibility issues.
What can we do to stop a visit to Tim?
So what I want to do is really open people's eyes and stop them visiting me, by not having had their sites compromised. We are never going to stop it entirely, but we can take steps to prevent it. But first I would like to tell you two stories:
One day an IT technician upgraded their software to the latest version. He did it late on a Friday night; the whole upgrade took 5 minutes and went smoothly, and the technician went to the pub. On Monday morning he logged into the support ticket system and found literally hundreds of tickets. He was confused: what went wrong? The upgrade went fine... except for the fact that no one was told of the upgrade, no training was given for the new interface, and several plugins no longer worked. The next Friday he is standing looking at the job board outside the Job Centre.
No IT technician would ever upgrade software without testing it first, checking it was compatible and organising training for users; if they did, they wouldn't be surprised to be out of work. Most software companies understand that you can't simply upgrade software, and so provide two streams of updates: feature updates which affect users, and security patches which allow technicians to secure their software without affecting their users. Big open source projects that are geared towards businesses, like Drupal, also follow this pattern, providing updates but also making sure bug and security patches are available for previous releases.
Automattic could and should take this on board; WordPress is not suitable for business until it recognises that businesses cannot just upgrade software. Users, on the other hand, cannot blindly upgrade: just look at what happened to Shaun and many others who upgraded to WordPress 2.5 recently and found themselves in real trouble because of an incompatible plugin. WordPress 2.5 was a major change for WordPress, but it also included important security updates, so WordPress users are now caught between a rock and a hard place: deal with the changes and upgrade, or pray they don't fall victim to the holes that had been patched.
My second tale is one designed to remind you that not all that glitters is gold.
Disclaimer – I am sure wp-scanner is highly secure, and this is not meant to dissuade people from using it, but it is the obvious plugin to highlight!
One of my previous places of employment had a very secure network, but one day it came under a very intense denial of service attack. The security technician was scratching his head: the target of the attack shouldn't have been easy to find externally, and the network had more obvious targets. Eventually the problem was tracked down. One member of the IT staff had downloaded a piece of software to help find a route through the firewalls for P2P software; the software called an external scanner, and the combined information was being sent (unknown to the member of staff) to a third party and was used to attempt to breach the network.
WordPress is an amazingly powerful piece of software; it has a nice API allowing plugin developers to extend it. But this system can easily be abused: how hard would it be for me to add a simple function that, when called, created a user called backdoor? More importantly, when plugins are calling home, do you know what they are sending? Take wp-scanner: imagine if it in fact made 7 security tests, not 6?
But Tim, how do I secure my WordPress install?
On the whole, keeping your WordPress install up to date is a good idea; however, it is always good to have a test blog, and to always test upgrades and plugins on your test site first. Don't rely on other people to do your testing!
Having a mirror of your current blog is very useful: it not only allows you to test upgrades but also provides a safe backup should the worst occur.
Even if only one person writes on the blog, have two accounts: an account with the user role of author, which you use day to day for writing posts (this is normally user #2), and a full administrator account which is used only for administration (normally user #1). You can also change the default administrator username from admin. This can be done with phpMyAdmin or similar: the table you are looking for is wp_users, where wp_ is the table prefix you selected at install, and the username is held in the user_login column. Change the first user's user_login from admin to something else.
Enforce Password Strength
The new WordPress 2.5 does have a password strength meter, but it is education that is really needed, to explain why complex passwords are required: a complex password is more than 6 characters long and mixes letters, numbers and symbols. Df%34g8b is a secure password; iamgod is not!
Security by obscurity
Not something people should rely on, but did you know most WordPress blogs announce not only that they run WordPress but also which version? It's a bit like having a sign on the front of your house saying the safe inside is a "sidebox 724 9 button version".
You can remove the version number by editing your theme template (pre 2.5) or by using the Replace Version plugin (2.5 onwards). The version is printed in the generator meta tag that WordPress adds to the page head, so view the source of your home page afterwards to confirm it has actually gone.
Secure your admin area
If you have SSL, shared or dedicated, make use of it by securing your admin login area. Given that only a few users access the admin area, look at locking it down to a small group of IPs with Admin Protect.
Do not do MySQL or WordPress backups, name them backup.sql and leave them in the root folder. You laugh, but this is quite the norm. Backups should always be outside the public_html folder; indeed, backups are really only useful if they are kept out of the danger area, so look to keep them in a secure third place away from your server.
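As an added example of the backup advice above (my code, not from the original post or from WordPress), here is a small POSIX shell function that writes a timestamped tarball of the site files, and optionally a mysqldump, to a directory that it refuses to create inside the web root, with the files readable only by their owner. The paths in the usage line, the backup host in the comment and the use of ~/.my.cnf for database credentials are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post.
# wp_backup WP_ROOT BACKUP_DIR [DB_NAME]
#   Writes a timestamped tarball of the site files to BACKUP_DIR and, when a
#   database name is given and mysqldump is installed, a SQL dump beside it.
#   BACKUP_DIR must be outside the web root: a backup.sql left in public_html
#   is just a copy of your database that anyone can download.
#   Backup files are created with mode 600 (owner-readable only).
wp_backup() {
    root=$1
    dest=$2
    db=$3

    mkdir -p "$dest" || return 1
    root_abs=$(cd "$root" && pwd -P) || return 1
    dest_abs=$(cd "$dest" && pwd -P) || return 1
    case "$dest_abs" in
        "$root_abs"|"$root_abs"/*)
            echo "wp_backup: refusing to write backups inside the web root ($root_abs)" >&2
            rmdir "$dest" 2>/dev/null   # only removes the directory if we just created it empty
            return 1 ;;
    esac

    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    site="$dest_abs/site-$stamp.tar.gz"
    (
        umask 077   # everything created in this subshell is mode 600
        tar -czf "$site" -C "$(dirname "$root_abs")" "$(basename "$root_abs")" || exit 1
        if [ -n "$db" ] && command -v mysqldump >/dev/null 2>&1; then
            # Assumes credentials live in ~/.my.cnf rather than on the command
            # line, where a password would show up in ps and shell history.
            mysqldump --single-transaction "$db" > "$dest_abs/db-$stamp.sql" || exit 1
        fi
    ) || return 1
    # Copy to a second machine as well; a backup that only lives on the hacked
    # server is not a backup. For example (assumed host, not run here):
    #   scp "$site" backup-host:/srv/wp-backups/
    echo "$site"
}

# Usage with assumed paths:
#   wp_backup /home/you/public_html /home/you/wp-backups wordpress
if [ "$#" -ge 2 ]; then
    wp_backup "$@"
fi
```

The web-root check compares resolved absolute paths, so a backup directory reached through a symlink into public_html is refused too.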
Look at plugin code before executing it, and read the readme files, particularly if they involve changing file permissions. Make sure your wp-admin, wp-content and nearly all of the wp-includes file permissions are set so that only the owning user can write, not the group (or everyone). This will mean you will not be able to edit the theme via the admin area, but this is not a huge loss; however, you may wish to make wp-content/uploads writable if you often upload images for posts.
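To make the permission advice concrete, here is an added shell example (mine, not from the post or from WordPress) that strips group and world write from a WordPress tree, keeps wp-content/uploads group-writable for a web server that runs as a member of the owner's group (an assumption; drop that line if the server runs as the file owner), tightens wp-config.php because it holds the database password, and then counts what is still group- or world-writable so you can verify the result.

```shell
#!/bin/sh
# Added example, not part of the original post.
# harden_wp_perms WP_ROOT [UPLOAD_DIR]
#   Directories -> 755 and files -> 644, so only the owning user can write
#   (group and world lose write). wp-config.php -> 640 because it contains the
#   database password. UPLOAD_DIR (default wp-content/uploads) -> 775 so a web
#   server running as a member of the owner's group can still save images;
#   remove that line if the server runs as the file owner (assumption).
harden_wp_perms() {
    root=$1
    uploads=${2:-$root/wp-content/uploads}
    find "$root" -type d -exec chmod 755 {} + || return 1
    find "$root" -type f -exec chmod 644 {} + || return 1
    [ -f "$root/wp-config.php" ] && chmod 640 "$root/wp-config.php"
    [ -d "$uploads" ] && chmod 775 "$uploads"
    return 0
}

# count_group_world_writable DIR
#   Number of entries under DIR still writable by group or others. After
#   hardening this should be 0, or 1 if you kept the uploads directory at 775.
count_group_world_writable() {
    find "$1" \( -perm -020 -o -perm -002 \) -print | wc -l | tr -d ' '
}

# list_group_world_writable DIR
#   The actual offending paths, for a quick look after a plugin's readme
#   told you to "chmod 777" something.
list_group_world_writable() {
    find "$1" \( -perm -020 -o -perm -002 \) -print
}

# Usage with an assumed path: sh harden.sh /home/you/public_html
if [ -n "$1" ]; then
    harden_wp_perms "$1"
    echo "still group/world writable:"
    list_group_world_writable "$1"
fi
```

Run the count again after every plugin install: a plugin that quietly needs a writable directory will show up here rather than in a surprise later.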
And if it's too late!
If the worst case happens and something goes wrong, you have two choices: call in the experts (sorry, shameless plug) or DIY recovery. Presuming you want to go the DIY route, here is a quick checklist:
- Take your site down: don't delete files, simply modify your .htaccess to redirect to an error page.
- Take a copy of your entire system as it is; don't delete or modify anything.
- Repeat for the MySQL database.
- Use your backup with something like WinMerge to locate the physical files that have been changed, added or deleted.
- Delete the files.
- Change the passwords on all parts of the site.
- Use the backup to redeploy the site; take your posts from your original database unless your backup is very new. It may seem harsh, but losing comments is not as problematic as losing posts, and indeed comments have to be treated as suspicious.
- Patch your system: if a patch or upgrade is available, apply it before uploading, and take any steps you failed to take to harden the system.
- Change all passwords again.
- Leave it a day and, if no issues have occurred, apply to Google via Webmaster Tools for reconsideration and tell them it was a hack.
OK, this is a simplified list. What you shouldn't do is leave the files up on the server and just upgrade to the latest version in a blind panic. Until you have identified how the hack occurred you have no way of knowing the implications; just because you can see a pile of links in your code doesn't mean that's all it did.
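The "compare with your backup" step of the checklist, as an added shell example that is mine and not from the original post: it walks the trusted backup tree and the copy taken from the hacked server, lists every added, modified and deleted file, and then greps the added or modified PHP files for constructs typical of injected backdoors. The pattern list is a rule of thumb I have assumed, not proof either way, and the paths in the usage comment are assumptions. The sample run in the test constructs a modified index.php carrying only a hidden link and a dropped PHP file carrying an eval; only the latter is flagged, which is the point of the last paragraph above.

```shell
#!/bin/sh
# Added example, not part of the original post.
# find_changed_files BACKUP_DIR LIVE_DIR
#   Compares the trusted backup tree with the copy taken from the hacked
#   server and prints one line per difference:
#     ADDED ./path      exists only on the live copy (dropped shells, new plugins)
#     MODIFIED ./path   contents differ (injected links, patched core files)
#     DELETED ./path    exists only in the backup
#   Paths are relative to the two roots, so the trees can live anywhere.
find_changed_files() {
    backup=$1
    live=$2
    (cd "$live" && find . -type f | sort) | while IFS= read -r f; do
        if [ ! -f "$backup/$f" ]; then
            echo "ADDED $f"
        elif ! cmp -s "$backup/$f" "$live/$f"; then
            echo "MODIFIED $f"
        fi
    done
    (cd "$backup" && find . -type f | sort) | while IFS= read -r f; do
        [ -f "$live/$f" ] || echo "DELETED $f"
    done
}

# flag_suspicious_php LIVE_DIR   (reads find_changed_files output on stdin)
#   For every ADDED or MODIFIED .php file, prints "SUSPICIOUS ./path" when it
#   contains constructs common in injected PHP backdoors. The pattern list is
#   an assumed rule of thumb: a match needs a human look, and no match does
#   not make the file clean. Every changed file still needs reviewing.
flag_suspicious_php() {
    live=$1
    while read -r kind f; do
        [ "$kind" = "DELETED" ] && continue
        case "$f" in *.php) ;; *) continue ;; esac
        if grep -qE 'eval *\(|base64_decode *\(|gzinflate *\(|str_rot13 *\(|preg_replace *\(.*/e' "$live/$f"; then
            echo "SUSPICIOUS $f"
        fi
    done
}

# Usage with assumed paths:
#   sh triage.sh ~/wp-backups/site ~/hacked-copy/public_html
if [ "$#" -eq 2 ]; then
    changes=$(find_changed_files "$1" "$2")
    echo "$changes"
    echo "$changes" | flag_suspicious_php "$2"
fi
```

Run it against the copy you took in step two, never against the live server, and keep the change list: it is what tells you whether the attacker only added links or also left themselves a way back in.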
Is WordPress suitable for SEOs and Internet marketers?
This blog uses WordPress and I really like WordPress, but I do not recommend it to my commercial clients: we simply do not think it is compatible with modern IT practice, and until the development team leave the "Update or Die" philosophy behind it will stay inappropriate and will lose out to mature systems such as Drupal. Drupal is not any more secure (indeed there are more security bulletins for it than for WordPress), but it has a patch and upgrade path which provides support for earlier versions in the form of security patches. I will leave you with one final question/anecdote:
If Microsoft announced, on the launch day of Vista, that they were not going to supply security patches for XP because Vista was better, how would people react? What about the idea that security patches would not be compatible with XP SP2 the day after a new service pack was released?
Is WordPress a mission critical system in your organisation? How do you cope with upgrading?