Sneaky Tricks Hackers Use to Target WordPress

Security is on everyone's mind these days, but be careful where you get your information. Make sure you are getting expert advice before you proceed, or you could find yourself in trouble.

3 Sneaky Tricks Hackers Use to Target WordPress Sites

The open source nature of WordPress has one downside, and if you’re not careful it could ruin your online business. I know this because it happened to me. Just a few months ago, I had a hacker hijack a WordPress site that was consistently earning me several hundred dollars a month.

The hacker:

  • Blocked all logins from my IP address
  • Deleted 217 pages of content, including over 50 pages of premium membership content.
  • Posted 182 spam articles on my site, all of which were visible from the home page and which tanked my search engine rankings.
  • Changed the admin account to their email so that I could not update my password OR get back into the site


Brute-force authentication attacks are simple to mitigate at the server level: rate-limit or temporarily block addresses that repeatedly fail to log in, before the requests ever reach WordPress. If your host doesn't already provide some form of brute-force protection, talk to them about it or get a new host.
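As an added illustration of the server-side check described above (this is example code, not part of the original post or of any hosting product), the script below reads web-server access log lines and flags any address that fails a WordPress login more than a threshold number of times inside a sliding one-minute window. It relies on one WordPress behaviour: a failed login re-renders wp-login.php with HTTP 200, while a successful one answers with a 302 redirect. The log lines are constructed for the example and use documentation-range IP addresses; the threshold and window are assumptions you would tune for your own traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# Constructed sample in combined log format (addresses from the RFC 5737
# documentation ranges; this is not a real server's traffic).
# A failed WordPress login re-renders wp-login.php with HTTP 200; a successful
# one answers 302 to wp-admin, so status 200 on a POST is the failure signal.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3212 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3212 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3212 "-" "curl/8.0"
198.51.100.5 - - [10/Oct/2023:13:55:06 +0000] "GET /wp-login.php HTTP/1.1" 200 3212 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3212 "-" "curl/8.0"
198.51.100.5 - - [10/Oct/2023:13:55:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3212 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3212 "-" "curl/8.0"
192.0.2.9 - - [10/Oct/2023:13:55:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Oct/2023:13:55:14 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[Tuple[str, datetime, str, str, int]]:
    """Return (ip, timestamp, method, path, status), or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0]      # drop query string
    return m["ip"], ts, m["method"], path, int(m["status"])


def is_failed_login(method: str, path: str, status: int) -> bool:
    """A POST to wp-login.php that comes back 200 is a re-rendered login form, i.e. a failure."""
    return method == "POST" and path.endswith("/wp-login.php") and status == 200


def find_brute_forcers(log_text: str, threshold: int = 5,
                       window: timedelta = timedelta(minutes=1)) -> Dict[str, int]:
    """Map each offending IP to the largest number of failed logins it produced
    inside any single sliding window of the given length (assumed defaults: 5 per minute)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged: Dict[str, int] = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if not is_failed_login(method, path, status):
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, n in find_brute_forcers(SAMPLE_LOG).items():
        print(f"block {ip}: {n} failed logins within one minute")
```

On the sample, only 203.0.113.7 crosses the threshold; the single failure from 198.51.100.5 followed by a 302 is a user who mistyped once and then got in. A host would feed a feed like this into a firewall or fail2ban-style jail rather than into WordPress itself, which is the point of handling it at the server level.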

If an attacker can gain control of your site through a vulnerability in another site on the same server, your permissions are set up *very* wrong: each site should run as its own user, with no write access to the others' files. Get a new host.

MD5 and SHA are *hash* functions, not encryption methods. The purpose, function and operation of the two differ enormously; notably, hashes are not reversible, so a stored password hash cannot be "decrypted" back into the password. WordPress salts its password hashes (the password hasher generates a random salt for each hash it stores), which defeats precomputed tables. The keys and salts in wp-config.php are a separate matter: they are used to sign authentication cookies and nonces rather than passwords, and on this point it would be better to ensure users have set unique, random values for them.
@3 – You can't completely control username exposure on multisite, and even on regular WordPress some themes render the username in their output.
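To make the hash-versus-encryption distinction concrete, here is an added example (mine, not the original post's and not WordPress's own hashing code, which is written in PHP). It shows why a plain MD5 is a liability, how a per-hash random salt makes equal passwords produce different stored values, how verification works without ever reversing the hash, and, for the wp-config point, how to generate the eight secret constants WordPress expects. The PBKDF2 parameters, the storage format and the character set used for the constants are my assumptions; the constant names (AUTH_KEY, NONCE_SALT and so on) are the ones wp-config.php actually uses.

```python
import hashlib
import hmac
import os
import secrets
import string
from typing import Optional


def unsalted_md5(password: str) -> str:
    """What "MD5" usually means in a leaked table: deterministic, so equal passwords
    give equal digests and one precomputed table cracks every user at once."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = 600_000,
                  salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256; an assumed choice for the example).
    The salt is random per call and stored next to the digest; there is no key,
    so nothing here can ever be "decrypted" back into the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


# The constants wp-config.php defines for cookie and nonce signing. These are
# unrelated to password storage; the point is only that they must be unique
# and random per site rather than left at a placeholder value.
WP_SECRET_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
# Printable ASCII minus the quote and backslash, so the value drops straight
# into a single-quoted PHP string literal (an assumption of this example).
_CHARSET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                   if c not in "'\\")


def wp_config_salts(length: int = 64) -> str:
    """Return define() lines for all eight constants, each a fresh random value."""
    lines = []
    for name in WP_SECRET_NAMES:
        value = "".join(secrets.choice(_CHARSET) for _ in range(length))
        lines.append(f"define('{name}', '{value}');")
    return "\n".join(lines)


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("md5 (same every time):", unsalted_md5(pw) == unsalted_md5(pw))
    h1, h2 = hash_password(pw), hash_password(pw)
    print("salted (differs per hash):", h1 != h2, "| verifies:", verify_password(pw, h1))
    print(wp_config_salts())
```

Two salted hashes of the same password differ, yet both verify, because the salt travels with the digest. Contrast the unsalted MD5, which is identical for every user with that password. Paste the generated define() lines over the placeholders in wp-config.php; changing them later simply logs every user out, which is what you want after a compromise.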

@5 – Domain privacy offers NO protection whatsoever. It takes all of a few minutes to file a request with the registrar for the actual data, and in many cases they are obliged to provide it. Worse, most registrars that provide domain privacy (notably GoDaddy) do so at the cost of not effectively relaying contact attempts to the domain owner. This matters because an attacker can send (and they do) fraudulent DMCA takedown notices to the registered "private" domain email address, CC the registrar and web host, and since you never receive or respond to the message in a timely fashion, your host and/or registrar will disable the site. That is just as bad as getting hacked.

Even if domain privacy did hide your contact information, your site cannot operate without public DNS: the name servers and the records they serve are exactly how visitors (and attackers) learn the server's IP address, which is what your point here is really about. Short of putting the domain behind a proxy, there is no way to prevent direct access to your content.

@6 – If you aren't familiar with managing WordPress, you probably shouldn't be responsible for an entire server, or for all the other services and applications you would need to maintain on it, either. It would be better to look into a "managed" provider.

@8 – While updating plugins and themes is important, blindly installing updates is not good either. Several times in the past, updated plugins or themes have shipped with exploits or security regressions (si-captcha, addthis, w3tc and wptouch, for example). If you're a security-minded coder, review the code before you install updates. If you're not, you should probably find someone who can help keep an eye out for you.

@9 – The implication here is that because a theme or plugin is "paid", it will be of higher quality. Sadly, that's not the case. WPMU.org had an article on this very topic only last year.

While you've included some good advice here too, I'm afraid you're mixing in too much myth and misunderstanding for it to be, on balance, good for the typical user.


Ron Paul’s position on marriage

Esther Horner Roorda has a good defense for the marriage issue:

“While it’s true that RP doesn’t support a constitutional amendment defining marriage, Ron Paul does defend traditional marriage (he defends the Defense of Marriage Act for example) in the same way that he defends a pro-life stance. But as with the abortion issue, it is his approach that is different, not his resolve.


His approach is to recognize that the more we empower the federal government to weigh in on this issue, the more likely it is that they will impose a definition of marriage on everybody that we Christians cannot accept. Marriage is defined by God.

The federalists underestimated the nature of power. Patrick Henry and others were correct when they opposed them; and when they predicted this vast federal intrusion on all sorts of issues. Localized power is always a more transformative power, since it has the greater capacity to change the mind of the people.

Local churches and institutions can carry greater influence on local governments. Dr. Paul's point is similar to his point about life: this is not about allowing states to act as they please, but rather allowing states to reclaim their rights to outlaw abortion and same-sex marriage. Granted that not all states would do so, but a vast majority would, in my estimation. A Paul presidency would embolden states like South Carolina to act morally and biblically correctly. Never forget that the mind must be changed before the law can be changed.

Also, it's worth noting that seven years ago Ron Paul introduced a Marriage Protection Act that would have greatly reduced the courts' power over the marriage issue and possibly spared many states from judicial activism on this issue. But because some people wanted a constitutional amendment or nothing, we got nothing. Constitutional amendments are VERY hard to pass, and with the current sexually permissive attitudes in the US it is unlikely a constitutional marriage amendment would ever become law.

I personally think it’s better to fight on the fronts where we actually have a chance of winning, which would be at the state level. Personally, I think the National Organization for Marriage organization has slandered Ron Paul. I will charitably hope it was done out of ignorance or misunderstanding rather than malice.”

David A Read adds:

“Government is always a two edged sword. If we give it the power to legislate what is right, it will then have the power to also legislate what is wrong. I fear that a majority of “evangelical Christians” entirely miss this point. They wish to usher in God’s righteousness through the legislature, though they should really be aware that such has NEVER happened in all of history, and is certainly not going to start happening now. A weak central government is the best condition for good to be advanced in the world.”


Hiding in Plain Site


Don’t you just love it when Liberals try to create the change they want to see, anonymously, instead of being upfront about who they are and what they hope to achieve? Why the cloak and dagger routine?

I received a piece of spam email, which normally I would ignore and simply delete, but the sender was "Center for a New American Dream." Sounds like something Obama would support, doesn't it? Maybe it's a play on Martin Luther King Jr.'s "I have a dream" speech? The email began,

If you are like us, you may find yourself strung out at times. Long work hours, money pressures, not enough time for loved ones, lost connection to the outdoors – is this the American Dream? Maybe it’s time for a “new dream,” one with a better work/life balance and more value on nature and sustainable living.

I think most of us have already made drastic changes in our lifestyle, we are now living the “new lifestyle” the Democrats and Republicans want us to get used to, while they continue to spend our tax dollars like a drunken sailor on leave.

Instead of using one of the prepared links in the email, I typed the URL into my browser, then looked up newdream.org in Whois. When that search failed to bring up a named individual, you know, the one paying for the website, I searched Google for the telephone number listed, which brought me to Nicole Berckes. Using another browser window, I searched on Nicole's name, and guess what I discovered? Nicole M. Berckes actually works for Senator Bill Nelson, a Florida Democrat.

Of course, the address listed on the website isn't in Florida. The address "455 Second Street SE, Suite 101, Charlottesville, VA 22902" actually belongs to BitsBuilder, "a tiny software consultancy headquartered in Charlottesville, VA.," according to their website.

What is Senator Nelson trying to hide? How did they get my email address? Why the cloak and dagger routine?
