53 replies
I use wordpress on a lot of sites and it is nice in a lot of ways. However, wordpress is highly vulnerable to hacker attacks. Unless some measures are taken, Wordpress sucks when it comes to security. Here are some links on how to secure wordpress blogs:

WordPress › Secure WordPress WordPress Plugins
11 Ways To Secure Your WordPress Blog - Make Tech Easier
Hardening WordPress WordPress Codex
9 easy ways to secure your WordPress blog – Simple Help
#sucks #wordpress #wordpress sucks
  • Profile picture of the author Vogin
    I seriously doubt that hackers don't have better things to do than hacking a weight loss affiliate blog...
  • Profile picture of the author Leslie B
    If that weight loss affiliate blog is making money, you might be at risk. I mean, changing your affiliate link to theirs is just a small task once they are inside your blog.

    Making sure that you install WordPress correctly from the start will get you ahead of the security issues regular WordPress installations have.

    Leslie
  • Profile picture of the author taylorwinfield4
    I am always paranoid about this type of thing happening to my blogs, however I'm not sure if realistically people do try and hack WordPress blogs. Has anyone had any experience of theirs being hacked/tried to be hacked?
    • Profile picture of the author thunderbird
      Originally Posted by taylorwinfield4

      I am always paranoid about this type of thing happening to my blogs, however I'm not sure if realistically people do try and hack WordPress blogs. Has anyone had any experience of theirs being hacked/tried to be hacked?
      Yes. That is why I started this thread. Wordpress 3.0.1 has its unique holes too -- beware.

      (I might just post a comment at www.ma.tt too)
      • Profile picture of the author ChrisCree
        Originally Posted by thunderbird

        Wordpress 3.1 has its unique holes too -- beware.
        The current release version is only 3.0.1. WordPress 3.1 hasn't been released yet.

        Seriously though, if you do know of any real security problems with the software, please email security [at] wordpress [dot] org with detailed info. I know several of the WP core developers and assure you they will address any real problems right away.

        Or you can submit a ticket to the WordPress trac. But email is best for security issues.
        • Profile picture of the author thunderbird
          Originally Posted by ChrisCree

          The current release version is only 3.0.1. WordPress 3.1 hasn't been released yet.
          Corrected. Thanks.

          Seriously though, if you do know of any real security problems with the software, please email security [at] wordpress [dot] org with detailed info. I know several of the WP core developers and assure you they will address any real problems right away.

          Or you can submit a ticket to the WordPress trac. But email is best for security issues.
          Done. I like wordpress, but it is not secure out of the box.
          • Profile picture of the author ChrisCree
            Originally Posted by thunderbird

            Done. I like wordpress, but it is not secure out of the box.
            That's one of the (many) things I like about WordPress. The community is generally very helpful and their developers tend to be responsive, especially when security issues are discovered.
    • Profile picture of the author skoh
      This is so funny and predictable: a so-called hacker nowadays could download a tool (script kiddie) and do this out of his parents' basement, literally on auto-pilot. I was going to get my Certified Ethical Hacker certification, to understand these attacks better. Instead I got Cisco certified and still haven't found a job, so I turned to IM. Lol
      • Profile picture of the author MISsupport
        Of course, not updating a WP is a security hole by itself. I was hacked by a SQL injection a few years ago on a secondary blog. The site was not up to date, I admit it, thus my own fault. I also had a MySQL database corrupted on my main blog a month later.

        Another time, it was the MySQL server that was the problem, thus all my blogs were having problems. In all cases, I lost money and .... time. I was lucky because those first 2 were used more often than my other sites, thus I found it out a few days after.

        Since I'm doing IM with 100s of sites, I did not want to have to update them (plugins too) one by one and lose more time doing that. I also did not like the above problems. I wanted to do a set-and-forget type of niche blogs/sites, thus created my own software to generate SEO optimized niche blogs (theme based) that could be used for blogs (no comments by default, thus almost no spam, but they use the contact form) and no backend (another type of security hole to take care of).

        Now, for the space of 1 WP blog, I can have 35-50 niche sites instead. Yes, those are static generated niche sites that I have to upload (fast anyway since small). For me, it pays the bills and lessens the load on my reseller account.

        To be fair, using my software or any WP plugins, if a company like eBay (EPN) for example does change things on us, we still have to update our sites. That's part of our business.

        No solution is 100% perfect and it's up to us to find the one that best fits our own needs. Me, I created one for my IM needs. Btw, I still have a few WP blogs but am considering converting them later on. But I will have to add some features in my software like handling comments first. :p For now, I'm mostly adding IM related stuff I needed for the next update.
        • Profile picture of the author ChrisCree
          Originally Posted by MISsupport

          Since I'm doing IM with 100s of sites, I did not want to have to update them(plugins too) one by one and lost more time doing that.
          Heya Steve! It's good that you have the tech skills to program your own platform.

          For those who don't want to do that but still want to simplify things, the WordPress multi-site option may be a good way to go. You can have hundreds of different websites all running from one WordPress install. With domain mapping they will appear in the search engines as completely separate websites.

          Then you just have to keep one WordPress installation and set of plugins up to date. It makes maintaining several websites much easier.

          There is one caution, though. Multi-site is a little more complicated to set up initially and has some special server requirements that may not be available on all shared hosting accounts.

          But if your IM strategy involves setting up lots of websites it could be worth the extra effort on the front end to save you time and effort as your business grows.
          • Profile picture of the author MISsupport
            Originally Posted by ChrisCree

            Heya Steve! It's good that you have the tech skills to program your own platform.
            I don't call it a platform but an alternative to using a platform like WP for us IMers doing the 100s sites model.

            My software (see sig) is Windows based, thus instead of entering your posts on the hosting server like we do with WP, you enter your post/page details, select a template or a modified one and upload the generated site (changed files) to your host.

            At first, I used it to replace WP on my secondary blogs where I had turned off the comments in WP and only posted a few times a year. It's later that I saw the real potential for IMers doing the 100s model like me.

            A 5-6 page niche blog will take 100-200KB depending on the graphics. Using WP, I took 4000KB and I had no content. Plus, I still needed to add a few basic plugins and create Contact, Privacy and About pages to be Google friendly. Those are there by default in MSB/themes. MSB also generates an XML map and RSS feed by default.

            The guy who did my included templates for MSB is an SEO specialist. But I still needed to know basic HTML/CSS (took basic courses to help me) to be able to modify those MSB themes for my own needs (niches). I also took the feedback from my users to make it more IM friendly and versatile by adding [tags].

            Sure, I would like for web designers to start doing SEO themes for MSB that have no footprint. That would be great for my MSB users(IM) and a new vertical market selling MSB themes for niches(mostly with beautiful graphics/banners :p ).

            But I agree that if a person has only a few WP blogs, then it's easy to maintain or use WP MU like you mentioned. But at the end of the day, they still need to know very basic SEO/HTML/CSS/FTP to do this IM business.
            • Profile picture of the author ChrisCree
              Originally Posted by MISsupport

              A 5-6 pages niche blog will take 100-200KB depending of the graphics. Using WP, I took 4000KB and I had no content.
              I hear you about being able to create a basic website with a smaller disk space footprint than with WordPress. You would see huge economies of scale with the multi-site version though because it is just one set of core WP files, plugins and themes that can be used by all the sites on the install. It also just uses one MySQL database too.

              I'm not saying you should switch by any means. You've obviously put a ton of work into creating something that does the job you need to get done. And that's awesome!

              Perhaps if you'd gotten started with the old WordPress MU (now merged into the core code base as multi-site) you wouldn't have had to go through all that work to create your own system. But that's neither here nor there at this point.

              Originally Posted by MISsupport

              But I agree that if a person has only a few WP blogs, then it's easy to maintain or use WP MU like you mentioned.
              Really, the more WP sites someone is doing, the better the Multi-site option is. There are WordPress multi-site installs with hundreds of thousands of sites on them. WordPress.com, the biggest multi-site install, has over 11 million sites at last count.

              So hundreds of sites is a piece of cake.

              Oh, here's an interesting tid-bit. Matt Mullenweg said at WordCamp Savannah last month that about 1/3 of all WordPress sites running on WordPress.org (i.e. excluding WordPress.com) are running on multi-site installations.

              Originally Posted by MISsupport

              My software(see sig) is Windows based
              That counts me out then 'cause we're a Mac only shop. :p

              But seriously, I'm not here to say WP is better than your product or anything like that.

              But there are some folks here on this forum that might not know the Multi-site option exists and could make maintaining their numerous WP sites much easier.
              • Profile picture of the author MISsupport
                Originally Posted by ChrisCree

                That counts me out then 'cause we're a Mac only shop. :p
                It goes to the virus related comment above. You create a product where there is a potential of most clients, and since IM is small, it was my choice. But you can dual-boot nowadays with a Mac.

                Originally Posted by ChrisCree

                But there are some folks here on this forum that might not know the Multi-site option exists and could make maintaining their numerous WP sites much easier.
                But if your database gets corrupted, it's not only one site affected but your entire network.

                Also, when the MySQL server was down, my IM friends lost money because all their WP sites were down. Those that also had MSB sites in their network too, then those were okay. I know, it's not everyday but when it happens and you have money on the line or should I say "online", it can cost you a lot.

                Is my solution good for all IMers? No, even if I would like that :p. But you have to gauge the risk/return of doing things that you feel comfortable with. Heck, I started my first site with Frontpage way back and my first blog with WP. They are still working because I did not have time to update them.

                My main blog is still using WP, so I don't hate it, because MSB doesn't handle the comments like WP does. The comment is emailed to me from the post so I can filter it, thus cutting spam comments. Yes, I can convert WP to MSB but not the comment part at this time, because I need to find a way to handle them more easily for me and the blogger. You could not autoblog with MSB, so it has its faults too (static site).

                Like you said, I invested more on this project with more to come in the next update.

                Btw, you could create a thread about WP multi site with the good ... and the bad for IMers since you are using it. It could help others that are at the turning point of having a lot of sites(updates, hack, plugins...) to deal with. Your point of view from an IM angle could be interesting for them.
                • Profile picture of the author ChrisCree
                  Originally Posted by MISsupport

                  You create a product where there is a potential of most clients and since IM is small, it's was my choice
                  I totally get that. Would probably do the same thing if I were to build a desktop app. Unless it was targeting creative types, I guess. They tend to be more heavily Mac oriented.

                  Originally Posted by MISsupport

                  Btw, you could create a thread about WP multi site with the good ... and the bad for IMers since you are using it. It could help others that are at the turning point of having a lot of sites(updates, hack, plugins...) to deal with. Your point of view from an IM angle could be interesting for them.

                  That's a very good idea. I'll do that. Thanks! Gotta get my newsletter out first though. And then there's the holiday cook out this afternoon. Mmmm...

                  So it might be a day or so before I get to it.
                • Profile picture of the author Istvan Horvath
                  Originally Posted by MISsupport

                  Btw, you could create a thread about WP multi site with the good ... and the bad for IMers
                  <self-promotion> It is there in my free wso...</self-promotion>
                  • Profile picture of the author ChrisCree
                    Originally Posted by Istvan Horvath

                    <self-promotion> It is there in my free wso...</self-promotion>
                    Just read through your free report on the new features in WordPress 3.0 this morning. You covered the important ones for everyone. It's obvious to me you know your WordPress.

                    Anyone interested in tapping into the greater power that WordPress now has to offer should check out Istvan's free report!
  • Profile picture of the author ChrisCree
    Originally Posted by thunderbird

    However, wordpress is highly vulnerable to hacker attacks. Unless some measures are taken, Wordpress sucks when it comes to security.
    I've been working with WordPress for about 5 years, full time for over half that time and I'm here to tell you WordPress is not inherently vulnerable to hackers.

    I have recovered many hacked WordPress sites (it is part of my company's service offering) and, with the exception of one time that I can remember, the cause of the sites being exposed to hackers has invariably been a failure to keep the software up to date. Older versions of WordPress are vulnerable, sure. Plugging known security holes is one of the many things the WordPress folks do with each new release.

    The only case of a hacked WP site I can recall that my company has seen first hand was due to a ridiculously easy-to-guess password. And that was on the client's hosting account, not on their WordPress install.

    Seriously, when you find someone with a hacked site ask them, "Do you keep your install up to date?" If you press them (and they're honest) they'll almost invariably admit that they didn't keep up with it.

    That said, I have seen a case where someone came to me because they noticed their site was hacked soon after an upgrade. But it turned out that they had let several versions go by until they finally upgraded soon before the problem surfaced.

    In that case the hacker exploited a known vulnerability of an older version to create a user account on the site with Admin rights. Then they waited until after the upgrade to mess with things.
    • Profile picture of the author Byrt M
      Chris thanks for your insight - always a great read pal!
      Byrt
  • Profile picture of the author skoh
    Wordpress is one of the best Content Management solutions, if not the best, and it's easy to use too. Everything at some point on the internet is vulnerable to an attack. Turning up my first site I forgot to use DNS privacy, and not a day later someone was trying to hack my PayPal account. Follow Richard's steps, stay away from default settings; that's what they target.
    • Profile picture of the author katied772
      Originally Posted by skoh

      Wordpress is one of the best Content Management solutions, if not the best, and it's easy to use too. Everything at some point on the internet is vulnerable to an attack. Turning up my first site I forgot to use DNS privacy, and not a day later someone was trying to hack my PayPal account. Follow Richard's steps, stay away from default settings; that's what they target.
      I know this is going to show my newbiness but where and how do you take care of dns privacy? Thanks. Kate
      • Profile picture of the author Gary King
        Originally Posted by katied772

        I know this is going to show my newbiness but where and how do you take care of dns privacy? Thanks. Kate
        At your domain registrar. (Wherever you register your domain name)

        Some call it private registration, some call it privacy, etc. It's an add-on fee to the domain registration.

        Hope that helps.

        Gary
  • Profile picture of the author gearmonkey
    I'm seeing a lot of "help my wordpress was hacked" threads today. this is kind of alarming if you're a WP user!

    So I went and changed my password to something very strong. Hope this helps!
  • Profile picture of the author DogScout
    HTML sites are 10 times easier to hack. Once you are in the root, you have free rein. With WP, you then need to hack the admin account. If a WP site is hacked, the hacker targeted your site. Much easier to target HTML sites. At least they used to be.

    (Unless the attack is a password attack)
    • Profile picture of the author DogScout
      Originally Posted by Richard Odell

      But HTML sites can be simply uploaded again. Files against rebuilding a database...

      One click from an FTP program.
      True enough. I believe there are WP back-up plug-ins that will also re-build a hacked site with one click... depending on the damage done; however, most of the guys like the image above only change out the index.php file. It is almost more of an 'I can do this' thing than anything else. They almost always get into the server (if you have shared hosting, check the 700-900 other sites on the server and see if any of them were compromised to tell... they usually get into several on a server intrusion).
      The other thing is they tend to target financial institutions and medium sized merchants. They like the publicity. Lol. At least Havoc and a Turkish guy I have had contact with do. (And they are the most prolific hackers I have seen).
    • Profile picture of the author ChrisCree
      Originally Posted by Richard Odell

      But HTML sites can be simply uploaded again. Files against rebuilding a database...

      One click from an FTP program.
      So you're saying an HTML site is more likely to get hacked, but simpler to recover when it does? Not exactly a slam on WordPress there.

      Besides, if you don't want people looking through the folders on your server just add

      Code:
      Options -Indexes
      to your .htaccess file. That's just good practice anyway.
      • Profile picture of the author Martin Luxton
        It also helps security if you ignore the proliferation of threads with titles like

        "My favourite 3,725,742 Wordpress plugins"

        Seriously, would you add dozens of plugins from unknown coders to your Paypal account? So why add them to your cash cow?


        Martin
    • Profile picture of the author Scritty
      Originally Posted by DogScout

      HTML sites are 10 times easier to hack. Once you are in the root, you have free rein. With WP, you then need to hack the admin account. If a WP site is hacked, the hacker targeted your site. Much easier to target HTML sites. At least they used to be.

      (Unless the attack is a password attack)
      Yeah I had to laugh "Would I trust Wordpress" then the HTML comment.

      I could break 99% of any pure HTML site inside 10 minutes.
      There is no inherent "strength" in pure HTML over WP. The only disadvantage WP has is that it is a common platform and more widespread (the same reason there are more viruses for Windows than most Linux installations).

      Fact is WP is configured to autobackup,spamstop, has security built in (common - but built in)

      Nearly every pure HTML site I have come across has jack diddly - or at best a laughably simple password codex.
      Hell, I have tools that can break most passwords and just overwrite entire websites via filezilla or similar. If I do (and I'm no coding genius) then you can bet others have.

      Also, if you wanted to wreck someone's business, it's easier than ever without touching a single hacking tool.


      Sorry, this next bit is a little long, but it confirms some of the longest held online business paranoia. Check the URLs in the next bit yourself. You've probably come across them before (and not noticed that they are now long gone).
      Ok...let's begin.

      Google is so paranoid about BH methods that using injudicious BH methods on someone else's web properties is the easiest (and most undetectable) slow death you can whack on someone.

      Check out mydietsite dot com or warcraft millionaire.

      Both massive, both targeted and destroyed by a third party. The diet site was ranked:
      • 4 in google for "diet"
      • 6 for "weight loss"
      • First page for "lose weight" and a load of other really good phrases. (worldwide)
      It made over $50,000 a year. It now makes less than $2 adsense a week (guy has taken the site down, just adsense page now).

      Destroyed by a competitor spamming the main URL link all over the place. Hell - no-one even wants to buy the domain name any more! I mean look at that domain name - and no-one wants it.

      That's how to take down a competitor. To this day he has no idea who spammed his URL (His name is Colin Young btw -not me, nothing to do with me)

      WarcraftMillionaire dot com ranked;
      • 1 for Warcraft Gold and...
      • 3 for WoW Gold worldwide.
      It made chuffing gazillions (estimated sales of one product on clickbank is 25,000 in 2008 at $40 EACH)

      That'd be 1 million dollars to me and you.

      Can't find the site for love nor money now. But links to it are EVERYWHERE.

      They exploded in the weirdest places late in 2009, early 2010. Apparently the owner did not do it. Nasty comments on news blogs and inappropriate authority sites. Really nasty spamming stuff like..
      • 10+ links per comment
      • Generic forum postings (probably through Xrumer) with filthy language and link spamming.
      Bye Bye site.

      A million dollars in 2008, sweet fanny adams now (and Warcraft is in the middle of a major popularity surge with the expansion due in 6-10 weeks and the movie in production)

      Did it matter if it was WP or not? Nope

      Don't kid yourself that you're "safer" because you're not WP. That complacency could be what wrecks you.

      And hackers don't need to hack anything any more - just play on Google's BH paranoia

      Scritty
    • Profile picture of the author Sandra Martinez
      Originally Posted by Richard Odell

      But HTML sites can be simply uploaded again. Files against rebuilding a database...

      One click from an FTP program.
      Yes... try adding one button to the top menu in a 2K-page HTML website.
      • Profile picture of the author Sandra Martinez
        Originally Posted by Richard Odell

        If you think ahead that's what a php include can do :rolleyes:

        PHP Code:
        <?php include("menu.php"); ?>
        Got another cat I can skin?
        I could... but not really what I'm about...

        I have seen people stuck badly in old html sites... maybe I just have been around for too long...
  • Profile picture of the author Chris Ingham
    Great info.

    I tend to let my installations get a bit old, and I need to stop that.

    I cannot afford to lose any more money! lol

    Chris
  • Profile picture of the author I.M.Retired
    Wordpress doesn't suck. Hackers suck!

    Wordpress has vulnerabilities that need to be addressed. It looks like you are doing that, which is good.

    Every bit of information as to how to keep your wordpress sites safe from hackers is always appreciated.
  • Profile picture of the author AnniePot
    At any one time I usually have between 12 and 15 active, income sites, 90% of them are WordPress. Over the years I've encountered 2 major hackings - both instances were on straight html sites, never WordPress.

    I keep my WordPress sites and their plug-ins up to date and install various security protecting plug-ins. Every month or so, one of my plug-ins informs me of a hack attack that's been successfully blocked.

    I love WordPress :-)
  • Profile picture of the author Alfred Shelver
    Maybe, just maybe, WP is so much bigger than all other blogging or CMS platforms that there are more people in numbers being hacked, but it's a smaller percentage?
  • Profile picture of the author MilesT
    Securing WP sites is pretty simple really.

    Use crazy-ass passwords like - Eru84!$2--Hhg45#** on your WP site and FTP.
    Use LastPass so a keylogger can't read your keys as you type in your password.
    Change your password like once a month or so.

    Whew. so much work.

    If you do those things your WP sites should be safe. Unless you have a lot of people pissed off at you.
    • Profile picture of the author addice
      Originally Posted by MilesT

      Securing WP sites is pretty simple really.

      Use crazy-ass passwords like - Eru84!$2--Hhg45#** on your WP site and FTP.
      lol, this is quite difficult to remember, I think I will need to reset my password after I changed to that!

      But then again, having a good password is really important. And a better practice - change it every 3 months. If not, every month, if your blog is easily hacked.

      Use a password generator if you can't think of a password. Some are quite good.
  • Profile picture of the author alb3rt1
    I still love Wordpress; it changed my life for the better.
    I also was never hacked, fortunately, but I think if a hacker wants to hack a website they can anyway. History tells us that big sites like Twitter and Facebook (some accounts) were hacked.
  • Profile picture of the author thebitbotdotcom
    Lock your admin folder on your server when you are not using it.
  • Profile picture of the author Ray_Barnes
    I think in today's world anything popular is subject to hackers .... Because wordpress has a great following it means security is constantly monitored and any problems dealt with, and that to me makes all the difference in choosing a system.
    • Profile picture of the author Steven Wagenheim
      Newsflash...there is not ONE CMS, or any platform for that matter, that is immune to hackers.

      So maybe the title of this thread should be changed to this...

      "EVERYTHING Sucks!"
      • Profile picture of the author Gary King
        Originally Posted by Steven Wagenheim

        Newsflash...there is not ONE CMS, or any platform for that matter, that is immune to hackers.

        So maybe the title of this thread should be changed to this...

        "EVERYTHING Sucks!"

        I don't.


        WP gets hit because it's popular. Look, if you're going for inflicting the most damage, spreading the most file download trojans, etc., you go for the biggest market.

        As others have said, other platforms are vulnerable too. WP gets targeted because there are a LOT more installs of WP than there are of Joe Blow's CMS package.

        You write the hack once, automate it, blast it against millions of targets and you inflict a lot more damage against something that is widely deployed.

        (NOT to start a Windows vs Mac argument here) - Macs have viruses too. It's just that it makes more sense to target the wider deployment of Windows if your goal is to inflict pain. You get more bang for the buck.

        Let's put it in marketing terms.
        • You are about to send a solo mailing to one of two targeted lists.
        • These people are STARVING for your product.
        • They HAVE disposable income.
        • They are PROVEN buyers.
        • You have NO competition in your niche.

        You must choose between two lists:
        • List A has 9,146 subscribers, 74% of which are guaranteed to buy.
        • List B has 821 subscribers, 96% of which are guaranteed to buy.

        Do you send to List A or List B?

        You go with the list that is likely to benefit you the most. A person targeting CMS installations will likely do better hitting WP than any other CMS because it's widely deployed.

        MOST hacks happen because of:
        • Weak (or no!) passwords
        • Failure to update versions, leaving exposed flaws that are fixed in later versions
        • Poor security on the web host's part

        Some general tips, just in case you haven't been preached to before:
        • Set good strong passwords on your CMS, FTP, and on your hosting account.
        • Keep your computer safe - use good, updated anti-virus software (some hacks infect your computer, then steal your WP login)
        • Change your passwords regularly.
        • Keep backups of your CMS/HTML off-line (like on your computer) - don't backup to the same server where your web site lives - what if IT dies? Your backup dies with it.
        Signature

        ===========================
        OFFLINERS! Warning: Unless You Know These Pricing Secrets, You are Leaving THOUSANDS on the Table. Get Your Free Report Now.
        • Profile picture of the author MISsupport
          Originally Posted by Gary King View Post

          Keep backups of your CMS/HTML off-line (like on your computer) - don't backup to the same server where your web site lives - what if IT dies? Your backup dies with it.
          It happened to me and I lost a few MySQL sites (no WP) because the hosting closed. At least I had my small MSB sites (no MySQL needed), where I just had to upload the files to the new hosting. In a way, I was the backup :p but I failed with my other sites that used MySQL.
  • Profile picture of the author sirtiman
    It sucks when my WP gets hijacked. I need more good info on how to avoid the hijack problems. Is there any trusted site or program to clean up the hijack problems?
  • Profile picture of the author PEIProfit_Katie
    I truly love Wordpress. With a few changes to logins, and ridiculous passwords, I have (knock on screen) never been hacked.
    Signature
  • Wow! I never knew there are so many security threats with wordpress! I have a lot of websites on the platform! Thanks!
  • Profile picture of the author snapcontent
    One tip I take notice of is never upgrade to a new version of Wordpress the instant it comes out. Give it a couple of weeks to 'settle down', and for them to get the bugs / weaknesses out of it.
  • Profile picture of the author dwatrous
    I've found WordPress to be a great platform and very secure. The biggest problem I see with most sites that get hacked is they have a crappy password and they never change it. If you're going to set your password to "dog" or your birthday or something easy and leave it the same forever, then it's your own fault that you get hacked.

    How to hack a password (I hope my clients read this) | Daniel Watrous
  • Profile picture of the author Tamer
    I've been using WordPress for nearly 4 years now...

    Here is how you secure it from hackers:

    1- I use a strong HOSTING password.

    2- I use a strong WORDPRESS password.

    3- I update WordPress as soon as I see the upgrade notice.
    You'll never know the security risks in your current version, so trust the
    development team and upgrade (EVEN if this means that some plugins won't work for some time).

    4- I change the .htaccess file in /wp-admin/
    to allow ONLY my IP address (or a very small IP range) to access the admin directory.

    So, any attempt (unless from INSIDE my home) to access the admin directory will get an "Access denied" message.

    5- Make an empty wp-content/plugins/index.html file.
    This helps you hide the plug-ins you are running.

    6- Recently, I've even started to place .htaccess in
    wp-content/
    wp-includes/
    Code:
    # Deny everything in this directory by default...
    Order Allow,Deny
    Deny from all
    # ...but let the browser fetch static assets (the dot is escaped so it
    # matches a literal "." and jpe?g covers both .jpg and .jpeg)
    <Files ~ "\.(css|jpe?g|png|gif|js)$">
     Allow from all
    </Files>
    The above code denies access to directories and files except for images (jpg, gif, png), stylesheets (css) and JavaScript (js), so that the browser can fetch resources on the client side.

    Hope that helps..

    Tamer
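Steps 4 and 6 above written out as concrete .htaccess files, added here as an example and not Tamer's own files. It assumes Apache 2.4 (the `Require` syntax, with the 2.2 `Order`/`Allow`/`Deny` form in comments for older hosts), and `203.0.113.0/24` is a placeholder range to replace with your own address or range.

```apache
# /wp-admin/.htaccess  (added example; 203.0.113.0/24 is a placeholder range)
# Apache 2.4: only the listed addresses may reach the admin directory;
# everyone else gets 403 Forbidden, which is the "Access denied" from step 4.
<IfModule mod_authz_core.c>
    Require ip 203.0.113.0/24
    Require ip 127.0.0.1
</IfModule>
# Apache 2.2 equivalent (mod_access_compat):
#   Order Deny,Allow
#   Deny from all
#   Allow from 203.0.113.0/24
#   Allow from 127.0.0.1

# Caveat: admin-ajax.php lives inside /wp-admin/ but is called from the
# public front end by many themes and plugins, so it must stay reachable
# or those features break for ordinary visitors.
<Files admin-ajax.php>
    Require all granted
</Files>
```

```apache
# /wp-content/.htaccess and /wp-includes/.htaccess  (added example, Apache 2.4)
# Step 6: refuse direct requests to PHP and other files in these trees,
# but let browsers fetch the static assets pages reference.
Require all denied
<FilesMatch "\.(css|jpe?g|png|gif|js|svg|ico|woff2?)$">
    Require all granted
</FilesMatch>
# Caveat: add any other file types you publish under wp-content/uploads
# (for example pdf or mp3), otherwise those downloads will also be denied.
```

Check the result from an address outside the allowed range: `/wp-admin/` should return 403 while the site's stylesheets and images still load.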
  • Profile picture of the author mywebwork
    The title of this thread is not only misleading, it's unfair.

    WordPress is by no means unique in requiring steps to keep it secure; virtually anything that you place on a server connected to the public Internet is vulnerable to hackers. For 100% security the solution is simple - pull the Ethernet cable out of the server!

    As WordPress is Open Source software, its source code is freely available, and that makes a hacker's job a lot easier. This is true for every Open Source platform - Joomla, Drupal, Magento etc.

    It's like publishing the blueprints to Ft Knox and then having to secure it - it's a lot more difficult than if the plans were kept secret!

    Bill
  • Profile picture of the author John Henderson
    WF member "RichJerksNet" has already put a WSO together that shows WP users how to better secure their WP installations...
    http://www.warriorforum.com/warrior-...ot-v3-0-a.html