Secure Your Wordpress Blog with a Single Line of Code



Just this week, popular free classifieds site, sulit.com.ph, was hacked and was maliciously redirected to Sedo. As the security breach happened over the weekend, it took quite a while for the site admin to address the issue. For a heavily-trafficked site like Sulit, I think considerable financial losses were incurred as a result of the breach.

After learning about the incident, I googled about how secure Wordpress blogs are against malicious attacks considering that I just made the leap from blogger.

As it turns out, unsecured Wordpress blogs are also common and easy targets for the maliciously inclined. Security holes abound in obsolete or poorly written plugins, and they are exploited by people who have too much time on their hands. One common approach is to browse a target blog’s plugin directory, look for outdated or vulnerable plugins, and then attack the site through one of them.

Check if your blog’s plugin directory is viewable to others by typing the following on your browser:

www.yourblogurlhere.com/wp-content/plugins/

If your plugin directory shows up, you need to secure it. Leaving it open is like letting thieves peek into your house through a glass window. It gives them a better and easier opportunity to find a way in.

A simple way to secure your blog installation directories is to add this piece of code to your host’s .htaccess file:

Options All -Indexes

What this directive does is disable directory browsing, so anyone trying to browse your installation directories is sent to your standard 404 error page instead.
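To confirm the fix took effect, here is an added example (not part of the original post) of a small shell check that fetches a directory URL of a site you administer and classifies the response. It assumes curl is installed; note that Apache answers a disabled listing with 403 Forbidden by default, and only shows your 404 page if an ErrorDocument rule maps it there, so both codes count as blocked.

```shell
#!/bin/sh
# Added example: verify that directory listing is disabled after adding
# "Options All -Indexes" to .htaccess. Assumes curl and a site you own.

# Return 0 if a response body looks like an Apache mod_autoindex page.
looks_like_listing() {
  body="$1"
  case "$body" in
    *"<title>Index of "*|*"Parent Directory"*) return 0 ;;
  esac
  return 1
}

# Classify one (HTTP status, body) pair as exposed, blocked or other.
classify_response() {
  status="$1"; body="$2"
  if [ "$status" = "200" ] && looks_like_listing "$body"; then
    echo exposed      # a live directory listing is being served
  elif [ "$status" = "403" ] || [ "$status" = "404" ]; then
    echo blocked      # -Indexes gives 403; ErrorDocument may map it to 404
  else
    echo other        # e.g. a placeholder index.html served with 200
  fi
}

# Fetch a directory URL and classify it.
# Usage: check_dir https://www.yourblogurlhere.com/wp-content/plugins/
check_dir() {
  url="$1"
  tmp=$(mktemp)
  status=$(curl -s -o "$tmp" -w '%{http_code}' "$url")
  body=$(cat "$tmp")
  rm -f "$tmp"
  classify_response "$status" "$body"
}

# Constructed sample of what an exposed plugins directory looks like,
# so the classifier can be exercised offline.
SAMPLE_LISTING='<html><head><title>Index of /wp-content/plugins</title></head>
<body><a href="../">Parent Directory</a><a href="akismet/">akismet/</a></body></html>'
classify_response 200 "$SAMPLE_LISTING"     # exposed
classify_response 403 '<h1>Forbidden</h1>'   # blocked
```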

Although this measure will not completely protect your self-hosted blog from attackers, it is still an added layer of protection. So, be sure to secure your blog with this simple line of code before it’s too late.




This entry was posted on Saturday, November 8th, 2008 and is filed under Blogging. You can follow any responses to this entry through RSS 2.0. You can leave a response, or trackback from your own site.

  1. #1 by Brendel at November 8th, 2008

    I didn’t know SULIT was hacked. Thanks for the information.

  2. #2 by RJ at November 9th, 2008

    Just to make the record straight, Sulit.com.ph was not hacked. It was the domain registry that had a security breach that affected our domain.

    More information here: http://67.228.219.34/forum/viewtopic.php?t=41415

    Thanks for informing your readers regarding website security. I just want to request a correction as I stated above.

  3. #3 by Lyle at November 9th, 2008

    Hi RJ, thanks for clarifying that, but I think it’s a matter of perspective. You see, the affected site was yours (SULIT) and not the domain registry (dot PH), although the security breach happened on their end.

    I think it is still accurate to say that SULIT was hacked considering SULIT was the INTENDED target and ultimately the VICTIM of the attack. Otherwise, other .PH sites or dot PH itself would have been redirected too. But the hacking incident remains isolated to SULIT.

    The article was not intended to question or cast the security practices of SULIT in a bad light. The mention of the SULIT incident was to emphasize the importance of site security (Domains included). Moreover, the word HACKED on the article is linked directly to your forum thread where a complete explanation is posted.

  4. #4 by iceman9 at November 10th, 2008

    Wow! It’s great you’ve moved already. Cheers, Lyle. Great template too!!

  5. #5 by Lyle at November 10th, 2008

    Thanks faust! I’ve been trying to visit your blog for weeks now. Is davaobloggers.com still down?

  6. #6 by Miah at November 11th, 2008

    davaobloggers.com is still down, huhuhu… Anyway, I’ve read about this on macuha’s site and made a post too. I tried it as well, but what I did was manually put a blank index.html in my wp-content, hahaha… I’m really clueless about these things, oh well…

  7. #7 by Lyle at November 11th, 2008

    Miah, you can find your host’s .htaccess file in the directory where your wordpress blog is installed by logging in via an FTP client. Another way is to login to your cPanel. There’s an icon for .htaccess there.

  8. #8 by Miah at November 11th, 2008

    I uploaded that blank index.html via FTP… I looked for .htaccess but couldn’t find it, so that’s what I ended up doing instead. Where is it, exactly? Hahaha… sorry about that…

  9. #9 by RJ at November 11th, 2008

    Hi Lyle,

    You are correct, it is a matter of perspective, and not all readers have the same perspective as yours. I believe that the more details are missing, the more chances there are of differing perspectives among different readers.

    It is not your intention, as you’ve said, and I believe you. But the way you write it says otherwise, given a different perspective. Also, don’t expect every reader to click every link that they see. If they did, all bloggers and website owners would be multi-millionaires by now.

    I am not here to force any updates, and you might have misunderstood this post. I am just answering your response to my initial post above.

    Anyway, it will be great if your blog title “Thinking Out Loud” is clickable pointing to your homepage. I tried clicking it hoping to find your homepage to check other articles.

  10. #10 by Lyle at November 11th, 2008

    Hi RJ,

    Thanks for your comment. I agree with you that different readers will each have a different understanding of the incident. I also appreciate your taking time to explain the incident to my readers who, I’m sure, are users of Sulit.

    Anyway, about the homepage, there’s a HOME link at the top of my blog that you can click. Yes, it would have been nice for the blog title to be clickable (my older blog was designed that way) but it’s one limitation that I will have to live with.

    I hope to see more of your comments here. You see, I believe that even though we may disagree about certain things, it does not mean we can’t be friends.

    It’s an honor to have you here. I admire the success that you achieved with Sulit.

  11. #11 by iceman9 at November 11th, 2008

    @ lyle

    davaobloggers.com seems to be parked? I’ll have to remind Red; he’s on his honeymoon since he’s newly wed. Heheh

  12. #12 by Dulcenegosyante at November 16th, 2008

    You may also want to include these tips in securing your WP blog.
