Blogs are more vulnerable to hacking than other websites!

This afternoon, DollarShower was down for close to three hours owing to some corruption in the WordPress installation directory. Initially I thought it was a hack, but there was no sign of any DB corruption or of deleted directories. I had not made any changes to WordPress or my theme in the last twenty-four hours, and this happened while I was at work, where I cannot really FTP into my hosting service! While the reason behind the corruption is still a mystery, I managed to copy back most of my WordPress directory, thereby restoring the site.

I had done some research about the script errors, and most of the WordPress support threads (pathetic!) suggested that the blog was hacked! I guess that is the answer they give when nothing is known. However, I came to the conclusion that blogs, unlike some of the traditional websites, are more vulnerable to hacking. I have my reasons to think so:

Why are blogs easy prey for hackers?

Firstly, the majority of self-hosted blogs are served from cheap shared hosting services. As a matter of fact, they host 500 or 600 domains on one server, some of which cannot even be monitored for suspicious activity. Some of these hosting services may not even have a proper security infrastructure. I have read in many places about the vulnerability of certain shared hosting services (I do not want to name them here).

Secondly, most blog engines store their content in databases, and there are many SQL injection threats that cannot easily be blocked. Most of these blog platforms are still evolving, and hence there is no single fix for injection attacks. I must say that the great WordPress is still vulnerable!

My next reason – many blogs are authored and web-mastered by not-so-technical people, and hence they usually go with the default settings. This is one of the problems that needs to be addressed by the individuals themselves.

Another thing that happened with my hosting service – HostMonster – a month ago was a corrupted PHP installation. This left all blogs on a particular server down for 4-5 hours! Well, that is probably the result of the trade-off between price and quality, I guess. For a cheaper price, you will have to cope with support people who are not technically equipped! I plan to move to HostGator soon.

What saved my day?

Because of my recent upgrade to WordPress 2.7.1 – which I was not sure would go through – I had taken complete backups of the pre-upgrade and post-upgrade state of my directories. I actually made a folder copy of the WordPress directory on the server itself, which can be renamed at any point to take it live. This is in fact what helped me.

One of my regular habits has been the whole-directory backup together with the automated database backup.
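The folder-copy-and-rename habit described above, scripted for a shared host, as an added example that is not code from the post. The live path, the database name and the use of ~/.my.cnf for the database credentials are assumptions.

```shell
#!/bin/sh
# Added example, not code from the post: snapshot the live WordPress
# directory and database the way the post describes, and put a snapshot
# back by renaming. Paths, the database name and the use of ~/.my.cnf
# for credentials are assumptions; adjust them for your host.
set -eu

# Copy the live directory to a dated sibling (e.g. wp.20090615-143000).
# An optional second argument fixes the stamp (useful in scripts/tests).
# Prints the snapshot path.
wp_snapshot_dir() {
    live="$1"
    stamp="${2:-$(date +%Y%m%d-%H%M%S)}"
    snap="${live}.${stamp}"
    cp -pR "$live" "$snap"      # -p keeps modes, ownership and mtimes
    printf '%s\n' "$snap"
}

# Dump the database into the given directory. Credentials come from the
# [client] section of ~/.my.cnf, so no password shows up in the process
# list that every user of a shared server can read. No pipe into gzip:
# a failing mysqldump then aborts instead of leaving an empty dump.
wp_snapshot_db() {
    dbname="$1"; out="$2/${dbname}.sql"
    mysqldump --single-transaction --quick "$dbname" > "$out"
    gzip -f "$out"
}

# Take a snapshot live: move the current (possibly corrupted) directory
# aside as a fallback and rename the snapshot into the live path. Both
# steps are renames, so the site is back in seconds, and the move is
# reversed by calling wp_promote again with the two paths swapped.
wp_promote() {
    snap="$1"; live="$2"
    [ -d "$snap" ] || { echo "no such snapshot: $snap" >&2; return 1; }
    aside="${live}.broken.$(date +%Y%m%d-%H%M%S)"
    [ -e "$live" ] && mv "$live" "$aside"
    mv "$snap" "$live"
}

# Keep only the newest N dated snapshots so they do not eat the disk quota.
wp_prune() {
    live="$1"; keep="$2"
    ls -1d "${live}".[0-9]* 2>/dev/null | sort -r | tail -n +"$((keep + 1))" |
        while IFS= read -r old; do rm -rf "$old"; done
}
```

Run wp_snapshot_dir and wp_snapshot_db from cron and before every upgrade; when the live copy breaks, one wp_promote call swaps a known-good copy back in while keeping the broken one for inspection.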

How do you protect your WordPress blog from hackers?

These are a few things that come to my mind:

  • Always keep your WordPress version upgraded, at least when the upgrades carry security fixes
  • Enable automated backups using the WordPress Database Backup plugin
  • Keep changing your server/FTP passwords, even though you might be tempted to keep all your passwords unchanged and identical so they are easy to remember
  • Beware of malicious plugins, themes and widgets – do we ever suspect a plugin or widget developer?
  • I have heard about login lockdown plugins and plugins that withhold some WordPress information (like version, installed plugins etc.) from hackers, but I do not understand their value. Hackers are smarter people!

Have you ever been hacked?

Have your blogs ever been hacked? If so, what measures have you taken since then to protect your blog better? Do you have some plugin ideas in this direction?


  1. I have written a post on Make your WordPress blog secure [Prevent hacking attacks]; I mentioned a few plugins there, have a look :)

    Chetan Gole's last blog post… Download Microsoft Bing ringtones – Free ! (Official Microsoft)

  2. Melvin :

    This is so true Ajith. Most people give the excuse that their blog isn't popular yet so there's no need for so much protection. I find it really retarded because hackers don't pick what's popular and what's not. They just hack as much as they can…

    Btw, I've written a really nice post about subfolders and stuff located here (if I may spam please. 😀 )

    Melvin's last blog post… MMO Blog Monetizer Launch

  3. I use Automated DB Backup, but I schedule it to take a backup once a week. Daily seems to be a good option, right?

    Thanks for the information Ajith.

    TechZoomIn's last blog post… 260 Miscellaneous Web Design Icons Download..!

  4. George :

    Even though the downtime was short, it was a surprise for me, because I was reading a post and ten minutes later I saw Ajit's tweet about the error.

    This is the lessons-learnt post from the episode; good post.

  5. I think the bottom line here is the emphasis we all need to place on backups! That word will always come back to haunt you if you disregard it! Sorry to hear about your experience, but I am glad that it is all OK now, and that you're able to share the experience with us. Hopefully we all learn from this!

  6. Thanks for the information, I back up my blog using Database Backup

    Never knew you could be hacked as well! Thanks for the information Ajith!

    Curious Little Person's last blog post… Monetize your Blog the Right Way

  7. Thanks Ajith.. It was a very nice article.. I'll use this info to secure my blog.

    Samrat P's last blog post… Grab a Facebook Username For Your Facebook Profile Page or Application Profile

  8. I normally do a backup each hour, and it is emailed to a dedicated email address (gmail is good).

    I also use a plugin to encrypt the password sent during login… just in case some smart guy is looking through his e-bino lol.

    Thirdly, I think I can trust my current host as they back up the whole directory regularly each day.

    Kurt Avish's last blog post… Blog Trottoir Featuring Yashi

  9. @Chetan, thanks for your post link. I shall give the wp-security-scan plugin a try.

    @Melvin, thanks for the spam :) You are right about folder permissions, as mentioned in the post.

    @Lax, running daily backups is not a bad idea (it depends a great deal on how often you post/change content, how many comments are received and at what frequency, etc.)

    @George, that was a surprise for me as well. Even bigger surprise was the 5 hr downtime caused by Host Monster last month.

    @Jacques, backups definitely help though nobody wants to get to a point where you are forced to restore your backed up content – ie. a situation post hack or crash :)

    @Sandeep, I still really do not know if it was a hack, a WP bug or some script error that occurred after caching :)

    @Samrat, thanks buddy…

  10. This morning I was shocked: my blog was not loading, though there was no problem with the forum and the main site, and admin login also failed. Then I read your post, uploaded WordPress 2.8 and deactivated all plugins. The Tweet This plugin was causing the problem; I removed that folder and now it's OK :)

    Anish K.S's last blog post… NewsX takes you AT STUMPS at the T20 World Cup : Brings in complete T20 World Cup coverage with Farokh Engineer live from England

  11. Richael Neet :

    WordPress out of the box is very insecure. The release of version 2.8 speaks volumes, as they have fixed close to 790 bugs… That is a huge number of loopholes, in my estimation.

    As you rightly mentioned, Ajith, the hosting company is also a determining factor in how secure your blog may be. My recent experience is a testimony… I gave up hosting at Hostgator (because of the cost) and moved to a cheaper company. The day after migration and propagation, my blog was hacked and the whole DB deleted. Luckily, I had the backup and restored it instantly after switching hosts.

    I have learned my lesson since.

  12. I have never had a WordPress blog hacked, but I had an old one hacked into, which actually got me kicked off my webhost. It was a blogging platform called Greymatter. Quite a few people used it because it was one of the first that could be self-hosted, but it ended up having numerous security holes. I don't think anyone uses it anymore (I hope) and most webhosts ban it.

    Kim Woodbridge's last blog post… WordPress 2.8 Upgrade Issues and Recommendations

  13. @Anish, You are right about the plugins and widgets, you never know what kind of scripts they download at runtime.

    @Richael, any CMS with default database admin entry scripts exposed in a standard form is vulnerable to SQL injection attacks. And the hosting companies that offer unlimited hosting for three or four bucks need to be analyzed really well before signing up. I have had some issues with Host Monster a couple of times but am continuing till the next renewal.

    @Kim, thanks for sharing your experiences with Greymatter. Although WP is not all that secure yet, it's probably the best among the lot, I believe.

  14. Ramin :

    I just figured out that my blog got hacked now, and I found your site while searching for a solution. It's bad – for visitors it shows a normal site, but only Googlebot sees a different site, which is full of spammy viagra stuff. I am trying to fix this before Google dumps my site because it thinks I am spam…

    Ramin's last blog post… Cola and pretzel sticks for diarrhea? No, instead…

  15. @Ramin, sorry to hear that… did you fix the problem yet?

  16. Ramin :

    Yes, fortunately :-) I had to back up my WP blog, delete the old installation, reinstall WP fresh, import the entries and upload the files again.
