I must have seriously f*cked up in a past life. I mean we’re talking about drop kicking a newborn puppy off a 40ft cliff and into a dark forest full of bloodthirsty T-Rexes and dense stinging nettles.
You know when you have those ‘why me?’ moments, well this is one of mine. This post might be a bit of a rant, but I promise I’ll also try to include some useful info on securing your blog so stick with me if you can.
So why am I angry? Last year I wrote a post entitled The Troubles of a Travel Blogger in 2011; it detailed how half the battle with blogging seemed to be mastering the technology involved. Well enter 2012 and it’s not got much easier to be honest. Already this year I’ve had my PayPal account hacked to the tune of £400 which sucks donkey ass, and now to add to my online misery my beloved blog has been HACKED. That’s why I’m angry. Someone has taken it upon themselves to hack my site and plant some of their own shi*ty code which has then obviously set off all types of sirens, guard dogs and laser beams at my hosting company, Google, StumbleUpon etc.
The people at my hosting company were first to alert me to the problem with a nice simple email stating something to the effect of
WebHost: Your site had dodgy looking link mr, sort it out or we’ll close your account, you have 24 hrs to get back to us.
Maybe it wasn’t quite as badly worded as that, but that’s what it basically said. Obviously at this point the sweat started to form on my brow and I stopped doing what I am paid to do from 9-5 and turned all my attention to my blog. It didn’t take long to find the bastard files that were causing the problem and I promptly deleted them before proudly emailing my web host back and telling them I’d resolved the problem.
Webhost: No you haven’t douche bag
So I went back into my file manager and there they were again, the sodding files were back and giving me the finger as they sat there smugly, f*cking up my life in the process. Ok maybe a slight over dramatization there, but it’s not ideal is it!? I deleted them again, they re-appeared again 5 minutes later, I deleted them again, they re-appeared, delete, re-appear, delete re-appear … you get the point. It wasn’t until I changed my FTP password that the files went away and stayed away.
Webhost: Well done, don’t let it happen again, sort your sh*t out.
So I was safe … for a while. This past week I tried to submit a couple of my pages to StumbleUpon, as you do, hoping to get a couple of extra hits. I hadn’t used StumbleUpon in a while but am familiar with the site and actually quite like a stumble on my iPhone when I’m waiting for a train. Upon trying to submit my pages I got …
StUpon: This site has been blacklisted
Blacklisted, WTF man!? I contacted StumbleUpon who kindly sent me in the right direction whilst offering no particular reason themselves.
We have recently begun filtering submissions to our site through a service called Surbl. Please visit http://www.surbl.org/surbl-analysis and see if your site is on that list. It will also give you information about correcting that situation. We regret we cannot offer any more information on this issue.
So off I went to Surbl.org where I had to fill in a form about my ‘Organisation’. Now I like to think my site looks vaguely professional, but I am in no way an organisation, not even close. I’m a one man blog team. I had no answer to the ‘policy against advertising this web site using unsolicited messages’ question that Surbl.org requested. In short I felt like a douche and started to wonder if this whole blogging thing is worth it. I know the constant drive for hits, Twitter followers, Facebook likes etc weighs heavy on a lot of bloggers, but I’d happily swap sleepless nights due to analytics over being hacked by some bumder and being taken off of Google. This is the type of thing that makes me want to jack it all in. If someone can ruin 9 months of my work with 10 minutes worth of clever coding what’s the point?
To their credit Surbl.org were quick to respond, if not a little cryptic at first, and by 5pm on Thurs 29/03/12 I got an email telling me that the ticket had been closed due to my action. PHEW! … then I got another email from them so I’m kind of in limbo at the moment. I’m 100% sure that I’ve deleted all the crap from my site, but obviously these security companies just want to be sure. It would be nice if they could have just the one person email me though rather than two who clearly aren’t communicating with each other. The drama continues.
Today (16/04/2012) I am finally fully functional again … and utterly exhausted from the entire episode. I had to chase my ticket with SURBL.org which wasn’t ideal, they should have informed me I would have thought, but at least it was good news! I then chased StumbleUpon who also provided good news, and today I can see that all my Google short links are once again working. YAY!
The whole process has been knackering. All the companies involved seem to think I’m some kind of super coder and safety expert, which I’m clearly not, and although helpful in places the fact I had to chase my tickets shows there is still room for improvement. I understand I’m small fry in comparison to most other sites, but it doesn’t mean I’m not entitled to a response. Google in particular were pretty disappointing, offering absolutely no response to my emails.
Ah well, what’s done is done, I’m safe again … I only hope it lasts!
Anyway enough of my problems, I said I’d try to be helpful in this post and this is the point where that help begins. I’m no pro coder or security officer of the web, but through research and this experience, here are my tips for securing your WordPress travel blog.
1. Change my FTP password via my web host. Even though you may not use FTP yourself, a super clever naughty hacker can still access your site via FTP and upload unwanted shizzle. From research I’ve found that instead of using FTP your best bet is to use SFTP.
2. Delete any culprit files from my file list. In my case the offending folders were named something along the lines of 22jhjuho22p2. The files were simply imdex.html files.
3. Refresh WordPress. Go to your dashboard, hover over the word ‘dashboard’ and then click ‘updates’ from the drop down list. On the next screen, click on re-install WordPress. You should only do this having created a backup of your database however! –> see point 5 from the list below.
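
One way to confirm that deleted files stay deleted, and to spot new folders the moment they appear, is to record a baseline of the site once it is clean and compare against it later. This is an added example, not part of the original post; it assumes shell (SSH) access or a downloaded copy of the site, and the function names and manifest files are the example's own. Keep the baseline somewhere other than the web host, so that whoever can write to the site cannot also rewrite the baseline.

```shell
#!/bin/sh
# Added example: record a baseline of a web root, then list what changed.
# snapshot/compare and the manifest file names are this example's own.

# Print "sha256  ./path" for every regular file under the directory $1.
snapshot() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 )
}

# Compare an old manifest ($1) with a new one ($2) and print one line per
# difference: ADDED, CHANGED or REMOVED, followed by the path.
compare() {
    awk -v oldfile="$1" '
        # A sha256sum line is 64 hex digits, two separator characters, path.
        BEGIN { while ((getline line < oldfile) > 0)
                    old[substr(line, 67)] = substr(line, 1, 64) }
        { hash = substr($0, 1, 64); path = substr($0, 67); seen[path] = 1
          if (!(path in old))         print "ADDED " path
          else if (old[path] != hash) print "CHANGED " path }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$2" | sort
}

# Typical use (paths are placeholders):
#   snapshot /path/to/public_html > ~/baseline.txt   # right after the cleanup
#   snapshot /path/to/public_html > ~/now.txt        # later, e.g. once a day
#   compare ~/baseline.txt ~/now.txt
```

An ADDED line for a folder you never created, or a CHANGED line for a core WordPress file you did not update, is the signal to change passwords again before deleting anything.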
What you can do to secure your WordPress blog:
1. Keep updating WordPress – use the most up to date version available to you. At the time of writing it is version 3.3.1.
2. Make sure that within your web hosting settings you are using an up to date version of PHP. I host with AwardSpace and am currently operating on PHP 5.2.5.
3. Do not install 3rd party plugins. Use only those plugins you can find on the official WordPress.org website.
4. Install the plugin WordPress File Monitor Plus. This plugin should notify you by email if anyone (or any bot) tries to mess with your WordPress files.
5. Install the plugin WP-DBManager. This plugin will allow you to email yourself backup copies of your database. Your database is where all your posts are stored so it’s tres important you back up.
6. Install the plugin WordPress Firewall 2. This plugin monitors all file change requests and stops obvious hack attempts.
7. Set the correct permissions for files and folders. WordPress recommends that all your folders should be set to 755 and files 644.
8. Change your default username from ‘admin’ to something a little harder to guess.
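
Tip 7 can be checked rather than assumed. The script below is an added example, not part of the original post; it assumes shell (SSH) access to the host, and the function names are the example's own. It lists every folder that is not 755 and every file that is not 644, calls out anything writable by every user on the server, and can reset the modes in one pass.

```shell
#!/bin/sh
# Added example: audit a WordPress directory against the 755 (folders) and
# 644 (files) modes from tip 7. Function names are this example's own.

# List deviations under the directory $1, one per line, sorted:
#   DIR-NOT-755 <path>     folder whose mode is not exactly 755
#   FILE-NOT-644 <path>    file whose mode is not exactly 644
#   WORLD-WRITABLE <path>  file or folder any user on the host can modify
audit_perms() {
    {
        find "$1" -type d ! -perm 755 -print | sed 's/^/DIR-NOT-755 /'
        find "$1" -type f ! -perm 644 -print | sed 's/^/FILE-NOT-644 /'
        find "$1" \( -type d -o -type f \) -perm -002 -print |
            sed 's/^/WORLD-WRITABLE /'
    } | sort
}

# Reset every folder to 755 and every file to 644. Symlinks are left alone
# because find does not match them with -type d or -type f.
fix_perms() {
    find "$1" -type d ! -perm 755 -exec chmod 755 {} +
    find "$1" -type f ! -perm 644 -exec chmod 644 {} +
}

# Typical use (path is a placeholder):
#   audit_perms /path/to/public_html     # review the list first
#   fix_perms   /path/to/public_html
#   audit_perms /path/to/public_html     # should now print nothing
```

Run `audit_perms` on its own first: a file that was deliberately set tighter than 644 is listed too, and `fix_perms` would loosen it.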