Upgrade Your WordPress Installation
by Kevin on September 5, 2009
Bloggers who have their sites powered by self-hosted WordPress.org are “under attack.” At this point, it isn’t affecting WordPress.com users, as those accounts are hosted by Automattic.
This vulnerability was discovered yesterday, and the number of attacked sites continues to grow. Take the security of your site extremely seriously: not only could you lose access to your entire site, but malicious code could be placed on it, affecting the server you are hosted on, the computers of people who visit your site, and your visitors' personal information.
Although WordPress is one of the most popular blog platforms, that doesn’t mean it is the most secure. Attackers generally go after a platform with a wide adoption rate where older versions can still be broken into. In this case, if you aren’t using the latest version, 2.8.4, you are advised to UPGRADE NOW.
How to Secure Your Site
Although I covered how to secure your site in the past, it is more important now, as some people are wondering whether they are prepared.
1. Update Your Site – Upgrade the entire WordPress installation. This is especially important if you are running WordPress 2.1 through 2.8.3, as these versions have known security vulnerabilities and are prime targets for attack. Back up your site if you are worried about the process breaking your theme or back-end. Finally, update all your plugins. Some may not work after the update, but there are usually alternatives available.
2. Don’t Think WordPress is Secure – As with all software platforms, it doesn’t take long before new security threats are discovered, and an update may not be released until it is too late. Ensure that your server is “locked down” and that you have enabled all proper security procedures.
3. Create More Secure Passwords – The new version of WordPress has more security features when it comes to creating new passwords, but you can also use this generator if you’re comfortable remembering a much longer password with random characters.
Know If Your Site Has Been Attacked
There are two ways that you will know if your site has been hacked into, as Lorelle writes:
There are strange additions to the pretty permalinks, such as:
example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/
The keywords are “eval” and “base64_decode.”
The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account.
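A defender-side check for both clues, as an added example that is not part of the original post or Lorelle's text: it percent-decodes request paths (or a permalink structure) and flags any that contain both eval( and base64_decode, and it lists administrator accounts that are not on an allowlist of logins you recognise. The sample paths, user rows and the allowlist are constructed for the example.

```python
from urllib.parse import unquote

# Constructed sample request paths, modelled on the percent-encoded
# permalink indicator quoted above; not real captured traffic.
SAMPLE_PATHS = [
    "/2009/09/05/upgrade-your-wordpress-installation/",
    "/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/",
    "/tag/security/",
]

# Both tokens must appear after decoding; either alone is too noisy.
INDICATORS = ("eval(", "base64_decode")


def fully_decode(path, max_rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded text is not missed."""
    decoded = path
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.lower()


def suspicious_paths(paths):
    """Return the original paths whose decoded form carries both indicators."""
    return [p for p in paths
            if all(tok in fully_decode(p) for tok in INDICATORS)]


# Constructed user rows, as if exported from the WordPress users screen.
SAMPLE_USERS = [
    {"login": "kevin", "display_name": "Kevin", "role": "administrator"},
    {"login": "hidden-admin", "display_name": "Administrator (2)", "role": "administrator"},
    {"login": "reader", "display_name": "Reader", "role": "subscriber"},
]
KNOWN_ADMINS = {"kevin"}  # assumed allowlist of logins you created yourself


def unexpected_admins(users, known=KNOWN_ADMINS):
    """Return (login, display_name) for administrators not on the allowlist."""
    return [(u["login"], u["display_name"]) for u in users
            if u["role"] == "administrator" and u["login"].lower() not in known]


if __name__ == "__main__":
    print("suspicious paths:", suspicious_paths(SAMPLE_PATHS))
    print("unexpected admins:", unexpected_admins(SAMPLE_USERS))
```

Feed suspicious_paths the request column of your web server access log and unexpected_admins an export of your users table; a hit in either is the cue to audit the site.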
Looking at the Future
Although this may seem like more of a nuisance than anything else to WordPress users, it should not be taken as a reason to switch away from WordPress or to stay with another platform. All services will encounter problems and vulnerabilities like this – you just have to stay updated and remember that security is important.
You can find the latest version of WordPress here for download.
One comment
Let me share something here. There’s a Free WP blog installation service. Good work and awesome plugin list too! Your only obligation is to refer 5 visitors. Check it out http://bit.ly/wpfreeinstall
by WP Intallation Free on August 29, 2010 at 1:44 am.