Batten down the hatches on your WordPress blog

“Install a WordPress blog on your own site and you’re asking for trouble” someone once said to me. I went ahead anyway and switched my blog from Blogger to WordPress. I knew that I would need to keep the WordPress software updated: hackers are quick to spot and share vulnerabilities in php and MySQL, which are used by WordPress.

The first time I didn’t do this was because a major upgrade was due in a couple of weeks so why go through the hassle of installing minor bug and vulnerability fixes? The answer came as I was demonstrating my blog’s features to a very public workshop. Sniggers from some of the participants indicated that something was awry.

“Do you really recommend those viagra sites listed in your blogroll?”

“Oh s**t!” I thought. It was a good example, though, of the dangers of not keeping your software up to date. It was not a major disaster and quickly sorted. I removed the offending links and upgraded as soon as I made it back to the office. I also swore that I would never let that happen again, but easier said than done.

I have been pretty busy lately and doing a lot of travelling. That sometimes makes it difficult to download and install the WordPress updates. Version 2.7.1 had been announced but I was up in Glasgow for a couple of days. A couple of days was enough for the hackers to do their work. As soon as an update is announced, WordPress very kindly tells you and the rest of the world which vulnerabilities the update deals with. If the hackers did not know about them before, they do now, and they target blogs still running the previous version. And they targeted mine!

As a visitor to my blog, you would not have noticed anything unusual because the toe rags managed to add a couple of extra files that added invisible links to the template for my category pages. The first I knew about it was as I was sitting in Glasgow airport waiting to board my flight back home. I checked my email and there was an email from Google saying:

“While we were indexing your webpages, we detected that some of your pages were using techniques that are outside our quality guidelines… Specifically, we detected hidden text on your site. For example…”

Then they dropped the bombshell:

“In order to preserve the quality of our search engine, pages from rba.co.uk are scheduled to be removed temporarily from our search results for at least 30 days. We would prefer to keep your pages in Google’s index. If you wish to be reconsidered, please correct or remove all pages (may not be limited to the examples provided) that are outside our quality guidelines. When such changes have been made, please visit https://www.google.com/webmasters/tools/reconsideration?hl=en to learn more and submit your site for reconsideration.”

It had only taken the hackers 2 days to identify my blog as using the older, vulnerable version of WordPress with the result that I was consigned to the Google sin-bin for at least a month.

Once I was back I tracked down and removed the offending files and code – the hackers had modified the template for my blog category pages – and updated WordPress. I then changed my user name and password and did something I should have done months ago: added the new security keys. There are now four of them, and they make your site harder to hack and your login harder to crack.

Having done all that I toddled off to Google, abjectly apologised and, as they requested on the appeals page, explained what had happened and what I had done to prevent it happening again. Then I sat back, viewed the 30% drop in traffic to my site, and sobbed into my G&T as I contemplated at least another 25 days of the Internet equivalent of being sent to Coventry.

Good news this morning, though. I am back in Google’s index! The security on my blog is now tighter than the proverbial duck’s posterior, but I shall make sure that I:

a) update “as soon as”, whatever it takes;

b) install all additional security features that WordPress recommend; and

c) regularly check my web site and blog for files that weren’t there yesterday.

I might not be so lucky next time.
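Point c) above, checking for files that weren’t there yesterday, is easy to automate. The script below is an added example written for this post; it is not code from the post or from WordPress. It records a SHA-256 manifest of every file under the site root and, on the next run, reports files that are new, changed or missing, which is exactly how the extra files and the edited category template would have shown up. It also flags wp-config.php if any of the four security keys mentioned above still carry the placeholder text that WordPress ships in wp-config-sample.php. The directory layout, file names and key values used in the demo are constructed.

```python
"""File-integrity check for a WordPress install (added example, not from the post)."""
import hashlib
import json
import os
import re
import tempfile
from pathlib import Path

# Placeholder WordPress ships in wp-config-sample.php for keys that were never set.
PLACEHOLDER = "put your unique phrase here"
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large uploads do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            manifest[full.relative_to(root).as_posix()] = sha256_of(full)
    return manifest


def save_manifest(manifest: dict, path: Path) -> None:
    """Store the baseline; keep this copy outside the web root so an intruder cannot edit it."""
    path.write_text(json.dumps(manifest, indent=1, sort_keys=True), encoding="utf-8")


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text(encoding="utf-8"))


def compare(old: dict, new: dict) -> dict:
    """Files that appeared, changed or vanished since the baseline was taken."""
    both = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "modified": sorted(f for f in both if old[f] != new[f]),
        "removed": sorted(set(old) - set(new)),
    }


def unset_security_keys(wp_config: Path) -> list:
    """Names of the four security keys that are missing or still set to the sample placeholder."""
    text = wp_config.read_text(encoding="utf-8", errors="replace")
    unset = []
    for key in KEY_NAMES:
        # Matches lines such as: define('AUTH_KEY', 'put your unique phrase here');
        pattern = r"define\(\s*['\"]%s['\"]\s*,\s*['\"]([^'\"]*)['\"]" % key
        match = re.search(pattern, text)
        if match is None or match.group(1).strip() == PLACEHOLDER:
            unset.append(key)
    return unset


def demo() -> dict:
    """Constructed scenario: baseline a tiny fake site, then plant a file and edit a template."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        theme = root / "wp-content" / "themes" / "mytheme"
        theme.mkdir(parents=True)
        (theme / "category.php").write_text("<?php get_header(); ?>\n", encoding="utf-8")
        (root / "wp-config.php").write_text(
            "<?php\n"
            "define('AUTH_KEY', 'put your unique phrase here');\n"
            "define('SECURE_AUTH_KEY', 'constructed-random-value-1');\n"
            "define('LOGGED_IN_KEY', 'put your unique phrase here');\n"
            "define('NONCE_KEY', 'constructed-random-value-2');\n",
            encoding="utf-8",
        )
        baseline = build_manifest(root)
        # Simulate what the post describes: one extra file dropped into the theme
        # and the category template altered, both between "yesterday" and "today".
        (theme / "x.php").write_text("<?php /* constructed dropped file */ ?>\n", encoding="utf-8")
        with (theme / "category.php").open("a", encoding="utf-8") as handle:
            handle.write("<!-- constructed modification -->\n")
        report = compare(baseline, build_manifest(root))
        report["unset_keys"] = unset_security_keys(root / "wp-config.php")
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real site you would run build_manifest once after a clean upgrade, save the result somewhere the web server cannot write, and have cron run compare against a fresh manifest each day; anything in "added" or "modified" that you did not put there yourself deserves a look before Google finds it for you.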

5 thoughts on “Batten down the hatches on your WordPress blog”

  1. I came late to WordPress, having had a Pivot installation hacked three times and a nucleusCMS site once. Thus the security codes were already part of the WordPress setup when I installed it. In fact, there were just two lines last year and now there are four.

    Like you, I learnt the hard way with my other blog installations that you really have to keep security as tight as possible and update as soon as you know there’s a new version of the software.

    But WordPress has added a facility to update automatically now, if you tell it your ftp details, providing you log in first to your dashboard and give the command. That makes life easier.

    I also subscribe to the RSS feed which announces new versions.

  2. Hi Sue,

    I agree that the new automatic update is a godsend. But I didn’t want to try it for the first time whilst on the road in case something went pear shaped. I’ve now tested it back at base and am fairly confident that I can use it in future when I am stuck in a hotel on the other side of the globe. Far better than getting hacked and seriously chastised by Google.

    Karen
