All it takes is a few foreign policy gaffes and the Russians are attacking Bitter’s hosting site, and from there mounted attacks on the Blog Bash site, and our PA Gun Rights site. Pretty clearly they have been emboldened by Obama’s overtures, and are attacking on all fronts.
Took an hour or so to track down how they got in, and remove all the offending code. I can’t stress enough the importance of hardening your WordPress installation in order to frustrate hackers. Many hosting providers’s default WordPress installations are awful from a security standpoint.
Best advice is to make as little as possible writable, and if possible, make all files owned by root. There are only a few places WordPress really needs write access to. Don’t make your themes writable by default. If you need to change them, remove write access once you’re done. When I say write access, I really mean it ought to be owned by someone other than the web server account, with the web server account having no write access. Get rid of any plugins you’re not using, they are trouble. Keep everything, WordPress, PHP, Apache, and all your plugins up to date. If you do all those things, you should keep the Russkie hoards at bay.
For what it’s worth, the plugin that got them access was up-to-date and even suggested by my hosting company.
Thanks for the update/info. My podcast’s website is WordPress. I’ll make sure to check it, just in case, and I hope there wasn’t any real damage done. Especially to the Blog Bash site! I’m really looking forward to that!
No, there wasn’t any real damage. It just moved the headers down on the page and made some browsers slow down. I’ll give it until next week and then I’ll feel better about promoting it again if they don’t come back.
Site is moved and locked.
But but but… Linux is SECURE!!!!
All OS’s have holes. All applications have chinks in the armor. Every platform has a surface that can be attacked. Some are easier than others due to their ease of use. Some are harder to use, but more secure.
If you don’t pay attention, though, it’s all insecure.