The only bullet proof way to protect against a Wordpress hack attack
Earlier today Upstart Blogger was hacked. Even though my Wordpress security measures are reasonably up to date someone managed to perform an SQL injection by tampering with my index.php file.
These hacks are particularly nasty since they are normally invisible to anyone other than the search engines. The rogue php file injects meta tags and hidden links into a number of pages, often creating new pages as it goes.
Blogs with a high page rank are obvious targets since they allow the hackers a quick way to steal page rank for their ridiculous schemes. With a page rank of seven it was, I suppose, only a question of time before someone took a shot at my database.
I first noticed something was wrong when I checked my Mint stats this morning to find that I had attracted 15,652 unique visitors in the first six hours of the day.
Impressive stats but, upon inspecting the referral logs, it was clear something was wrong. Amazingly, and frankly farcically, the most popular search was 3D sex spectacles. Unbelievable but true. Who on earth searches for this kind of thing?
I continued to poke around my Mint installation and soon realized that the traffic was racing in from a number of very dodgy Google result pages. I had definitely been hacked. My blog had spawned numerous unnamed pages that were laced with salubrious and ridiculous keywords.
All existing pages and posts were untouched.
I quickly sent two emails, one to AN Hosting support and another to my good friend and Wordpress ninja, Adam from wordpressmodder.org.
Both of them responded in the time it took me to go downstairs, make a cup of tea, and return to my desk.
Thankfully, my host spotted what was going on before I did and had fixed it by the time I had realized what had happened.
The index.php file was removed and replaced with a backup, as was the database.
I telephoned support, just to confirm that everything was back up and safe, and was told that the problem had been picked up when they noticed something unusual about my Wordpress MySQL database and decided to take a look.
I am still getting flooded with traffic, but was told that Google would still send me truckloads of visitors because of the way it caches pages.
Hopefully, once Google figures out that those pages no longer exist, the feeding frenzy of junk traffic will evaporate.
Today taught me a very important lesson about Wordpress security and database security in general. You can never be 100% safe. The very nature of Wordpress, the very nature of the internet, means that all data is a target. And the more valuable that data, and in this case the data was valuable because of my page rank and traffic, the more likely it is to be a target.
I change my passwords regularly. I never write them down. My Mac is as secure as it is reasonably possible to get it, as is my wireless connection.
The only bullet proof way to protect against a Wordpress hack is to insure against it. Make daily backups of your Wordpress database and all of your hosted files. And, perhaps most importantly, make sure you have a team behind you that you can trust.
Hackers are like mosquitos on a safari. It doesn’t matter how many of them you swat or how much repellant you put on, you will probably still get bitten at some stage. And when you do get bitten you’ll be glad you took your malaria tablets.
What matters is how quickly the hack can be spotted, the damaged files purged and backups restored. A good host is like a malaria tablet. You hope you never have to put them to the test but when you do, you need to be using one you can trust.
Wow, that speaks volumes for AN Hosting. I’m still waiting for a refund from a very bad host I had the misfortune of dealing with. Good hosts are really hard to come by these days.
Sorry to hear that, the bad guys are always looking for an opportunity to take you down. :(
I’m glad to know that AN was able to get you back in business. Unfortunately, you’re right, no data is 100% safe, but stay tuned for a WP security tips post coming from me soon.
One thing I would check is the availability and configuration of mod_security… I would be very nervous to declare anything as bullet proof, perhaps bullet “resistant”.
Sorry to hear about the hacking, and glad to know that you managed to solve it quickly.
I was wondering if anyone could point me to any book or specific webpage dealing with online security. I’m thinking about building a small website/personal blog, but my knowledge about security is next to ZERO, so any approachable text will do.
Thanks a lot.