First official blog post – A WARNING to Fellow Bloggers

All your blogs belong to me…resistance is futile!

Haha ok no really, this isn’t actually a hostile post at all. In fact I am extremely excited about joining the WoW Blogging Community that I have been following and interacting with for a while now.
Today I would actually like to talk about some of the security issues that come with running a blog that many bloggers don’t actually know about.

Themes. Themes, Themes, Themes, Themes, Themes… Most Blogs (including mine) are based off custom or pre-made Blogging Themes, usually specifically designed for WordPress. It’s SO much easier and more efficient than designing your own blog website from scratch – even if you are a pro web-scripter.

The problem now lies in WHERE you get the themes from. There are plenty of places where you can illegally download some of the top Professional Paid-For Blogging Themes for FREE, if you know where to look or how to use Google. There are also plenty of websites offering free themes that you can use without many restrictions.

Regardless of which route you choose to go, unless you actually BUY the theme from a very well known company (and even then sometimes), you run the risk of the theme’s distributors taking advantage of your website, your content, your traffic and your readers for their own personal gain.

A Sneaky Rogue Pickpocketing All Your Adsense and Referrals!

An easy example

Some themes contain backdoors, which allow access to your website’s files and file hosting. This means that those who put it there can then gain access to all your information, your readers’ email addresses (sure, you might guarantee them privacy, but the hackers won’t) and stored usernames/passwords.

They can also go into your blog and edit your CPA, Adsense or other advertisement links so that they use their Ref link instead, or even simply link to their own website without you noticing the difference. They are now stealing the hard-earned cash that you really deserve.

Often it works similarly to Illegal Cookie Stuffing (which can also contain viruses).

Another Example

This one is something less damaging or alarming, but still not quite right. They will insert a piece of code into your template pages that gives them backlinks from your site (including, possibly, to some unsavory websites such as Sex Shops or even websites that host Illegal Content!). Often, if you spot this piece of code in the Theme, they will also include a comment along the lines of “By law you are not allowed to remove the above code”.

FTP Programs

Normally when you use FTP Programs (such as FileZilla, for example – what I use) to upload and replace the content on your websites via FTP, the program stores your account details so that you can quickly log in and access your files. Generally their File Encryption isn’t very strong and can easily be hacked and decrypted.

The hacker then has free rein over your website’s files to do the above-mentioned deeds. I would recommend that you choose to never remember the passwords, or at least clear your history in them once in a while.

BruteForce Protection

BruteForce attacks on your website’s login (especially something simple like WordPress’s WP-Admin Login screen) are rather common and eventually effective.

However, the funny thing is, it is SOOO easy to protect yourself from a BruteForce attack on your WordPress account by installing simple Plugins that limit the number of login attempts that can be made and automatically ban the IP address when that does happen. Check this post for more information on WordPress Login Protection from BruteForce Attacks Plugins.
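To show what such a plugin does under the hood, here is an added example (not from this post and not any plugin’s actual code) of a per-IP failed-login counter that bans an address once it exceeds a threshold inside a time window. The `LoginLimiter` class, its parameters and the injectable `clock` are all assumptions of this example.

```python
import time
from collections import defaultdict, deque


class LoginLimiter:
    """Track failed logins per client IP and ban the IP after too many in a window."""

    def __init__(self, max_attempts=5, window=300, ban_time=1800, clock=time.time):
        self.max_attempts = max_attempts   # failures allowed inside `window` seconds
        self.window = window
        self.ban_time = ban_time           # seconds a ban lasts
        self.clock = clock                 # injectable so tests can fake time
        self.failures = defaultdict(deque) # ip -> timestamps of recent failures
        self.banned_until = {}             # ip -> unix time when the ban ends

    def is_banned(self, ip):
        """True while the IP is banned; expired bans are dropped on the way."""
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:
            del self.banned_until[ip]
            return False
        return True

    def record_failure(self, ip):
        """Register one failed login; returns True if this failure triggers a ban."""
        now = self.clock()
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:  # forget old failures
            recent.popleft()
        if len(recent) >= self.max_attempts:
            self.banned_until[ip] = now + self.ban_time
            recent.clear()
            return True
        return False

    def record_success(self, ip):
        """A correct login resets the failure counter for that IP."""
        self.failures.pop(ip, None)
```

The ban is keyed on the client address as the web server sees it, so behind a CDN or reverse proxy the real client IP has to come from a trusted forwarding header or every visitor shares one address.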

Conclusion:

If you are worried about your Blog’s security, or were alarmed to learn that such things could occur without you even realizing it, I highly recommend that you go do some good old Google Search Research and brush your knowledge on the subject back into a fit shape.

If you are concerned, I would recommend that you check out this link on How to find a backdoor in a hacked WordPress.

It covers stuff like:

  • Added Code – such as “eval($_POST['attacker_key']);”
  • How to Hide Code – Gives you recommendations of where to hide your own code, and where to look for hidden malicious code
  • Database Obfuscation

Read through some of the helpful comments on that article too.
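As an added example (mine, not code from that article or from WordPress), here is a small scanner that walks a theme directory and flags the kinds of lines the article talks about: `eval` of request input or of a decoded blob, the “you are not allowed to remove this” comment, and hidden backlinks. The pattern list and the sample files are constructed for this example and are not a complete backdoor signature set.

```python
import re
from pathlib import Path

# Patterns that commonly mark injected code in theme files (constructed for this
# example; a real scan would use a longer, maintained list).
SUSPICIOUS_PATTERNS = {
    "eval of request input": re.compile(r"eval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b"),
    "eval of decoded blob": re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
    "do-not-remove warning": re.compile(r"not allowed to remove", re.IGNORECASE),
    "hidden link": re.compile(r"display\s*:\s*none[^>]*>\s*<a\s", re.IGNORECASE),
}


def scan_source(name, text):
    """Return (file, line_no, label, line) for every line matching a pattern."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for label, pat in SUSPICIOUS_PATTERNS.items():
            if pat.search(line):
                findings.append((name, line_no, label, line.strip()))
    return findings


def scan_theme(theme_dir):
    """Walk a theme directory (e.g. wp-content/themes/mytheme) and scan its .php files."""
    findings = []
    for path in sorted(Path(theme_dir).rglob("*.php")):
        findings.extend(scan_source(str(path), path.read_text(errors="replace")))
    return findings


# Constructed sample theme files: a clean header, a footer carrying a hidden backlink
# plus the "you may not remove this" comment, and a functions.php with the eval backdoor.
SAMPLE_FILES = {
    "header.php": '<?php get_header(); ?>\n<div id="content">\n',
    "footer.php": "<?php\n/* By law you are not allowed to remove the above code */\n"
                  'echo \'<div style="display:none"><a href="http://example.invalid">x</a></div>\';\n',
    "functions.php": "<?php\nif (isset($_POST['attacker_key'])) { eval($_POST['attacker_key']); }\n",
}


def scan_samples():
    """Scan the constructed samples in memory; same logic as scan_theme, no disk needed."""
    findings = []
    for name, text in SAMPLE_FILES.items():
        findings.extend(scan_source(name, text))
    return findings


if __name__ == "__main__":
    for name, line_no, label, line in scan_samples():
        print(f"{name}:{line_no}: {label}: {line}")
```

Run it against a real theme with `scan_theme("wp-content/themes/yourtheme")` and review each hit by hand; a match is a reason to look, not proof of compromise.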

Something else you should get (just as an added precaution and for general Computer/Internet Security) is the Mozilla Firefox plugin (or other browser equivalent) called VTzilla.

VTzilla is a Mozilla Firefox browser plugin that simplifies the process of scanning Internet resources with VirusTotal. It allows you to send downloads through VirusTotal’s web application prior to storing them on your PC. Moreover, it will not only scan files, but also URLs.

The scanning options are embedded in Firefox’s context menu and download dialog, making the analysis process as easy as clicking a single button.

Seriously though guys, please pass this information along to fellow bloggers and even readers alike. Raise the awareness and help protect the blogging community 🙂

I hope you guys enjoyed my first official blog post!
