Mea culpa; Security Issue; Hax0rz 5uckz!

Apologies to recent readers; it appears that my WordPress install had been hacked earlier, due to a security bug in WordPress itself that I had not patched quickly enough.

Unfortunately, due to events in early winter, I was rather distracted for a couple of months. WordPress released some updates, which I neglected to apply. My best guess is that a hacker used a WP vulnerability to break into my WP control panel, whereupon they then added some spammy/googlebait links to my footer.php file. Sigh.

As best I can determine, after talking to my ISP and eyeballing various html directories, nothing else appears to have been touched. I’m fairly certain that only a WP vulnerability allowed access to the admin functions, which allow editing certain WP files directly from the admin web interface. It does not appear that my shell account or any other ISP features were accessed.

In any case, you’re now reading a completely fresh WP install, and I’ve either wiped & replaced or inspected all other HTML content on my website. I’ve also changed all passwords relating to this account, duh.

Security tips appreciated -at least ones more advanced than “have a good password”. I’ve also updated the WP blog settings to make the default address use https, which although it will load down the poor server a bit more, hopefully will keep my admin logins nice and secure from now on out.

Question: Given that I have a dedicated SSL cert for my domain name, why do I need the WP-Admin plugin? Can’t I just do everything over https directly? (I suppose this does require me to remember to use https, but I can do that).

Leave a Reply

Your email address will not be published. Required fields are marked *