One day this week, I was sitting at my desk and clicked on my blog home page. What I saw was the screenshot in this post, combined with an eerie instrumental tune. I had been hacked by so-called “Turkish Hackers”. I panicked and instantly called the one who maintains my blog (Thank you, Tony!). He tells me the hackers replaced my index page with their own. To fix it, he downloaded the latest version from wordpress.org and uploaded the default index.php file to replace the hacked one. (I don’t understand how to do that, but that’s what he said he did.) My Twitter feed then went wild with people asking me what I did or what they could do to protect their blog.
One of our resident tech gurus (Thanks Jim) at Grace Community Church says this is done as a game. They gain points for how many hits they can get from your blog while it’s been hijacked. This is supposedly called “ethical hacking” (Whatever that means). Jim offers these suggestions to protect yourself from being hacked:
- Have a backup of your blog or website index file and, if possible, the entire site. This not only helps you restore if you are hacked but also lets you restore in the event of data loss with your provider. (Most hosting providers provide backups as part of the service, but nothing is 100%.)
- Keep the anti-virus software on your computer up to date.
- Use a non-public email for your login ID when an email is required.
- Use a strong password. It should:
  - Be seven or fourteen characters long, due to the way in which encryption works. For obvious reasons, fourteen characters are preferable.
  - Contain both uppercase and lowercase letters.
  - Contain numbers.
  - Contain symbols.
  - Contain a symbol in the second, third, fourth, fifth or sixth position (due to the way in which encryption works).
  - Not resemble any of your previous passwords.
  - Not be your name, your friend’s or family member’s name, or your login.
  - Not be a dictionary word or common name.
- Be aware of your surroundings and people when on public wifi or a hotel network, and do not log into secure sites such as your blog, bank or work server.
- If you are going to be using your laptop on a public or non-secured wifi network or a hotel network and log into secure areas, consider using and/or subscribing to a secure SSH tunneling service or VPN if appropriate.
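The first suggestion above (keep a backup of the index file and, ideally, the whole site) is easier to act on when you also keep a record of what the clean files looked like, so that a replaced index.php shows up as a change rather than as a surprise on the home page. The script below is an added illustration, not code from the post, from Jim, or from WordPress: it builds a SHA-256 manifest of a web root, later compares the live files against that manifest, and restores any changed or missing files from a backup copy. The site layout, file contents and the "defacement" it checks against are all constructed in a temporary directory so the script runs offline; a real site would also need its MySQL database dumped separately, which this example does not cover.

```python
"""Baseline-and-verify integrity check for a web root (added example)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large uploads do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its SHA-256."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_of(path)
    return manifest


def verify(root: Path, manifest: dict) -> dict:
    """Compare the live tree against the baseline manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def restore_from_backup(root: Path, backup: Path, relpaths) -> list:
    """Copy the listed files back from the backup tree; return what was restored."""
    restored = []
    for rel in relpaths:
        src = backup / rel
        if src.is_file():
            dst = root / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)
            restored.append(rel)
    return restored


def demo() -> dict:
    """Walk through baseline, simulated defacement, detection and restore."""
    work = Path(tempfile.mkdtemp(prefix="wp-integrity-"))
    site = work / "public_html"
    backup = work / "backup"
    # Constructed stand-in for a clean install; real content would differ.
    clean_files = {
        "index.php": "<?php define('WP_USE_THEMES', true); require __DIR__ . '/wp-blog-header.php';\n",
        "wp-config.php": "<?php define('DB_NAME', 'example_db');  // constructed placeholder\n",
        "wp-content/themes/demo/style.css": "body { color: #333; }\n",
    }
    for rel, body in clean_files.items():
        target = site / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)

    # Take the backup and the baseline manifest while the site is known good.
    # (wp-config.php holds database credentials, so keep the backup private.)
    shutil.copytree(site, backup)
    manifest_file = work / "manifest.json"
    manifest_file.write_text(json.dumps(build_manifest(site), indent=2))

    # Simulate the incident in the post: index.php replaced, one file dropped in.
    (site / "index.php").write_text("<html><body>defaced page (constructed)</body></html>\n")
    (site / "hacked.html").write_text("constructed extra file left by the intruder\n")

    manifest = json.loads(manifest_file.read_text())
    before = verify(site, manifest)
    restored = restore_from_backup(site, backup, before["modified"] + before["missing"])
    after = verify(site, manifest)  # added files are reported, not auto-deleted

    shutil.rmtree(work)
    return {"before": before, "restored": restored, "after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice you would run `build_manifest` once after a clean install or update, store the manifest somewhere the web server cannot write to, and run `verify` from cron; files that show up under "added" are left for a person to inspect rather than deleted automatically, since a legitimate plugin update also adds files.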
Again, I don’t know how to do all those things, but I rely on a lot of people who do. What suggestions do you have? Has this ever happened to you?
UPDATE: (Later in the week another friend of mine emailed to tell me he was in the same coffee shop in Nashville where we had been earlier that week; the day before my blog was hacked. Someone tried to get onto his computer while he was there. He thinks that’s where mine was accessed.)
Be careful.
I agree.
1) Get a password creation tool like password maker, lastpass, keepass or even yubikey. That will solve the secure password problem.
2) Make your security questions impossible to guess. Hackers take the path of least resistance. For example, if you use "my favorite pet's name" as a security question then the hacker can use a very small common pet names dictionary or start a Google search to see if you have any pets. That's a much easier plan than brute force.
3) Never ever log in over an unencrypted network. Don't refer to them as public; recognize them for what they are: hostile. All unencrypted public networks should be considered hostile and treated as such. And yes, SSL is vulnerable to SSL strip or man in the middle attacks.
4) Update your software and keep it updated. WordPress is often vulnerable because it's big enough to be seen by everyone. Turkish hackers aren't sitting in your local coffee shop waiting to pounce; they are at home or in Turkish coffee shops using exploit tools. No exploit, no problem.
Sure there's more to it than this but if you aren't already doing this then it's a good start.
Good stuff. Thanks
Not logging into a high value site from an unsecured location or vpn/ssh tunnel is your best bet.
Choosing a password that is strong and that you can remember is often difficult. This is compounded by the fact that sites have different rules about what characters can be in a password. For sites that allow longer passwords, I often come up with a short sentence related to the service and then substitute symbols for some of the letters. For example, "It's a clear day" becomes "1t's a@c13ar!day"
Remembering is my problem too!
A tattoo on the inside of your left wrist.
Ha!
tijuanabecky (Twitter) says:
It's hard to remember and not make them all similar.
Ron,
Congratulations! You've arrived. I've been hacked by Turkish Muslim Cyber Jihadist a few times. It happens usually when I'm ministering somewhere and see great things done.
Coincidence?
I've never had a problem with WP sites. I'm using the suggestions you mention here.
Ha! Thanks. It didn't feel like I had arrived though!
Hmmmmm… It doesn't seem to be a coincidence… (at least to me…)
Scary!!! I would be devastated if I lost all my blog content!! There are websites out there that will backup your blog daily… Frank's been bugging me about signing up for one forever in case blogger crashes. I never really thought about hackers. Maybe it's time to go ahead and do that. Thanks!!
Yea, could be a good thing
tijuanabecky (Twitter) says:
What are the websites that can back up your blog daily? Are they free? Sounds like a good idea to me.
Hi Becky,
It depends…
If you are using WordPress there are some free services that you can choose from… Doing a Google search should help… If you are not using WordPress still the control panel provided by your hosting provider should have an option for this…
My hosting provider has given me cPanel and it has a backup option though I don't use it.
Thanks for answering.
Hi Pastor Ron,
You are not alone. Some time ago mine was hacked by who claimed to be Kurdish hackers… This is a screenshot of what they had posted on my home page…
http://www.flickr.com/photos/43346221@N06/4871436…
Fortunately I had a backup of my entire blog and the MySQL database. Since I am very familiar with WordPress and Computers getting up again and running was not a big deal.
However, I don't call this kind of hacking ethical… It's rather cowardly – because the attackers simply exploit a vulnerability in a popular web application or a well known issue in the server to take over the system. Then they blow the trumpet: "Hey… we hacked your blog…"
Sometimes people who do these things are not real hackers either… They are just script kiddies… (immature tech babies who use tools written by real hackers…) It's really embarrassing…
Anyway, thanks for sharing this and for making available the instructions so that others can take precautionary action…
I agree. There's nothing ethical about it.