The PHP vulnerabilities, exploits and hacks in phpBB3, WordPress etc.

I have a couple of sites running under WordPress and phpBB3. When it comes to usability, these products have come a long way. The best part is that they are completely free and, since they are written in PHP, every web hosting provider supports them. The really ugly part is the vulnerabilities, exploits and hacks out there for these products. You need to watch constantly for new updates and then apply the patch or the latest version immediately. That sounds simple for a single site, but when you have more than a couple of sites it is a nightmare.

There are so many script kiddies out there that it is only a matter of time before an exploit or hack is found even for the latest version of WordPress or phpBB. These exploits are usually based on SQL injection, remote file upload or cross-site scripting. I briefly cover what each of these means.

SQL injection attack - This happens when the attacker passes a block of SQL as user input. That is of course the simplest form. In almost all cases the cause is a lack of validation of query parameters, so the user's input ends up inside the SQL text itself. This type of attack is the most common and can be found in thousands of WordPress plugins. The problem with this attack is simple: once the attacker has the database under his command, he can create administrative users, drop or add tables, or do whatever he wants to the application.

Cross-site scripting attack - This attack involves methods that inject scripts into the WordPress blog or phpBB3 site. The injected script may open popups or other browser windows with objectionable content or phishing sites. Assume a request parameter is displayed on a web page. If someone passes a block of JavaScript as that request parameter, it may get displayed, and it may get executed as well. Once someone can execute script on your site's behalf, it means disaster.
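To make the two points above concrete, here is an added example (not code from the post, WordPress or phpBB3) showing the same user lookup written the vulnerable way and with a prepared statement, plus the output escaping that closes the cross-site scripting hole. It uses an in-memory SQLite database, so it needs only PHP's pdo_sqlite extension; the table, the injected value and the script tag are constructed for the demo.

```php
<?php
// Added example, not code from the post, WordPress or phpBB3. The same
// "find a user" lookup written twice: the way it appears in weak plugins and
// a hardened form. The in-memory SQLite table and the inputs are constructed
// for the demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'member')");

// VULNERABLE: the request parameter is pasted into the SQL text, so a value
// such as  x' OR '1'='1  rewrites the WHERE clause and every row comes back.
function findUserVulnerable(PDO $db, string $name): array
{
    $sql = "SELECT id, name, role FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: a prepared statement binds the input as data. Whatever arrives is
// compared against the name column and is never parsed as SQL.
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output side, the cross-site scripting half: anything echoed back into the
// page is HTML-escaped first. ENT_QUOTES also escapes single quotes so the
// value is safe inside attribute values, not only between tags.
function renderGreeting(string $input): string
{
    return '<p>Hello, ' . htmlspecialchars($input, ENT_QUOTES, 'UTF-8') . '</p>';
}

$injected = "x' OR '1'='1";
printf("vulnerable lookup returned %d row(s)\n", count(findUserVulnerable($db, $injected)));
printf("hardened lookup returned %d row(s)\n", count(findUserSafe($db, $injected)));

$scripted = '<script>alert(1)</script>';
echo renderGreeting($scripted), "\n";
```

Run with `php`: the vulnerable lookup returns both rows for the injected value because the quote closes the string and the `OR` is evaluated as SQL, while the prepared lookup returns none because no user is literally named that. The greeting prints the script tag as inert text instead of letting the browser run it.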

File upload exploit - In this method the attacker somehow manages to upload a PHP file into your hosting folders. That gives him complete power to do anything he wants. Typically this is used for spamming: the PHP file holds a list of email addresses and sends spam to each of them using the sendmail feature of your server. Recently my web hosting account had a list.php in the public_html folder which was used for spamming and phishing attacks.
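As an added example (not code from the post or from either project), here is how an upload handler can refuse the kind of file described above before it lands in a web-served folder: it decides the type from the file's bytes rather than its name, never reuses the client-supplied name, and writes into a directory that the web server does not serve. It assumes PHP's fileinfo extension; the two input files at the bottom are constructed so the script runs from the command line without a browser.

```php
<?php
// Added example, not code from the post, WordPress or phpBB3: the checks a
// hardened upload handler applies before a file reaches the web root.
// Assumes the fileinfo extension. The demo at the bottom feeds constructed
// temp files instead of a real $_FILES entry.

const ALLOWED_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

/**
 * Validate an uploaded file and return the server-chosen name to store it
 * under. Throws on anything that is not a plain image.
 */
function safeUploadName(string $clientName, string $tmpPath): string
{
    // 1. Decide the type from the bytes, not from the client-supplied name:
    //    a "picture.jpg" that is really PHP source still looks like PHP here.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException("rejected $clientName: content type $mime is not an allowed image");
    }

    // 2. The client name is only used to reject obviously abusive input; the
    //    stored name never reuses it, so double extensions do not matter.
    if (preg_match('/\.(php|phtml|php\d|phar)(\.|$)/i', $clientName)) {
        throw new RuntimeException("rejected $clientName: executable extension");
    }

    // 3. Random filename with the extension implied by the detected type.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
}

/** Store the file in a directory outside the web root (assumed path). */
function storeUpload(string $clientName, string $tmpPath, string $storeDir): string
{
    $name = safeUploadName($clientName, $tmpPath);
    $dest = rtrim($storeDir, '/') . '/' . $name;
    // A real handler uses move_uploaded_file(); rename() lets the demo run
    // without an HTTP request.
    if (!rename($tmpPath, $dest)) {
        throw new RuntimeException('could not store upload');
    }
    return $dest;
}

// --- demo with constructed inputs ---
// $store stands in for a directory outside public_html.
$store = sys_get_temp_dir() . '/uploads-demo';
@mkdir($store, 0700);

// A minimal PNG signature, and a PHP file wearing a .jpg extension.
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 32));
$fake = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($fake, "<?php echo 'this is code, not a picture';\n");

foreach ([['photo.png', $png], ['photo.jpg', $fake]] as [$clientName, $tmp]) {
    try {
        echo "stored $clientName as ", storeUpload($clientName, $tmp, $store), "\n";
    } catch (RuntimeException $e) {
        echo $e->getMessage(), "\n";
    }
}
```

In a live handler the temporary path comes from `$_FILES` and the move is done with `move_uploaded_file()`; `rename()` stands in here so the demo runs from the shell. Keeping uploads out of the web-served tree is the part that matters most: a file that somehow slips past the checks is then never executed by the web server.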

A couple of my sites have been hacked in the last 2 years. Identifying what got hacked, removing it and then restoring your site to its original form is tedious and time-consuming. I really hate script kiddies!

One day I got a warning mail from the hosting provider saying that my account would be closed if I didn't stop spamming. It was a complete shock that someone else had managed to upload a file to my server and then use it on my behalf for illegal purposes! I changed all my passwords and then upgraded WordPress and phpBB3 to the latest versions. But I am still very uneasy at the thought that even the latest versions can have exploits.

Then another day I got a mail from Technorati saying that my blog was hacked. I checked my web page and there was nothing wrong. When I looked at the HTML source I noticed billions of spam links under hidden div tags! Someone had hacked into the theme files of WordPress and had cleverly inserted these links. It appears there are automated tools out there which scan for vulnerable WordPress blogs and then hack them. So for the hacker there is no manual work!

How to minimize hacking/exploit attempts to your website/blog?

There is no 100% sure way to prevent these attacks. If you don't use WordPress or phpBB3 you are in a very safe position! But then you miss some great tools. Here are some of my recommendations for minimizing the attacks.

  • Use strong passwords for everything. Strong means a mix of capital letters, numbers and special characters, with a minimum length of 8 characters.
  • Ensure that all the software you use (WordPress, phpBB3 etc.) is up to date. Subscribe to the mailing lists so you know whenever a new version is out, and then apply the patch ASAP.
  • Minimize the use of plugins or mods. If you have to use a plugin, use only the most reliable and most widely used one. The same applies to phpBB3 mods. Most of these mods and plugins are created by newbie programmers, and there is a high probability that they contain an SQL injection vulnerability.
  • Monitor your web folders for any unexpected new files or any file modifications. If you have shell access, you can write a simple shell script to list all files changed in the last week.
  • Back up your databases and your web site content regularly. This way you can delete everything and quickly reinstall if an attack is suspected.
  • Use your own custom content management system! - WordPress and phpBB3 are open source, and hence people can look for vulnerabilities. If your requirements are simple, you can even look at writing your own. Using a custom implementation can stop a lot of automated attacks.
  • Access your web site using a browser and then look at the HTML source. If you see spam links or phishing links hidden in your page, you have been hacked. Soon Google will apply a search penalty and your site may disappear from its search index. So delete everything, restore from backup and then upgrade everything to the latest version. Then change all passwords!
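An added example, not part of the original post, that does the check in the last bullet mechanically: it parses a page's HTML and lists every link that sits inside an element hidden with an inline style, which is how the links in the Technorati incident were concealed. It uses PHP's DOM extension; the sample page is constructed, and the spam.example addresses are placeholders. Pass a URL or a saved HTML file as the first argument to scan a real page.

```php
<?php
// Added example (not from the post): find anchors that are hidden with an
// inline style, the pattern described in the Technorati incident. The
// sample page below is constructed; spam.example is a placeholder domain.

function findHiddenLinks(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // real pages have sloppy markup
    $doc->loadHTML($html);
    libxml_clear_errors();

    $xpath = new DOMXPath($doc);
    // Lower-case the style attribute and drop spaces so "display: none",
    // "DISPLAY:NONE" and "display :none" all compare equal.
    $norm = 'translate(@style, "ABCDEFGHIJKLMNOPQRSTUVWXYZ ", "abcdefghijklmnopqrstuvwxyz")';
    $hidden = $xpath->query(
        "//*[@style][contains($norm, 'display:none') or contains($norm, 'visibility:hidden')]"
    );

    $found = [];
    $seen  = [];
    foreach ($hidden as $el) {
        // Every link below a hidden element is suspect, nested or not.
        foreach ($xpath->query('.//a[@href]', $el) as $a) {
            $href = $a->getAttribute('href');
            $text = trim($a->textContent);
            $key  = $href . "\0" . $text;
            if (isset($seen[$key])) {
                continue;           // already reported via an outer hidden element
            }
            $seen[$key] = true;
            $found[] = [
                'container' => $el->nodeName . '[style="' . $el->getAttribute('style') . '"]',
                'href'      => $href,
                'text'      => $text,
            ];
        }
    }
    return $found;
}

// Constructed sample: one visible link and three hidden ones.
$sample = <<<HTML
<html><body>
<h1>My blog</h1>
<p>A normal post with a <a href="https://example.com/about">visible link</a>.</p>
<div style="display: none">
  <a href="http://spam.example/cheap-pills">cheap pills</a>
  <a href="http://spam.example/casino">casino</a>
</div>
<span style="visibility:hidden"><a href="http://spam.example/loans">loans</a></span>
</body></html>
HTML;

$html = isset($argv[1]) ? file_get_contents($argv[1]) : $sample;
$hits = findHiddenLinks($html);
if ($hits === []) {
    echo "no hidden links found\n";
}
foreach ($hits as $h) {
    printf("%s -> %s (%s)\n", $h['container'], $h['href'], $h['text']);
}
```

It only sees hiding done with inline `style` attributes; links hidden through a stylesheet class or pushed off-screen with positioning need the same query extended to those patterns. Checking the rendered page and comparing the theme files on disk against a clean copy complement each other: the first shows the symptom, the second finds the injected code at its source.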
July 3, 2008 | Posted in Tech Tips

One Comment to “The PHP vulnerabilities, exploits and hacks in phpBB3, WordPress etc.”

  1. Chris Price Says:

    Hi Jayson,

    You make a lot of valid points there. I’m surprised that phpBB3 is vulnerable, but like you say, it’s down to bad plugins I guess. Some orgs like Joomla have a really good security section where you can check up on the exploits for a plugin you might try. Maybe phpBB doesn’t have that yet.

    It would be nice to get a script that could check your webroot daily for changed files - that would be really useful. I know it can be done even on shared hosting (maybe a Perl script or something) but I never managed to track it down.
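Both the "monitor your web folders" recommendation in the post and Chris's wish for a daily check can be met without shell access, since a PHP script can be run from cron on most shared hosting. The following is an added example (not the post's or the commenter's code): it records a SHA-256 manifest of the web root, reports files added, removed or changed since that baseline, and also lists anything touched in the last N days. The web root path, manifest location and file names are assumptions; with no arguments it runs against a constructed temporary tree so the output can be seen without a real site.

```php
<?php
// Added example, not the post's or the commenter's code: a change monitor for
// a web root that runs from cron on shared hosting where only PHP is
// available. Keeps a manifest of SHA-256 hashes (by default one level above
// the web root, an assumed location) and reports added, removed and modified
// files plus anything with a recent mtime. With no arguments it demonstrates
// itself on a constructed temporary tree.
//
// Usage: php monitor.php /path/to/public_html [manifest.json] [days] [accept]

function hashTree(string $root): array
{
    $files = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->isFile()) {
            $rel = substr($file->getPathname(), strlen($root) + 1);
            $files[$rel] = ['sha256' => hash_file('sha256', $file->getPathname()),
                            'mtime'  => $file->getMTime()];
        }
    }
    ksort($files);
    return $files;
}

function diffManifests(array $old, array $new): array
{
    $report = ['added' => [], 'removed' => [], 'modified' => []];
    foreach ($new as $path => $info) {
        if (!isset($old[$path])) {
            $report['added'][] = $path;
        } elseif ($old[$path]['sha256'] !== $info['sha256']) {
            // Hash comparison catches edits even when the mtime was preserved.
            $report['modified'][] = $path;
        }
    }
    $report['removed'] = array_values(array_diff(array_keys($old), array_keys($new)));
    return $report;
}

function recentlyTouched(array $manifest, int $days): array
{
    $cutoff = time() - $days * 86400;
    return array_keys(array_filter($manifest, fn($i) => $i['mtime'] >= $cutoff));
}

function report(array $previous, array $current, int $days): void
{
    foreach (diffManifests($previous, $current) as $kind => $paths) {
        foreach ($paths as $p) {
            echo strtoupper($kind), "\t", $p, "\n";
        }
    }
    foreach (recentlyTouched($current, $days) as $p) {
        echo "RECENT\t", $p, "\n";
    }
}

if (isset($argv[1])) {
    $root     = rtrim($argv[1], '/');
    $manifest = $argv[2] ?? dirname($root) . '/.site-manifest.json';
    $days     = (int)($argv[3] ?? 7);
    $current  = hashTree($root);
    if (!is_file($manifest)) {
        file_put_contents($manifest, json_encode($current, JSON_PRETTY_PRINT));
        echo "baseline written to $manifest (", count($current), " files)\n";
        exit(0);
    }
    report(json_decode(file_get_contents($manifest), true), $current, $days);
    // Re-baseline only after the listing has been reviewed.
    if (($argv[4] ?? '') === 'accept') {
        file_put_contents($manifest, json_encode($current, JSON_PRETTY_PRINT));
    }
    exit(0);
}

// --- demo on a constructed tree ---
$root = sys_get_temp_dir() . '/monitor-demo-' . getmypid();
mkdir("$root/wp-content/themes/mytheme", 0700, true);
file_put_contents("$root/index.php", "<?php echo 'home';\n");
file_put_contents("$root/wp-content/themes/mytheme/footer.php", "<footer>ok</footer>\n");
$baseline = hashTree($root);

// Simulate what the post describes: a theme file edited and a new script dropped in.
file_put_contents("$root/wp-content/themes/mytheme/footer.php",
                  "<footer>ok</footer><div style=\"display:none\">...</div>\n");
file_put_contents("$root/list.php", "<?php // unexpected new file\n");
report($baseline, hashTree($root), 7);
```

Run it once to write the baseline, then daily from cron to compare; re-baseline with the `accept` argument only after reviewing the listing. Comparing hashes rather than relying on the mtime listing alone matters because a timestamp can be made to match its neighbours while the content has changed; the `RECENT` lines are the quick weekly view the post suggests, the `MODIFIED` lines are the reliable one.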
