{"id":2980,"date":"2009-09-17T13:45:20","date_gmt":"2009-09-17T17:45:20","guid":{"rendered":"http:\/\/redmonk.com\/sogrady\/?p=2980"},"modified":"2009-09-17T13:45:20","modified_gmt":"2009-09-17T17:45:20","slug":"hacked-again","status":"publish","type":"post","link":"https:\/\/redmonk.com\/sogrady\/2009\/09\/17\/hacked-again\/","title":{"rendered":"Hackers Broke in and Messed Up the Place and It&#8217;s My Fault"},"content":{"rendered":"<p>So we got hacked. <a href=\"http:\/\/redmonk.com\/sogrady\/2008\/01\/25\/the-friday-grab-bag-cloverfield-marketing-hacked-and-more\/\">Again<\/a>. It was just as fun as it sounds. <\/p>\n<p>The attack vector was the same this time as last: WordPress. And you know whose fault that is? Mine. <\/p>\n<p>The background on this unfortunate event is fairly simple to relate. A week ago last Friday, I got an email from James, subject line: &#8220;wordpress doing something v weird indeed to my blog permalinks.&#8221; Weird it most certainly was: base64 strings were somehow being appended to each entry. 30 seconds on Google later, I&#8217;d turned up <a href=\"http:\/\/wordpress.org\/support\/topic\/307588\">this<\/a> and knew we had a problem. The next steps were obvious: 1) get rid of the unauthorized users (and confirm their absence with a <code>SELECT * from wp_users;<\/code> on the penetrated database), 2) reset the altered permalink structure, 3) check the posts for injected content (e.g. <code>SELECT * FROM wp_posts WHERE post_content LIKE '%base64%';<\/code>), and 4) call for help. As before, we engaged <a href=\"http:\/\/inversepath.com\">Inverse Path<\/a>, and they could not have been more responsive and efficient. <\/p>\n<p>Anyway, the good news was that we had only one database affected &#8211; James&#8217; WordPress instance &#8211; and that the damage was sufficiently limited that I didn&#8217;t have to go back to an older version of his database. The bad news was that I had to spend a good part of a beautiful Saturday figuring that out and changing every password on the box. <\/p>\n<h2>What Happened?<\/h2>\n<p>Those of you that recall that we <a href=\"http:\/\/redmonk.com\/sogrady\/2007\/03\/06\/itreport_wordpress_updating\/\">update our WordPress instances nightly<\/a> from Subversion might reasonably be wondering: how in the hell did this happen? Don&#8217;t you guys keep update regularly, and isn&#8217;t the point preventing things like this? Well, yes we do, and yes it is. But at some point in the past &#8211; for reasons I can&#8217;t really recall &#8211; we began updating to specific versions of WordPress. So while our nightly scripts do indeed <code>svn update<\/code> around 2 AM each morning, they&#8217;ll only keep us updated within the particular version we&#8217;ve specified. Fortunately for us, in most cases, that was the safe 2.8.4 version, but we&#8217;d somehow missed James&#8217; blog and he got left behind at 2.8.3. Which meant he was vulnerable when we were attacked. <\/p>\n<p>Is it WordPress&#8217; fault that I didn&#8217;t upgrade properly? I can&#8217;t possibly see how. <\/p>\n<h2>What Are We Going To Do?<\/h2>\n<p>At some point in the near future, I will probably shift our infrastructure over to trunk from tagged versions. As DeWitt <a href=\"http:\/\/twitter.com\/dewitt\/status\/3785586881\">says<\/a>, that won&#8217;t prevent zero day exploits, but it would narrow the vulnerability window significantly. In the meantime I&#8217;ve cobbled together a stupid simple bash script that I can customize to batch upgrade us to a new version as it&#8217;s announced:<\/p>\n<blockquote><p><code>#!\/bin\/bash<br \/>\n# script to svn switch<br \/>\ncd \/path\/to\/wpinstance1\/<br \/>\nsudo svn switch http:\/\/svn.automattic.com\/wordpress\/tags\/2.8.4 wpdir<br \/>\ncd \/path\/to\/wpinstance2\/<br \/>\nsudo svn switch http:\/\/svn.automattic.com\/wordpress\/tags\/2.8.4 wpdir<\/code><\/p><\/blockquote>\n<p>And so on. But ultimately it&#8217;s just going to be safer to do an <code>svn switch<\/code> to trunk and stick to our nightly <code>svn update<\/code> script. <\/p>\n<h2>What Should You Do?<\/h2>\n<p>If you don&#8217;t have the same drivers that we do &#8211; a need to flexibly customize, a desire to dogfood certain approaches, etc &#8211; I would recommend running with a hosted version. Make updating and backup someone else&#8217;s problem wherever you can. But where that won&#8217;t work, you must a.) update regularly and b.) you absolutely, no exceptions, must back up your data. The lack of the latter is why I frankly have little sympathy for <a href=\"http:\/\/scobleizer.com\/2009\/09\/05\/i-dont-feel-safe-with-wordpress-hackers-broke-in-and-took-things\/\">Scoble<\/a>. It&#8217;s one thing for an industry neophyte blogging non-professionally to lose his data due to insufficient backups; it&#8217;s something else altogether for a technology professional working for one of the largest hosting outfits in the world. WordPress may or may not be intrinsically vulnerable, as was argued in this now dead <a href=\"http:\/\/news.ycombinator.com\/item?id=807584\">link<\/a>, but even if it was somehow magically immune to security exploits its databases would not survive a failed hard drive. I&#8217;m sorry, of course, that he lost data, but I would not be pointing the finger at WordPress. <\/p>\n<p>If you need help backing up your WordPress instance, <a href=\"http:\/\/redmonk.com\/sogrady\/2007\/01\/13\/itreport_backup\/\">here<\/a> are some detailed instructions on how we do it. All of the technologies involved &#8211; save the hosting &#8211; are free and open source. If you want a seamless, commercial-grade solution, I&#8217;d recommend <a href=\"http:\/\/www.backupmoxie.com\/\">BackupMoxie<\/a>, a service run by a couple of friends of mine. <\/p>\n<p>However you do it though, please &#8211; if you choose to host yourself, back up your data. <\/p>\n<h2>Is WordPress Secure?<\/h2>\n<p>In the wake of this particular attack, presumably because some of the victims were fairly high profile (e.g. Scoble), there are a great many people questioning the security of WordPress. And some of that criticism is, to be sure, well earned; following our last attack, trying to determine the file permissions that would both protect us and allow WordPress to function properly was something of a chore. <\/p>\n<p>But at the risk of sounding like an apologist for the project, software &#8211; all software &#8211; is vulnerable. If you&#8217;re on a network, you can and will be attacked. For the money or just for the fun of it. So no, I decline to join the mob calling for the WordPress developers&#8217; heads in the aftermath of a single exploit. If you want to argue that it&#8217;s less secure armed with metrics demonstrating this fact versus other similarly popular platforms, I&#8217;ll be happy to have that conversation. Until then, however, let&#8217;s talk about the real issue here: personal responsibility. <\/p>\n<p>If you don&#8217;t want to be bothered with keeping your infrastructure updated and backed up, terrific: pick an infrastructure option where that&#8217;s done for you. It&#8217;s true of <a href=\"http:\/\/wordpress.org\/development\/2009\/09\/keep-wordpress-secure\/\">WordPress<\/a>, yes, but it&#8217;s true of pretty much all software: upgrading is the only way to keep yourself safe. You can&#8217;t reasonably ignore the responsibilities of self-hosting and then cry about the consequences. That says far more about you than the WordPress project. <\/p>\n<p>Or so it seems to this &#8220;victim.&#8221;<\/p>\n<p><b>Disclosure<\/b>: Neither Automattic &#8211; the company behind the commercial wordpress.com &#8211; nor WordPress are RedMonk clients. I have, however, spoken at WordCamp on two occasions on a volunteer basis. The founders of BackupMoxie are friends of mine. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>So we got hacked. Again. It was just as fun as it sounds. The attack vector was the same this time as last: WordPress. And you know whose fault that is? Mine. The background on this unfortunate event is fairly simple to relate. A week ago last Friday, I got an email from James, subject<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","footnotes":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[77],"tags":[],"class_list":["post-2980","post","type-post","status-publish","format-standard","hentry","category-redmonk-it-report"],"jetpack_featured_media_url":"","jetpack_publicize_connections":[],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/redmonk.com\/sogrady\/wp-json\/wp\/v2\/posts\/2980","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/redmonk.com\/sogrady\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/redmonk.com\/sogrady\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/redmonk.com\/sogrady\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/redmonk.com\/sogrady\/wp-json\/wp\/v2\/comments?post=2980"}],"version-history":[{"count":0,"href":"https:\/\/redmonk.com\/sogrady\/wp-json\/wp\/v2\/posts\/2980\/revisions"}],"wp:attachment":[{"href":"https:\/\/redmonk.com\/sogrady\/wp-json\/wp\/v2\/media?parent=2980"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/redmonk.com\/sogrady\/wp-json\/wp\/v2\/categories?post=2980"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/redmonk.com\/sogrady\/wp-json\/wp\/v2\/tags?post=2980"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}