How to take down a WordPress site


Security is the most concerning issue. I always look for stable software from WordPress, but somehow I still don’t feel safe about it. It happens frequently: if you miss something and a hacker gets in, you are simply hacked too. Let’s see how, without a botnet or an expert hacker, anyone can take down your WordPress site.

I recently spoke at A4U in London on the topic of Negative SEO with Dave, Ralph and Marcus.

Someone asked me after the session if they needed to be aware of anything to help protect their blog from damage. Bear in mind that what I am about to explain is probably illegal and this isn’t a guide; it’s a warning on how to avoid the problem.

So, is it possible to take down a WordPress site without knowing how to hack, renting a botnet, paying a hacker, etc.?

Yes probably…

Say you have a WordPress site and haven’t prevented directory browsing in your plugins directory (add a line to your .htaccess that says 'Options All -Indexes' to prevent that).

The competition could look for plugin names in your source code then confirm it exists by browsing the plugins directory. If they then found a plugin that wasn’t too popular they could set up a way of trying to dupe you.

They could set up a one page site about that plugin with an announcement saying that they had taken ownership of the plugin and now supported it.

They could email you saying that they had taken over the plugin from its author and that you needed to upgrade your version due to a potential security issue and helpfully attach a zip file of the new upgraded plugin.

You might trust them and install that new version. The new version however isn’t that new; it’s the same as the old version, but now they have inserted a few lines to add a hook in the header.

These lines insert the verification code for Google Webmaster Tools.

Now you have a competitor who has verified control of your domain on a fake Google account.

They can remove files (a removal request on the root?).
They could mess with the configuration of www vs. non-www.

In short, they could make your site disappear.

So, to avoid this:

Never accept a plugin from anywhere other than WordPress, and vet the code.
Watch the notifications in Webmaster Tools to spot anyone else getting verified for your domains.
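One way to check your own site for the two exposures above, as an added example rather than code from the original post: it parses already-fetched HTML offline (the sample pages and placeholder tokens below are constructed), flagging any google-site-verification meta tag whose token you did not register yourself, and recognising an Apache-style directory index of the plugins folder.

```python
import re
from html.parser import HTMLParser


class VerificationTagParser(HTMLParser):
    """Collects the content of every <meta name="google-site-verification"> tag."""

    def __init__(self):
        super().__init__()
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() == "google-site-verification":
            self.tokens.append(a.get("content", "").strip())


def verification_tokens(html):
    parser = VerificationTagParser()
    parser.feed(html)
    return parser.tokens


def unexpected_verifications(html, known_tokens):
    """Verification tokens found in the page that the site owner did not register."""
    return [t for t in verification_tokens(html) if t not in known_tokens]


def looks_like_directory_listing(html):
    """Apache-style index page: an 'Index of /...' title plus a parent-directory link."""
    return bool(re.search(r"<title>\s*Index of /", html, re.I)) and "Parent Directory" in html


# Constructed sample: the owner's own token beside one injected through a plugin header hook.
SAMPLE_HEAD = """<html><head>
<meta name="google-site-verification" content="OWNER_TOKEN_placeholder" />
<meta name="google-site-verification" content="INJECTED_TOKEN_placeholder" />
</head><body></body></html>"""

# Constructed sample: what a browsable plugins directory looks like when served by Apache.
SAMPLE_LISTING = """<html><head><title>Index of /wp-content/plugins</title></head>
<body><h1>Index of /wp-content/plugins</h1><a href="/wp-content/">Parent Directory</a>
<a href="example-plugin/">example-plugin/</a></body></html>"""

if __name__ == "__main__":
    print(unexpected_verifications(SAMPLE_HEAD, {"OWNER_TOKEN_placeholder"}))
    print(looks_like_directory_listing(SAMPLE_LISTING))
```

Run it against the HTML of your own homepage and of /wp-content/plugins/ fetched with any HTTP client; a non-empty list or a True result is the signal to investigate.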

Content credit goes to Paul Madden.
