
WordPress Malware Resource Page and How to Keep your Blog Protected

There are two ways to publish a blog: using a free hosted blog publishing network like blogger.com, or installing blogging software on your own server under your own domain name (‘standalone blog publishing’). The WordPress blog publishing platform (“WP”) is quickly growing to be the industry standard for standalone blog publishing. By WordPress’ own estimates, over 22 million users have installed WP on their servers. WP offers bloggers a lot of flexibility through an endless number of third-party plugins which add functionality to core WP functions. WP fans also create a lot of free themes that give WP blogs unprecedented variety in “look and feel.” Increasingly, WP is used not only for blogging but for publishing static web pages and other non-blog uses.

Abandoned WordPress Blogs: The Internet’s Ticking Time bombs?

While WP has enabled millions of bloggers to quickly and conveniently publish their thoughts on an endless variety of topics, WP does have a dark side. Due to its Open Source code and architecture, WP is normally very safe and secure because patches for any security vulnerabilities are released swiftly by the huge community of coders who use WP. Unfortunately, this community-based security requires that a blog’s owner update to the latest WP version. This is where the danger lies. If a WP blog is abandoned by its owner and doesn’t get updated to the latest version of WP it becomes a ticking time bomb waiting to be scanned and exploited by attackers looking to turn the blog into an attack site that automatically loads and installs trojans and other malware into unsuspecting visitors’ computers.

According to the New York Times, a whopping 95% of all blogs are abandoned within a few weeks of being created. Applying this percentage to WP’s installed base of 22 million blogs, close to 21 million WP blogs are abandoned. Even factoring in automated updates done by some hosting providers for these blogs, the sheer volume of millions of abandoned WP blogs is a cause for concern. These non-updated abandoned blogs can become easy targets for attackers who have studied older WP versions’ vulnerabilities. Attackers can easily turn abandoned WP blogs into attack sites for trojan and other malware distribution.

Just in recent months, hackers used SQL injection and other database vulnerabilities in the WP blogs hosted by Network Solutions to redirect these blogs to an attack site. The attack site loaded the unsuspecting visitors’ computers with a variant of the BUZUS trojan. Shortly thereafter, WP blogs hosted at the huge registrar GoDaddy also reported similar attacks. Both attacks focused on WordPress installs that weren’t upgraded to the latest version of WP.

eReviewGuide.com’s Blog Malware Protection Resources

The solution to WP-based malware attacks must be approached from both the website visitor’s side and the blog owner’s side. Focusing on only one part of this equation doesn’t fully solve the problem.

- Safe Browsing best practices

Here are some practical steps you can follow to maximize your computer’s security when browsing websites:

- Always keep your Antivirus/antimalware software updated

We can’t emphasize this enough. Although many antivirus programs have auto-update set as default, many users turn off auto-update. This is a serious mistake. Make sure auto-update is turned on, and always check that your antivirus/antimalware program is up to date.

- Run more than one Antivirus/AntiMalware scanner

Since there are new variants of trojans and other malware that use WP blogs to proliferate, make sure you get a “second opinion” on your system’s security by running two alternate security programs. When one fails to detect a problem, at least you have another program that might pick up on it. NOTE: many programs don’t work with each other, so make sure to install security applications that can work together.

- Read search engines’ advisories about a site

After you enter a search term into a search field, quickly read the search results before you click on any result’s link. Check whether there are any warnings regarding the websites listed. Search engines scan websites to manage their indices. During these scans, possible attack sites are identified and a warning notice is posted on these problem sites’ listings in search result pages.

- Use Firefox

Firefox continues to be a safer alternative to Internet Explorer due to its built-in protections against auto-installs. Firefox also has attack site and forgery site blocking set as default. Download your copy of Firefox here.

- Blog Security Best Practices for WP blog owners

If you use WP for your blogging platform, here are some key tips to help you do your part in the fight against the use of old WP installs to spread malware.

- Always keep your WP install updated

WordPress is open source and has a support community composed of thousands of coders. These two factors make WordPress very safe since vulnerabilities are reported quickly and patches/upgrades released within a short amount of time. However, you can’t be protected if you don’t update your blog to the latest version. Coordinate with your website’s host administrator so they will automatically update your WP install whenever a new version is released. This will minimize headaches down the road in the event you abandon your blog in the future.

- Use only plugins that are trusted (from WordPress.org plugins)

There are some reports of plugins that have security vulnerabilities. Make sure to use only plugins that are listed on WordPress’ official website. Don’t use plugins with unknown or shady authors. In the event that you want to go ahead with a plugin that can’t be found in WordPress’ plugin database, do a search for the name of the plugin to see if there are any complaints or bad reviews before you install.

- Take off version

Malware distributors find abandoned blogs using older versions of WP by scanning for publicly viewable version information on these blogs. Make it harder for them by removing version information from your WP blogs using plugins like WP-Secure Remove WordPress Version.
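To check whether your own blog still shows its version after this step, the following added example (not code from this page or from the plugin it names) scans saved page source for version disclosures. It goes slightly beyond the text by also flagging the `?ver=` query strings WordPress appends to stylesheet and script URLs; the sample HTML and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample: page source of a hypothetical blog before cleanup.
SAMPLE_HTML = """<html><head><title>My blog</title>
<meta name="generator" content="WordPress 2.9.2" />
<link rel="stylesheet" href="/wp-content/themes/classic/style.css?ver=2.9.2" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.3.2"></script>
<meta name="description" content="Thoughts on gardening" />
</head><body></body></html>"""

# Constructed sample: the same page after version information is removed.
CLEAN_HTML = """<html><head><title>My blog</title>
<link rel="stylesheet" href="/wp-content/themes/classic/style.css" />
<meta name="description" content="Thoughts on gardening" />
</head><body></body></html>"""

VERSION = re.compile(r"\d+(?:\.\d+)+")
VER_PARAM = re.compile(r"[?&]ver=(\d+(?:\.\d+)*)")

class VersionLeakFinder(HTMLParser):
    """Collects (kind, source, version) for each version disclosure."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            content = a.get("content", "")
            m = VERSION.search(content)
            self.findings.append(("generator-meta", content, m.group(0) if m else ""))
        elif tag in ("link", "script"):
            url = a.get("href") or a.get("src") or ""
            m = VER_PARAM.search(url)
            if m:
                self.findings.append(("asset-ver-param", url.split("?")[0], m.group(1)))

def find_version_leaks(html):
    """Return every version disclosure found in one page's markup."""
    finder = VersionLeakFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

if __name__ == "__main__":
    for kind, source, version in find_version_leaks(SAMPLE_HTML):
        print(f"{kind:16} {version:8} {source}")
```
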

- Disable comments

If you aren’t actively monitoring or maintaining your blog or see yourself spending less time on your blog in the near future, you may want to disable blog comments now. There have been reports of attackers using blog comments to insert code that compromises blog security. Make sure comment moderation is turned on—even for commentators that have had previous comments approved.

- Lockout failed login attempts

Install the Login Lockdown plugin to prevent automated password guessing/brute force bots from repeatedly trying to gain access to your blog. Login Lockdown lets you set the number of login attempts before blocking further login attempts from the same IP address. This nifty plugin also lets you set the lock out period’s duration.
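The lockout behaviour described above can be modelled in a few lines. This is an added example, not the Login Lockdown plugin's code: the class, the parameter names, the retry window and the default values are assumptions, and the login events are constructed.

```python
from collections import defaultdict, deque

class LoginLockout:
    """Per-IP lockout: too many failures inside a window blocks that IP."""

    def __init__(self, max_failures=3, window_s=300, lockout_s=3600):
        self.max_failures = max_failures      # failures allowed before blocking
        self.window_s = window_s              # assumed retry window, in seconds
        self.lockout_s = lockout_s            # lockout period's duration
        self.failures = defaultdict(deque)    # ip -> timestamps of recent failures
        self.locked_until = {}                # ip -> time the lockout ends

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is not None and now >= until:
            del self.locked_until[ip]         # lockout has expired
            until = None
        return until is not None

    def attempt(self, ip, now, password_ok):
        """Return 'blocked', 'ok' or 'failed' for one login attempt."""
        if self.is_locked(ip, now):
            return "blocked"                  # the password is never checked
        if password_ok:
            self.failures.pop(ip, None)       # success clears the failure history
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window_s:
            recent.popleft()                  # forget failures outside the window
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout_s
            recent.clear()
        return "failed"

# Constructed event stream: (seconds, source IP, password correct?)
EVENTS = [
    (0, "203.0.113.9", False), (5, "203.0.113.9", False),
    (9, "203.0.113.9", False),     # third failure: lockout starts
    (12, "203.0.113.9", True),     # correct password, but the IP is locked
    (20, "198.51.100.4", True),    # a different IP is unaffected
    (3700, "203.0.113.9", True),   # lockout ended at 9 + 3600 = 3609
]

def replay(events, policy=None):
    """Run the events through a policy and return each attempt's outcome."""
    policy = policy or LoginLockout()
    return [policy.attempt(ip, t, ok) for t, ip, ok in events]
```

Because the block is applied per IP address before the password is checked, a guessing bot that eventually hits the right password during the lockout period still gets no access.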

- Scan WP for security issues

The WP Security Scan plugin scans your WP install for security vulnerabilities and recommends corrective measures.

- Talk to your host’s techs and admins

Keep in constant communication with your host’s admin personnel and technicians. Find out about their WP and third-party script security policies. Make sure they are keeping a backup for you. If it costs extra, go ahead and spend a little extra for the added peace of mind. Make sure to discuss their WP update policies in case you decide to stop blogging or no longer have the time to maintain and/or monitor your blog. Review your rights under the hosting contract with regard to security breaches involving your blog.

- Vigilance is the key to protection

When it comes to malware attacks, it’s a continuously evolving arms race out there. You have to keep up with the information race to make sure you are protected both as a net user and as a blog owner/operator. As a user, take extra time to make sure your browser settings and antimalware/antivirus applications are set up and running correctly. As a blog owner, make sure you are not setting up your blog for future exploitation by making contingency plans in case you no longer have time to maintain your blog. Regardless of whether you are a blogger or a web user, you can and should play a part in defusing the threat posed by abandoned blogs to the Internet’s security.
