Blogging, Community, Strategy, Web Tools, Wordpress
How To: Prevent Your Blog from Being Hacked
Alright, picture this: You arrive at your favorite local coffee shop and order yourself a triple-shot non-fat soy latte. Taking your warm and heavily caffeinated beverage, you plop yourself into the nearest comfy chair and open up your fully charged laptop.
From here you connect to the provided free wireless, cruise the inter-webs for a bit, and finally decide that you probably should actually post some decent content on your blog. At this point you head over to your self-hosted site, that you lovingly built from the ground up with your bare two hands, you then type in your username and password, and proceed to click “Log in”.
Well don’t look now, but there is a decent chance that you’re about to be hacked.
What's the Big Deal?
Well, the root cause of your current issue is that you are on the coffee shop's network, along with a ton of other people, and all of you are sending your information to the internet unencrypted.
And the first rule of shared networks is that you must always assume someone malicious is on there with you. No joke! When I say always, I mean always.
You may be thinking "big deal, I've done this plenty of times," and for a fact, so have a lot of other netizens. But I can tell you from experience, running a large organization with thousands of users and thousands of computers, that there are plenty of people who are bored and brilliant enough to get your data.
For example, you may recall the big fiasco recently where Google accused China of hacking email accounts. At the time, Google gave its users the choice of accessing their Gmail accounts over either http or https. That has since changed: Google rewrote the application to force the use of https whenever you access Gmail. Awesome! (This is the same solution that banks use.)
How Does This Happen?
Without getting too technical: when your web browser makes a request on the web, that request actually crosses the inter-tubes as plain, unencrypted text. And don't get confused; I hear the following all the time.
“But when I type my password in, it doesn’t show up. So it has to be safe!”
Example:

Right? RIGHT?? Wrong!!!
Don't believe it. The password field only "hides" the characters from someone peering over your shoulder. But when you click that beautiful blue "Log in" button, the data goes across the web looking something like this:
username = jared.folkins
password = myCrazyPassword
And you are extremely vulnerable, because anyone else on the network can "sniff" this unencrypted data. Sniffing is basically some nerd (like me, only evil) stealing your data off the network using known tools. I have personally done this hundreds of times on clients' networks to show them their vulnerabilities. So look around you: all those other people connected to the same free wireless the coffee shop offers could be ready to have a laugh at your expense.
Solutions?
The only way to make 100% certain that your password will not be sniffed is to encrypt the data.
This is typically pretty costly.
It is, like we talked about, what Google, banks, and even the WordPress site do. For the most part, any site you come across that is using https:// can be assumed to be encrypted, as long as no funky warning messages pop up.
Example (Make note of the https:// instead of http://) :

Should you want to encrypt the traffic by enabling SSL, you need to:
- Purchase an SSL certificate from a licensed certificate authority (approximately $15-$89 annually)
- Install the SSL certificate on your web server
- Configure Apache to listen on port 443
- Create an Apache rewrite rule that forces the server to send all requests to port 443 instead of 80
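As an added illustration of the four steps above (example configuration written for this page, not the author's own setup or any project's code), here is what the Apache side looks like once the certificate is installed. The host name blog.example.com, the DocumentRoot, and the certificate file paths are assumptions; on a real server they come from your certificate authority and your distribution's layout.

```apache
# Step 3: have Apache listen on 443 as well as 80.
# On many distributions this line already lives in ports.conf or
# httpd.conf; keep only one copy or Apache will refuse to start.
Listen 443

# The encrypted site. mod_ssl must be loaded (a2enmod ssl on Debian/Ubuntu).
<VirtualHost *:443>
    # assumed host name and path to the WordPress files
    ServerName blog.example.com
    DocumentRoot /var/www/blog

    SSLEngine on
    # Step 2: the certificate bought from the CA, its private key, and the
    # CA's intermediate chain. The paths are placeholders for this example.
    SSLCertificateFile      /etc/ssl/certs/blog.example.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/blog.example.com.key
    SSLCertificateChainFile /etc/ssl/certs/ca-intermediate.crt
</VirtualHost>

# Step 4: the plain-text site does nothing but send every request to https.
# mod_rewrite must be loaded (a2enmod rewrite).
<VirtualHost *:80>
    ServerName blog.example.com
    RewriteEngine On
    # 301 so browsers and search engines remember the https address.
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

Run `apachectl configtest` before reloading, then load the site and check for the padlock and the absence of certificate warnings. One WordPress-specific catch: the "WordPress Address (URL)" and "Site Address (URL)" settings must also be changed to https://, otherwise WordPress keeps redirecting visitors back to the http address and the two redirects fight each other.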
This may read as simple, but for a lot of bloggers this solution is simply outside their technical skill set. My suggestion: if you run a personal blog and its net value is greater than a couple hundred bucks annually, hire a consultant to help you out.
But, there is a less costly way to do this as well.
On my personal blog, I choose not to encrypt my data, meaning that I don't use SSL. Though I have the technical expertise, the value of my blog is not high enough to justify the annual certificate expense. So my solution is to write my posts in a word processor.
Only after I get home and connect to my personal network, or a network belonging to someone I trust, do I log in to my blog and copy/paste the sweet post that the world wide web seemingly craves.
*I also wrote some scripts to backup my database and web application nightly. This way I know I can restore my site.
Not interested in paying anything? There are free ways too.
Use a free blogging service like blogger.com or wordpress.com; these sites pay for the SSL certificate, which allows your data to be encrypted. For me this is not ideal, since I want control over my content. But for a lot of people, this solution works just fine.
UPDATE:
There is technically one final free option: create a self-signed certificate and use it only for the authentication portion of your site, not the content portion. This solution is pretty technical, though, so I don't think most people would be interested.
If you are, let me know. I can do a follow-up post.
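To make the update concrete, here is one way that last option could be laid out in Apache. This is an added example for this page, not the author's promised follow-up or any project's own configuration. It assumes the same host name and DocumentRoot as a full-SSL setup, a key and certificate generated with the openssl command quoted in the comment, and that the blog is WordPress, so that the login page is wp-login.php and the admin area lives under /wp-admin/.

```apache
# Self-signed key and certificate, generated once on the server (assumed
# paths). This is the standard openssl one-liner: 2048-bit RSA, valid for
# 365 days, no passphrase on the key so Apache can start unattended.
#   openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
#       -keyout /etc/ssl/private/blog-selfsigned.key \
#       -out /etc/ssl/certs/blog-selfsigned.crt \
#       -subj "/CN=blog.example.com"
Listen 443

# The authentication portion: encrypted with the self-signed certificate.
<VirtualHost *:443>
    ServerName blog.example.com
    DocumentRoot /var/www/blog
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/blog-selfsigned.crt
    SSLCertificateKeyFile /etc/ssl/private/blog-selfsigned.key
</VirtualHost>

# The content portion stays on port 80. Only the login page and the admin
# area are pushed to https; everything else is served here in the clear.
<VirtualHost *:80>
    ServerName blog.example.com
    DocumentRoot /var/www/blog
    RewriteEngine On
    RewriteCond %{REQUEST_URI} ^/wp-login\.php [OR]
    RewriteCond %{REQUEST_URI} ^/wp-admin/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

WordPress has a matching switch, `define('FORCE_SSL_ADMIN', true);` in wp-config.php, which makes WordPress itself send login and admin requests to https and mark the admin cookies Secure, so the application and the rewrite rule agree. Two caveats: because the certificate is self-signed, every browser warns the first time it sees it (you are the only one logging in, so you can accept your own certificate, ideally after comparing its fingerprint), and only the admin cookies get the Secure flag. The cookie WordPress uses to recognize you on the public http pages still travels in the clear, which is exactly the trade-off the update describes.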
Conclusion
My aim is not to create internet "terrorists" around every corner. I don't want people screaming and running for the hills. But I do think it is important for almost everyone to have some idea of how they are vulnerable, assess the risks, and then make the best choice possible.
If you have questions, feel free to ask. There are a lot of skilled people here at ChurchCrunch and over at ChurchIT, and we are happy to answer anything and everything.
24 Responses to “How To: Prevent Your Blog from Being Hacked”
-
Tweets that mention How To: Prevent Your Blog from Being Hacked | ChurchCrunch -- Topsy.com
[...] This post was mentioned on Twitter by John Saddington and churchcrunch, Michael Brisk. Michael Brisk said: RT @churchcrunch: How To: Prevent Your Blog from Being Hacked http://bit.ly/dgF75v [...]
-
WordPressハッカーズ
How To: Prevent Your Blog from Being Hacked | ChurchCrunch…
This article is featured on the following site: WordPressハッカーズ…
-
What’s In It for We? : How I Began Blogging for 8BIT | ChurchCrunch
[...] and I had agreed that I would write 4-5 posts at 400-500 words a piece. But if you happen to look, here, here, here, here, and here, you will see that on average my posts were around a thousand words [...]
This threat does not apply if you’re automatically logged in, does it? What about clients like Tweetdeck and such for instance?
Automatically logging in still passes your username/password across the wire. Only difference is, you aren’t prompted for it but because you saved this information into your browser, it hands it over to the application requesting it without your intervention. In other words, it isn’t any different than if you were to type it in manually.
* * *
Disclaimer: I am not advocating hacking, I am trying to conceptually show how hackers steal data, so that you can protect yourself.
* * *
@brynte
Well, not exactly. In that once you send your username and password, the server sends back a cookie with a unique session ID. Your web browser will use the cookie kinda like a regular old door key. To “unlock” the websites door.
So the next time you go to that site, it doesn’t ask for your username/password again, it just says;
“Hey, this web browser just accessed me. And the browser has a cookie(key) from my domain with PHPSESSION_ID = 12345 which is that dude named Brynte. Go ahead and unlock the doors and let him on through.”
But this opens up another can of worms where a hacker can now sniff for your unencrypted cookie data which includes your SESSION_ID, and then proceed to “spoof” your cookie.
Spoofing is where a hacker will grab your cookie data, create a duplicate, and then pretend to be you.
If you take one thing away from this post, just remember that the best thing to do is encrypt your traffic, or get on a friendly network.
A good rule of thumb if your data is important.
Bad:
-ftp
-http
Good:
-sftp
-https
If you Google this stuff, there are plenty of tutorials that will teach you how. Again, I use this knowledge to secure my employers data, not to steal (obviously).
Thanks Jared, I know some things about security… I know that cookies can be abused… But did not know how hackers use them? Not until now. You just added another valuable tip to my safety precautions list….
Awesome! Glad it was helpful and I appreciate you saying so.
-peace
Overall, a good post Jared. I’d just like to add a couple things.
1. You shouldn't be using any publicly-available network to transmit sensitive data (in other words, going anywhere you'd have to log in).
2. Using SSL is a step up, but unless you know what you’re doing, there are a few SSL attack vectors that can take advantage of the ignorant.
3. Self-signed SSL certs are better than nothing, but I’d take a pass on using them if they were the only option (that means we’re back to #1)
Personal opinion: Sniffing packets on a network isn’t any more of a crime than listening to a noisy conversation nearby.
@AaronMelton
I agree with a lot of what you said.
“Personal opinion: Sniffing packets on a network isn’t any more of a crime than listening to a noisy conversation nearby.”
Though this, is just a really gray area to me. I think we will see the morality of this choice being defined culturally in the coming years, as the computer science arena is not heavily regulated (yet).
-peace
It may not yet be a technical crime, but morally, if you haven't been invited to sniff one's data then doing so is a breach of privacy.
In the UK that at least has some protection in law. I’m sure some clever lawyer would (or even has) turn that to their use.
@Stuart
Privacy? I always tell my folks that if you want privacy, don’t do anything online.
But yeah, I think the “spirit” of the law would point more to what you are suggesting.
@brynte
I would have to look at the data when using TweetDeck. A quick Google search revealed:
http://revision3.com/forum/showthread.php?t=29665
“TweetDeck mostly uses SSL, but will randomly not use SSL occasionally.”
I’d take that with a grain of salt though. I would have to test it for a bit to truly know for sure.
Ok, thanks. Very good to know. (Although the value of my blog is not much at all, it’s good to know this stuff.)
I would be very interested in a how-to on setting up a self-signed certificate. That could be very useful.
Also, a follow-up question about trusted networks: How vulnerable are cellular networks to sniffing? I rarely use public wi-fi any more even when available because i have great 3G and a ridiculous data plan. I suspect it is more secure, but I’m really not sure.
So I think the best way to answer this is just how I choose to function personally.
I choose to use my 3G data network wherever I can, rather than a coffee shop wifi. I have read some white papers on trying to gather data off of 3G, and most of the time the carriers plug the security holes rapidly. Still, you are sending your data to your site in plain text. But the cell carrier does encrypt the packets on the way to the tower.
I do want to again state, that I encrypt my data using SSL when the risks are high enough. Mission critical stuff just needs to be encrypted.
Hope that helps.
It does help, thanks!
Ditto for a post on setting up a self-signed certificate for the authentication portion of WP-admin. If not here, at least on ChurchIT. Obviously it's good not to get lulled into a false sense of security, but learning the skills can give you just that much more of a springboard.
Awesome post.
A minister friend of mine still uses MS Front Page to maintain his organization’s web site. I’ve reminded him NEVER to update his web from a free WiFi hot spot. FP uses standard ftp w/ the user ID and password going in clear text across the air. I’m working on converting the site to a CMS but that’s a different story.
@PatrickB
Yeah this is funny to me.
For years my Dad would read to us from a Giant Red picture Bible. And I can remember asking him about the Israelites and why they just didn’t have faith in God, instead of wandering the desert for all those years.
Obviously, as an adult that childlike faith is now lost and has been replaced with a pretty heavy sin-seeking mindset. Meaning that I have stupidly chosen to find out the hard way and do some "wandering" of my own.
In this same fashion a lot of people get warned about security concerns pretty early and pretty often. It only becomes an issue when something bad happens and they have to learn the hard way. And as the consultants, we end up sitting back and shaking our heads thinking “Why didn’t they just have faith that I knew what I was talking about?”
It never ceases to amaze me that the Bible practically teaches age old lessons in the oddest and yet most compelling ways.
-peace
Question. How does this compare to logging into an unsecure wordpress site over a 3G connection (say on a 3G iPad). Is a 3G data connection just as bad or worse than a public wifi connection?
Hi Brett, please see above response to the same question.
-peace
Very helpful, Jared, as I work primarily out of coffee shops for this season of life!