    Blogging Security Risk Awareness

    We have a vast number of WoW bloggers who are part of our Consortium Forum community, and I would like to highlight some of the security risks they face, whether they are aware of them or not.

    Blogs are quite often the heart and soul of a community such as Gold Making in World of Warcraft. They help to circulate content and keep ideas fresh. I myself only came across The Consortium Forums after following a link from the JMTC Blog.

    Themes. Themes, Themes, Themes, Themes, Themes… Every blog and website needs some sort of design or theme, and there is a reason that WordPress is by far the most commonly used platform for blogs. It provides excellent CMS features, a wide range of designs, and a great official and unofficial community behind it.
    Keep in mind that this article is not limited to WordPress themes and blogs only! I am just using WP as my main example here.

    The real problem and security threat lies in WHERE you get the themes from. You could:
    • Make use of the limited but, in many cases, sufficient default WordPress.com themes.
    • Use free themes that are provided all over the web for who knows what reason.
    • Purchase top-notch professionally designed themes for thousands of dollars - perhaps even a uniquely designed theme specifically for you.
    • Go the blackhat way of life and download an illegal copy of the above-mentioned options. This is very easy to do if you know how to run a Google search.


    Regardless of which route you go, each option has its benefits and risks, and all of them can be affected in one way or another whether you like it or not.
    Those risks include people taking advantage of your website, your content, your traffic and even your readers - for their own personal gain.


    A Sneaky Rogue Pickpocketing All Of Your Hard-earned Adsense and Referrals!

    An easy example

    Some themes contain backdoors, which give whoever planted them access to your website's files and hosting account.
    This means that they can gain access to:
    • All your information
    • Your readers' email addresses (sure, you may guarantee them privacy, but the hackers won't)
    • Stored usernames/passwords


    They can also go into your blog and edit your CPA, AdSense or other advertisement links to:
    • Use their referral links instead of yours
    • Link to their own websites, instead of to the intended linked website
    • Inject malicious advertisements or code into your website (such as illegal cookie stuffing), or code that infects anyone who visits your page. This is a very common method of gathering computers for a malicious botnet army, which can get you and your readers involved in illegal activity without you even knowing it.

    Another example
    This one is less damaging or alarming, but still not quite right. They insert a piece of code into your template pages that gives them backlinks from your site (possibly including to some unsavory websites such as sex shops, or even websites that host illegal content like warez).

    Often, if you spot this piece of code in the theme, you will also find a comment next to it saying something like "By law you are not allowed to remove this code" or some rubbish like that.


    FTP Programs. An example is a program like FileZilla, which is used to upload and replace the content on your website via FTP. These programs can store your account details so that it is quicker for you to log in next time, but often the protection on those stored credentials isn't very strong, and they can easily be extracted and decrypted by anyone who gets hold of your machine or its files.

    The hacker then has free rein over your website's files to do the above-mentioned deeds. I would recommend that you choose never to remember the passwords - or at least clear the saved details once in a while.


    Brute-force Protection. Brute-force attacks are probably one of the oldest methods of cracking a password, username or key: the attacker simply checks all possible candidates systematically until the correct one is found.


    [Chart: symmetric key length vs. number of brute-force combinations, from Wikipedia.org]

    Brute-force attacks on your website's login (especially something as simple as WordPress' WP-Admin login screen) are rather common and, given enough time, effective.

    However, the funny thing is that it is SOOO easy to protect yourself from a brute-force attack on your WordPress account: install one of the simple plugins that limit the number of login attempts that can be made and automatically ban the IP address when that limit is exceeded. Check this post for more information on WordPress login-protection plugins against brute-force attacks.
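    As an added example (not code from the article or from any particular plugin), this is the lockout logic such a login-protection plugin implements, written in Python and replayed over constructed login events: after a set number of failures from one IP inside a sliding window, that IP is banned for a period and even a correct password is rejected until the ban expires. The thresholds (5 failures in 10 minutes, 1 hour ban), the event format and the IP addresses are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

class LoginGuard:  # defaults are assumptions modelled on typical plugin settings
    def __init__(self, max_failures=5, window=timedelta(minutes=10),
                 ban_for=timedelta(hours=1)):
        self.max_failures, self.window, self.ban_for = max_failures, window, ban_for
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned_until = {}               # ip -> datetime when the ban expires

    def record(self, ip, success, now):
        """Return 'banned', 'blocked' (ban just triggered), 'fail' or 'ok'."""
        if now < self.banned_until.get(ip, now):
            return "banned"                  # rejected even if the password is right
        self.banned_until.pop(ip, None)      # ban expired (or never existed)
        if success:
            self.failures.pop(ip, None)      # a good login clears the counter
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                 # drop failures outside the window
        if len(recent) >= self.max_failures:
            self.banned_until[ip] = now + self.ban_for
            self.failures.pop(ip, None)
            return "blocked"
        return "fail"

# Constructed login events (not from a real site): date time ip user result
SAMPLE_LOG = """\
2011-03-05 10:00:01 203.0.113.7 admin FAIL
2011-03-05 10:00:03 203.0.113.7 admin FAIL
2011-03-05 10:00:04 198.51.100.2 editor FAIL
2011-03-05 10:00:05 203.0.113.7 admin FAIL
2011-03-05 10:00:06 203.0.113.7 admin FAIL
2011-03-05 10:00:08 198.51.100.2 editor OK
2011-03-05 10:00:09 203.0.113.7 admin FAIL
2011-03-05 10:00:10 203.0.113.7 admin OK
2011-03-05 11:30:00 203.0.113.7 admin FAIL"""

def replay(log_text, guard=None):
    """Feed each event to a LoginGuard and return the decision per event."""
    guard = guard or LoginGuard()
    decisions = []
    for line in log_text.splitlines():
        date, time, ip, _user, result = line.split()
        now = datetime.fromisoformat(f"{date} {time}")
        decisions.append(guard.record(ip, result == "OK", now))
    return decisions
```

    In the sample replay the fifth failure from 203.0.113.7 returns 'blocked', the correct login that follows returns 'banned', and the attempt after the ban has expired is counted afresh; the other IP's failures never count against it.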



    Conclusion:

    If you are worried about your blog’s security, or were alarmed to learn that such things could occur without you even realizing it, I highly recommend that you go do some good old Google research and brush your knowledge of the subject back into shape.

    If you are concerned, I would recommend that you check out this link on How to find a backdoor in a hacked WordPress.

    It covers stuff like:
    • Added code – such as eval($_POST['attacker_key']);
    • How to hide code – gives you recommendations of where to hide your own code, and where to look for hidden malicious code
    • Database obfuscation

    Read through some of the helpful comments on that article too.
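    As an added example (not code from the article or from the linked post), here is a small Python scanner for the kinds of planted code described above: the eval($_POST[...]) backdoor from the linked article's list, eval() over an encoded blob, a request value called as a function, the hidden backlink block from the "Another example" section, and its "not allowed to remove" notice. The regexes are a constructed heuristic set, not a complete signature list, and the sample theme files are constructed.

```python
import re

# Heuristic indicators of tampered theme files (assumption: typical patterns,
# not a complete list). Each entry is (finding label, compiled regex).
SUSPICIOUS_PATTERNS = [
    ("eval of request data",
     re.compile(r"eval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)", re.I)),
    ("eval of decoded blob",
     re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
    ("request value called as function",
     re.compile(r"\$_(POST|GET|REQUEST)\s*\[[^\]]+\]\s*\(", re.I)),
    ("hidden link block",
     re.compile(r"<(div|span|p)\b[^>]*(display\s*:\s*none|visibility\s*:\s*hidden)"
                r"[^>]*>.*?<a\s+href", re.I | re.S)),
    ("do-not-remove notice",
     re.compile(r"not\s+allowed\s+to\s+remove", re.I)),
]

def scan_source(name, source):
    """Return (file, line, label) for every pattern hit in one file's text."""
    findings = []
    for label, pattern in SUSPICIOUS_PATTERNS:
        for match in pattern.finditer(source):
            line_no = source.count("\n", 0, match.start()) + 1
            findings.append((name, line_no, label))
    return findings

def scan_theme(files):
    """Scan a {filename: contents} mapping, e.g. built with os.walk over a theme dir."""
    findings = []
    for name in sorted(files):
        findings.extend(scan_source(name, files[name]))
    return findings

# Constructed sample theme (not a real theme): one planted backdoor, one hidden
# backlink with the "you may not remove this" notice, and one clean file.
SAMPLE_THEME = {
    "functions.php": (
        "<?php\nadd_action('init', 'theme_setup');\n"
        "if (isset($_POST['attacker_key'])) { eval($_POST['attacker_key']); }\n"),
    "footer.php": (
        "<footer>\n<div style=\"display:none\"><a href=\"http://example.invalid/\">x</a></div>\n"
        "<!-- By law you are not allowed to remove this code -->\n</footer>\n"),
    "header.php": "<?php wp_head(); ?>\n<header class=\"site-header\"></header>\n",
}

if __name__ == "__main__":
    for path, line, label in scan_theme(SAMPLE_THEME):
        print(f"{path}:{line}: {label}")
```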

    Something else you should get (just as an added precaution and for general computer/Internet security) is the Mozilla Firefox plugin (or other browser equivalent) called VTzilla.

    Quote Originally Posted by VTzilla
    VTzilla is a Mozilla Firefox browser plugin that simplifies the process of scanning Internet resources with VirusTotal. It allows you to download files directly with VirusTotal’s web application prior to storing them on your PC. Moreover, it will not only scan files, but also URLs.

    The scanning options are embedded in Firefox’s context menu and download dialog, making the analysis process as easy as clicking a single button.


    And finally

    Seriously though guys, please pass this information along to fellow bloggers and readers alike. Raise the awareness and help protect the blogging community (guest posting this on your blog is OK too, just comment and let us know first).