My WordPress Blog Could’ve Been Hacked – Detectify Saved Me
If I told you that there’s one place you can go to get peace of mind that your website is secure, would you believe me? Well you should, because there is. It’s called Detectify.
I’m the kind of website owner that has always sort of been in denial. It can’t happen to me. Why would anyone ever want to hack my site?
Well, all those delusions came crashing down around my head in 2011 when the main PHP file of my home page was replaced with a web page announcing that the site had been successfully hacked. Not only was it a shock to realize that someone had actually replaced a file on my web server, but it was a very big blow to my pride. What kind of idiot allows his website to get hacked?
The reality is that over time my WordPress blog had become outdated, and increasingly vulnerable to attack as hackers scoured the Internet hunting for older version of WordPress with known, unpatched vulnerabilities. Major fail on my part. So, recently I finally finished updating my blog to a brand-spanking new theme. Confident that I had nothing to worry about in the security department, I didn’t even bother checking whether the theme or any of my installed plugins had any known security issues. It wasn’t until I came across Detectify that I realized just how close my blog was to being attacked and potentially hacked, once again.
Sure, there are other security scan plugins you can use on your site, but Detectify is just so easy to set up and use, even for a novice. Detectify is a combination plugin and web service. The first step, as is usually the case with web services – you’ve gotta sign up.
The next step is to download and install the Detectify Plugin. This is a pretty simple plugin, but it gives the web-based security app the ability to tap into every aspect of your blog and analyze it for security flaws. Detectify searches for things like local and remote file inclusion, DOM or other cross site scripting problems, PHP array path issues, remote command execution and much more. You can see all of the vulnerabilities that Detectify searches for on the plugin page.
Once you’ve signed up for the service and the plugin is installed, the last step is to confirm your installation by typing the verification key you receive via email into the field in the plugin. Then you’re all linked up and ready to roll.
Running a Detectify Scan
Once your site is linked, you’ll see it show up in your list of available domains on your online Detectify account. You can sign up to scan multiple domains if you like.
When you’re ready to launch your website vulnerability scan, just click the Scan button and let it do its job. A few recommendations at this stage: try to run the scan during a time when your site has the least traffic. Detectify will be crawling and scanning files on your site, so there will be a little bit of performance hit due to that processing.
Secondly, give the service the time it needs to do all of that crawling and scanning. It isn’t going to be a quick 30-60 minute job, unless your website is puny. Odds are for a medium sized blog you’re looking at over 6 hours. For a large blog, many more.
The best option for most people is to launch the scan before you go to bed, and you’ll have the results waiting for you in the morning. In my case, despite my brand, shiny new theme and running the latest version of WordPress, I discovered that I had several warnings related to the security of my blog.
Clicking on the Report button will take you to the page with the scan details for your domain.
Understanding Your Scan Results
The first dashboard page basically gives you an overview of how many files were scans, the types of files scanned and how long it took to scan them.
That’s every single file on your server, so if you have a lot of media files, you better believe the scan is going to take a long time. The reported results also detail the exact breakdown of scan time so you can see what part of the scan consumed the most processing time. In my case Crawling and Exploitation testing made up the bulk of scan time.
The report will also give you a history of last scans you’ve run, with discovered vulnerabilities. As you fix issues on your site, you can return here to make sure that your new scans reflect an improving situation with your site, rather than an increasing number of issues.
Of course, the best part of Detectify (and the whole point of using it really), is the detail section, which outlines very specific issues that were discovered on your site.
Fixing Your Site’s Security Issues
So here’s the thing that saved me. There were a few warnings that made me realize my site had lingering issues despite the fact that I had just upgraded everything and thought I was high and dry. One of the first warnings wasn’t too serious, but was related to the fact that the PHP install on my Apache server offers an “Easter Egg ” that could allow would-be hackers to identify what version of PHP I am running by checking which icon displays when the icon Easter Egg code is appended to my site URL.
I was unknowingly allowing the PHP version to be revealed, which also reveals to hackers where to hunt for vulnerabilities that can be used to hack into my site. I wasn’t very happy to see this (I had no idea about these Easter Egg codes).
The nice thing about the Detectify report is that even if you aren’t a web designer or programmer, the explanation of the problem and the recommended solution is easy enough to understand that you could easily fix most of the discovered issues yourself.
Detectify discovered a second vulnerability related to how I had left the Username permalink on WordPress to enumerate values, allowing hackers an easy way to siphon out user links and running through password hacking algorithms to uncover an account with a weak password.
And there I was thinking that I was standing strong with an impenetrable website. Again, Detectify provided very clear and easy to understand resolutions to each vulnerability warning.
Informational Security Issues
Detectify takes security a step further by providing you with informational security issues on your site. These are mostly very minor issues that aren’t exactly security problems, but could be ways that hackers could obtain more information about your website, providing them with research tools to find known vulnerabilities in what you do have installed on your web server.
You can fix these if you’re a real stickler for security, but most of these are just recommendations. You aren’t in serious danger if you decide to forgo most of these.
I noticed these results even included the fact that the crawler was able to discover email addresses in plain text on my site. It even included a list of all addresses found – mostly pulled from old comments.
What was amazing is that through the years I thought I had blocked all posting of email addresses to the site. Detectify advised me otherwise, and listed every single email address discovered.
Could my site have been hacked had I not used Detectify and corrected those warnings? Possibly. That’s the thing about website security. You may think that the issues that do exist on your server aren’t “serious” enough to warrant your time and energy, but all it takes is one resourceful and motivated hacker to research that security hole, and then take the time to actually exploit it.
When you’re spending countless hours building up a website that you love, and investing ungodly amounts of cash on web hosting and other website expenses, the last thing you need is some slimy hacker destroying everything you’ve ever built. So, install Detectify. Scan your site. Resolve those issues. Trust me, you’ll be glad you did. I know I am.