Epilog
The Blog Engine That Never Was
Was Wordpress Hacked by SQL Injection Vulnerability?
Posted on April 6th, 2009 4 comments
I’m not quite so satisfied with Wordpress at the moment. One of my blogs got hacked into seemingly effortlessly by a hacker. I was trying to track his footsteps by examining my log. I noticed that the hacker used one of the search engines to find all instances of Wordpress on my shared hosting IP address and server, then he hacked straight into my admin screen at the very first attempt - no cracking involved on the password - just straight in!
I dug around a bit and noticed that he had also hacked into several other Wordpress blogs that happened to be on the same shared hosting. Fact is I would not even have known the blog had been hacked if he had not left a post advising that the blog had been “hacked by XXXXXX” with an invitation to email him on a hotmail account, same on the other blogs. Scanning around using Google I could find quite literally hundreds of other blogs (and other PHP/MySQL based software) hacked by the same person, plus links to a defacement hackers' web site where there was a scoreboard of defacement hacks achieved.
From finding the blog it took literally 2 minutes to deface it by overriding the admin password, uploading some dodgy PHP files doing goodness knows what, doing something with the theme editor. Disconcerting to say the least. I also scanned around on Google to see if there was any information as to how this could have been done and found very little information other than to upgrade to the latest version of Wordpress. There was a bit of waffle about using secure passwords but not much concrete to go on.
My suspicion is that the hacker has first overridden the admin password by using a technique called SQL injection. Basically this is where a hacker simulates a browser session by invoking a call to a PHP program with a known vulnerability (or validation loophole) by passing arguments that are then used in a MySQL call by the PHP program to update in this case the password. My understanding here is a little sketchy at the moment so apologies to any techies who understand this process better than I do. Once the admin password is changed, the hacker can log in and do all sorts of no good using the standard admin functions.
Here are some of my ideas to protect our valuable blogs from these evil hackers:
- Back up your website regularly
- Back up your mysql database regularly
- Upgrade to the latest version of Wordpress so that any known vulnerabilities have been patched
- If you are quite technical, when hacked try to do a little digging around and broadcast your findings to the wider Wordpress user community
- Use phpMyAdmin to find your encrypted admin user password - save a copy of this, then you can use phpMyAdmin again to restore your password if hacked.
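The last tip above, carried one step further, as an added example that is not from the original post: it snapshots the stored password hashes, reports any that have changed or accounts that have appeared since, and restores a saved hash. Python's sqlite3 stands in for MySQL/phpMyAdmin, and the hash values and the `editor` and `helper` accounts are constructed; `wp_users`, `user_login` and `user_pass` are WordPress's default table and column names.

```python
import sqlite3

def make_db():
    """Constructed stand-in for a WordPress database (sqlite3 here, MySQL in real life)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY,"
               " user_login TEXT UNIQUE, user_pass TEXT)")
    db.executemany("INSERT INTO wp_users (user_login, user_pass) VALUES (?, ?)",
                   [("admin", "constructed-hash-admin"),
                    ("editor", "constructed-hash-editor")])
    return db

def snapshot(db):
    """Map each login to its stored hash. Keep the saved copy off the web server."""
    return dict(db.execute("SELECT user_login, user_pass FROM wp_users"))

def changed_accounts(db, baseline):
    """Logins whose hash differs from the baseline, including accounts added since."""
    return sorted(login for login, pw_hash in snapshot(db).items()
                  if baseline.get(login) != pw_hash)

def restore(db, baseline, login):
    """Write the saved hash back; values are bound as parameters, not pasted into SQL."""
    db.execute("UPDATE wp_users SET user_pass = ? WHERE user_login = ?",
               (baseline[login], login))
    db.commit()

def demo():
    db = make_db()
    baseline = snapshot(db)                      # taken while the blog is known-good
    # Constructed tampering: the admin hash is overwritten and an account is added.
    db.execute("UPDATE wp_users SET user_pass = 'constructed-hash-intruder'"
               " WHERE user_login = 'admin'")
    db.execute("INSERT INTO wp_users (user_login, user_pass)"
               " VALUES ('helper', 'constructed-hash-helper')")
    found = changed_accounts(db, baseline)       # ['admin', 'helper']
    restore(db, baseline, "admin")
    remaining = changed_accounts(db, baseline)   # ['helper']: needs manual review
    return found, remaining

if __name__ == "__main__":
    print(demo())
```

Restoring the hash only undoes the password change; the uploaded PHP files and theme edits described in the post are untouched by it.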
-
Will the Blogging Bubble Burst?
Posted on January 27th, 2009 No comments
Blogging has become very much a part of life for home and office users. I sometimes wonder if blogging is just a craze like CB radio or is it here for the long term. Personally I think blogging is here to stay though its popularity may well reduce and just be less widely used in future years. For the moment at least though blogging is riding on the crest of a wave and there is no end in sight or even any discernible trend to suggest that people are getting bored with blogging. Maybe it is a power thing, after all what other media readily offers regular everyday people the ability to reach countless millions if not billions of people around the world?
-
Wordpress Hosted Blogs Not All Free
Posted on January 23rd, 2009 No comments
Many bloggers probably start out with a free Wordpress hosted blog. But what happens when you want to move on to use your own domain name? Obviously domain registration costs some money but it seems a bit harsh that Wordpress then starts charging for the “upgrade” of using your own domain.
There is an alternative though, some hosting companies offer free hosting with PHP and MySQL included. I have tried a few of these out. Several hosting companies operate a cPanel interface with “Fantastico” which allows for easy installation of Wordpress. A word of warning though, some of the free hosting companies I have tried allow you to install Wordpress but it fails to work.
The easiest and simplest thing is probably just to stick with a basic Wordpress blog, or pay them the nominal annual amount to run your own domain name. The benefit of using Wordpress to host your blog is that you don't have to worry about upgrades so it is probably money well spent.
-
Can WordPress Be Knocked Off Its Perch?
Posted on January 17th, 2009 No comments
I’ve been working in IT for longer than I care to remember and I have also developed many websites during the last 10 years in a professional capacity. I started thinking about the EpilogIT blog project that foundered and Wordpress which prospered into today's blog engine of choice for most blog writers.
Now that Wordpress has achieved such world domination will anything be able to displace it? What I mean is will any developer or maybe group of open source developers be able to come up with a software blogging solution that will make bloggers think twice about which blogging platform they choose? Personally I think Wordpress is certainly here for the long term because it gives bloggers a solution for virtually every blogging requirement. The old adage “if it ain’t broke, don’t fix it” almost certainly applies. The plug-ins available seem to cover any requirement.
Maybe I am just an old dinosaur like Charles H. Duell, the commissioner of the U.S. patent office of 1899 who allegedly said “Everything that can be invented has been invented”. I really can’t see any brilliant new breakthrough solutions on the horizon that will allow developers to come up with a revolutionary new blogging solution to seriously rival Wordpress. Time will tell but my guess is that Wordpress is here for my lifetime.
-
What Happened to the Epilog Blog Engine
Posted on January 7th, 2009 2 comments
Back in 2005 a keen developer by the name of Marten Veldthuis was trying to develop a new blog engine by the name of Epilog and the EpilogIT.com web site was the home of this project. Sadly the project got sidelined as Wordpress gained popularity and Epilog never made the grade as a commercial project.

