WordPress Security Alert ~ Please read this and act FAST!


WordPress security alert! As a WordPress blogger, you are constantly a target for these bad guys, so you should never slow down on your blog’s security activities. Today, I want to quickly share what happened to my blog and how I quickly reacted to it. I spoke about it with my good friend Abhi Balani, the Oddblogger, and he quickly suggested I post about it. In fact, some of my readers had already noticed and commented on it.

Do you know that spammers have graduated from leaving spam comments to leaving spam blog articles? Yes, that’s what happened to my blog early this morning. Look at the image that follows:

What happened?

The user kasiera28 registered on my blog and quickly published the article shown in the image above.

After I had installed Better WP Security and while I was still playing around with the options (this plugin has tons of options to keep your blog secure), this bad user was quickly able to create an account and directly publish an article without it going through moderation. I’m going to show you in a minute how he did it and how to stop him and others from messing around with your blog in the same way.

New Users, Roles and Capabilities

Right now, as I write, my blog is not yet open to public registration, so I paid little attention to the default role of new members. However, this should be important. This is actually where there was a leakage. Check this image:

Go to Settings -> General (blog version 3+):


  1. Anyone can register: I suggest you leave this option unchecked unless you know what you are doing. My choice is to completely disable public registration. By the time I finally open up to guest posting, I will handle account creation from within the admin.
  2. New User Default Role: When I came to these settings, I discovered mine was set to ‘Author’. This is the leakage. An author is somebody who can publish and manage his/her own posts, with no need for moderation. So when kasiera28 managed to sign up, he was instantly able to publish. If you are not sure what this is, I suggest you set it to ‘Subscriber’. Read more about these Roles and Capabilities.

Take action now

If you have not checked this aspect of your blog, go to Settings -> General and make sure you have the right options set.
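
The same check from the command line, as an added example that is not part of the original post. It assumes WP-CLI (`wp`) is available on the server; `users_can_register` and `default_role` are the option names behind the two settings above, while the function names, the severity labels and the sample rows (including the registration dates) are constructed for illustration. Without WP-CLI it falls back to the constructed sample.

```shell
#!/usr/bin/env bash
# Added example: audit open registration and the default role, then list publishers.

# Rate the two settings: $1 = users_can_register (0/1), $2 = default_role
rate_settings() {
  local open="$1" role="$2" level
  case "$role" in
    subscriber)                  level=none ;;     # read-only account
    contributor)                 level=draft ;;    # writes posts, cannot publish
    author|editor|administrator) level=publish ;;  # publishes without moderation
    *)                           level=unknown ;;  # custom role: inspect by hand
  esac
  if [ "$level" = none ]; then
    echo "OK"
  elif [ "$open" != "1" ]; then
    echo "LATENT:$role"     # harmless only while registration stays closed
  elif [ "$level" = publish ]; then
    echo "EXPOSED:$role"    # anyone can sign up and publish
  else
    echo "REVIEW:$role"
  fi
}

# Read CSV (user_login,user_registered,roles) on stdin; print logins that hold
# a publishing role and registered on or after the cutoff date in $1.
recent_publishers() {
  awk -F, -v cutoff="$1" 'NR > 1 {
    roles = ""
    for (i = 3; i <= NF; i++) roles = roles " " $i   # several roles arrive quoted, comma-split
    gsub(/"/, "", roles)
    if (($2 "") >= (cutoff "") && roles ~ /(^| )(author|editor|administrator)( |$)/) print $1
  }'
}

# Constructed sample (dates invented) shaped like the output of:
#   wp user list --fields=user_login,user_registered,roles --format=csv
SAMPLE_USERS='user_login,user_registered,roles
admin,2011-03-02 10:15:00,administrator
guestwriter,2012-09-20 17:40:11,contributor
kasiera28,2012-10-14 08:31:02,author
reader77,2012-10-15 12:00:45,subscriber'

if command -v wp >/dev/null 2>&1 && wp core is-installed 2>/dev/null; then
  rate_settings "$(wp option get users_can_register)" "$(wp option get default_role)"
  wp user list --fields=user_login,user_registered,roles --format=csv | recent_publishers "${1:-1970-01-01}"
else
  rate_settings 1 author    # the state described in the post
  printf '%s\n' "$SAMPLE_USERS" | recent_publishers "2012-10-01"
fi
```

To apply the fix from the shell, `wp option update users_can_register 0` and `wp option update default_role subscriber` set the same values as the Settings -> General screen.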

If you are a WordPress blogger and you don’t take WordPress security as seriously as creating engaging content, be aware you are building on sandy soil.

I’m eager to hear from you. Have you had such an experience before? Tell us in the comment box.

Meet Enstine M. Muki

Enstine M. Muki has written 168 posts on this blog.

Enstine Muki is The Money Making Blogger and PHP developer and Creator of CashDonator, the plugin that helps bloggers generate more income from their blogs and cWinners.com, directory for contests and giveaways.



Comments

  1. Hey Enstine,
    Thanks for sharing your experience bro.
    I logged in to my blog and fortunately found everything correct. No Public registrations and the default role is set to subscriber.
    But once again thanks for the post. It will help everyone out there.
    Cheers :)
    Arbaz Khan

  2. Abhi Balani says:

    Hey Buddy,

    That’s what I told you. I am glad you fixed the default role now.

    Good luck, my friend. And thanks for mentioning me.

  3. Thanks for this publication. It is important to know.

  4. Adrienne says:

    Sorry you had this issue Enstine but I think with anything this is just a learning process of what we need to have properly in place with our blog.

    I never wanted anyone to be able to register and I don’t even let my guest bloggers set up their own posts. I’m sure if I started allowing more then I might have them log-in but that’s not something I’ve even considered yet.

    Thank you for sharing this with everyone. I’m sure there are a few other people who are not aware of this either. They’re happy you shared this with them.

    ~Adrienne

    • Yes Adrienne. We learn every moment and sometimes it’s good to learn the hard way.

      I’m sure this helps many too to get themselves armed.

      Thanks for your intervention and encouragement

  5. Wade says:

    Wow, that’s pretty scary that someone can do that! Will make the changes!

  6. Your Guidance made me worry about my wordpress :P now have to do something for security.

  7. Ian Eberle says:

    That’s really scary! You are lucky they did not do anything worse like delete some of your posts… I recently started cracking down on my WordPress security as well because hackers are getting out of control with it.

  8. Thanks for sharing this security alert. I will definitely beef up the security on my blog.

  9. Martin Cooney says:

    Glad you got it sorted before too much damage was done.
    Spammers are always looking to run their garbage wherever there’s a hole in a site. They are a sad bunch.

  10. Anamika S says:

    Thanks a lot for the security alert. It is better to stay cautious than regret later.

  11. Security is the main anxiety at this time. Really, I was not aware of that, but now your showing is making me very eager to check and correct those settings because I don’t want to get hit.
    Thanks

  12. Nishant Srivastava says:

    Hackers are very smart, but bloggers are their dad, they know how to protect their blogs, if we use all precautions then there will be much less chance of hacking, and we know we can recover our blog after hacking but still if it’s hacked once, then another will try to hack again.
    BTW Great Post..

    • Hey Nishant,
      Glad to see you here this weekend and thanks for your contribution
      Though hacking is a constant threat, we shall never stop reinforcing our security.

      Hope you have a great weekend

  13. Interesting… I have never changed any settings, now I am going to check all my blogs. I am sure they are all set up ‘anyone can register’ :) There are good lessons to learn. Thanks for sharing.

  14. Shalu Sharma says:

    Thank you for bringing out this important security alert. It will help bloggers using WordPress a lot. These spammers are getting smart. I can’t understand why they do it, since when the webmaster finds out they will remove it anyway. But it’s always a good idea to be alert all the time.

    • Hi Shalu,
      These guys are just wicked. The only option for us is to be awake and act fast.
      They got my blog for a few minutes and luckily, the damage was kept very low. We have to be very vigilant.

      Hope you guys are doing well in India ;)

  15. Juan says:

    Before this, I allowed someone to be a guest author by checking “Anyone can register”, but after two days somebody else posted an article without getting my permission first. I think this is spam. So I agree with you, we should uncheck the option in settings to avoid this mistake.

  16. akhilendra says:

    Spamming is a big issue with WordPress; the user registration process is so simple that even bots can easily do it. I have to shut down user registration on my blog to control it. Right now, the default role which I’m offering is subscriber. Subscribers can’t post anything, so things are better now. Thanks for sharing this info.

    • Hi Akhilendra,
      Thanks for reading and dropping a comment.
      Those are the best settings you’ve made on your blog. You are never going to have a case like mine.

      Kudos

      Hope to see you here again bro

  17. Enstine, what a pain! I had this happen to me quite some time ago. After the experience I turned off the registration.

    Great topic for your readers. Thanks for sharing!

    posted by Galen Morgigno

  18. Hey Enstine, Thanks for sharing your experience with us. There are a lot of bloggers who allow new members to register for guest posting, but I’m not doing it. I always accept guest posts and publish it as a guest blogger, not their own name and I don’t make them contributor.
    Ehsan Ullah

    • Hi Ehsan,
      After this experience, I had to disable the public registration option. I’ll put in place a quite sure procedure for guest bloggers.

      How has it been with you buddy? I have been away now I’m back

  19. Hi Enstine,
    Glad you were able to act on this “slight issue” quickly! I have never encountered this before, so it’s really helpful for me. I checked my settings on my personal blog and everything seems okay. Not that my personal blog is a likely target for hackers, but of course, no matter how small a blog is, it’s still not right for any hacker to mess with it!
    Thanks for sharing your experience!
    Felicia

    • Hi Felicia,
      Good to have you here this weekend.
      Yeah, I was able to act fast enough on this and avoid more damage. Sometimes your blog doesn’t need to be too popular to be a target. It’s always good to take precautions even from the very start point.

      FYI Felicia, my new free blog installation service is now live. Just let your friends know about it

      Hope you have a splendid weekend ;)

  20. It’s not a WordPress Security bug. In WordPress if registration is enabled, the default assigned role is “Subscriber”. Here you might have changed it. You can use “user role editor plugin” for better user management in multi author blogs.

    • Hey Sujith,
      Thanks for reading and commenting.
      Some bloggers have confirmed having found their settings this way. Whatever option is by default, it’s crucial to check that all is the way you want so you don’t get hit.

      BTW, I’m interested in getting Windows 8 Metro Interface. I’m using XP ;)

      Hope you have a nice week

  21. android uygulama says:

    Wow, that’s pretty scary that someone can do that! Will make the changes!

  22. Kshitij Jain says:

    Thanks for this wonderful post. Really, if we want to stop hackers from hacking our website, we must pay attention to some points: 1) Never use pirated themes. The hackers sometimes create a backdoor in them. 2) Never use nulled plugins. They also have backdoors. So you must use original themes and plugins to save yourself from being hacked. Also, you can use a plugin like BPS Security. By the way, thanks for publishing such a nice post. :D
