How Not to Get Your Blog Hacked
This blog was once overtaken by a hacker. He or she somehow gained access to my Wordpress site and decided to override all the posts with Asian pornography. Not cool. Luckily, a reader alerted me to the hack fairly quickly. Still, it was one of the most embarrassing experiences professionally as a software developer. Blogs of the non-technical are supposed to get hacked, not a somewhat competent web developer.
Here I’ll share a few tips on how to lower your chances of getting your blog hacked.
Static Site Generators vs Content Management Systems (CMSs)
There are two main flavors of blogging platforms: static site generators and CMSs. With static site generators, you write the blog post as a plain text file (usually in Markdown), generate the site from these plain text files and a bit of boilerplate, and then upload the site to your website hosting service. With CMSs, on the other hand, you typically log in to your blog to write your post with an in-browser editor. The post is stored in a database and the blog is generated from the data within the database.
The Hacked Wordpress (CMS) Setup
The setup that got hacked was a one-click-install Wordpress instance on a small DigitalOcean droplet.
The following plugins were installed:
- WP Force SSL to enable HTTPS.
- Yoast SEO
A single user with a very strong password was created. Pretty simple setup.
How It Most Likely Got Hacked
The blog was most likely compromised in one of two ways:
- A brute force password attack.
- Exploiting a security vulnerability in one of the plugins or Wordpress itself.
Additional Steps I Could Have Taken to Not Get Hacked
- Enabled automatic updates of Wordpress and its plugins.
- Changed the password every three months and/or added 2-factor authentication.
- Rate limited login attempts and used a non-standard login URL to make a brute force password attack much harder.
- Paid to have it hosted and secured.
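The "rate limited login attempts" item is the one on this list that is a control rather than a habit, so here is a worked version of it. The following is an added example and not code from the original post or from Wordpress: a sliding-window login throttle that counts failed attempts per source (an IP or a username), refuses further attempts once the limit is reached inside the window, and clears the count on a successful login. The class and method names, the limits (5 failures in 300 seconds, 900-second lockout) and the attempt sequence are all assumptions made for this example; the same shape of logic is what login-limiting plugins and tools like fail2ban implement.

```ruby
# Added example (not from the original post): a sliding-window login
# throttle of the kind the "rate limited login attempts" tip refers to.
# Names, limits and the sample attempt sequence are assumptions.

class LoginThrottle
  def initialize(max_failures: 5, window_seconds: 300, lockout_seconds: 900)
    @max_failures = max_failures
    @window = window_seconds
    @lockout = lockout_seconds
    @failures = Hash.new { |h, k| h[k] = [] }   # key => [failure timestamps]
    @locked_until = {}                           # key => time lockout ends
  end

  # true if a login attempt from +key+ may proceed at time +now+
  def allowed?(key, now)
    until_t = @locked_until[key]
    return false if until_t && now < until_t
    @locked_until.delete(key) if until_t       # lockout has expired
    true
  end

  # Record a failed attempt; returns true if this failure triggered a lockout.
  def record_failure(key, now)
    stamps = @failures[key]
    stamps << now
    stamps.reject! { |t| t <= now - @window }  # drop failures outside the window
    if stamps.size >= @max_failures
      @locked_until[key] = now + @lockout
      stamps.clear
      return true
    end
    false
  end

  # A correct password resets the counter and any lockout for that key.
  def record_success(key)
    @failures.delete(key)
    @locked_until.delete(key)
  end
end

# Run an attempt sequence through the throttle. +attempts+ is a list of
# [key, time, password_ok] triples; returns one symbol per attempt:
#   :ok       - password accepted
#   :failed   - wrong password, counted
#   :locked   - wrong password that triggered a lockout
#   :rejected - refused before the password was even checked
def simulate(attempts, throttle = LoginThrottle.new)
  attempts.map do |key, t, ok|
    next :rejected unless throttle.allowed?(key, t)
    if ok
      throttle.record_success(key)
      :ok
    elsif throttle.record_failure(key, t)
      :locked
    else
      :failed
    end
  end
end

# Constructed scenario: one source hammers the login with bad passwords,
# then submits the correct one after the lockout has already kicked in.
SAMPLE_ATTEMPTS = [
  ["203.0.113.7",  0,   false],
  ["203.0.113.7",  1,   false],
  ["203.0.113.7",  2,   false],
  ["203.0.113.7",  3,   false],
  ["203.0.113.7",  4,   false],  # 5th failure inside the window -> lockout
  ["203.0.113.7",  5,   true],   # correct password, but rejected: locked out
  ["198.51.100.2", 6,   true],   # unrelated source is unaffected
  ["203.0.113.7",  905, true],   # 900-second lockout expired -> allowed again
]

if $PROGRAM_NAME == __FILE__
  simulate(SAMPLE_ATTEMPTS).each_with_index { |r, i| puts "attempt #{i}: #{r}" }
end
```

Two design points are worth noticing. The limiter decides before the password is checked, so a locked-out source costs the server nothing but a hash lookup, which is what actually blunts a brute-force run. And because only failures within the window count, a legitimate user who mistypes a few times over an afternoon is never locked out, while the window and lockout lengths remain the knobs to tune if the server logs show sustained attempts.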
The New Static Site Generator Setup
After the embarrassment of having my personal blog hacked, I decided to transition away from Wordpress to Jekyll, a Ruby-based static site generator. I chose Jekyll primarily because Github has an awesome feature called Github Pages, which autogenerates and hosts Jekyll sites for free. All you have to do is plop the Jekyll source into a Github repo and enable Github Pages.
So far I am really liking the ease of posting (all it takes is pushing a single Markdown file) and the low maintenance: no updating plugins, databases, or servers.
It’s All About Hardening
Hardening is the practice of reducing a system's attack surface; all else being equal, the system with the smallest attack surface is the hardest to compromise. CMSs have many layers to attack: plugins, the login form, the database, and the framework itself. Static site generators give an attacker far less to take hold of. That is why I will continue to use static site generators for my blogging needs. If I were to use Wordpress again, I would probably pay for managed hosting, where someone else can worry about keeping it secure.