If you’re my friend on Facebook, you might have noticed that a few days back I posted a status saying that my site BeepTheGeek got hacked. It was a very shocking moment when I opened BeepTheGeek and saw a big text on the home page saying:
I was very shocked to see that my site had been hacked. The site is up again now, but in this article I am going to tell you how it got hacked.
My biggest mistake
The super big mistake I made was not updating WordPress for the past 8 months. Yes, you read that right: for 8 months I did not update WordPress and kept running an old version. This was the biggest mistake I made, and it is the main reason my blog got hacked: every security fix released in those 8 months was missing from my site, so anyone who knew about one of those publicly fixed holes could use it against me. Let’s move on and see what other factors were responsible.
My other big mistake
Using a lot of outdated plugins : Besides running an old version of WordPress, I did not care to update my plugins either. I was using around 10-15 outdated plugins. This was the other factor responsible for the hack; an outdated plugin is just as exploitable as an outdated core, because every plugin runs with the same privileges as WordPress itself.
A few other security measures I should have taken
I wish I had installed the LoginLockDown plugin : First let me tell you what this plugin actually does. It records the IP address and timestamp of every failed login attempt. If more than a certain number of failed attempts are detected within a short period of time from the same IP range, the login function is disabled for all requests from that range. This helps prevent brute-force password discovery. Currently the plugin defaults to a 1 hour lockout of an IP block after 3 failed login attempts within 5 minutes. LoginLockDown is available from the WordPress plugin directory.
As I was not using this plugin, the chances of a brute-force attack succeeding were higher. This is a must-have plugin, and I recommend every WordPress user install it. Keep in mind, though, that a login lockout only slows down password guessing; it does nothing against an exploit for an outdated plugin or core, so it complements updates rather than replacing them.
Changing the default username in WordPress : By default WordPress names the first administrator account “admin”. An attacker who already knows the username only has to guess the password, which makes a brute-force attack much easier, so I recommend changing the default WordPress username to something that is not guessable.
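To make the lockout behaviour described above concrete, here is an added example (written for this post, not the LoginLockDown plugin’s own code) that implements the same rule in Python: count failed logins per IP range in a sliding 5 minute window and lock the range for 1 hour after the third failure. The sample login attempts are constructed, and treating the “IP range” as a /24 (or a /64 for IPv6) is an assumption of this example, not something the plugin description states.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Defaults matching the behaviour described in the post: 3 failures within
# 5 minutes from one IP range lock that range out for 1 hour.
MAX_FAILURES = 3
WINDOW = timedelta(minutes=5)
LOCKOUT = timedelta(hours=1)


def ip_range(ip: str) -> str:
    """Map an address to the block it is counted under.

    Assumption of this example: a /24 for IPv4 and a /64 for IPv6. The
    plugin description only says "IP range" without defining it.
    """
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


class LoginLockdown:
    """Sliding-window failure counter with a per-range lockout."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)   # range -> timestamps of recent failures
        self.locked_until = {}               # range -> datetime the lock expires

    def is_locked(self, ip: str, now: datetime) -> bool:
        rng = ip_range(ip)
        until = self.locked_until.get(rng)
        if until is None:
            return False
        if now >= until:                     # lock expired: forget it
            del self.locked_until[rng]
            return False
        return True

    def record_failure(self, ip: str, now: datetime) -> bool:
        """Record one failed login; return True if this failure triggers a lockout."""
        rng = ip_range(ip)
        recent = self.failures[rng]
        recent.append(now)
        while recent and now - recent[0] > self.window:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[rng] = now + self.lockout
            recent.clear()
            return True
        return False

    def attempt(self, ip: str, now: datetime, password_ok: bool) -> str:
        """Decide one login attempt. The lock is checked before the password,
        so even a correct password from a locked range is refused."""
        if self.is_locked(ip, now):
            return "blocked"
        if password_ok:
            return "allowed"
        return "lockout_triggered" if self.record_failure(ip, now) else "failed"


def simulate(events):
    """Run a list of (time, ip, password_ok) attempts through one LoginLockdown."""
    ld = LoginLockdown()
    return [ld.attempt(ip, when, ok) for when, ip, ok in events]


def T(hhmm: str) -> datetime:
    """Helper for the constructed timestamps below (one fixed day)."""
    hour, minute = (int(x) for x in hhmm.split(":"))
    return datetime(2011, 1, 17, hour, minute)


# Constructed sample traffic (not real log data): a small brute-force run from
# one /24, a bystander from another network, and a retry after the lock expires.
SAMPLE_EVENTS = [
    (T("10:00"), "203.0.113.10", False),   # 1st failure
    (T("10:01"), "203.0.113.11", False),   # 2nd, different host in the same /24
    (T("10:02"), "203.0.113.12", False),   # 3rd within 5 minutes: range locked until 11:02
    (T("10:03"), "203.0.113.10", True),    # correct password, still refused: range is locked
    (T("10:03"), "198.51.100.7", False),   # other network, unaffected
    (T("11:02"), "203.0.113.10", True),    # lock expired, allowed again
]

if __name__ == "__main__":
    for (when, ip, ok), verdict in zip(SAMPLE_EVENTS, simulate(SAMPLE_EVENTS)):
        print(f"{when:%H:%M} {ip:15} password_ok={ok!s:5} -> {verdict}")
```

Two things worth noticing when you run it: the lock is enforced before the password is checked, so a locked range cannot even confirm a correct guess, and the counter is keyed by range rather than by exact address, so an attacker hopping between hosts in the same /24 is still caught, while a bot that rotates across many networks stays under the threshold and has to be dealt with by keeping the software patched and the username non-default.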
I think that the above four factors were responsible for my site being hacked. If you’re a webmaster, follow at least these 4 things in order to stay secure. A lot more is coming on security, so stay tuned, and subscribe to my blog for future updates on website security.



{ 10 comments }
I think even if you correct all the above steps, a blog can still be compromised, as we have to take care of many other things like file permissions, htaccess security, and a password on the wp-admin directory. Generally hackers attack the htaccess file to gain website control.
I thought that you had sold BeepTheGeek to someone else. This is a very informative post. Let me change my username too…
Good to see that you got your site up, and nice tips. I have already installed Login LockDown. One question: what if I hide the plugins directory using the htaccess file?
Nice to hear that your old blog is online.
Good to see you back on the site. I have subscribed to your blog and read every post. Very useful no fluff.
Wish you luck.
I would like to recommend one more plugin, http://wordpress.org/extend/plugins/wp-dbmanager, for backing up your database.
Thanks for the recommendation. I’ll update this article including all the suggestions given by the readers.
hm…some days back I clicked a search result and saw that horrible scene (http://twitter.com/amit_banerjee/status/27095700172967936).
I asked Debajyoti of snaphow.com and he told me that maybe your domain had expired.
I am really surprised that you didn’t update WordPress to its latest version. It takes only a minute or so.
Moreover, you should take care of the following things:
1. Secure that HTACCESS file
2. Change the WP base directory; don’t keep the files in the root
3. Remove the WordPress version from the header
4. Choose a different username other than admin
Glad that you got access back without much loss. Really a nightmare for any blogger. Thanks for the post.
Yeah Amit, it was my very, very big fault that I did not update my WordPress. Anyway, thanks for your security measures too. I’ll keep them in mind in future.
This is the biggest nightmare a blog or website owner can have! Anyway, I am sure the site is now back up and should be as secure as ever!
Wow, your old blog is online, but I heard you sold it to someone else……