As many of you may have already noticed, Feministe has been having some DDOS problems. Lauren and I have been working on them, and appear to have mostly wrested back control (we’ve just put the site into Maintenance Mode while we test a few things over the next few hours). Here are a few suggestions for other people on self-hosted WordPress blogs (if you are on a wordpress.com free blog service you are fully protected and don’t need to know any of this):
Update WordPress Now!
The problem was caused by a hacker exploit that affects WordPress versions before v2.8.3 – so if your blog runs on an older version, the very first thing you should do is immediately upgrade to the latest version of WordPress. In fact, do that before reading the rest of this post. Make sure you back up your blog content first, using the WordPress Export function. (If you have a huge blog there are some extra concerns; email me.) Then change all passwords to a STRONG password – “all users, database, FTP, control panels, everything.”
Your blog might already be compromised
If you have already been hacked, upgrading won’t fix that, because it won’t overwrite some of the scripts that the hackers have placed using a backdoor exploit. Read more from Lorelle on what you need to do if you have been hacked. If you’re not particularly confident digging around in the files that you can only access through your domain management control panel (provided through your webhosting service), then you will probably need some help from people who’ve done this sort of thing before.
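To give the two points above (check that your core version is at least 2.8.3, and look for scripts a backdoor may have left behind) something concrete, here is a small triage script. It is an added example, not code from the original post or from WordPress; the file layout it expects (wp-includes/version.php, wp-content/uploads) is standard, but the indicators it looks for are assumptions and it only reports, never deletes. The sample install it scans is constructed inside a temporary directory so it runs offline.

```python
"""Triage scan for a self-hosted WordPress install.

Added example (not from the original post). Flags an outdated core version
and the kinds of files a backdoor typically leaves behind: PHP under
wp-content/uploads, obfuscated PHP, and files changed recently. Hits are
leads for a human to inspect, not proof of compromise.
"""
import os
import re
import tempfile
import time

# Core versions older than this carry the exploit the post refers to.
MIN_SAFE_VERSION = (2, 8, 3)

# Assumed indicators of obfuscated PHP; real backdoors vary, so treat hits as leads.
SUSPICIOUS_PATTERNS = [
    re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)"),
    re.compile(rb"preg_replace\s*\([^)]*/e"),  # deprecated /e modifier runs code
]


def parse_version(text):
    """Pull the version tuple out of wp-includes/version.php content."""
    m = re.search(r"\$wp_version\s*=\s*'([\d.]+)'", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def core_is_outdated(wp_root):
    """True if the install is older than MIN_SAFE_VERSION, None if unknown."""
    try:
        with open(os.path.join(wp_root, "wp-includes", "version.php")) as f:
            version = parse_version(f.read())
    except FileNotFoundError:
        return None
    return version is None or version < MIN_SAFE_VERSION


def scan(wp_root, modified_within_days=None):
    """Walk the install and return sorted (reason, relative_path) findings."""
    findings = set()
    cutoff = None
    if modified_within_days is not None:
        cutoff = time.time() - modified_within_days * 86400
    for dirpath, _, files in os.walk(wp_root):
        rel_dir = os.path.relpath(dirpath, wp_root)
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
            is_php = name.lower().endswith(".php")
            # Uploads should hold media only; PHP there is a classic dropper location.
            if is_php and rel.startswith("wp-content/uploads/"):
                findings.add(("php-in-uploads", rel))
            if is_php:
                with open(path, "rb") as f:
                    data = f.read()
                if any(p.search(data) for p in SUSPICIOUS_PATTERNS):
                    findings.add(("obfuscated-code", rel))
            # Anything changed after your last legitimate upgrade deserves a look.
            if cutoff is not None and os.path.getmtime(path) > cutoff:
                findings.add(("recently-modified", rel))
    return sorted(findings)


def build_sample_install(root):
    """Constructed sample tree: outdated core plus one planted file (harmless stub)."""
    os.makedirs(os.path.join(root, "wp-includes"))
    os.makedirs(os.path.join(root, "wp-content", "uploads", "2009", "08"))
    with open(os.path.join(root, "wp-includes", "version.php"), "w") as f:
        f.write("<?php\n$wp_version = '2.8.2';\n")
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php require('./wp-blog-header.php'); ?>\n")
    # The base64 payload here only decodes to "echo 1;" - a stand-in for the pattern.
    with open(os.path.join(root, "wp-content", "uploads", "2009", "08", "image.php"), "w") as f:
        f.write("<?php eval(base64_decode('ZWNobyAxOw==')); ?>\n")


def run_demo():
    """Build the constructed install in a temp dir, scan it, and return the results."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_install(root)
        return {"outdated": core_is_outdated(root),
                "findings": scan(root, modified_within_days=1)}


if __name__ == "__main__":
    result = run_demo()
    print("core outdated:", result["outdated"])
    for reason, path in result["findings"]:
        print(f"{reason:18} {path}")
```

Point `scan()` at your real document root (and set `modified_within_days` to the days since you last upgraded) to get a shortlist; compare each hit against a clean copy of the same WordPress release before acting on it.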
Make sure all your plugins are upgraded to the latest version. If some plugins you use and love are not compatible with the latest version, bite the bullet and go and find another up-to-date plugin that offers the same functions (and send an email to the authors of any incompatible plugins to see if they can update them).
There are plugins which will help block the most common hacker avenues and harden your blog’s security generally – I strongly recommend installing at least Secure WordPress, and consider also Login Lockdown, WP Security Scan and WordPress Firewall. There are plenty of other security plugins out there that other people recommend highly, but these are ones that I’ve personally installed on sites where they (a) haven’t broken the blog and (b) are proving useful. Here’s a post that offers 11 suggestions, but I don’t think all of these plugins are necessarily compatible with each other.
Unrelated to security issues
Revisions: the WordPress revisions feature in versions 2.6+ has its uses, but if you’re someone who takes a while to write a post and are saving drafts on multiple occasions, the number of revisions stored can seriously bloat your database.
- You can turn the revisions feature off entirely using the wp-config file if you are old-skool, or using the No Revisions plugin.
- If you do find revisions somewhat useful, then you can control the way the revisions feature behaves using two very useful plugins: Delete-Revision (checks for redundant revisions and deletes them) and Revision Control (limits stored revisions to only a few instead of possibly dozens).
Okay, I’m off to take a walk before I spend the rest of the day upgrading and securing client sites. I won’t be doing other blogging, but I will monitor this thread and will respond to any questions. Seeya!