I wasn’t surprised people were trying to hack my blog. What surprised me was how many people were trying to hack my blog–there was a time when I probably had more hacking-related traffic than I had reader-related traffic.
If you have a WordPress blog, you’re probably in a similar situation.
The reason, as with any crime, has to do with money. Hacking is a big industry these days.
The primary motivating factor is generally linking. There’s a huge industry in getting more traffic to web sites, because, let’s face it, there’s no point in running a web site if nobody is looking at it. I can tell you from my own experience that increasing readership just by writing and doing a bit of promotion on my own is very difficult, so it’s no surprise to me that people will try to buy readership instead.
At the simplest level, blogs are very attractive targets from two standpoints: You can post comments to them, and put links in the comments. But if you’re lucky, you can seize an account on the blog and add actual posts, with even more links in them.
There was a time when links were king when it came to search engine rankings. All of the major search engines have tweaked their algorithms since then, but a consultant can still successfully sell incoming links as a metric to unwitting clients.
Another reason to seize the blog itself is to participate in attacks on competing blogs. If a crook can steal a WordPress blog and enable pingbacks, the crook can then use armies of WordPress blogs to launch pingback attacks on rival blogs, potentially taking them down.
A fourth, even worse reason is that if they can steal a blog that has a reader base, they could inject their own content onto that blog and attack the readers themselves. It could be as innocent as showing them ads, or as bad as installing malware on them.
Of course, a crook could stand up an army of blogs to carry out these nefarious purposes, but stealing them is cheaper, easier and safer. If they can hijack an established blog like mine, then they can use me for cover–it looks like I’m doing the bad stuff, not them. And if they’re posting comments, of course the comments are coming from fake or stolen e-mail accounts, so there are plenty of unwitting accomplices in these crimes.
It’s a dangerous world out there. I only knew the half of it, until I installed a product that logged all of the malicious activity it detected and deflected. That’s why I recommend installing a plugin such as All-in-One WP Security and Firewall and at least enabling its four most basic features. It’s not much, but if everyone did those four basic things, the blogosphere would be a safer, better place.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.