Archive | January, 2010

WordPress Malware & Virus Attacks. Blog Security

On Christmas Eve 2009 all of my websites were attacked. I have two hosting accounts with GoDaddy and all of my WordPress sites on both accounts were down. In addition, two business partners of mine who have their own hosting accounts (one with GoDaddy and the other with HostMonster) also had all of their WordPress sites go down at the same time.


After almost a full month of work I have finally managed to clean my server completely of any and all malware and to rebuild my sites with massively increased security, well beyond the standard WordPress stock installation. Knowing that I was not the only one to be attacked and that there will be many more people hit in the future, I would like to outline some suggestions on how you can prevent these types of attacks and how to clean out the malware on your site if you have already been infected.


I recently purchased the “Lock Your Blog” Program from Alex Sysoef who is a WordPress Genius! The DVD is free if you pay the requested $9 shipping. In addition to having the DVD shipped to your home, you can also access the videos on his site after you pay the shipping fee. I highly encourage anyone concerned with WordPress Security to follow this link and purchase his program and go through it step by step. Just the same I will outline some of the highlights here:


PREVENTATIVE WordPress SECURITY: Keep me safe!

You have to understand that WordPress is so widely used that it is a primary target for automated attacks. Even if you have already installed WordPress, preventative security starts with the install process: change the default table prefix (wp_) and replace the placeholder secret keys and salts in wp-config.php. Be clear about what each buys you. A non-default table prefix only frustrates untargeted attack scripts that hard-code the wp_ table names; anything that can read your database will see the real names. The keys and salts are the important part: WordPress uses them when signing login cookies and nonces, so leaving them at the placeholder value weakens that protection for every user on the site. Check out www.expertwordpress.com for a custom version of WordPress that eliminates these stock loopholes.

If you have already installed WordPress, download and install the WP Security Scan plugin. Activating and running it will tell you which of the basic loopholes (default prefix, placeholder keys, exposed version, writable files) you still have. The plugin also has a few tools that help close your site down against future attacks.

Install the plugin Secure WP, which changes some of the defaults in the background of your WordPress install that would otherwise leave you exposed, including hiding the WordPress version you are running. Treat that as a nuisance for attackers rather than real protection: the version can still be fingerprinted from readme.html and from the version-tagged script and stylesheet URLs WordPress emits, so keeping the install updated matters far more than hiding the number.

Install the plugin Limit Login Attempts. The default settings are good enough, but you may want to enable the notification setting so you receive an email when anyone fails to log in more than 4 times in a row. Those emails are your early warning of a password-guessing attack.

Install the plugin WP-DB-Backup and configure it to email you a daily or weekly backup of your WordPress database. This will help you restore your site should it be compromised. Two caveats: the database holds your users' password hashes and everything you have ever posted, so the mailbox it goes to needs a strong password of its own; and a database backup does not include your uploaded media, themes or plugins, so download a copy of wp-content as well.

Keep all your plugins and core WordPress updated. Developers update their plugins regularly to close security gaps and fix bugs that could otherwise leave you exposed. Visit the tools menu of your blog as often as possible to run all available updates.

Configure and install the Akismet plugin to automatically quarantine spam comments. Set it up to auto-delete comments after 30 days.
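The "is my wp-config.php still stock?" check from the first preventative step, as an added example that is not part of the original post or of any of the plugins mentioned. It reads a wp-config.php body, reports whether the table prefix is still wp_ and whether any of the eight secret keys is still the placeholder text that wp-config-sample.php ships with, and generates replacement define() lines with random values. The sample config is constructed for the demo, the 32-character minimum is an assumption, and the keys are generated locally instead of being fetched from the WordPress salt service, so this works offline.

```python
"""Audit wp-config.php for stock settings and generate fresh secret keys (added example)."""
import re
import secrets
import string

# The eight constants that wp-config-sample.php ships with the same placeholder value.
SECRET_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER = "put your unique phrase here"
DEFAULT_PREFIX = "wp_"
MIN_KEY_LENGTH = 32  # assumption: anything shorter is treated as weak

PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]")
DEFINE_RE = re.compile(r"define\(\s*['\"]([A-Z_]+)['\"]\s*,\s*['\"]([^'\"]*)['\"]\s*\)")
KEY_LINE_RE = re.compile(
    r"^\s*define\(\s*['\"](?:" + "|".join(SECRET_KEYS) + r")['\"][^\n]*\n", re.M
)


def audit_wp_config(text):
    """Return a list of findings for a wp-config.php body; an empty list means nothing stock was found."""
    findings = []
    m = PREFIX_RE.search(text)
    if m is None:
        findings.append("table_prefix: not set (WordPress falls back to wp_)")
    elif m.group(1) == DEFAULT_PREFIX:
        findings.append("table_prefix: default 'wp_' in use")
    defined = dict(DEFINE_RE.findall(text))
    for key in SECRET_KEYS:
        value = defined.get(key)
        if value is None:
            findings.append(f"{key}: not defined")
        elif value == PLACEHOLDER or len(value) < MIN_KEY_LENGTH:
            findings.append(f"{key}: placeholder or shorter than {MIN_KEY_LENGTH} characters")
    return findings


# Characters that are safe inside a single-quoted PHP string (no quotes, no backslash, no whitespace).
KEY_ALPHABET = "".join(c for c in string.printable if c not in "'\"\\" and not c.isspace())


def generate_secret_key_defines(length=64):
    """Return PHP define() lines with fresh random values, a drop-in for the placeholder block."""
    lines = []
    for key in SECRET_KEYS:
        value = "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))
        lines.append(f"define('{key}', '{value}');")
    return "\n".join(lines)


def harden(text, prefix):
    """Return the config with the eight key lines replaced and the table prefix changed."""
    text = KEY_LINE_RE.sub("", text)
    text = PREFIX_RE.sub(f"$table_prefix = '{prefix}'", text)
    return text.replace("<?php\n", "<?php\n" + generate_secret_key_defines() + "\n", 1)


# Constructed, abbreviated stock wp-config.php for the demo; not a real site's file.
SAMPLE_STOCK_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wpuser');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix  = 'wp_';
"""

if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE_STOCK_CONFIG):
        print("stock:", finding)
    print("after hardening:", audit_wp_config(harden(SAMPLE_STOCK_CONFIG, "kq3_")) or "clean")
```

Changing the prefix on a site that already has data means renaming every table and the prefixed rows in wp_options and wp_usermeta as well, which is why the post recommends doing it at install time; changing the keys, by contrast, is safe at any time and simply logs every user out.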

LIKE I MENTIONED BEFORE THERE IS SOOOO MUCH MORE YOU CAN DO IF YOU ARE WILLING TO SPEND THE $9 AND PURCHASE THE “LOCK YOUR BLOG” PROGRAM I MENTIONED ABOVE!


RECOVERY: I’ve already been hacked!

Bad news huh? Your site has already been compromised and now you need to clean it out and get it back online.

    1. Contact your hosting provider and tell them you believe you have been attacked. Ask what their logs show (FTP and control-panel logins from unfamiliar addresses, in particular) and whether they have flagged anything on your account. Most hosts do not have the resources to scan and clean customer files on demand, and few look inside your database at all, so do not treat "we see nothing" as a clean bill of health. They may still have useful suggestions for cleaning your site.
    2. Via your FTP client software (e.g. FileZilla), delete every theme you are not using, along with any other files you are not concerned with keeping. This cuts down the amount of material you have to go through. Use SFTP rather than plain FTP wherever your host supports it: plain FTP sends your password in the clear, and stolen FTP credentials are one of the common ways sites get injected in the first place.
    3. Set up an account with Google Webmaster Tools and add and verify your site. If Google has crawled your site recently and found malware it will display a warning in your Webmaster Tools account and walk you through locating and deleting it. After you clean your site you will come back here to request a review so the warning is lifted.
    4. Also check with http://stopbadware.org/ to see whether your site has been listed. They have a lot of good (non WordPress specific) tips on cleaning a site.

Ok, now for the WordPress specific things you have to do. To be perfectly honest, if you have been compromised then there is most likely injected code in almost every PHP file on your server. These injections are usually automated: a one-line eval() of base64-encoded PHP, or a hidden iframe, appended to every file the attacker's FTP or web-shell access could reach, and they turn up in unlikely places such as theme footers and the uploads directory. Cleaning that by hand, file by file, is slow and easy to get wrong, and a single missed file is enough to get reinfected. This means the process of cleaning malware from your WordPress site boils down to backing up the non-replaceable material (your content and your uploaded media) and starting afresh with a clean WordPress install, fresh copies of your theme and plugins, and new credentials. A new hosting account is the simplest way to guarantee a clean slate; if you stay with your existing host, wipe the old files entirely rather than installing over them, and change every password (hosting control panel, FTP, database, WordPress) before you begin, since reusing a stolen password just invites the attacker straight back in. Either way this is far less time consuming, and more secure in the long run, than attempting a manual scan of every file on your server. Here is a step by step solution that should help you complete this process.
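A quick triage pass over a WordPress tree, as an added example that is not part of the original post. It does not replace the rebuild the post recommends; it tells you how far the injection spread, which files must not be copied to the new site, and what to look for in a backup before trusting it. The patterns (obfuscated eval() chains, preg_replace with the /e modifier, hidden iframes, and any PHP file under wp-content/uploads) are assumed heuristics for the kind of mass injection described above, not a complete signature set, and the miniature site it scans is constructed in a temporary directory for the demo.

```python
"""Triage a WordPress file tree for injected PHP (added example, heuristic only)."""
import re
import tempfile
from pathlib import Path

# Assumed heuristics for common mass injections; a clean file can still slip past these.
INJECTION_PATTERNS = {
    "obfuscated eval": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "preg_replace /e": re.compile(
        r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I),
    "hidden iframe": re.compile(
        r"<iframe\b[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden|width\s*=\s*[\"']?0\b)", re.I),
}
EXECUTABLE_SUFFIXES = (".php", ".phtml", ".php5")
TEXT_SUFFIXES = (".php", ".html", ".js")


def scan_tree(root):
    """Walk root and return a sorted list of (relative_path, reason) for files that look injected."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        suffix = path.suffix.lower()
        # Anything executable inside uploads is wrong regardless of its contents.
        if rel.startswith("wp-content/uploads/") and suffix in EXECUTABLE_SUFFIXES:
            hits.append((rel, "PHP file inside wp-content/uploads"))
            continue
        if suffix not in TEXT_SUFFIXES:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        for reason, pattern in INJECTION_PATTERNS.items():
            if pattern.search(text):
                hits.append((rel, reason))
                break  # one reason per file is enough for triage
    return sorted(hits)


def build_sample_site(root):
    """Write a constructed miniature WordPress tree (not a real site) for the demo."""
    files = {
        "wp-includes/version.php": "<?php\n$wp_version = '2.9.1';\n",
        # typical prepended one-liner; the base64 here just decodes to: echo 'hi';
        "index.php": "<?php eval(base64_decode('ZWNobyAnaGknOw==')); ?>\n"
                     "<?php require('./wp-blog-header.php'); ?>\n",
        "wp-content/themes/demo/footer.php":
            '</div>\n<iframe src="http://example.com/x" width="0" height="0"></iframe>\n</body></html>\n',
        "wp-content/uploads/2009/12/photo.jpg": "not really a jpeg, constructed placeholder\n",
        "wp-content/uploads/2009/12/shell.php": "<?php system($_GET['c']); ?>\n",
    }
    for rel, body in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return sorted(files)


def demo():
    """Build the constructed tree in a temp dir, scan it and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:36s} {rel}")
```

On a real tree, run it from the account root so the wp-content/uploads check lines up, and expect a long list: that list is the argument for rebuilding rather than patching. A file that is not flagged is not proven clean, which is the other half of the same argument.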

    1. Just in case we fail in duplicating your site, create a full backup of the whole blog so we can revert to it if needed. Install the WP-DB-Backup plugin and perform a backup of your database, and download a copy of wp-content/uploads so your images and other media are not lost. Treat this backup as contaminated: it is for recovery, not for copying wholesale onto the new site.
    2. Before exporting, log in to the old site and review the Users list for accounts you did not create (an extra administrator is a common leftover of these attacks) and delete them. Then navigate to the Tools menu and select "Export", exporting content from all authors. This saves your posts, pages, comments, categories and tags as an XML (WXR) file; it does not include uploaded media, themes, plugins or widgets. The importer on the new site accepts uploads up to the PHP upload limit, 2 MB by default, so if your export is larger, export per author or ask your host to raise the limit.
    3. On the new hosting account install a fresh copy of WordPress, downloaded from wordpress.org, never copied from the old server. I suggest a custom install using the suggestions on www.expertwordpress.com: the stock install leaves the table prefix and the secret keys at their defaults, and we want those changed from the beginning.
    4. Follow the steps listed in the "Preventative Security" section above to secure your blog against future attacks.
    5. Download a fresh copy of the theme you were using from the theme author's site or the wordpress.org theme directory, install it and activate it. Do not copy the theme files from the old server: footer.php and functions.php are favorite places for injected code.
    6. In the Tools menu perform a WordPress Import of the XML file saved in step 2. Before you import, open the file in a text editor and look for <script> or <iframe> tags in post content that you did not put there; injected content stored in the database survives the export and would be carried over. Copy your media across from the uploads backup, but only the images and documents: any .php file inside wp-content/uploads is a sign of compromise and must not be copied. You should now have all your old content on the new blog with the same general look.
    7. Make a list of all the plugins you used on the old blog and install fresh versions of each from the plugin directory. Double check all settings and configurations to make sure they are the same, and drop any plugin you no longer need; every plugin is code that has to be kept updated.
    8. Copy the content of each of your widgets under the Appearance menu to the new site. Widget settings live in the database rather than in files, so they are not in the export, but that does not make them safe to copy blindly: attackers do plant hidden iframes and scripts in text widgets. Read through the HTML of each text widget as you copy it and drop anything you did not add yourself.
    9. Custom theme changes. By now your site should be almost 100% duplicated. The only thing left is the subtle changes you made to customize your theme. Since these vary in a billion ways I cannot provide instructions here, but whoever helped you customize your theme last time can certainly help you do it again.
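The check described in steps 6 and 8, as an added example that is not part of the original post: before importing the export file or pasting widget text into the new site, flag post bodies and HTML fragments that carry script or iframe markup you did not add. It parses the WXR format a WordPress export uses (an RSS document with the posts as items and the body in content:encoded) and the same fragment check works on the HTML copied out of a text widget. The export and the widget HTML below are constructed for the demo, and the list of suspicious tokens is an assumption, so anything it flags still needs a human look.

```python
"""Flag injected markup in a WordPress export (WXR) and in widget HTML (added example)."""
import re
import xml.etree.ElementTree as ET

CONTENT_NS = "{http://purl.org/rss/1.0/modules/content/}"

# Markup that rarely belongs in a blog post or a text widget; each distinct match is reported.
INJECTED_MARKUP = re.compile(
    r"<script\b|<iframe\b|javascript:|document\.write\s*\(|eval\s*\(|String\.fromCharCode|unescape\s*\(",
    re.I,
)


def suspicious_fragments(html):
    """Return the distinct suspicious tokens found in an HTML fragment (empty list if clean)."""
    return sorted({m.group(0).lower() for m in INJECTED_MARKUP.finditer(html or "")})


def scan_wxr(xml_text):
    """Parse a WordPress export and return [(post_title, fragments)] for posts that need a look."""
    root = ET.fromstring(xml_text)
    flagged = []
    for item in root.iter("item"):
        title = item.findtext("title") or ""
        body = item.findtext(CONTENT_NS + "encoded") or ""
        frags = suspicious_fragments(body)
        if frags:
            flagged.append((title, frags))
    return flagged


# Constructed WXR sample with the namespaces a real export declares; two posts, one injected.
SAMPLE_WXR = """<rss version="2.0"
     xmlns:content="http://purl.org/rss/1.0/modules/content/"
     xmlns:wp="http://wordpress.org/export/1.0/">
<channel>
  <title>Constructed sample blog</title>
  <item>
    <title>Hello world</title>
    <content:encoded><![CDATA[<p>Welcome to my blog.</p>]]></content:encoded>
  </item>
  <item>
    <title>About me</title>
    <content:encoded><![CDATA[<p>Some text.</p>
<iframe src="http://example.com/bad" style="display:none"></iframe>]]></content:encoded>
  </item>
</channel>
</rss>
"""

# Constructed text-widget HTML of the kind an attacker leaves behind (the part to drop when copying).
SAMPLE_WIDGET = ('<p>Follow me!</p>'
                 '<script type="text/javascript">document.write(unescape("%3Ciframe"))</script>')

if __name__ == "__main__":
    for title, frags in scan_wxr(SAMPLE_WXR):
        print(f"post {title!r} needs review: {', '.join(frags)}")
    print("widget fragments:", suspicious_fragments(SAMPLE_WIDGET) or "clean")
```

Run it against the exported XML before step 6; a flagged post is edited by hand to remove the injected markup before the file goes into the new site, and the same function applied to each text widget's HTML is the "read it as you copy it" check from step 8.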

Now that you have rebuilt your site from scratch you are in far better shape than before, but not immune: keep the core, theme and plugins updated and pay attention to the failed-login notifications. Make sure every password, including the database, hosting account, FTP and every WordPress user, is new rather than reused from the old site, and is strong. Length matters more than the "one number plus upper and lower case" rule, so use a long passphrase or a generated random password, and a different one for each account.

GOOD LUCK!

Jacob S Paulsen


10 Personal Development Books to Read This Year

Andrew James of AndrewJamesinc.com interviewed me today about 10 books that I would recommend that people read in 2010. I selected a top 10 list of personal development books (below). To listen to the audio interview visit Andrew’s blog here.

With the new year come the resolutions. How about deciding to read some good books? I am listing my favorite 10 personal development books. Not listed in any specific order these books will help you grow in various aspects of your life.

  1. The 21 Irrefutable Laws of Leadership – John C Maxwell
  2. If Harry Potter Ran General Electric – Tom Morris
  3. Secrets of the Millionaire Mind – T. Harv Eker
  4. Speed of Trust – Stephen M. R. Covey
  5. Think and Grow Rich – Napoleon Hill
  6. The Greatest Salesman in the World – Og Mandino
  7. The 7 Habits of Highly Effective People – Stephen R. Covey
  8. Personal Power II – Anthony Robbins
  9. How to Win Friends and Influence People – Dale Carnegie
  10. The Power of Full Engagement – Jim Loehr


7 Ways to Protect Yourself Using Only Your Cell Phone

cell phone Among my greatest passions in life are smartphones and personal security. I know right; I’m geeky and paranoid. I spent my spare time in the past two weeks considering ways that a person’s cell phone can be utilized in personal security. I’m not referring to the stun gun cell phones or other fake phone weapons on the market. I’m talking about the thousands of Americans walking around with Blackberrys, iPhones, Google Phones, etc who need to eliminate risk of becoming a victim of a crime or scam. Here are my 7 most applicable (not including hand to hand cell phone combat) tips:

  1. If you are lost or kidnapped: modern smartphones come GPS enabled. For little or no cost you can install software on your phone that lets authorities or loved ones log in to a third-party website to track it. Most of these services also offer backing up data from the phone, remotely wiping its memory and locking the device to prevent calls. Besides helping you find a lost or stolen phone, this could help authorities find you if you are lost or abducted and the phone is on you or your attacker. Even if your phone is not GPS enabled, authorities can estimate its position from the cell towers it is talking to; the accuracy depends on how dense the towers are, from tens of meters in a city to kilometers in rural areas, so do not count on it pinpointing you. If you are in a boat that is capsizing, put your phone in a plastic bag to keep it dry, and blow air into the bag before sealing it so it floats. This will help rescuers find your location in an emergency. Mobile Security Software Suggestions: (iPhone) (Android) (BlackBerry) (WindowsMobile) (Nokia Symbian)
  2. In a world of viruses and hackers you may wonder where to keep your most private and sensitive data. Online services and "password vault" websites can be breached, and your computer is as exposed to crashes as it is to viruses. Your smartphone's SD memory card is a reasonable place, with two conditions. First, a phone is not immune to remote attack, and anyone who picks up a lost phone can pull the card out and read it in any computer, so keep the data there in encrypted form (an encrypted container or a password manager that encrypts its file), not as plain files, and keep Bluetooth turned off or at least set to "Not Discoverable" to shut out local attackers. Second, a remote wipe only reaches the card while it is still in a phone that is online, so keep an encrypted backup elsewhere; the programs mentioned above can back the phone up before you wipe it. Memory cards do survive a drop or a dunk in water better than the phone around them.
  3. ICE: EMTs and hospital staff across the nation are being trained to look in the address book of a victim's cell phone for an emergency contact. Create a contact in your address book under the name ICE, an acronym for In Case of Emergency. This lets emergency medical technicians contact a loved one to ask about allergies to medicines, or simply to inform them of your injury or accident.
  4. Cell phone users are less likely to be victims of random attack. Next time you find yourself in a quiet parking lot or a dark alley, pull out your cell phone and call someone. If they do not answer, pretend that they did and hold a fake conversation with their voicemail. Potential attackers tend to avoid people who are on the phone, since the potential victim could easily describe the assailant or at least alert the other party. What should you talk about? Your location and your surroundings, and that you are on your way to meet someone. Example: "Yeah, I just came out of the building on the south side. Where are you meeting me? I don't see you yet, how far away are you?"
  5. Ever had a phone conversation you wish you had recorded? Use your phone. Most phones can record voice notes, and many smartphones have third-party software that will record phone calls. Next time you are in a debate with your boss or an argument with your ex-spouse, record it. Without drawing attention, turn on the recording feature and set the phone down where the microphone sits between you and the other person. Be aware that each state has different laws governing your right to record a conversation with or without the consent of all parties.
  6. Having a cell phone means having constant access to a digital camera. Use it. Next time you are involved in or witness a traffic accident, use your phone to photograph all the damage and the license plates of the cars involved. Other good times to take pictures: when you meet someone for the first time, when driving somewhere for the first time (landmarks), and when you rent a car or check into a hotel room (existing damage).
  7. Of course a cell phone can be used to call 911 from anywhere. In the US any cell phone can dial 911, even one that is not on an active plan; on GSM networks 112 is the international emergency number and is routed to local emergency services. Keep your old cell phone in the trunk of your car along with a charger, for the emergency when your own phone is dead or unavailable. Buy a "crank" charger that will power the emergency phone with a little muscle work; this would be especially useful if someone threw you in your own trunk and left you there. Pick an emergency phone on a carrier with good rural coverage. In the US the CDMA carriers, Verizon and Sprint, generally cover more remote areas than the others, so a CDMA phone is a good choice for this.

A little "The Secret" moment in our Family

In March of 2009 Ami very much wanted to redecorate our bedroom, and she went out looking for bedding at a variety of stores. One particular comforter set stuck out to her and she sent me the following image via text message.

This particular set was marked at almost $300 at that time and she knew we were not prepared to buy it but hey… she can dream right?

Friday night Ami spent at least an hour looking online for a new bed set. We decided the time was right to make a purchase, and she had been looking in stores and on a variety of websites for just the right thing (naturally I was no help). The bed set in the picture above was out of her mind (or was it?), it having been 10 months since she saw it. Yesterday we decided to go out shopping. Ami requested we stop by the store where she had seen the bed set of her dreams and when we got there… you guessed it. There it was. The store staff told us it had been discontinued and discounted. We got the very last one at 20% off and my wife is one happy lady.

It's amazing what good things really do come to those who wait. I learned early in life to plan ahead for big expenses and to keep from making spontaneous purchases on a whim. This new year, set clear goals in each aspect of your life. For your finances, write down a budget and set expectations for savings, vacations, and large purchases. Make 2010 the very best year of your life!
