Again with the passwords

TLDR:

  • Don’t re-use passwords, ever.
  • Make the passwords you use cryptographically strong — adequate length, no stock phrases, and a mix of cases, numbers, and symbols can’t hurt. Lots of sites are dumb about these rules.
  • Use a system that works for you to generate and store them: Password Safe, KeePass, 1Password, LastPass, whatever. Google them.
  • Retire old passwords, and replace them with completely unrelated new, better ones.

Bonus Points:

  • Use a password system that replicates across all your devices (lappy, tablet, desktop, phone).
  • Save yourself some headache by generating human-readable (but still of acceptable complexity) passwords for when you do have to read from one device and type/tap into another, or read one off to another human.
  • Set your password system to bug you to update your passwords periodically.

https://pw.cliff1976.net is my gift to you for generating those.

OK, long form:

We noticed something weird on this old blog. Upon reviewing some older posts, we found links to unfamiliar businesses inserted into revisions of posts that were long done and published — like months and years later.

But those revisions were performed, according to WordPress, by Sarah. Sometimes on posts for which we know she had no editorial input.

Baroo? Who (or what) was impersonating her for the purpose of spreading their links around? We still don’t know, and probably won’t ever. Sarah changed her password on our blog some months ago and none of the link spam we could find was inserted after that point. So it seems likely we’ve plugged the leak.

Her WordPress password for our blog was of decent quality (a long enough nonsense word, mixing upper and lower-case letters), but it was of legal voting age. But I suspect the weakness here was that she was ALSO using that password somewhere else, long long ago, which somehow got hacked. Probably that username/password combo is in a list somewhere some hackers bought and sold to agents representing unscrupulous marketers.

WordPress’ post revision comparison thingie was really helpful in finding the inserted links. Compare the pink original text on the left with the green spammy text on the right. Click it to embiggen it.

comparison of pre-spam and post-spam versions of a post I originally wrote, and "Sarah" updated

Here’s how I searched in the database to find the link spam:

mysql> select p.ID, post_author, u.user_nicename, post_type, post_title, post_date, post_modified,
           timestampdiff(MINUTE, post_date, post_modified) tsdiff
       from wp_posts p join wp_users u on p.post_author = u.ID
       where lower(post_content) like '%a%href="http%://%'  -- % rather than _ here, so both http:// and https:// links match
       order by post_title, post_modified desc;

Basically I’m looking for records in the wp_posts table (which includes revisions) that contain a hyperlink in the post content and have a big ol’ gap between the post’s date and the modification date. Bonus points if I can see from the post and its revisions that it wasn’t always the same author. I know there are more powerful searching methods (note the famous programmer’s adage about attacking a problem with regular expressions…and then having two problems), but this was good enough for now.

Click the above image to embiggen it. See how Lucía’s Paella was revised six million minutes after Sarah originally posted it (by the way, she’s got a much tastier paella recipe up on her recipe blog now)? That was a big red flag. But some late revisions were legit — we freshen up recipes or fix old broken links when we find them, etc. Another big red flag: “Sarah” updating a post about my facial hair, 1.8 million minutes later. Seems pretty unlikely!
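The same three-way check (link present, big gap between post date and modification date, reviser not the original author) run end to end, as an added Python example that is not part of the original post. It builds an in-memory SQLite stand-in for wp_posts and wp_users with constructed rows, so the join and the minute arithmetic are written for SQLite/Python rather than MySQL's timestampdiff; the user names, post titles and URLs are invented.

```python
import sqlite3
from datetime import datetime

# Constructed sample rows standing in for WordPress's wp_users and wp_posts tables; WordPress
# keeps revisions in wp_posts with post_type='revision' and post_parent pointing at the post.
USERS = [(1, "cliff"), (2, "sarah")]
POSTS = [  # (ID, post_author, post_type, post_parent, post_title, post_date, post_modified, post_content)
    (10, 1, "post", 0, "Facial hair", "2009-03-01 10:00:00", "2009-03-01 10:00:00",
     "<p>I shaved it off.</p>"),
    # revision "by" another user years later with an injected link: the pattern described in the post
    (11, 2, "revision", 10, "Facial hair", "2009-03-01 10:00:00", "2012-08-15 03:12:00",
     '<p>I shaved it off. <a href="http://rentals.example/cars">car rentals</a></p>'),
    # legitimate late fix: also years later, also contains a link, but by the original author
    (12, 1, "revision", 10, "Facial hair", "2009-03-01 10:00:00", "2014-01-02 12:00:00",
     '<p>I shaved it off. <a href="https://photos.example/beard">photo</a></p>'),
    (20, 2, "post", 0, "Paella", "2010-05-20 18:00:00", "2010-05-21 09:00:00",
     "<p>Rice, saffron, seafood.</p>"),
    (21, 2, "revision", 20, "Paella", "2010-05-20 18:00:00", "2010-05-21 09:00:00",
     "<p>Rice, saffron, seafood (typo fixed).</p>"),  # prompt edit, no link: must not match
]

def load_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_nicename TEXT);
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_author INTEGER, post_type TEXT,
            post_parent INTEGER, post_title TEXT, post_date TEXT, post_modified TEXT, post_content TEXT);""")
    conn.executemany("INSERT INTO wp_users VALUES (?, ?)", USERS)
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?, ?, ?, ?, ?, ?)", POSTS)
    return conn

def find_suspicious_revisions(conn, min_gap_minutes=30 * 24 * 60):
    """Revisions with an <a href="http..."> link modified at least min_gap_minutes after the
    post's date; each hit also records whether the reviser differs from the post's author."""
    sql = """SELECT r.ID, r.post_parent, r.post_title, ru.user_nicename, pu.user_nicename,
                    r.post_date, r.post_modified
             FROM wp_posts r
             JOIN wp_users ru ON ru.ID = r.post_author
             JOIN wp_posts p  ON p.ID  = r.post_parent
             JOIN wp_users pu ON pu.ID = p.post_author
             WHERE r.post_type = 'revision' AND LOWER(r.post_content) LIKE '%<a%href="http%://%'
             ORDER BY r.post_title, r.post_modified DESC"""
    fmt, hits = "%Y-%m-%d %H:%M:%S", []
    for rev_id, parent, title, rev_by, orig_by, created, modified in conn.execute(sql):
        delta = datetime.strptime(modified, fmt) - datetime.strptime(created, fmt)
        gap = int(delta.total_seconds() // 60)  # exact minute count, like MySQL's timestampdiff(MINUTE, ...)
        if gap >= min_gap_minutes:  # the "big ol' gap" test from the post
            hits.append({"revision": rev_id, "post": parent, "title": title, "revised_by": rev_by,
                         "original_author": orig_by, "gap_minutes": gap,
                         "author_mismatch": rev_by != orig_by})
    return hits
```

Both late link-bearing revisions are returned, but only the one with author_mismatch set is the kind of hit the post describes; the legitimate late fix by the original author shows why the gap alone is not enough.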

We cleaned up all the offending posts we could find. If you stumble upon an old post with a link that doesn’t work, or doesn’t seem like the kind of company we, as residents of Germany, would logically link to (like Australian car rentals or North American plumbers), please leave a comment and call our attention to it.

See also:

Correct Horse Battery Stable

4 thoughts on “Again with the passwords”

  1. Steven

    Goodness, that is some very thoughtful hacklinking. When I self-hosted and got exploited over and over again (via plugins, alas) the stuff that was added was not nearly so content-related.

    This kind of behind-the-scenes stuff is always interesting to me, natch.

    1. cliff1976

      Some other technonerd pals have suggested the password thing might just be a coincidence and that WordPress is inherently so insecure, and its plugins (to paint with a broad brush) more so, and that I should just give up the fight and go with a static site. Maybe something based on Jekyll.

      I’m already doing that for a couple of smaller sites: https://www.omgdumplings.com and https://mahlzeit.regensblog.com were set up originally in Jekyll and https://www.bergburg.net was a WordPress blog converted to Jekyll. But it had drastically fewer posts and media attachments than Ye Olde Regensblogge, so I’m still hesitant to move 15 years of content off of one site and into another. That’ll be a monster project. Not to mention finding a way to notify my non-RSS-using readers of new posts via email…though I suppose there must be ways around that.

  2. papascott

    1) I’ve used a 2-Factor-Authentication plugin with WordPress in the past. It might help.

    2) You may want to look into “WordPress as a Headless CMS” to generate a static site. That way you can keep and maintain your content in WordPress without any PHP or connection to the database in your finished site.

    1. cliff1976

      That sounds like a great compromise. Thanks!
