- Don’t re-use passwords, ever.
- Make the passwords you use cryptographically strong — adequate length, no stock phrases, and a mix of cases, numbers, and symbols can’t hurt. Lots of sites are dumb about these rules.
- Use a system that works for you to generate and store them: Password Safe, KeePass, 1Password, LastPass, whatever. Google them.
- Retire old passwords, and replace them with completely unrelated new, better ones.
- Use a password system that replicates across all your devices (lappy, tablet, desktop, phone).
- Save yourself some headache by generating human-readable (but still of acceptable complexity) passwords for when you do have to read from one device and type/tap into another, or read one off to another human.
- Set your password system to bug you to update your passwords periodically.
https://pw.cliff1976.net is my gift to you for generating those.
OK, long form:
We noticed something weird on this old blog. Upon reviewing some older posts, we found links to unfamiliar businesses inserted into revisions of posts that were long done and published — months and even years later.
But those revisions were performed, according to WordPress, by Sarah. Sometimes on posts for which we know she had no editorial input.
Baroo? Who (or what) was impersonating her for the purpose of spreading their links around? We still don’t know, and probably won’t ever. Sarah changed her password on our blog some months ago and none of the link spam we could find was inserted after that point. So it seems likely we’ve plugged the leak.
Her WordPress password for our blog was of decent quality (a long enough nonsense word, mixing upper and lower-case letters), but it was of legal voting age. But I suspect the weakness here was that she was ALSO using that password somewhere else, long long ago, which somehow got hacked. Probably that username/password combo is in a list somewhere some hackers bought and sold to agents representing unscrupulous marketers.
WordPress’ post revision comparison thingie was really helpful in finding the inserted links. Compare the pink original text on the left with the green spammy text on the right. Click it to embiggen it.
Here’s how I searched in the database to find the link spam:
mysql> select p.ID, post_author, u.user_nicename, post_type, post_title, post_date, post_modified,
    ->        timestampdiff(MINUTE, post_date, post_modified) tsdiff
    -> from wp_posts p, wp_users u
    -> where p.post_author = u.ID
    ->   and lower(post_content) like '%a%href="http%://%'
    -> order by post_title, post_modified desc;
Basically I’m looking for records in the wp_posts table (which includes revisions) that contain a hyperlink in the post content (the LIKE pattern matches both http:// and https:// anchors) and have a big ol’ gap between the post’s date and the modification date. Bonus points if I can see from the post and its revisions that it wasn’t always the same author. I know there are more powerful searching methods (note the famous programmer’s adage about attacking a problem with regular expressions…and then having two problems), but this was good enough for now.
Click the above image to embiggen it. See how Lucía’s Paella was revised six million minutes after Sarah originally posted it (by the way, she’s got a much tastier paella recipe up on her recipe blog now)? That was a big red flag. But some late revisions were legit — we freshen up recipes or fix old broken links when we find them, etc. Another big red flag: “Sarah” updating a post about my facial hair, 1.8 million minutes later. Seems pretty unlikely!
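Here is the same hunt reproduced as an added example (my own code, not anything from the blog): a constructed SQLite copy of wp_posts/wp_users with one post, its original revision, and a later link-spam revision. It runs the gap-plus-anchor query from above and also diffs the hrefs between the earliest and latest revision, which is what the WordPress revision comparison does by eye.

```python
import re
import sqlite3

# Constructed sample data standing in for a WordPress database (not the blog's real rows):
# post 10 was spammed eleven years after publication; post 20 is a legitimate edit.
USERS = [(1, "cliff"), (2, "sarah")]
SPAMMED = 'Heat the oil. <a href="http://car-rental.invalid">cheap rentals</a> Add rice.'
POSTS = [  # ID, post_author, post_type, post_parent, post_title, post_date, post_modified, post_content
    (10, 2, "post", 0, "Lucia's Paella", "2009-03-01 12:00:00", "2020-08-15 03:14:00", SPAMMED),
    (11, 2, "revision", 10, "Lucia's Paella", "2009-03-01 12:00:00", "2009-03-01 12:00:00",
     "Heat the oil. Add rice."),
    (12, 2, "revision", 10, "Lucia's Paella", "2020-08-15 03:14:00", "2020-08-15 03:14:00", SPAMMED),
    (20, 1, "post", 0, "My beard", "2012-05-05 09:00:00", "2012-05-06 10:00:00",
     'Trimmed it. <a href="https://cliff1976.net/">old post</a>'),
]
HREF_RE = re.compile(r'href="([^"]+)"', re.I)

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table wp_users (ID integer primary key, user_nicename text)")
    conn.execute("create table wp_posts (ID integer primary key, post_author integer, post_type text,"
                 " post_parent integer, post_title text, post_date text, post_modified text, post_content text)")
    conn.executemany("insert into wp_users values (?, ?)", USERS)
    conn.executemany("insert into wp_posts values (?, ?, ?, ?, ?, ?, ?, ?)", POSTS)
    return conn

def suspicious_posts(conn, min_gap_minutes=30 * 24 * 60):
    """Rows containing an anchor tag whose post_modified is far from post_date.
    SQLite has no timestampdiff(), so the gap is computed from julianday()."""
    gap = "round((julianday(p.post_modified) - julianday(p.post_date)) * 1440)"
    sql = (f"select p.ID, u.user_nicename, p.post_type, p.post_title, cast({gap} as integer) as tsdiff "
           "from wp_posts p join wp_users u on p.post_author = u.ID "
           "where lower(p.post_content) like '%<a%href=\"http%://%' "
           f"and {gap} >= ? order by p.post_title, p.post_modified desc")
    return conn.execute(sql, (min_gap_minutes,)).fetchall()

def links_added_later(conn, post_id):
    """Hrefs present in the newest revision of a post but absent from the oldest one."""
    rows = conn.execute("select post_content from wp_posts where ID = ? or post_parent = ?"
                        " order by post_modified, ID", (post_id, post_id)).fetchall()
    first, last = set(HREF_RE.findall(rows[0][0])), set(HREF_RE.findall(rows[-1][0]))
    return sorted(last - first)

if __name__ == "__main__":
    db = build_db()
    for row in suspicious_posts(db):
        print(row, "new links:", links_added_later(db, row[0]))
```

The 30-day threshold is an assumption; on a real blog, legitimate recipe refreshes will show up too, so the revision diff is what separates them from spam.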
We cleaned up all the offending posts we could find. If you stumble upon an old post with a link that doesn’t work, or doesn’t seem like the kind of company we, as residents of Germany would logically link to (like Australian car rentals or North American plumbers), please leave a comment and call our attention to it.