Is Your Blog Contributor Killing Your Site?


So you have had your site running for some time now and are ready for the next leap? That’s right, you know what I mean: opening a guest blogging opportunity for other bloggers to write guest posts on your site, taking your blog to a whole new level with a third person’s perspective and giving it a fresh feel for your regular readers. I don’t need to tell you any further about the effectiveness of guest blogging, so let us get down to the most important thing that comes bundled with a guest blogging opportunity: your site’s security!

Yes! If you thought that a harmless-looking ‘I want to submit a guest post on your site’ is the beginning of it, then I hate to tell you that, unfortunately, it might even be the ending of it all!

>>>So Let Us Get Down To Evaluating What We Are Battling<<<

Cookie Sniffing Via JavaScript Injection

Instead of me scaring you, let us go the fun way: let us try it on our own as an experiment.

You can modify the page source of any webpage using JavaScript injections:

  1. First, register at your own site as a guest.
  2. After logging in, paste the following script in the URL bar: “javascript:alert(document.cookie)”. This will show the data which the site has stored about you within a cookie on that site; look for a format like “user_id=something” or “PHPSESSID=something”. Typically, in a default WordPress installation the string’s value is 1, which corresponds to the admin.
  3. “javascript:void(document.cookie='user_id=1');alert(document.cookie);”. Now the user_id’s value is reset to 1, so refresh the page and you should be logged in as the administrator.

Check for yourself by doing the above. If you are able to successfully log in as an admin with the new user name, then your site is vulnerable to PHP and JavaScript injections. If you can’t authenticate as the admin when the page is refreshed, then you have a relatively secure installation. Imagine a guest blogger or competitor doing that to you. Scary, isn’t it?

Don’t panic yet: there is a way to make sure your site is, and stays, YOURS!

  1. Assign write permissions only to the admin user account.
  2. Set the default permissions for directories to 755 and for files to 644.
  3. Use 750 for wp-config.php so your login data remains accessible only to you, not even your host.
  4. Pick up wp-config.php from its default location (the root directory) and place it one level above. Your wp-config.php contains all your login details, passwords and access rights. You would not want that file in the root directory, which is accessible to everyone, since your site’s public files lie there. wp-config.php works fine from a level above, and this measure alone will protect you from a host of sniffing attacks.
  5. Place a blank HTML file named index.htm in your /plugins folder so that the plugin folder’s files themselves are not accessible, and whenever a person tries to access the directory they will be presented with whatever is in the index.htm file. This saves you from any vulnerability the plugin creator may have overlooked in their plugins, since you never know how a plugin is coded.
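The five steps above are easy to apply once and then forget, so a quick audit script helps keep an installation in that state. The script below is an added example, not code from the original post or from WordPress; it only reports deviations from the scheme described above (directories 755, files 644, wp-config.php with no access for others and preferably one level above the web root, an index.htm placeholder in the plugins folder). It assumes the web root is passed as its first argument, that the plugins folder is wp-content/plugins (WordPress’s default location, which the post refers to as /plugins), and that GNU find and stat are available, as on a typical Linux host.

```bash
#!/usr/bin/env bash
# Added example: audit a WordPress tree against the hardening steps above.
# Prints one finding per line and nothing at all when the tree is clean.
# Assumptions (not from the original post): web root is $1, plugins live in
# wp-content/plugins, GNU find/stat are present (Linux).

audit_wp_perms() {
  root="$1"
  parent=$(dirname "$root")

  # Step 2: directories that are not exactly 755.
  find "$root" -type d ! -perm 755 \
    -printf 'DIR   %p is %m, expected 755\n'

  # Step 2: regular files that are not exactly 644 (wp-config.php is handled below).
  find "$root" -type f ! -name wp-config.php ! -perm 644 \
    -printf 'FILE  %p is %m, expected 644\n'

  # Step 4: wp-config.php should have been moved one level above the web root.
  if [ -f "$root/wp-config.php" ]; then
    printf 'CONF  %s is still inside the web root; move it to %s\n' \
      "$root/wp-config.php" "$parent/wp-config.php"
  fi

  # Step 3: wherever wp-config.php lives, "others" must have no access.
  # A non-zero last octal digit means world permission bits are set.
  for cfg in "$root/wp-config.php" "$parent/wp-config.php"; do
    [ -f "$cfg" ] || continue
    mode=$(stat -c '%a' "$cfg")
    case "$mode" in
      *0) ;;
      *)  printf 'CONF  %s is %s, expected 750 (no access for others)\n' "$cfg" "$mode" ;;
    esac
  done

  # Step 5: placeholder index.htm so the plugins directory is never listed.
  plugins="$root/wp-content/plugins"
  if [ -d "$plugins" ] && [ ! -f "$plugins/index.htm" ]; then
    printf 'PLUG  %s has no index.htm placeholder\n' "$plugins"
  fi
}

# Convenience wrapper: exit status 0 when the audit found nothing, 1 otherwise,
# so it can be used from cron or a deploy hook.
wp_perms_ok() {
  [ -z "$(audit_wp_perms "$1")" ]
}

# Usage: audit_wp_perms /var/www/example/public_html
```

Run it after every plugin or theme update as well as after a hosting migration, since both commonly reset file modes; an empty report means all five steps are still in place.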


Any website is like a bank. There are many bad people around, and you can never be absolutely sure that the vault is secure even if you have the best security in place. The reason I used the bank analogy is that websites and banks operate in a similar fashion: they need to open the doors a lot of the time for people to come in and go out, and you can’t keep the doors shut all the time in the name of security.

So the only measure we have as online business owners is to prevent an attack right at the source. But that would not guarantee a foolproof safe site, because new loopholes keep cropping up in the frameworks every day, and hence it is always safe to keep a backup of all important files and databases.

Unfortunately, Spiderman’s uncle passed away before the boom of the internet marketing era; otherwise he would have given a different set of advice to our favorite superhero: with great power comes greater risk of getting hacked!

Let me know if you have worked out these security measures already and also share with us if there are any extra measures you have taken to make sure your site stays secure.

Rohan Pawale

Rohan Pawale is a computer engineer in love with all aspects of organic SEO and blogging and regularly shares advanced SEO tips for business blogs...

Get the latest news from Search Engine Journal!
  • Pramod

    A real brainer of a post. Very useful and insightful.

  • pay for paper

    Oh, thank you so much! Now I finally can understand what the hell is going on with my site! From the first sight it looks ok, but I know that something is wrong, and now due to your article I know what exactly and I can fix it) So thanks a lot!!!!!

  • EricPetterson

    I tested this on 3 of my WordPress blogs and it didn’t work on any of them. Could the success rate depend on the hosting account on which the blog is?

    • EricPetterson

      Or on the type of installation? Does the SimpleScript installation set access rights?

    • Rohan

      It will work for everyone till the step of getting a cookie reply. After that, whether the hack is successful or not depends on how secure the site really is. Hosting account and WP version impact the success rate. If your WP is up to date then there is less chance that you can override the Admin, and that is a good thing.

  • Fazal Mayar

    Thanks for this post. There are so many ways to make your site secure. If you use WordPress, some plugins can make it safer!

    • Rohan

      Some plugins can also be a source of PHP backdoors; since we never know how they are coded, they can always pose a risk.

  • Praveen

    Really needed for me…!

    Thanks a lot

  • Suraj Vibhute

    It happened to me two times. I enabled automatic registration for users (as contributor) and two times bots registered and published two posts with something like: “adfakfljlajflkdjlajdlfkasj”. I was shocked when I saw that these types of posts had been live for the last few minutes and Google had also indexed them. From that time on I have been registering users manually.