I guess I’m lucky.
I’ve been blogging since around 2002, and I’ve never experienced a site being hacked until last month, when this site was badly hacked.
Honestly, it’s a horrible feeling, knowing that you put your time and heart and energy into creating something, and then it gets hijacked for the amusement of some teenager, or dodgy porn site, or financial criminal. Ugh.
But we got through it – despite the initial panic. And so can you!
Today, in the hope that it might help someone else who has just had their WordPress blog hacked (or wants to avoid the trauma altogether), I thought I’d share my hacking story.
Day One: First Sign of Trouble
My first inkling that something was wrong was a wonky plug-in. Suddenly, I couldn’t see the ‘compose new post’ window in the WordPress back end. I could write posts in HTML, but who wants to do that?
I assumed it was a plug-in clash, where an updated plug-in doesn’t work with an updated WordPress. I emailed our company’s developer, and he thought the same.
I de-activated all the plug-ins and activated them one by one. The problem seemed to have gone. Until I clicked off my blog and came back – then the problem was back, too.
At this stage, things just felt inconvenient, but not MAJOR. I assumed the developer would work it out at some point.
Day Two: Things Get Worrying
The next day, one of the team told me they were getting a security warning on my blog, indicating it had been hacked. Oh sh-t.
I emailed the developer, who said he had checked and couldn’t see any sign of an intrusion.
I called my hosting company, who said the same thing.
Still, it didn’t feel quite right. The hosts insisted that my site must have been incorrectly flagged by Norton Security, and the security alert was just a glitch, but I checked and my site wasn’t indexed by Norton, so that didn’t particularly put my mind at rest.
Throughout the day, emails flew back and forth between the developer, the hosts and myself, trying to identify the root cause of the problem.
As a precaution, I took a complete back-up of my site, database, images and all. This is important because if your site is hacked, some hosting companies will immediately take it offline, to protect other customers.
Eventually at about 10pm, tech support advised me to install a plug-in called Wordfence, which could run a detailed security scan of my entire blog. It was very much a, “We don’t think you’re hacked but if you really want to…”
Thank goodness I did.
Because there it was: around 300 malicious, modified files. The site was riddled with malware.
This malware is behind a current HUGE spike in WordPress infections, sending visitors to sites where their machines can be infected with ransomware – a depressing kind of software that locks the files on your computer until you pay a ransom to unlock them.
One tell-tale sign that I’d missed was that there were two new admin accounts on my site that I hadn’t spotted (because how often do you look at the ‘user’ part of your WordPress admin panel?).
But with those accounts, the hackers effectively had full control of my blog. Actually that felt quite emotional – my blog is the story of my family, and I would be devastated to lose it. I know I do back-ups regularly, as do my hosts, but still – it’s a scary feeling to see someone else has control of your site.
Not to mention the fact I was just really, really ticked off. Seriously, hackers, get a life, why don’t you?
The tech support at my hosting company was fantastic – the support agent could see two sites on my personal hosting account that were both infected, and they gradually cleaned up the infected files, working through the list created by Wordfence. By a little after midnight, neither site was throwing up a security warning, and it all seemed clean.
Phew. I headed off to bed just after 1am, feeling much relieved.
Day Three: Not so Good
By the time I sat down at my desk at 9am the next morning, both sites were throwing up a security warning again. WTF?
Turns out, the malware was self-propagating. Every time an infected file was loaded (for example, because someone viewed an image on my site) the code would replicate, infecting another file. The code was replicating as fast as my developer could remove it.
What we needed to do was identify and block the root source of the intrusion. After all, you can clean up the mess an intruder makes, but if the door isn’t closed, they’re just going to come in again.
After several hours scratching heads and looking at logs, we realised there was an old test version of a WordPress site on my shared server account. It hadn’t been touched in two or three years – which of course meant it hadn’t been updated in that time.
Hackers had managed to get into the old test site, and from there were able to jump across to other sites on the same server. Every time we cleaned up my blog, they could just re-infect it.
So my developer deleted the old site completely, along with some other old files and forums that were no longer being used.
He then re-cleaned both my personal sites, and re-installed all the core files from fresh. This was a bit of a pain, admittedly – because I couldn’t remember log-ins, I had to re-purchase Genesis and two child themes. We also reinstalled WordPress, and every single plug-in was deleted, and the latest version installed.
After 10 hours, it finally looked as though everything was clean, and there was no more vulnerability allowing the site to be hacked.
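The root cause here was a WordPress copy nobody remembered, and it took hours of log-reading to find it. An inventory of every WordPress install in the hosting account would have surfaced it in seconds, because each install carries its version in wp-includes/version.php and that file is rewritten by every core update. The script below is an added example, not code from this post or from any plug-in; it assumes a standard WordPress layout and builds a constructed sample account (the version numbers and ages are made up) so it runs anywhere.

```python
"""Added example: inventory every WordPress install under a hosting account and flag stale ones.

Not code from the original post. It finds each install by its wp-includes/version.php,
reads the version string WordPress stores there, and reports how long it is since the
core was last updated. The demo tree below is constructed sample data.
"""
import os
import re
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# WordPress core writes its version into wp-includes/version.php as: $wp_version = '6.x';
VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
SECONDS_PER_DAY = 86400


@dataclass
class WpInstall:
    root: Path                    # directory holding wp-includes/ and wp-content/
    version: str                  # value parsed from version.php, or "unknown"
    days_since_core_update: int   # age of version.php, i.e. time since the last core update


def find_installs(account_root: Path, now: Optional[float] = None) -> List[WpInstall]:
    """Walk the whole account (not just the live site) and return every WordPress install."""
    now = time.time() if now is None else now
    installs = []
    for version_file in account_root.rglob("wp-includes/version.php"):
        match = VERSION_RE.search(version_file.read_text(errors="replace"))
        version = match.group(1) if match else "unknown"
        # version.php changes on every core update, so its mtime is a good proxy for
        # "when was this install last patched".
        age_days = int((now - version_file.stat().st_mtime) // SECONDS_PER_DAY)
        installs.append(WpInstall(version_file.parents[1], version, age_days))
    return sorted(installs, key=lambda i: str(i.root))


def stale_installs(installs: List[WpInstall], max_age_days: int = 90) -> List[WpInstall]:
    """Installs whose core has not changed in max_age_days: forgotten test sites live here."""
    return [i for i in installs if i.days_since_core_update > max_age_days]


def build_demo_account() -> Path:
    """Constructed sample: a live site updated today and a test copy untouched for ~3 years."""
    root = Path(tempfile.mkdtemp(prefix="wp-account-"))
    # (version, age in days) per install; both values are made up for the demo.
    samples = {"public_html": ("6.4", 0), "old-test": ("4.1", 1100)}
    for name, (version, age_days) in samples.items():
        version_file = root / name / "wp-includes" / "version.php"
        version_file.parent.mkdir(parents=True)
        version_file.write_text(f"<?php\n$wp_version = '{version}';\n")
        mtime = time.time() - age_days * SECONDS_PER_DAY
        os.utime(version_file, (mtime, mtime))
    return root


if __name__ == "__main__":
    account = build_demo_account()
    found = find_installs(account)
    for install in found:
        print(f"{install.root.name:12} WordPress {install.version:6} "
              f"core last changed {install.days_since_core_update} days ago")
    for install in stale_installs(found):
        print(f"STALE: {install.root} -- update it or delete it; it shares the account with the live site")
```

Run it from the top of the hosting account (the directory above public_html), not from inside the live site, because the whole point is to catch copies outside the site you look after. Anything it lists as stale is either updated the same day or deleted; on shared hosting an unpatched install sits inside the same account permissions as the live blog, which is exactly how the reinfection above kept happening.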
What I learned
Being hacked was ridiculously stressful, but there are a few things I’ve learned which will hopefully reduce the chances of it happening again. Here are some of my top tips to reduce the odds of being hacked, and to resolve issues if you are:
- If you’ve been hacked, back up your site before you do anything else. If you’ve got older back-ups, so you can roll back to an earlier version of the site, so much the better. Not currently backing up? Try plug-ins like WP Backup and Vaultpress, which can back up your site to your computer or Dropbox. But ensure you have a copy of your site – some hosting companies will immediately pull the plug on your blog if it’s hacked, to avoid the risk of you contaminating other customer accounts.
- Run a full security scan on your own desktop machine or laptop, and ensure it’s clean.
- Log in to your WordPress account (if you can) and check for errant users. If you see any names you don’t recognise, delete them.
- Change every password. Change your WP admin password, your FTP password, your SQL password, your hosting account password. Make your new passwords strong.
- If you don’t already use it, add Wordfence to your site – the free version will scan all your files and identify any security holes, malicious files or suspicious changes. It will also email you alerts if a plug-in needs updating or a comment contains a malicious link.
- Old blogs should be deleted, or you need to ensure you continue to update plug-ins, WordPress and other features even if you’re no longer using a blog.
- Don’t necessarily believe your hosting company if they tell you that you haven’t been hacked. I was told I hadn’t been hacked for a full 36 hours before we realised, dur, I’d been hacked. Do a full file scan yourself (or ask someone to do it for you).
- It will help your tech support people (whether you have your own developer or are working with your host) if you have some key information in a document on your computer, readily at hand. These are your WP admin log-in details, your cPanel, FTP and hosting log-in details, a copy of the log from Wordfence or another security scan, screenshots of any security warnings you’re seeing, and details of what back-up system you’re using.
- You should also make a list of the plug-ins you’re using, and your theme, along with purchase details in case you need to re-download and install fresh copies. I didn’t do this and had to spend over £100 on new theme files. Argh.
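“Do a full file scan yourself” is the tip that would have saved this blog a day and a half. Wordfence does that job properly; the script below is an added example, not code from this post or from Wordfence, of the first-pass triage a developer with shell access can run over a copy of the site while waiting for support. It uses three cheap signals: PHP files where WordPress never puts them (wp-content/uploads holds media only), files changed in the last few days, and text patterns that injected code commonly uses. It assumes a standard WordPress directory layout and builds a constructed sample tree so it runs offline.

```python
"""Added example: triage a WordPress tree for PHP files that deserve a closer look.

Not code from the original post and not a replacement for a real scanner. Three cheap
signals: PHP where WordPress never puts it (wp-content/uploads), files changed in the
last few days, and text patterns that injected PHP commonly uses. A hit means
"inspect this", not "this is malware". The sample tree is constructed data.
"""
import os
import re
import tempfile
import time
from pathlib import Path
from typing import List, Optional, Tuple

SECONDS_PER_DAY = 86400
UPLOADS_DIR = Path("wp-content") / "uploads"

# Patterns typical of injected code; legitimate themes and plug-ins rarely need any of them.
SIGNATURES = {
    "eval-of-encoded-payload": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "long-base64-literal": re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"),
    "request-driven-function-call": re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\("),
}

Finding = Tuple[str, str]  # (path relative to the WordPress root, reason)


def scan_tree(wp_root: Path, changed_within_days: int = 7, now: Optional[float] = None) -> List[Finding]:
    """Return one (path, reason) pair per signal that fired, ordered by path."""
    now = time.time() if now is None else now
    cutoff = now - changed_within_days * SECONDS_PER_DAY
    findings: List[Finding] = []
    for path in sorted(wp_root.rglob("*.php")):
        rel = path.relative_to(wp_root)
        reasons = []
        if UPLOADS_DIR in rel.parents:
            reasons.append("php-file-in-uploads")          # uploads should contain media only
        if path.stat().st_mtime >= cutoff:
            reasons.append(f"modified-in-last-{changed_within_days}-days")
        text = path.read_text(errors="replace")
        reasons.extend(name for name, pattern in SIGNATURES.items() if pattern.search(text))
        findings.extend((rel.as_posix(), reason) for reason in reasons)
    return findings


def build_demo_tree() -> Path:
    """Constructed sample: an old clean core file, a fresh PHP file in uploads, an altered theme file."""
    root = Path(tempfile.mkdtemp(prefix="wp-site-"))
    core = root / "wp-includes" / "functions.php"
    core.parent.mkdir(parents=True)
    core.write_text("<?php\nfunction wp_demo_helper() { return 1; }\n")
    old = time.time() - 400 * SECONDS_PER_DAY          # untouched for over a year
    os.utime(core, (old, old))

    dropped = root / UPLOADS_DIR / "2015" / "01" / "image.php"
    dropped.parent.mkdir(parents=True)
    # Constructed marker, not a working payload: the encoded text is just the words "constructed sample".
    dropped.write_text('<?php\neval(base64_decode("Y29uc3RydWN0ZWQgc2FtcGxl"));\n')

    theme = root / "wp-content" / "themes" / "demo" / "functions.php"
    theme.parent.mkdir(parents=True)
    # A legitimate-looking theme file with a long opaque literal appended (constructed).
    theme.write_text("<?php\nadd_action('init', 'demo_setup');\n$blob = \"" + "QUJD" * 40 + "\";\n")
    return root


if __name__ == "__main__":
    for rel_path, reason in scan_tree(build_demo_tree()):
        print(f"{reason:28} {rel_path}")
```

Two things to keep in mind when using it for real. Right after a reinstall every core file was modified today, so run it against the back-up you took before the clean-up, or raise changed_within_days; and rerunning it a few hours after a clean-up is the quickest way to see whether files are being re-infected, which is the pattern this blog hit on Day Three. Anything it flags is handed to whoever is cleaning the site for a look, not deleted on sight.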