I guess I’m lucky.
I’ve been blogging since around 2002, and I’ve never experienced a site being hacked until last month, when this site was badly hacked.
Honestly, it’s a horrible feeling, knowing that you put your time and heart and energy into creating something, and then it gets hijacked for the amusement of some teenager, or dodgy porn site, or financial criminal. Ugh.
But we got through it – despite the initial panic. And so can you!
Today, in hopes it might help someone else who has just had their WordPress blog hacked (or wants to avoid the trauma altogether) I thought I’d share my hacking story.
Day One: First Sign of Trouble
My first inkling that something was wrong was a wonky plug-in. Suddenly, I couldn’t see the ‘compose new post’ window in the WordPress back end. I could write posts in HTML, but who wants to do that?
I assumed it was a plug-in clash, where an updated plug-in doesn’t work with an updated WordPress. I emailed our company’s developer, and he thought the same.
I de-activated all the plug-ins and activated them one by one. The problem seemed to have gone. Until I clicked off my blog and came back – then the problem was back, too.
At this stage, things just felt inconvenient, but not MAJOR. I assumed the developer would work it out at some point.
Day Two: Things Get Worrying
The next day, one of the team told me they were getting a security warning on my blog, indicating it had been hacked. Oh sh-t.
I emailed the developer, who said he had checked and couldn’t see any sign of an intrusion.
I called my hosting company, who said the same thing.
Still, it didn’t feel quite right. The hosts insisted that my site must have been incorrectly flagged by Norton Security, and the security alert was just a glitch, but I checked and my site wasn’t indexed by Norton, so that didn’t particularly put my mind at rest.
Throughout the day, emails flew back and forth between the developer, the hosts and myself, trying to identify the root cause of the problem.
As a precaution, I took a complete back-up of my site, database, images and all. This is important because if your site is hacked, some hosting companies will immediately take it offline, to protect other customers.
Eventually at about 10pm, tech support advised me to install a plug-in called Wordfence, which could run a detailed security scan of my entire blog. It was very much a, “We don’t think you’re hacked but if you really want to…”
Thank goodness I did.
Because there it was: around 300 malicious, modified files. The site was riddled with malware.
Specifically, I’d been hit by a variation of the Nuclear Exploit Kit, which rewrites JavaScript files on your blog to deliver malicious code.
It’s behind a current HUGE spike in WordPress malware infections that are leading users to sites where their machines can be infected by ransomware – a depressing software program that locks files on your computer until you pay a ransom to unlock them.
One tell-tale sign that I’d missed was that there were two new admin accounts on my site that I hadn’t spotted (because how often do you look at the ‘user’ part of your WordPress admin panel?).
But with those accounts, the hackers effectively had full control of my blog. Actually that felt quite emotional – my blog is the story of my family, and I would be devastated to lose it. I know I do back-ups regularly, as do my hosts, but still – it’s a scary feeling to see someone else has control of your site.
Not to mention the fact I was just really, really ticked off. Seriously, hackers, get a life, why don’t you?
The tech support at my hosting company was fantastic – the support agent could see two sites on my personal hosting account that were both infected, and they gradually cleaned up the infected files, working through the list created by Wordfence. By a little after midnight, neither site was throwing up a security warning, and it all seemed clean.
Phew. I headed off to bed just after 1am, feeling much relieved.
Day Three: Not so Good
By the time I sat down at my desk at 9am the next morning, both sites were throwing up a security warning again. WTF?
Turns out, the malware was self-propagating. Every time an infected file was loaded (for example because someone loaded an image on my site) the code would replicate, infecting another file. The code was replicating as fast as my developer could remove it.
What we needed to do was identify and block the root source of the intrusion. After all, you can clean up the mess an intruder makes, but if the door isn’t closed, they’re just going to come in again.
After several hours scratching heads and looking at logs, we realised there was an old test version of a WordPress site on my shared server account. It hadn’t been touched in two or three years – which of course meant it hadn’t been updated in that time.
Stupid me.
Hackers had managed to get into the old test site, and from there were able to jump across to other sites on the same server. Every time we cleaned up my blog, they could just re-infect it.
So my developer deleted the old site completely, along with some other old files and forums that were no longer being used.
He then re-cleaned both my personal sites, and re-installed all the core files from fresh. This was a bit of a pain, admittedly – because I couldn’t remember log-ins, I had to re-purchase Genesis and two child themes. We also reinstalled WordPress, and every single plug-in was deleted, and the latest version installed.
After 10 hours, it finally looked as though everything was clean, and there was no more vulnerability allowing the site to be hacked.
Phew.
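Finding the door, rather than the mess, is the part of Day Three that makes the difference, and the access logs are where it shows up. The following is an added example, not the post author's code or her developer's, and the log lines in it are constructed: the IPs, the /oldtest/ directory and every path are invented for the illustration. It parses Apache-style combined-format lines and pulls out three things a practitioner looks for first: requests into an abandoned install, PHP files being requested from under wp-content/uploads (which should only ever hold images), and one IP hammering wp-login.php. It then lays out everything the suspicious IPs did, so the hop from the old site to the live one is visible in one place.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (invented IPs and paths, not traffic from any real site).
# 203.0.113.7 hits an abandoned install under /oldtest/, fetches a PHP file it
# planted in that install's uploads directory, then POSTs to a PHP file sitting
# under the LIVE site's uploads. 192.0.2.33 just brute-forces the login form.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jan/2016:02:11:03 +0000] "POST /oldtest/wp-content/plugins/old-plugin/upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jan/2016:02:11:05 +0000] "GET /oldtest/wp-content/uploads/2013/05/sh.php?cmd=id HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Jan/2016:02:12:00 +0000] "GET /wp-content/uploads/2015/12/photo.jpg HTTP/1.1" 200 45122 "https://example.com/" "Mozilla/5.0"
203.0.113.7 - - [14/Jan/2016:02:13:41 +0000] "POST /wp-content/uploads/2015/12/cache.php HTTP/1.1" 200 16 "-" "Mozilla/5.0"
192.0.2.33 - - [14/Jan/2016:02:20:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3820 "-" "python-requests/2.9"
192.0.2.33 - - [14/Jan/2016:02:20:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3820 "-" "python-requests/2.9"
192.0.2.33 - - [14/Jan/2016:02:20:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3820 "-" "python-requests/2.9"
192.0.2.33 - - [14/Jan/2016:02:20:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3820 "-" "python-requests/2.9"
192.0.2.33 - - [14/Jan/2016:02:20:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3820 "-" "python-requests/2.9"
198.51.100.9 - - [14/Jan/2016:02:21:00 +0000] "GET / HTTP/1.1" 200 22010 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
            records.append(rec)
    return records


def triage(records, abandoned_prefixes=("/oldtest/",), login_threshold=5):
    """Pull out the requests that point at an entry point, then pivot on the IPs behind them."""
    abandoned = [r for r in records if r["path"].startswith(abandoned_prefixes)]
    php_in_uploads = [r for r in records
                      if "/wp-content/uploads/" in r["path"] and r["path"].endswith(".php")]
    login_posts = Counter(r["ip"] for r in records
                          if r["method"] == "POST" and r["path"].endswith("/wp-login.php"))
    bruteforce = {ip: n for ip, n in login_posts.items() if n >= login_threshold}

    # Everything the suspect IPs did, in order: this is where the hop from the
    # abandoned install to the live site becomes visible.
    suspect_ips = {r["ip"] for r in abandoned} | {r["ip"] for r in php_in_uploads}
    timeline = defaultdict(list)
    for r in records:
        if r["ip"] in suspect_ips:
            timeline[r["ip"]].append((r["ts"], r["method"], r["path"], r["status"]))

    return {
        "abandoned_install_hits": abandoned,
        "php_in_uploads": php_in_uploads,
        "login_bruteforce": bruteforce,
        "suspect_ip_timeline": dict(timeline),
    }


if __name__ == "__main__":
    result = triage(parse_log(SAMPLE_LOG))
    for ip, events in result["suspect_ip_timeline"].items():
        print(f"suspect {ip}:")
        for ts, method, path, status in events:
            print(f"  {ts} {method} {path} -> {status}")
    print("brute-force:", result["login_bruteforce"])
```

On a real server the input is the host's access log (often under cPanel's "Raw Access" or the account's logs directory), and the abandoned-install prefix is whatever directory the forgotten site lived in. A 200 on a POST to a PHP file under uploads is the strongest single line here: uploads should never execute code, and a web-server rule denying PHP execution in that directory closes that avenue regardless of which plug-in let the file in.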
What I learned
Being hacked was ridiculously stressful, but there are a few things I’ve learned which will hopefully reduce the chances of it happening again. Here are some of my top tips to reduce the odds of being hacked, and to resolve issues if you are:
- If you’ve been hacked, back up your site before you do anything else: files, database, images and all. That copy is your record of what the attacker changed, so keep it, but don’t restore from it, because it contains the malware. If you have older back-ups from before the intrusion that you can roll back to, so much the better. Not currently backing up? Plug-ins like WP Backup and VaultPress can back up your site to your computer or Dropbox. Either way, make sure you hold a copy of your site: some hosting companies will immediately pull the plug on your blog if it’s hacked, to avoid the risk of you contaminating other customer accounts.
- Run a full security scan on your own desktop machine or laptop, and ensure it’s clean. Do this before you start changing passwords: if your own machine has a keylogger on it, every new password you set is compromised as you type it.
- Log in to your WordPress account (if you can) and check for errant users, paying particular attention to anyone with the Administrator role. If you see any names you don’t recognise, delete them. Do the same for any unfamiliar FTP or cPanel accounts on your hosting account.
- Change every password: your WP admin password, your FTP password, your database password (and update wp-config.php to match), your hosting account password. Do it after the clean-up, and again once you’re confident the site is clean, because a backdoor still sitting on the server can capture the new credentials. While you’re in wp-config.php, regenerate the secret keys and salts (WordPress provides fresh ones at https://api.wordpress.org/secret-key/1.1/salt/); that logs out every existing session, including any the hackers still hold. Make your new passwords strong and unique.
- If you don’t already use it, add Wordfence to your site. The free version scans all your files for malicious code, flags core files that differ from the official copies, and emails you alerts if a plug-in needs updating or a comment contains a malicious link.
- Old blogs should be deleted. On a shared hosting account every site typically runs as the same user, so an abandoned test install with an unpatched plug-in is a way into every other site under that account. If you can’t delete it, you need to keep updating its plug-ins, WordPress and themes as diligently as the live blog, even though nobody is using it.
- Don’t necessarily believe your hosting company if they tell you that you haven’t been hacked. I was told I hadn’t been hacked for a full 36 hours before we realised, dur, I’d been hacked. Do a full file scan yourself (or ask someone to do it for you), and look at the access logs for the days before the warning first appeared.
- It will help your tech support people (whether you have your own developer or are working with your host) if you have some key information readily at hand: your WP admin log-in details, your cPanel, FTP and hosting log-in details (keep these in a password manager rather than a plain document on your computer), a copy of the log from Wordfence or another security scan, screenshots of any security warnings you’re seeing, and details of what back-up system you’re using.
- You should also make a list of the plug-ins you’re using, and your theme, along with purchase details in case you need to re-download and install fresh copies. I didn’t do this and had to spend over £100 on new theme files. Argh.
- Once your site is back online, update everything: themes, plug-ins, any JavaScript widgets running. Then keep doing it. Periodically check your plug-ins, because developers often abandon them, and if one hasn’t been updated for a while there may be a newer, better-maintained alternative.
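The file scan in the list above is the step people skip, so here is an added example of what a quick triage pass looks like. This is my illustration, not the author’s code and not what Wordfence does internally. It walks a WordPress tree and flags four things: PHP files sitting under wp-content/uploads (which should hold images, never code), files changed in the last N days, and files carrying two common injection signatures, an eval() wrapped around base64_decode() or similar, and a document.write() of an iframe, plus long runs of hex escapes. The build_demo_tree() helper creates a constructed sample site in a temporary directory; its file names and contents are invented for the demonstration. The indicator list is a starting point, not a complete one, and legitimate minified JavaScript can trip the hex-escape rule, so treat hits as things to look at, not verdicts.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Content signatures applied to PHP/JS/HTML files. Deliberately few and specific.
INDICATORS = [
    ("obfuscated_php", re.compile(
        rb"(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(")),
    ("js_iframe_injection", re.compile(rb"document\.write\s*\(\s*['\"]\s*<iframe", re.I)),
    ("long_hex_escape_run", re.compile(rb"(?:\\x[0-9a-fA-F]{2}){8,}")),
]
SCAN_SUFFIXES = {".php", ".phtml", ".js", ".html", ".htm"}
CODE_SUFFIXES = {".php", ".phtml"}

# Constructed demo site (invented names and contents). Only header.php, jquery.js
# and cache.php are "bad"; footer.php and photo.jpg are clean controls.
DEMO_FILES = {
    "wp-content/themes/demo/footer.php": b"<?php wp_footer(); ?>\n</body></html>\n",
    "wp-content/themes/demo/header.php":
        b"<?php eval(base64_decode('ZWNobyAnaGknOw==')); ?>\n<!DOCTYPE html>\n",
    "wp-includes/js/jquery/jquery.js":
        b"/*! jQuery */\n"
        b"document.write('<iframe src=\"http://redirect.invalid/x\" width=1 height=1>');\n",
    "wp-content/uploads/2015/12/cache.php": b"<?php echo 1; ?>\n",
    "wp-content/uploads/2015/12/photo.jpg": b"\xff\xd8\xff\xe0 not really a jpeg\n",
}


def build_demo_tree(base=None):
    """Write the constructed sample site to disk (temp dir if no base given) and return its root."""
    root = Path(base) if base else Path(tempfile.mkdtemp(prefix="wp-triage-"))
    for rel, content in DEMO_FILES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
    # Make the untouched theme footer look a year old so the mtime rule has a negative case.
    old = time.time() - 365 * 86400
    os.utime(root / "wp-content/themes/demo/footer.php", (old, old))
    return root


def scan_tree(root, max_age_days=None):
    """Return a list of (relative_path, indicator_name) findings for the tree under root."""
    root = Path(root)
    cutoff = time.time() - max_age_days * 86400 if max_age_days is not None else None
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        suffix = path.suffix.lower()
        # Code where only media belongs is the single most reliable indicator.
        if "/wp-content/uploads/" in "/" + rel and suffix in CODE_SUFFIXES:
            findings.append((rel, "php_in_uploads"))
        # Anything touched since the intrusion window opened deserves a look.
        if cutoff is not None and path.stat().st_mtime >= cutoff:
            findings.append((rel, "recently_modified"))
        # Content signatures, only on file types that can carry code.
        if suffix in SCAN_SUFFIXES:
            data = path.read_bytes()
            for name, regex in INDICATORS:
                if regex.search(data):
                    findings.append((rel, name))
    return findings


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for rel, name in scan_tree(demo_root, max_age_days=7):
        print(f"{name:22} {rel}")
```

Run it against a copy of the site rather than poking at the live tree while you are still working out what happened, and hand the output to whoever is doing the clean-up alongside the Wordfence report. For core, theme and plug-in files the authoritative check is not a signature but a byte-for-byte comparison against a fresh download; if WP-CLI is available on the host, wp core verify-checksums does exactly that for the core files.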
Oh no Sally, what an absolute nightmare!! Glad to hear you managed to sort it out without losing anything. Off I go to back everything up and set up Wordfence! Thanks for sharing your experience, and how you managed to sort it out.
Thanks Maria, it was definitely a bit of a learning curve!
So glad you managed to get it fixed and thank you for sharing your story. Off to check my blog is secure!
Thanks, so glad it’s useful to someone else.
OMG how terrible and stressful. *makes mental note to back up blog site asap*
Yes! Back up often!
That’s awful! I don’t understand why people do it. To prove they can? Glad you’ve managed to resolve it. Hopefully that’s the last of it.
Who knows why. It’s a fairly crappy way to spend your time if you ask me.
This has happened to me twice now and is such a nightmare, really stressful too. And I can’t even believe I’m about to say this but I haven’t got a plugin that backs up my sites. I am going to sort that tomorrow!
It is pretty stressful – I guess your hosts do back-ups but a plug-in as a back up to your back up is a good idea!
Eurgh. I feel sick just thinking about it. Last time I tried to back up my blog – after paying £40 for specialist backup software – it crashed my entire site and I had to uninstall it. Now I’m going to have to get my head out of the sand and sort it out properly *shudders*.
Oh no! I am really lucky a lot of this is done by my developer.
I have Wordfence but I also have Sucuri which is brilliant. It was recommended by my hosts and it emails me every time something changes in my site whether it’s me logging in or uploading files or even adding a new plug in.
I’m glad you’re all up and running now x x
You can get the email alerts via Wordfence, too, it’s a really useful feature.
I am sick to the stomach, yet relieved you have now sorted it. What an absolute nightmare! Thank you so much for sharing your tips. I will definitely work through the list. This weekend for sure Xx
Thanks Caroline, really hope it’s useful to you x
Oh gosh Sally… I remember your post a week or two ago when you mentioned this blog was a collection of memories from Flea’s nursery days to her now almost secondary school-girl days. The thought someone can be sneaking into your list of users and make harmful changes to your memory bank is sickening. Thanks for all the tips, I’ll be sharing that one.
Blimey Sally – what a pain in the backside. What a lot of unnecessary stress. I’m glad your site was rescued, and will be looking at points in your cautionary tale to make sure my site is as safe as possible x
What an absolute mare Sally. So pleased you got it sorted but bloody hell!! Thanks for sharing with all your tips, I’ll be putting them into action once the kids go to bed…
My blog got hacked on Christmas eve but luckily it wasn’t as bad as yours sounds – a new admin account had been installed and a few new lines of code had been added to my theme making all mobile traffic go to a spammy site. This is a great post for anyone experiencing hacking – or even how to spot that they’ve been hacked in the first place x
Thank you for this post – kind of you to share so others can hopefully avoid this. Glad you have resolved it all now. x
Gosh that sounds stressful – glad that you’ve got it fixed (and off to back up mine).
Fab tips, thanks Sally! We are now getting email alerts from Wordfence for our website – although they are freaking me out – 60 brute force attempts in one day. Maaah! Glad you managed to get back on track.
What a nightmare! Glad you’ve managed to sort it all out now though.