Here We Go: Hacking!
My blog was hacked last week. Sometime between 6am-9am on a Wednesday morning, EVERYTHING WAS DELETED. It’s the worst feeling. At first I was confused. I (like a weirdo, vain person) checked my blog around 9AM to make sure everything looked okay. I got a 404 error. Refresh. 404 error. Refresh. I got sort of annoyed and tried to log into WordPress. 404 error. AH! I called my hosting company and quickly explained what was happening. The customer service rep verified my URL and said those dreaded words, “It looks like you got hacked. All your files are gone.” Say whaaaaat?
Luckily I knew what to do. I worked for a hosting company back in 2009 and handled these kinds of problems daily. Sadly, most people don’t know what to do (or how to prevent it). That is exactly why I wrote this post.
How do they do it?
It’s easy to feel frustrated or personally attacked when your site or blog goes down due to hacking. Usually, it’s not personal. Your arch-nemesis isn’t sitting in their basement deleting all your files. What happens is a hacker runs automated scripts that look for known vulnerabilities in your site (especially outdated WordPress installations) and gains access through those holes. It’s like if you ignore the fact that your window screen has little rips or tears. It seems irrelevant until you wake up with 20 mosquito bites.
If a hacker can’t gain access that way, they can move on to find holes in your plugins, your themes, a weak password, your email account or your FTP login. Mark wrote an awesome article titled 7 Ways I Could Hack Into Your WordPress Site. I suggest reading it!
How to prevent it.
Now that you know how they do it, it feels a little easier to prevent it. Here is my own checklist:
- Make your passwords long and complicated, and make every login different. If the same password opens your blog, your FTP and your email, one leak opens all three. (Comic above found here via @teahousekitten. I laughed.)
- Always keep your WordPress install, themes and plugins up to date. When a hole is found, the developers release a fixed version, and the automated scripts start looking for sites that haven’t installed it yet.
- Keep backups of your blog (the database) and your files, and keep a copy somewhere other than the server. If a hacker deletes everything, like they did to me, a backup that only lived on that server is gone with it.
- If you log into your blog as “admin,” change that. Here’s how.
- Remove the “Powered by WordPress” link in your footer. Hackers can search for it to build a list of targets. Be aware that this only hides you from the laziest searches: the /wp-content/ paths in your page source still give WordPress away, so treat it as a small step, not a defense.
- Set up 2-step verification on your Gmail account. (Great tip from Shoogle Designs)
Please note: there are many, many more measures that you can take to prevent being hacked. This article by Mastermind Blogger shared great tips that are a bit more technical and complicated. Be sure to give it a read if you feel comfortable enough to address some of these issues.
“Everything was dumb and then I sobbed.” – Quote from blogger Kara Haupt. Totally sums it up.
Still got hacked? Here’s what I’d do.
First of all, breathe. Freaking out and screaming at your hosting company’s customer service rep isn’t going to speed up the process (believe me, I’ve been there and when customers were swearing at me…I didn’t necessarily feel sorry for them). Here’s what I did (and what I would suggest you do too):
- Call your hosting provider. Explain what you think has happened.
- Ask them to scan your files for malicious code.
- Ask them when the most recent backup of your files was taken and ask for a clean restore. Make sure that backup is from before the hack; restoring one taken after the break-in puts the hacker’s files right back.
- Change all your passwords. That means WordPress, FTP, email accounts.
- Scan your computer for viruses. I don’t tend to do this with my Macs but I would definitely advise you to!
- Go to Google Webmaster Tools, prove ownership of your site and request a review if Google is showing a malware warning for it.
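If you want to do some of this checking yourself instead of waiting on the hosting company, the two steps that fit together are the backup step above (keep a copy of your files off the server) and the “scan my files for malicious code” step. The script below is an added example, not part of the original post or anything WordPress ships: while the site is clean it records a SHA-256 hash of every file, and after an incident it reports what was added, deleted or changed, greps the new and changed files for strings that automated PHP injections commonly leave behind, and lists any .php files sitting in wp-content/uploads (which should hold media only). The pattern list, the mini site layout and the simulated damage in `demo()` are all constructed for the example; a real manifest should be stored with your off-server backup, not on the box that just got hacked.

```python
"""Added example: snapshot a WordPress tree while it is clean, then after an
incident diff the live tree against the snapshot and triage the differences."""
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Constructed list of strings that automated PHP injections and web shells
# commonly leave behind. A hit is a lead for a human to inspect, not proof of
# compromise; tune this for your own site (an assumption of this example).
PATTERNS = [
    ("eval", re.compile(rb"\beval\s*\(")),
    ("base64_decode", re.compile(rb"\bbase64_decode\s*\(")),
    ("gzinflate", re.compile(rb"\bgzinflate\s*\(")),
    ("str_rot13", re.compile(rb"\bstr_rot13\s*\(")),
    # old preg_replace /e modifier executes the replacement string as PHP
    ("preg_replace /e", re.compile(rb"\bpreg_replace\s*\(\s*['\"][^'\"]*?/[a-zA-Z]*e[a-zA-Z]*['\"]")),
    # request parameter used directly as a function name, e.g. $_POST['c']($_POST['a'])
    ("request-as-callable", re.compile(rb"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(")),
]


def build_manifest(root):
    """SHA-256 of every file under root, keyed by path relative to root.
    Run this while the site is known-good and keep the output OFF the server,
    next to your backup; a manifest left on the hacked box is itself suspect."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def diff_against_manifest(root, manifest):
    """Files that appeared, disappeared, or changed since the manifest was taken."""
    current = build_manifest(root)
    return {
        "added": sorted(set(current) - set(manifest)),
        "deleted": sorted(set(manifest) - set(current)),
        "modified": sorted(p for p in current.keys() & manifest.keys() if current[p] != manifest[p]),
    }


def scan_files(root, rel_paths):
    """Grep the given files for PATTERNS; returns {relative path: [pattern names]}."""
    root = Path(root)
    findings = {}
    for rel in rel_paths:
        data = (root / rel).read_bytes()
        hits = [name for name, rx in PATTERNS if rx.search(data)]
        if hits:
            findings[rel] = hits
    return findings


def php_under_uploads(root):
    """wp-content/uploads should contain media only; any .php there is a red flag."""
    root = Path(root)
    uploads = root / "wp-content" / "uploads"
    if not uploads.exists():
        return []
    return sorted(p.relative_to(root).as_posix() for p in uploads.rglob("*.php"))


def triage(root, manifest):
    """Combine the diff, the pattern scan of new/changed files, and the uploads check."""
    changes = diff_against_manifest(root, manifest)
    return {
        **changes,
        "suspicious": scan_files(root, changes["added"] + changes["modified"]),
        "php_in_uploads": php_under_uploads(root),
    }


def demo():
    """Constructed scenario: snapshot a tiny clean site, then simulate the kind
    of damage the post describes and triage it against the snapshot."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "wp-content" / "uploads" / "2013").mkdir(parents=True)
        (site / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'blog');\n")
        (site / "wp-content" / "uploads" / "2013" / "photo.jpg").write_bytes(b"\xff\xd8\xff")
        manifest = build_manifest(site)  # taken while the site is clean

        # Simulated compromise (constructed): injected loader, dropped shell, deleted config.
        (site / "index.php").write_text(
            "<?php eval(base64_decode('ZWNobyAxOw==')); require 'wp-blog-header.php';\n")
        (site / "wp-content" / "uploads" / "2013" / "cache.php").write_text(
            "<?php $_POST['c']($_POST['a']);\n")
        (site / "wp-config.php").unlink()
        return triage(site, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

For a real site, run `build_manifest` against a fresh download of the same WordPress, theme and plugin versions rather than against the live tree if you are not sure the live tree is clean, and treat the “deleted” list as the thing to restore from your off-server backup, not from whatever is still on the compromised server.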
I would refer to this article by WordPress if you feel comfortable diving into some of their more technical tips (like server side permissions, changing your secret keys, checking for malware).
I’m not a hacker OR a pro at preventing it, but since it did JUST happen to me I thought I’d share my own tips in a simple, straightforward way. If you have any questions, feel free to leave it in the comments section. If I can’t answer it, I’ll find the answer for you. I also will gladly accept more tips and advice and I’m sure others would appreciate it as well.
I got hacked before, too. ;( I didn’t even know and my host company contacted me. Luckily, they helped me restore my blog through their backup files. ♥
Your story is so scary! I need to make sure that I back up my sites more often. Thanks for sharing your tips!
GREAT article/advice, Allie! I literally just changed my login to something different than the default “admin” I always use.
After reading this post, I wandered over to my site just to have a look, and it was gone! Thankfully, it was due to some emergency server updates or something, and they said things would be back online soon.
Quite a scare! I hope I’m never hacked.
Ah! Great advice! My blog was hacked a few months ago. And at the time I couldn’t even see it because I was at work! So I only knew from what my boyfriend had been texting me. Scariest.moment.ever.
This is great advice because mine got hacked through an outdated plugin that was installed. UGH. Luckily we kept everything backed up but holy eff if we hadn’t, I would have cried my little heart out. Your blog is like your baby haha.
Great post! It’s not about a subject we all like spending time on, but some people make us do it.
A few months ago, a site of mine got hacked by the same “group”. It was up-to-date (in everything: WordPress, plugins), had a “nice” password and all, but they got in through my hosting account. My hosting provider was not so humble in taking responsibility, so I’m now in the process of switching providers. They changed the index.php and added their content but didn’t erase anything. What I had to do was fairly easy: I just replaced the content of the hacked index with a backup I had and the site was up and running again. :)
A few days later, when I tried to log in to my WP installation I discovered that they had taken my access. That was a scary moment. I’ll try to reproduce what I had to do to gain my access back and I’ll share it with you. The good thing is that I could still access my cPanel account to take care of the situation.
Allison, you did a great write-up on making your password more secure. I’ve been in web development for the last 15 years and pretty much focus only on WordPress these days so perhaps I can add to this discussion even though it hasn’t been commented on in a while.
One thing I’ve never really relied on was coming up with passwords myself. I’ve always used a program like RoboForm to generate extremely long randomized strings for passwords that use alpha uppercase, lowercase, numbers, and special characters (!@#$*) so the encryption level is somewhere between industry standards of 128 – 256 bits. RoboForm then saves and manages the passwords for me.
I do the usual things like you mentioned as well. Keep my web software up to date, 2 factor auth on emails/major accounts, keep backups on servers, keep backups on my own PC (2-3 clones on hard drives), run antivirus, etc.
However, a couple things that don’t overlap on our list are:
1. Using a website firewall/proxy
2. Restricting wp-admin to only be accessible to your IP
3. Using specific plugins to harden WordPress and the server in general
4. Having security audits continuously running on your website
Cool thing is that most of this is free.
I write about this all in more detail over at my own blog. I put it in as the URL for my name on this post.
That mosquito bite analogy really spoke to me. (mind blown)