If you follow me on Twitter then you know when I’m having a bad day or in this case a bad month. I don’t take make much of an effort to put on a brave face, I bitch, whine, complain and take my problems to the internet. Crowd sourcing a problem seems to work for me although it can also feel extremely isolating when you post a question and get nothing but silence *insert sound byte of solo cricket chirping.* Feeling defeated after months of back and forth trying to clean out infected files on my blog (my site was hacked into last fall), I sent one last message to Dreamhost about being at the end of my rope and pulled my last get-out-of-jail-free card, a call back request. At this point I had pretty much given up all hope. I wasn’t even sure if I could salvage any of it. I haven’t been blogging because its been broken, some days I couldn’t even log in. A month ago, I took the band aid approach and installed a new theme that ended up being written in such a way that gave hackers another backdoor into my site. Talk about putting lipstick on a pig. I was D-O-N-E as in I’m leaving this platform altogether because the “blog Gods” just don’t seem to want me here anymore. I decided to hold myself accountable and tweeted this:
— Lindsey Garrett (@modchik) July 31, 2013
I immediately heard back from HostGator and they continued with direct messages and links to FAQs which was helpful but I was still terrified of uprooting myself and my site. Bluehost threw me a couple bones and a couple people suggested I try cloud hosting. The next morning I called Host Gator and to their defense lets just say I was hyper caffeinated and riddled with anxiety that day. I tried to get some reassurance that they would be able to assist me (as in hold my hand I’m not sure what I am doing help.) The guy at the other end kept directing me to their FAQ and when I tried to interject he just kept talking over me. I had a sinking feeling I had just veered way off the path. How could this be happening I thought. Every step of the way had been an uphill battle. Do you ever feel like that? I’m not one for giving up easily but THIS? My blog was in a death spiral. I leaned back in my chair and looked out the window and saw this. I shared it on Instagram
Your last mistake is your best teacher. – unknown.
I slept on it and decided Friday was moving day. I woke up and what happens, 3 large web hosting companies went down including BlueHost and HostGator. Oh the irony. I couldn’t even change sites if I wanted to. Really? Determined to make it happen I signed up with HostGator and rolled up my sleeves. I logged on to the LiveChat and waited…. and waited until I was connected to a representative, I had but one question. How can I make sure I have exported everything I want to save out of WordPress before I move my site? There was a long pause, four minutes to be exact. The representative replied back with a generic response. I told them I couldn’t take advantage of their one step does all all transfer everything because my core files were hacked. Five minutes pass by…. nothing. “Can we verify your account?” …. 5 minute pass “I’m looking at your files.” Me: that’s impossible there are no files, like I said I need to verify something before I start transferring file over….. 4 minute pass … we are now 35 minutes into the conversation and I am feeling really really nervous. It is then suggested that I back up the entire contents of my WP files and just move them all over. Um….. I bang out the message”did you not read that I was hacked? Are you seriously asking me to backup all the files including the hidden ones with hacker shells and script.” Long pause….. “Ok let me see if I can look at your files” …. OMG…. at that point I could see this was not going to end well so I gave her some very frank advice and suggested that if someone ever mentions the word hacked that you refer them to someone who knows what they are talking about. Chat ended. I went to bed with a knot in my stomach. This was it. Three years of blogging. Over.
Saturday morning the phone rings, its Dreamhost. “Oh hey, hi, good morning” I said feeling a bit guilty about my cohort with the competition. I hear myself launch into the same looped conversation … my site was hacked … those files you removed … they are back …… I’m infected again … I’m out of hope … I’m really done this time … the voice on the other end gently said, Lindsey I think I can help you. I swallow hard. What? Really? Why? “Please be honest I’m willing to start all over from nothing. I just want my space back” I whimpered. He went on to say that he spent some time looking back at all the conversations that had transpired and then he rolled up his sleeves, and poked under the hood, specifically the change logs, ah ha, he could clearly see the problems. He explained that I had some serious vulnerabilities in the form of outdated plugins (a recent study showed that 20% of the top 50 wordpress plugins had vulnerabilities and that those plugins were download 8 million times) and a theme that was calling out to other sites as a part of its basic functionality, a big no no in the name of site security. I explained that I had already excommunicated the offending plugin but it was too late, the hacker was already back unloading a bunch of script that basically enables affiliate links, which the hackers make a buck off of, on my bandwidth. If you Googled the words modchik + homeloans you would have seen thousands of links hosted on my site.
I asked my knight in shining armor, why help now? After all my previous attempts, why this time? He said after reviewing my case that he could see that I was working hard to repair things and that I sounded like I was … “at the end of my rope?” I suggested. “Yes, end of your rope, so I took your case to a supervisor and got permission to intervene.” Hallelujah. In that moment I felt the heaviness lift from my shoulders, I think the clouds parted too. I blurted out that he was not only saving my blog he was SAVING me. No pressure. I told him I was willing to abandon my past work and delete the entire database if that was necessary but he said we wouldn’t have to go to that extreme.
Don’t become low-lying-fruit.
For the next few hours…. uh huh, hours, we worked together, correction, he worked and I took notes. I learned my site was being attacked by what they call a zombie (a computer slave to hands of a hacker) a hacker we traced to Brooklyn but really who knows. My site fell prey to hackers because I didn’t take steps to ensure its security, easily becoming what they call low lying fruit. Don’t become low-lying-fruit. Reminds me of that dont-wake-up-in-a-ditch post I wrote a year ago.
In the last few minutes of our call, I admitted I was afraid to hang up. I felt like I was cutting a lifeline, being shoved out of a nest. He thought that was funny. I don’t think he really knew how much what he did meant to me. I stalled for a few seconds and then said well, I guess this is it. Good-bye and thank you from the bottom of my heart Eric.
Today is the first day back, the site has a new look and a new direction. I’ve learned over the past year that you don’t need a fancy template with a bunch of bells and whistles. What you do need, besides good content, is a solid infrastructure with a good measure of security in place, something I totally overlooked and will always pay attention to. If you are a fellow blogger, learn from me and do your homework. Here is a list from my Evernote notebook I call Surviving Zombie Server Apocalypse.
Preventing a WordPress Hack
- Keep your Operating system updated.
- Keep your WordPress and all plugins and themes UP TO DATE. WordPress released 3.6 a few days ago.
- Delete all INACTIVE Plugins. Don’t let them just sit there, you are asking for trouble.
- Always BACK UP your database making sure you have a copy of the folder named WP upload <– that’s where are your images are stored.
- Routinely look for recent updates to any installed plugins, if a plugin is abandoned (no updates in a year) seriously consider replacing it with another reputable one.
- update prepackages software installed from the web. Secunia.com can advise you if you are running a vulnerable version.
- Add security plugins to your WordPress site (see list below)
Articles about Securing Your Site
How to Fix a Hacked WordPress Blog – JPratt
WordPress Security Guide – JPratt :: A 6 part series about securing your WordPress site or blog.
Dreamhost Wiki page My WordPress site was hacked :: an excellent start. I read this cover to cover.
WordPress Security Plugins
Bullet Proof Security :: stops the hackers at the htaccess files. Its pretty technical and may take some help getting it configured correctly to work with your server and other plugins.
Wordfence :: a free enterprise class security plugin that includes a firewall, virus scanning, real-time traffic with geolocation.
Better WP Security :: from plug in site “As most WordPress attacks are a result of plugin vulnerabilities, weak passwords, and obsolete software. Better WP Security will hide the places those vulnerabilities live keeping an attacker from learning too much about your site and keeping them away from sensitive areas like login, admin, etc.” (Works with WP ver 3.6)
Hide my WP ($20) :: this plugin cloaks your WordPress site,
VaultPress :: They offer database backups, real time scanning and one-click repairs, subscription required.
Sitecheck Sucuri :: Sucuri SiteCheck scanner will check the website for known malware, blacklisting status, website errors, and out-of-date software. Free scan with optional subscription service.
If you have any questions or found this article because you are going through something similar, please contact me I would be happy to share my resources.The information and links above are provided for general informational purposes only and are not intended or replaced as professional web developer advice. Please see the modchik disclaimer for more information. The lawyers I don’t have made me say that.