I’ve been blogging since 2008. I thought I was knowledgeable in the ins/outs of blogging. Boy, was I wrong. Last week, my blog was hacked. I couldn’t access it to fix it. I felt vulnerable. I felt helpless. I’m writing this post so you don’t have to experience this for yourself.
I had no warning. I thought my blog was secure. It wasn’t. Little did I know, someone accessed my blog, installing code into my template that forced a redirect to another web site. But that wasn’t enough. Little by little the very content of my blog was destroyed by this individual. By that afternoon, I couldn’t access my blog at all. When anyone would try to access my blog, they would get the “white screen of death.” I thought backing up my site was enough security. I mean, it makes sense, right? Wrong.
I enlisted (paid for) the help of a company that vowed that it would scan, repair & remove malicious content on a web site in a matter of a few hours. Eight hours later, this company stated that no malware/viruses were detected. They kept insisting that all of my problems (including the redirect) were due to an outdated version of WordPress. “Update your WordPress!” they said. Well, I can’t do that if I can’t access my site! Frustrated, I reached out to the Twitterverse and dozens of knowledgeable, understanding bloggers responded to my plea. I subsequently requested, and received, a full refund from this company.
Meanwhile, I continued to maintain contact with the company that hosts my blog. Initially, they indicated they would be unable to help. But, at this point in time, I found the malicious code, removed it, and now needed to block the back door access the hacker was using to get to my blog. By 4 pm (nearly 36 hours after the attack) I had complete access to my blog again.
There are still a lot of unanswered questions. The hacker started the attack by adding the redirect code to my blog theme. I deleted the theme, downloaded a fresh version from the designer and within moments, the white screen would return. Even after all the security searches and scans, the moment I reactivate that theme my blog goes wonkers. I’m sure there is some code hiding somewhere in my blog that is causing this. Deleting the theme, for me, seems to be the best and safest way to deal with it.
All this said, no one should have to go through what I did. So, the point of this post is to give you ways to prevent this from happening to you. Following are some quick (and relatively easy) steps to maintaining the security of your self-hosted WordPress blog:
- Keep your WP current and updated. I know all the updates are annoying but, with each one, WordPress is providing you with a safer version. When a security issue or other problem is indicated, they issue an update. While the continuous updates seem annoying and unnecessary, they are the first level in keeping your blog safe & secure.
- Keep your plug-ins and themes updated. Outdated themes and plug-ins make your blog vulnerable. Keep your active plug-ins updated. Delete any plug-ins or themes that you aren’t using or won’t be using in the near future.
- Password integrity! Regularly change your passwords! This includes your WP passwords, your host passwords, & your ftp passwords.
- Back up your blog! This should be a given, but it’s not. Don’t just back it up once a month or once a week. Back it up every day. There are several plug-ins that allow you to do so. Each update overwrites the previous and can be sent directly to your Dropbox, Google Drive, email, etc.
- Use some sort of security on your blog! I personally use a plug-in called iThemes Security Pro (Thanks, Jennifer, for the recommendation). It not only scans your blog for unauthorized access, but also provides tools to keep your blog safe & prevent hackers from gaining access.
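One check that goes with the steps above, as an added example that is not part of the original post or of any plug-in it names: compare the files of an installed theme against a fresh copy downloaded from its designer, and list every file that was changed or added. The function names and the two directory arguments are assumptions for illustration.

```python
import hashlib
import sys
from pathlib import Path


def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_theme(clean_dir, installed_dir):
    """Compare a known-good theme copy with the copy on the server.

    modified: present in both, contents differ
    added:    only on the server (not shipped with the theme)
    missing:  shipped with the theme but gone from the server
    """
    clean = hash_tree(clean_dir)
    live = hash_tree(installed_dir)
    return {
        "modified": sorted(f for f in clean.keys() & live.keys() if clean[f] != live[f]),
        "added": sorted(live.keys() - clean.keys()),
        "missing": sorted(clean.keys() - live.keys()),
    }


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: compare_theme.py CLEAN_DIR INSTALLED_DIR")
    report = compare_theme(sys.argv[1], sys.argv[2])
    for kind in ("modified", "added", "missing"):
        for name in report[kind]:
            print(f"{kind.upper():9} {name}")
    # A non-zero exit status lets a scheduled job raise an alert on changes.
    sys.exit(1 if report["modified"] or report["added"] else 0)
```

Run it against a copy of the theme folder pulled from the server; any file listed as modified or added is one to open and read before the theme is reactivated.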
All of these suggestions are relatively easy and require little technological savvy to implement; a little that will go a long way when it comes to keeping your blog safe! Any questions?