Update: Over the past several days I’ve been working closely with Sucuri to work through issues caused by the attack. Blog posts were disappearing, characters were appearing and I even had my own IP blacklisted. As a result of fixing these issues and sleuthing out any backdoor hacks you may have seen this post appear and reappear several times. I am so sorry and hope that this is all behind us.
The phone rings and somehow you know that the news is going to rip the fabric of an otherwise normal day. That is how I felt when my senior copywriter, Michele hit my cell over the weekend. Not that a call from her signals bad news but somehow my mind knew before my ears heard the news. My site had been hacked. In fact, I later discovered two of my sites had been hacked.
I felt violated, as though someone had ransacked my home and spray painted a note on the front door to mock me. Worse, a much needed weekend of rest had turned into a nightmare journey of fighting cybercrime.
I was not going to write this post, fearing that even using the H word would invite a return visit. But running scared is not my M.O. and this is an opportunity to help others avoid being burned by slimy human beings who break things for kicks.
Though I wanted to curl up in a corner and cry. I gave myself a 1 minute cry break, bucked up and did the following:
- Changed all of my passwords. I have always adhered to strong passwords but bumped it up a notch to super strong.
- Ran a virus scan on my computer (I use Webroot)
- Contacted my web host. My hosting company is amazing and they ran security scans on my site to help isolate the problem and navigate me through the crisis.
- Changed my website control panel and FTP passwords.
- Purchased a server monitoring subscription and initiated a repair ticket.
Getting hacked not only causes emotional distress but can damage your business. Malware can cause search engines to blacklist your site. Your site visitors can be infected. All of this can damage your reputation and bottom line. As a business and communications professional I urge businesses to have a plan and a backup plan. Your website is an asset and you should absolutely be proactive by taking every measure to secure it and have a good plan in place should something go wrong.
There were things I was doing well and others that I allowed to slip. Listed below are the lessons I learned that you can apply to your own business.
- Do not rely on one security measure. Your webhost may be great but if you use a CMS, themes, scripts or plugins you are still vulnerable to attacks.
- Just like the software on your computer, make sure that you are always running the latest version of your CMS, theme and plugins. Failure to upgrade may expose you to security vulnerabilities.
- Remove unused items. Delete any unused themes or plugins. Again, if you’re not using them you’re not updating them.
- Backup on a regular basis. Even if your entire site were taken down, a backup will ensure that you can restore your site quickly.
- Be judicious about what you install. Check out reputable sources for information on themes and plug-ins. Do research to see if there have been problems.
- Use very strong passwords. Follow the advice of security pros and include a mix of upper and lowercase letters, numbers and symbols. Do not use personal information such as birthdays, phone numbers and addresses.
As an additional resource I created a list of articles on keeping your site secure. Please feel free to add to it with tips and references of your own.
Getting hacked sucks, but like every crisis it can take you down or help you to fortify your defenses for the future. These attacks are not going away so it is important that we become educated about the resources that can help us be proactive.
Have you ever been hacked? Commiserate in the comments and share your tips for getting through it.
Karen Swim says
Oh Pat, so sorry that you endured that nightmare. My hosting company was also helpful and my hacking was obvious, as my home page was defaced. Yet, malware still requires some sleuthing so it took days to suss out other problems even though the site was disinfected immediately. Not fun.
Pat Williams says
Oh yes, I was recently hacked too and thanks to my web host, he found the problem and fixed it. I would never have known they were in my site except their code was created to use with basic wordpress themes. Since my site is custom, the code created problems and slowed it down. I’ve now made more challenging passwords and also I no longer use “admin” as a user name.
Karen Swim says
Hi Daria, oh it feels so good to be back! I think many WP people may also keep the WP default theme so they can activate it when they’re having problems for testing – bad idea! Delete unused themes including the defaults.
Daria Steigman says
So glad you’re back! Very useful advice (just thinking about plug-ins I should delete).
Oh, and I [heart] Webroot too.