Woops. I published this piece wondering what I forgot, and it was my introduction for this article’s author, Anne Bender. Since it’s pretty late, and (contrary to popular belief) I do sleep once in a while, I’m simply going to go with “Anne is really cool and you should hang out with her at Anne On Life.”
Hacked. I Feel So Violated, Again!
-by Anne Bender
No joke: twice in two weeks I’ve been hit with malicious code on my site. The first time I rebuilt, lost stuff, moved on, fixed what I could, breathed a sigh of relief. The second time I almost cried.
I was devastated to say the least. It’s like an invasion of my home or car or … ME! Been there, done that. I carry my keys in my hand or pocket, never in my purse. Lesson learned.
February 19, 1993
There are few things we remember so clearly. For me, these things would include:
The birth of each of my children. Oh, yes, I remember all three vividly.
Being told it was not my fault I can’t cook since my mother didn’t teach me my proper role as a woman. Uh, I can cook, hole surrounded by ass!
And the day in February some stranger put a gun to me, my grandmother and my grandfather. When I was 8 months pregnant, and my grandmother holding my daughter Megan. Good thing I was poor and all he really got was my sense of security.
Seventeen years later, I still carry my keys in my hand.
Now, imagine my surprise to find my dashboard looking like that strange anomaly above. I started thinking “Oh, crap! not again!”.
See, this is how it started. The first time was my fault. I did not upgrade WordPress to its latest version. Normally I do, but I had heard rumblings of it not working quite right so I just didn’t. Mistake number one. Then, I changed themes without reading the instructions thoroughly. (Hmm, sounds like every guy I know.) Mistakes number two and three, trust me here. I didn’t back up my blog properly. Did you know there is this database file stored on your host server that you should back up? I thought something must exist, but again, I didn’t read the instructions first. Mistake, mistake, mistake.
I fixed it… no?
Step one – update WordPress. Of course, I had to update WordPress from within my site, then over on my host. This fixed my wonky dashboard.
Step two – get infected by malicious code which messes up my feed. Huh?
Never, ever, ever delete your feed. Never! Don’t do it. Don’t think it. Mistake number, oh I lost count.
Everything gets rebuilt from the bottom up!
Operation Fix Blog, take two.
First, I exported my blog using WordPress’ export feature under tools. I also noted how my site looked, widgets used, plugins I would want to reinstall, etc. Then, I moved all of my files directly from my hosting site. I was going to download them onto my computer, but my FTP program didn’t want to cooperate. Instead, I created a folder called godhelpme [no joke] and moved everything to there.
Breathe in, breathe out
Second, I reinstalled WordPress through my host. New installation, new user name, new passwords, new everything. And I waited.
After WordPress was up and ready to go I logged into my account and adjusted my settings. Here you want to change your permalinks to match your old style, re-check threaded comments if used, add profile information. At this point I stayed with the default WordPress theme. No major changes until all my information was recovered.
Here is where I ran into my first real problem.
I proceeded to import my previously exported file into my new WordPress install. My advice here would be to do a basic import and not elect to import images and such. This worked better for me, although not without its hiccups. See, not all of my posts came back.
In fact, most of my posts did not come back.
My site has posts dating back to November 2008 and through May 2010. During my first restore WordPress imported to June 2009. I hit that import button a minimum of 50 times. In the end I lost about 20 posts and had to recreate them from my feed reader and export file. I have no explanation for this as all of my posts were in that file. It could be my internet connection, my hosting provider, or just a glitch. No one could really explain this. I asked.
Time to Spruce Things Up a Bit
After everything was as close to its original state I proceeded to install my preferred theme and reinstall my most used plugins. This took the most time. Never wanting to be like everyone else, I opted to use Headway instead of Thesis.
One thing to note if you decide to go with Headway is your WordPress files must be in the parent directory. Some of you may like to use a sub-directory such as /blog. This will not work. Something to think about.
Headway installed, check. Plugins installed, check. Spackle, paint, polish, check.
Where are my images? Since my blog was originally in a sub-directory I copied my image files back into a newly formed, same name sub-directory so my old posts could find their pretty little pictures.
Then, I recreated my feed that I deleted [learn from my mistake]. I lost every single subscriber and I only had 36. So sad for various reasons. But it worked. Everything was up and running. No wonky dashboard. No malicious code. Life is good.
Until it happened again…
I was this close to deleting the whole thing. But I didn’t. This time I restored my site to a time when there was no malicious code. And I created this massively long, strange, phenomenal password. So far so good. Yet, my keys are in my hand now. I don’t feel as secure as I once did. My site has been violated not once, but twice in about a week’s time. I’ve gone through the depths of hell and come out the other side.
I lived to tell the tale: Back up, export, be vigilant.
Save your blog and your sanity.
Anne Bender resides in rural Virginia with her husband, 3 kids, 1 dog, and various chickens. She has an equal fondness for numbers and words, and a love-hate relationship with technology. Anne plans to live near the ocean, writing fun stories and really bad poetry. Visit Anne at AnneOnLife.



Anne, thank you so much for this. I consider it a privilege to run this piece of yours. So far, I consider myself really lucky NOT to have been hacked (that I know of). It might happen yet. Usually does once you have been on the net long enough.
Backups: I have to manually back up this site now as the database dump is now too large to email. I usually remember, good to be reminded.
.-= Dave Doolin´s last blog ..If You Want to Be a Better Blogger, Write Better =-.
Thank you, Dave. This was not something I believed would happen to my little home on the interwebs and yet, no one is off limits. It seems hackers are indiscriminate. Some may target specific sites, but for the most part it’s a random act.
On another note, it’s good to know you do sleep sometimes. I was beginning to wonder about that. Really, just yesterday I was thinking ‘does he ever sleep?’
.-= Anne Bender´s last blog ..laptop ad FAIL =-.
I recently purchased BackupBuddy – a WordPress plugin by the iThemes guys. It backs up EVERYTHING (not just your database) and you can either email it or if too large a file – automatically FTP it to a different server to where your WordPress, etc is installed.
Well worth the investment for peace of mind.
Andrew
.-= Andrew @ Blogging Guide´s last blog ..Income Blogging Guide Review =-.
I would agree this is no place to be cheap. Besides, I spent over a day fixing this when it happened (both times) and that definitely cost me something. Thanks for the recommendation, Andrew.
.-= Anne Bender´s last blog ..Ring Shopping & the One Meal a Day Diet =-.
Andrew, thanks. I have a couple of blogs now where the backup file is too big to email. I’ve been thinking I’ll just write a little sh script and run it as a cron job, but I never seem to get around to that. Buying this plugin might be the right thing to do.
.-= Dave Doolin´s last blog ..Blog Better with a Virtual Assistant: Tip #1 =-.
Hey Anne, I was also hacked twice in a short period of time with all sort of junky malicious code on my sites – even after I changed my passwords to crazy long strings after the first attack.
I’m curious if your attacked sites were hosted with GoDaddy as mine were??? The first time around they told me there was some crazy attack from China on one of the servers where my sites were hosted etc… but of course they were unable to offer me any help cleaning up the mess, unless I wanted to pay $150 per hour for it.
The second time they were unsure if there was a repeat of the attack from China, and again offered no help unless at the 150/hour rate.
Definitely curious about your experience, and made note to never ever under any circumstances delete my feeds!
Hi Loretta,
Yes, I’m with GoDaddy and no, they were of no help. The first time I researched their forums for answers, but didn’t contact them. I found the WordPress forums to be more helpful. The second time I contacted GoDaddy after reading about others having a similar issue. Also, the second hack was different. This time it didn’t have any effect on my feed. They told me it was a WP issue and not their problem.
Yeah, never delete your feed. Not sure what I was thinking. Live and learn.
.-= Anne Bender´s last blog ..laptop ad FAIL =-.
I’d personally consider finding a new host. Godaddy is one host that I think many programmers and web “geeks” would unanimously agree that they are not a good company to host sites with for more reasons than I can think of. It’s just a host idea for so many reasons. Just a suggestion.
.-= Jared´s last blog ..Important Update: Register Taxonomies And Post Types With Labels =-.
Getting hacked sucks, getting hacked twice – well… blows some more.
I’d be interested in hearing how it happened, or do you have any idea on that…?
I have made some simple security measures to my own blogs and closed them pretty tightly (so far so good) – sometimes I can’t even hack myself in :)
Of course, I still backup everything often and automatically, so in case something would happen, I’d be up and running in no time.
.-= Antti Kokkonen´s last blog ..WordPress Easter Egg – Spoiler free guide for finding it =-.
I’m not really certain how it happened. I have changed themes numerous times, but never while WP was needing an update nor to one that was required to be placed in the main directory of my site. I originally had my blog in the subdirectory /blog. When Headway would not work properly I started researching possible issues.
I updated WP through my dashboard. When that didn’t fix it, I moved all my files to the main directory. Next, my dashboard looked like the image above so I investigated that. I found that I needed to update WP from my host. I did that and everything was fine. The next day I noticed my feed didn’t work. Malicious code had been injected into my site and there were two ways to fix this: delete and start over or go through every single file and remove the code. I backed up my posts, deleted WP and started over again.
The second time my feed was fine, but the dashboard was off. This time I made note of the last few posts I had written and restored my site to 3 days earlier when things were fine.
My thought was some time during all of the moving and tweaking I opened my site up to something. Not to mention I keep hearing sites hosted through GoDaddy are having issues. I’ve been with them a year with no problems until now.
I’m so sorry to hear about this. I’ve had a similar situation happen before, only I was phished, and the person who phished me was logged into my wp admin at the same time I was, so therefore changing my password at that time would not matter, as they would just change it again, and they weren’t logged out when I’d change it, and once I logged out, they were still logged in. So I was forced to delete my entire site, database and all due to the fact that they had made the homepage black with an image, and “hacked by..” message, along with a virus that would proceed to download when going to the site. It wasn’t a fun thing at all.
Anyways, about this. Do you by chance have any other websites which you run, and host either on the same, or another server/webhost? Because it is possible for hacker bots to find a way to install itself on one site as a sort of “sleeper bot” which can silently execute and inject code into an entirely different domain, even if hosted on a completely separate server. In the past people have noticed in the source code of their site all kinds of spam links and text that was hidden using css “display:none” code. So you wouldn’t know it was there. But when found and removed, that “sleeper bot” would just do the same thing again, and the hidden spam text would be in the other site’s source code again.
Not sure if this is what happened, or if your server itself may have been hacked like Loretta mentions above about godaddy.
First and foremost, DO NOT USE GODADDY.
Besides that, my suggestion would be keep an eye on your site’s source code when viewing it in a browser (go to edit>view source or right click page>view source) and just do a quick skim of the code for any kind of strange or inconsistent looking code in comparison to the rest of the source.
And look into some good security plugins, for example: http://wordpress.org/extend/plugins/wp-security-scan/
Get this one, and look at others that are for other various things too.
20 security plugins to keep hackers away –>
http://blog.taragana.com/index.php/archive/20-wordpress-security-plug-ins-and-tips-to-keep-hackers-away/
I hope for your sake that this never happens again too. Best of luck :)
.-= Jared´s last blog ..Important Update: Register Taxonomies And Post Types With Labels =-.
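The source-code skim suggested in the comment above can be automated. The Python sketch below is an added example, not code from the original post or its commenters: it flags links that sit inside markup hidden with an inline `display:none` style. The sample page and its `spam.example` URLs are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Inline style that hides an element. Hiding done through a stylesheet class
# is NOT detected by this sketch; it only inspects style="" attributes.
HIDDEN = re.compile(r"display\s*:\s*none", re.I)
# Elements that never get a closing tag, so they must not be pushed on the stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}

class HiddenLinkFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []       # (tag, is_hidden) for every open element
        self.findings = []    # (line, href, anchor text)
        self._link = None     # hidden link currently being collected

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = bool(HIDDEN.search(a.get("style") or ""))
        inside_hidden = any(h for _, h in self.stack)
        if tag == "a" and a.get("href") and (hidden or inside_hidden):
            self._link = {"line": self.getpos()[0], "href": a["href"], "text": []}
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_data(self, data):
        if self._link is not None:
            self._link["text"].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._link is not None:
            text = "".join(self._link["text"]).strip()
            self.findings.append((self._link["line"], self._link["href"], text))
            self._link = None
        # Pop back to the nearest matching open tag (tolerates sloppy HTML).
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def find_hidden_links(html):
    """Return (line, href, text) for each link hidden via inline display:none."""
    finder = HiddenLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: two visible links, three hidden spam links.
SAMPLE = """<html><body>
<h1>My blog</h1>
<p>Visit <a href="https://example.org/about">about</a><br>today.</p>
<div style="display:none">
  <a href="http://spam.example/pills">cheap pills</a>
  <p><a href="http://spam.example/loans">fast loans</a></p>
</div>
<a href="http://spam.example/casino" style="DISPLAY : none">casino</a>
<p><a href="https://example.org/contact">contact</a></p>
</body></html>"""

if __name__ == "__main__":
    for line, href, text in find_hidden_links(SAMPLE):
        print(f"line {line}: hidden link to {href} ({text!r})")
```

Run it against a saved copy of the page as served to visitors, and compare the findings with a known-clean backup to spot what was injected.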
I second that WP Security Scan suggestion. I think I have an article buried on here somewhere about it too.
I definitely have an article explaining how to remove the admin user, from back in March 2009.
.-= Dave Doolin´s last blog ..If You Want to Be a Better Blogger, Write Better =-.
Not using the admin account is easy. I’ve posted a few ways to change the default admin account here: http://new2wp.com/noob/why-shouldnt-use-wordpress-admin-account/
But the easiest way is to just create a new account that has administrator access levels, logout then login with the newly made admin account, and then delete the default admin one, and attribute all/if any posts made using it, to your new admin account. Simple as that.
.-= Jared´s last blog ..Important Update: Register Taxonomies And Post Types With Labels =-.
I’ve been keeping an eye on my other site. It’s with a different hosting service and appears to be unaffected. I hadn’t even thought to check my source code. And I’m definitely going to check into those security plug-ins. Thanks.
Woah, great timing. Well, obviously not great timing to be hacked; I meant great timing on the post.
Yesterday I discovered I’d been hacked and literally everything is gone. Rebuilding today (though, I’m actually almost looking forward to it now). Hope it doesn’t happen to you again though, it’s a horrible feeling.
I was in the process of changing the look of my site, so it wasn’t too big of a deal to rebuild. The problem came about when I lost most of my posts and I had just started writing some paid posts. Those had to go back up. Then, of course, there was the feed issue. One thing I found was I was not alone. Many people had reported having similar issues and posted their resolutions. After that it was one deep breath and the push of a few buttons.
Good luck with your rebuild and here’s to keeping future hackers away.
.-= Anne Bender´s last blog ..Uh, Excuse Me? =-.
Thanks, may need it. Luck to you too!
Very demoralizing really, but it’s not a huge big deal – just a matter of calming down before you start changing things I think.
Bummer Anne, that’s really sucky that you had to go through that.
I’d recommend using the Login LockDown plugin by Bad Neighbourhood.
http://www.bad-neighborhood.com/
It’s a lifesaver.
.-= Josh Kohlbach´s last blog ..Back Woes, Book Reviews, and Tuantuan Sleeping Bags =-.
I’ve used login lockdown myself. It works well.
Nowadays I just turn off registration, and register people manually as needed. Avoids that whole rpc danger.
.-= Dave Doolin´s last blog ..Blog Better with a Virtual Assistant: Tip #1 =-.
Anne, you might try importing your posts but leaving the “import attachments” check box unchecked. I was importing an export into a test site and discovered that if you have an attachment fail all posts after the attachment get lost even when it says they are there…Unchecking the box brought them all in, at least for me.
.-= Coffeemuses´s last blog ..A Rerun Of Spring =-.
I suspect I’ll be referring to your comment in the future!
There is so much to know in this field.
.-= Dave Doolin´s last blog ..Social Media: Incremental Not Exponential =-.
I remembered from the last time I had to import posts that it wasn’t necessary to check the attachments block. I did try it both ways since I was having issues anyway. Unfortunately, I still lost about 20 posts and all the comments that went with them. I imported more than 50 times and was thankful to only lose that many posts. I couldn’t find anyone with a similar issue and finally gave up and just recreated those last posts.
.-= Anne Bender´s last blog ..What a Hack! =-.
An anonymous reader tweets:
“Read your hacked post. Good stuff. I use Semi-secure login for WP http://bit.ly/bV7Iv9 Didn’t comment because I don’t advertise my security”
The short link is http://wordpress.org/extend/plugins/semisecure-login-reimagined/
.-= Dave Doolin´s last blog ..Social Media: Incremental Not Exponential =-.
Anne, I definitely feel your pain. I had my WordPress blogs on Godaddy hacked twice this month.
That, and a few other reasons, are why I left Godaddy.
.-= John Soares´s last blog ..Why I Left Godaddy Hosting =-.
Man…I’m going to come up to speed on this stuff pronto. You’re scaring me to death…ugghh.
Brandon
Do a back up right now! In fact, I’ll do one right now too, only takes a couple of minutes.
.-= Dave Doolin´s last blog ..Social Media: Incremental Not Exponential =-.
What a story and one that I have learned a lot despite being fortunate of not (yet) being violated. I am glad that despite all the “hell” you went through you still managed to put it back up again. I have to honestly admit that I rely purely on my webhost to do the backups for me and use this nifty little plugin I learned from Dave’s previous post.
I’m having to do manual backups for WiaW now, the zip file is too big to email.
I’m seeing this whole backup thing as something I need to add to the Blog Maintenance Challenge. I thought everyone kept up with backups. They don’t!
.-= Dave Doolin´s last blog ..If You Want to Be a Better Blogger, Write Better =-.
Omigosh Anne – can I ever feel for you!
I had my own run in with my site but it was something I did and poof! It disappeared just like that. I can definitely relate to how it feels to lose all your hard work, but twice and through no fault of your own!
Admiration going out to you for having the patience and tenacity to restore – good on you (and may the hacker(s) eat nails and suffer from indigestion for the rest of his natural life)
.-= Valentina´s last blog ..Frank Kern’s State of the Internet Address =-.
I hope you’re backing up (or checking your backups) regularly.
Don’t recall how your service works… I’d want to keep an eye on everything anyway.
.-= Dave Doolin´s last blog ..The Queen of GPO Speaks – violetminded Spills It =-.
I strongly second the frequent backups.
You can also use an ftp program to copy all of your files to your hard drive.
.-= John Soares´s last blog ..Why I Left Godaddy Hosting =-.
And if you get hacked, see if your hosting provider has a roll-back feature. This allows you to go back to an earlier set of files for your site, earlier than the hack.
This is what I did when I was hacked on Godaddy. I then had a clean site and had the time to go (try) to plug my security leaks.
.-= John Soares´s last blog ..Why I Left Godaddy Hosting =-.
I’ve had a few complete blackouts which were invariably mine or my host’s fault (BlueHost). The backup software has saved the day more than once and I now use it religiously. In fact, gotta run a backup right now…
.-= Jorgen @ Personal Branding´s last blog ..How to Land a New Gig with Twitter =-.
Nice to see you here, the other Anne!
I have lost count of the times my sites have been hacked. It’s the bane of running too many sites – you just can’t have everything up to date at all times. Worse was when my main site got DDOSed – which is worse than hacking. I lost a lot of income thanks to those idiots…
.-= Anne´s last blog ..Web Design for iPhone =-.