Yes, it is true. Yesterday, my website was hacked.
And it really sucked.
My whole day was basically spent trying to figure out what to do, and how to get my site back up! I wanted to pass on what I learned to help you! I already had some security features in place, but I obviously was not protected in many areas. I take my vitamins, try to get enough sleep, exercise, eat right, but I need to protect my website as well! As I told Sammy, there are mean people out there!
Let’s backtrack. About a month ago, I woke up one day and was concerned about losing everything on my blog. That day, I signed up for Vaultpress, which I highly recommend. I do back up my blog’s database on a weekly basis, but if something happened, I would have to restore everything. With Vaultpress, they take care of everything, and it costs me $15 a month. I work in IT and see people lose files all.the.time, so it is important to me that I have something to fall back on if anything happens.
Later that same week, I had a problem with my theme on my blog, and my site just crashed. I actually needed the backup! So glad I listened to that voice in my head telling me to back up my blog!
Not too long after that, Glenneth posted on ways to make your blog healthy. At that time, I thought my blog was healthy! I installed some security related plug-ins, and one of them emails me to alert me of changes to my site. A lot of the security settings say that they can cause problems with themes and plugins, so I was trying to be careful, changing 1-2 settings a day. I JUST turned on the setting that will lock people out of your site if they have multiple failed attempts. Wednesday night, right as I was going to bed, I got an email saying an IP address had been locked out of my site, and they could retry their login in a few hours. “Oh good” I thought … I was super tired, so I just went to bed. Well, when I woke up in the morning, I could not get on my site for the life of me. It was reeaaallly slow, and I kept getting error messages. Looking at my emails, that same IP address had tried to access my site again, and once again got locked out. Apparently, the third time had been the charm for them! After letting my coffee get cold about 5 times, I finally figured out I had been hacked. I mean, there isn’t a big warning sign that says “GOOD MORNING, How’s that coffee? Oh BTW I hacked into your site!”
So, if this ever happens to you, here are some tips! Please note, I use WordPress, so these are all based around WordPress plug-ins and settings.
So you’ve been hacked … now what??
1. Scan your computer for viruses. I also cleared the cookies and cache in my web browser, to make sure that when I pulled up my site, it was what the site currently looked like, not a cached version on my computer.
2. Change all your passwords – your WordPress admin login, your FTP password (this will have to be done through your host), and your database password. To me, changing my database password is the scariest part! Once you change the database password (again, this will be through the company that hosts your site), you need to change the password in the wp-config.php file. When you view this file, you should see the user name for your database (DB_USER) and the password (DB_PASSWORD). This will walk you through changing it. Once you change the database password, your site will be down until you update the password in the wp-config.php file. Even after you change it, it will take a few minutes to propagate. I might have had a few heart attacks while waiting for it to come back up!
3. Even after you change your passwords, a hacker could still be logged in: their login cookies could still be valid, so they could still have access to your site. To log them off, you will need to generate a new set of secret keys and salts (this link will generate a set of new keys) and then update them in your wp-config.php file (same place where you changed the database password). It really is a simple copy and paste.
4. Check your .htaccess file. Many hackers insert code in this file. This is what a healthy .htaccess file should look like. I could not really tell if my .htaccess file was good or if it had been hacked, so I deleted it and regenerated it. You do this by going to Settings – Permalinks, re-choosing your permalink structure, and saving. I also have a setting that does not allow any changes to be made to my .htaccess file through my dashboard, so I had to do this through FTP. My host has a great article here on the steps you need to take.
5. In some cases, you may need to delete everything and start over. If you do have to restore your site, make sure you do it from a backup that was taken BEFORE the hack. No sense restoring a hacked site!
6. After you get your site up, make sure to update everything! WordPress just released a security update (and I had updated mine before this happened!) Make sure that when there are updates, you install them, because they really are for your protection! I am bad sometimes about ignoring the updates, thinking I will do them later “when I have time”. ha ha ha
7. If you don’t have the answer to something, google it! I had so many tabs open on my web browser, it wasn’t funny. This checklist also was a great help to me.
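Steps 2 to 4 are all edits to two files, wp-config.php and .htaccess. Here is an added example, my own and not code from the original post or from WordPress, that does those edits from a shell on a copy of the site (for instance one you downloaded over FTP/SFTP): it generates fresh keys and salts locally instead of pasting a set from a web page, rewrites the eight key/salt lines and the DB_PASSWORD line, and compares .htaccess against the stock rewrite block WordPress writes when you save your permalinks. The constant names (DB_PASSWORD, AUTH_KEY and friends) are the real ones WordPress uses; the sample wp-config.php, the tampered .htaccess and the example.invalid domain are constructed for the demo.

```shell
#!/bin/sh
# Added example: rotate wp-config.php secrets and check .htaccess on a local
# copy of a WordPress site. Not code from the original post or from WordPress.

# The eight secret key/salt constants WordPress reads from wp-config.php.
WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# gen_salt: 64 random printable characters from /dev/urandom. The character
# set deliberately leaves out ' \ / & and |, so a value is safe inside a
# single-quoted PHP string and inside the sed replacement used below.
gen_salt() {
  head -c 4096 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^*()_+=:;,.?' | head -c 64
}

# set_define FILE NAME VALUE: replace the value in define('NAME', '...').
# VALUE must not contain ' \ / & or | (see gen_salt).
set_define() {
  sed -i.bak "s|^define( *'$2', *'[^']*' *);|define('$2', '$3');|" "$1"
  rm -f "$1.bak"
}

# get_define FILE NAME: print the current value of define('NAME', '...').
get_define() {
  sed -n "s|^define( *'$2', *'\([^']*\)' *);.*|\1|p" "$1"
}

# rotate_salts FILE: give every key/salt a fresh value. WordPress login
# cookies are signed with these, so this logs everyone out (step 3 above).
rotate_salts() {
  for k in $WP_KEYS; do
    set_define "$1" "$k" "$(gen_salt)"
  done
}

# default_htaccess: the stock block WordPress writes on Settings -> Permalinks.
default_htaccess() {
  cat <<'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
EOF
}

# check_htaccess FILE: return 0 if FILE matches the stock block (ignoring blank
# lines and surrounding whitespace); otherwise print the differences, return 1.
check_htaccess() {
  default_htaccess | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -v '^$' >"$1.expected"
  sed 's/^[[:space:]]*//;s/[[:space:]]*$//' "$1" | grep -v '^$' >"$1.actual"
  if diff "$1.expected" "$1.actual" >"$1.diff"; then
    rm -f "$1.expected" "$1.actual" "$1.diff"; return 0
  fi
  echo "$1 differs from the stock WordPress block:"; cat "$1.diff"
  rm -f "$1.expected" "$1.actual" "$1.diff"; return 1
}

# --- Constructed sample files for the demo (not a real site) ---------------
WORK=$(mktemp -d)
cat >"$WORK/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'blogdb');
define('DB_USER', 'bloguser');
define('DB_PASSWORD', 'old-password');
define('DB_HOST', 'localhost');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
EOF
# A tampered .htaccess: the stock block plus one extra rule (constructed).
{ default_htaccess; echo 'RewriteRule ^(.*)$ http://example.invalid/$1 [R,L]'; } >"$WORK/.htaccess"

set_define "$WORK/wp-config.php" DB_PASSWORD "$(gen_salt)"   # step 2: new DB password
rotate_salts "$WORK/wp-config.php"                           # step 3: new keys/salts
check_htaccess "$WORK/.htaccess" || echo "review $WORK/.htaccess by hand before trusting it"
```

The database password you write into wp-config.php has to be the same one you set at your host, so in real use replace the random value with the one from your hosting control panel (or set the random one there). The .htaccess check flags anything that is not the stock block, including legitimate additions such as an HTTPS redirect, so treat a difference as "look at this", not as proof of tampering.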
Here are the plugins that I installed to protect my site:
Akismet – filters out and protects you from spam. This is one of the first plugins I installed when I changed to a self-hosted blog.
Exploit Scanner – this will scan your site for any suspicious activity in your files and database. Of course hackers don’t make it easy for you to find what they have left behind, so this can tell you what to look for.
TAC – Theme Authenticity Checker – this plugin will scan your themes, and tell you if there is any malicious code in them, or vulnerabilities. Since I had just changed my theme, this made me feel better that it is safe!
WordPress Database Backup – this backs up my database on a weekly basis, and emails the backup to me. I just file them, in case I need them. Even though I also use Vaultpress, I like to have a copy of my database in my own sweaty, greasy hands.
WP – Mal Watch – a great plug in that scans your site, and will email you of any activity – uploading files, people getting locked out of your site (hint hint!), changes to your htaccess file, or even keyword scans.
I feel 100% more confident that my site is (more) secure. I’m sure I will be hacked again at some point, but I am breathing easier! Hopefully this will help someone out there!
Question: Any other hints or measures you take to protect your website?
Update: The day after I wrote this, I had some additional problems with my site! I found that the Better WP Security plugin was causing my site to crash. I had to manually remove it via FTP because I could not access my dashboard! I also found other people having the same problem… so it wasn’t just me! I ended up changing to Bulletproof Security, which has a ton more settings, and has not caused me any problems!
Another measure I took was the Sucuri Scanner. This is a WordPress plugin that will scan your site for malware. It found a bunch of malware on my site, and I ended up paying them to remove it! It was another expense, but so much easier than having to do it myself! The files were in hidden areas where I never would have found them, so it was totally worth it to me!
Whew … this process exhausted me! I do feel so much more secure, and learned a ton! Let me know if I can help you if this ever happens to you!