January is “Help-I’ve-Been-Hacked” Month

Okay, not officially. But it sure seems like hacked is the new black. I had barely cleaned the New Year’s confetti out of my ears before I was called upon to reconstruct a WordPress site that had been completely taken down by some malicious files. Luckily, the database hadn’t been attacked, and I had a relatively recent set of site files. So, we were able to get that site back up and running within a matter of hours. Other websites have not been so lucky.

A notice arrived from Google a couple weeks ago letting me know that a site I maintain for a friend contained some suspicious files. I combed the site files for anything that seemed nasty, and ran a malware check, but couldn’t find anything wrong. So I reinstalled the WP core files and crossed my fingers. Three days ago, a similar notice came from Google about one of my own sites – a relatively dormant site that I set up for a developing side business. Very little content, but a plug-in that I hadn’t used before and wasn’t all that familiar with – the likeliest suspect as a vulnerability. I deleted the entire site and moved the whole thing over to one of my other host servers that I trust a bit more.

Consequently, however, I am stepping up the security features on all my sites. Not just making sure that all WordPress installations are kept up to date, but installing other security features, like login limiters, two-factor authentication and so on. It’s a bit more of a pain for me, but if it keeps the brute-force buttheads out, totally worth it.

Contrary to the popular image (and the overwhelming majority of stock photo examples!), the source of a website hack isn’t a dude in a hoodie tapping at his laptop looking for state secrets. The reality is much more mundane and much scarier. Full disclosure: I’m not in any way a website security expert. I try to keep up with the literature enough to keep my clients as safe as they can be without undue inconvenience; most of my clients’ sites don’t involve transactions involving large amounts of money or storing personal information of any kind. So, keeping sites secure is more about minimizing the risk of obnoxious e.d. or other stupid ads being injected into the home page content. By robots. Annoying but very persistent robots, trying millions of user/password combinations to gain access to an admin account. Sigh.

There are two steps to mopping up after a hack is detected. First, diagnosing where the point of entry was. With WordPress sites, it’s often an ill-considered and unvetted plugin that hasn’t been maintained by the original developer or whose code was easily exploitable. Sometimes, finding the source of the hack — the specific line of code that was added or changed — and fixing it is enough to get back on the road. Sometimes it’s not.
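One way to do that diagnosis systematically is to compare the live site against a known-clean copy of the same WordPress version (a fresh download of the core files, or a clean plugin archive) and list every file that was added, changed or removed. This is an added example, not code from the original post; it assumes you have the clean tree and the live tree side by side on disk, and the sample trees it builds are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file, read in chunks so large uploads don't exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each relative file path under root to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): hash_file(p)
            for p in root.rglob("*") if p.is_file()}


def compare_trees(clean_manifest, live_manifest):
    """Return (added, modified, missing) paths of the live tree relative to the clean one."""
    added = sorted(set(live_manifest) - set(clean_manifest))
    missing = sorted(set(clean_manifest) - set(live_manifest))
    modified = sorted(p for p in clean_manifest
                      if p in live_manifest and clean_manifest[p] != live_manifest[p])
    return added, modified, missing


def demo():
    """Constructed sample: a tiny clean tree and a live copy with one edited core file and one stray file."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for base in (clean, live):
            (base / "wp-includes").mkdir(parents=True)
            (base / "wp-includes" / "functions.php").write_text("<?php // original\n")
            (base / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        # Simulate what a compromise leaves behind: a changed core file and an unexpected new file.
        (live / "wp-includes" / "functions.php").write_text("<?php // original\n// extra line\n")
        (live / "wp-content").mkdir()
        (live / "wp-content" / "stray.php").write_text("<?php // not part of the clean tree\n")
        return compare_trees(build_manifest(clean), build_manifest(live))


if __name__ == "__main__":
    added, modified, missing = demo()
    print("added:", added, "modified:", modified, "missing:", missing)
```

Files that show up as added or modified are where to start reading; wp-config.php and the uploads directory will always differ from a stock download, so treat those as expected noise rather than evidence on their own.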

If you’ve got a set of daily backups — and believe me, you should! — you can try rolling back to the last date that you knew things were clean and happy. Generally that works, though not always. But it’s a way cheaper and easier option than rebuilding from scratch or from a two-year-old, incomplete backup.

I guess the main lesson is that there’s no one-size-fits-all solution to cleaning up after a hack. My experience is that every hack is a different animal, and with each one I learn a new little trick or method for patching things up. The real main lesson is to be prepared! In general, I suck at considering the Worst Case Scenario in life, but this is one place where I’m in your face about it. Back up your website at least every week! Make sure your password is hard! Change it often! Don’t share it! Don’t use public networks to log in to anything! Live with a little inconvenience to avoid a lot of inconvenience down the line.

Stay safe!