A few days ago, Stratos’ Sphere was hacked, or “defaced”. I’m guessing that’s what it was, because the attached image was what visitors would see, instead of my blog. This was quite ironic, actually, since I had just attended a security seminar (at work) where the “I’m safe because I’m small” attitude was found to be one of the most frequent reasons leading to hacked sites.
Here’s my account of what I had done wrong to end up with a hacked blog and what I did wrong while trying to recover, which may help others to avoid this situation or to make a faster and easier comeback.
To set the premise, let me point out that my blog is self-hosted and that I’m using a shared hosting service. I have my own domain name and I’m using cpanel in order to manage the hosted domain. So, what are the lessons I’ve learned?
Here’s my list of DON’Ts:
- Don’t panic. It’s bad, but it won’t get better with you acting all crazy. Try to search Google with the hacker’s message. See if the hacker usually leaves everything intact (except for the front page). Check out how other people recovered from attacks from the same hackers. Maybe it’s very simple to get your blog right back up (so as to tighten security afterwards). Maybe you can still make some long overdue backups to save your posts and content. Then again, maybe not.
- If you don’t know much about security or if you’re not technically inclined enough to try and become a security expert in 15 minutes, then don’t try to fix anything by yourself; ask your host for help first. Submit a ticket with something like “Urgent! WordPress blog HACKED!” as the subject. That will draw their attention. Maybe they also offer a relevant protection or recovery service you never bothered to learn about before.
- If you contact your host and ask for help, don’t go doing things on your own in between (like restoring databases or changing passwords). Wait for their advice first and then work with them.
- If you can still access cpanel and decide you should, aww… I don’t know, maybe delete unused ftp accounts with easy passwords, just remember NOT to delete the ftp user “wordpress”, because that would wipe your entire wordpress installation (been there).
- Don’t try to restore any backups if you haven’t checked the backup logs first! Check for backup errors that you never cared to look for before, because otherwise you could end up restoring a one-day-old backup file containing one-month-old data (done that).
As for things to do, the first thing should be to always keep your wordpress installation and all the installed wordpress plugins updated. With that as a given, here’s my list of DOs:
- Do install a security plugin. Search wordpress.org and check out one of the first three plugins that come up.
- Do take the time to set up the security plugin completely and thoroughly. That includes tweaking .htaccess files and changing file permissions and access rights, but it’s worth it.
- Some security plugins are affiliated with security scanning services. The free version of those is most often far from elementary, and it’s certainly better than nothing. Do try them and then make a point of implementing their suggestions.
- Do take the trouble to revisit the security plugin issue at least once every three months, by searching again in wordpress.org. If there’s something newer and better or more popular or better rated, do a thorough assessment and consider changing your security plugin.
- Do install and set up a backup management plugin. Set it up to check database integrity, as well as optimize and back up your databases on a regular basis. How regularly? Well, banks do incremental backups every 15 minutes. On the other hand, a typical blog would be ok with daily backups, I suppose. You’ll be the judge of that.
- Do use compression for your backup files when possible, because it would be really helpful if you could have them emailed to Gmail or some other really big mailbox that you may have.
- At least once a week do go to cpanel and do a full domain backup. After it’s completed, download the file and keep it secret, keep it safe (either locally or on some encrypted cloud drive). This way, if all else fails, the worst case scenario would be limited to losing your posts between the hacker attack and the last known good full domain backup.
- Do locate the closest friendly hacker/security expert and ask him to assess your blog. Beware, “remote friendly hacking attacks” may be illegal in some countries.
- Do seek the professional services of a security expert as a last resort, if you don’t have any backups or if you don’t want to overwrite everything with old backup data. In such cases, you can only clean up the mess by hiring someone to do the work. Hint: sometimes, the writers of wordpress security plugins are (or are affiliated with) security experts 😉
- Do thank God for hackers. Most of the time they are a priceless wake up call and a crash course in humility, not a disaster. Not all hackers are crackers.
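The two backup lessons above, the DON’T about restoring a backup before checking it and the DOs about regular compressed database backups, come down to one habit: verify an archive before you trust it. The script below is an added example, not code from the original post or from any backup plugin it mentions. It assumes the backup is a gzip-compressed SQL dump (as produced by mysqldump or a typical backup plugin export) and that the posts table is named `wp_posts`; the sample dump it builds is constructed for the demonstration. It catches both failure modes described above: an archive that will not decompress, and a fresh-looking file whose newest post is older than it should be.

```sh
#!/bin/sh
# Added example (not from the original post): sanity-check a WordPress
# database backup BEFORE restoring it.  Two checks are shown:
#   1. the compressed archive is intact (it decompresses without error);
#   2. the newest post date inside the dump is at least as recent as the
#      date you expect, so a "one-day-old file with one-month-old data"
#      is caught before it overwrites the live site.
# Assumptions: the backup is a gzip-compressed SQL dump and the posts
# table is named wp_posts.  The sample dump below is constructed.
set -eu

# Write a small constructed dump with two posts, gzip it, print its path.
make_sample_dump() {
  dir=$1
  cat > "$dir/wp.sql" <<'EOF'
INSERT INTO `wp_posts` VALUES (1,1,'2024-02-01 10:00:00','2024-02-01 10:00:00','Hello world','hello-world','publish');
INSERT INTO `wp_posts` VALUES (2,1,'2024-02-20 08:30:00','2024-02-20 08:30:00','Second post','second-post','publish');
EOF
  gzip -f "$dir/wp.sql"
  printf '%s\n' "$dir/wp.sql.gz"
}

# Check 1: does the archive decompress cleanly?  Exit status 0 = intact.
archive_is_intact() {
  gzip -t "$1" 2>/dev/null
}

# Check 2a: print the newest YYYY-MM-DD found in any wp_posts row.
# Both post_date and post_modified are scanned; the maximum of all of
# them is a usable "last activity" indicator for the dump.
newest_post_date() {
  gzip -dc "$1" \
    | grep 'INSERT INTO `wp_posts`' \
    | grep -o "'[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\} [0-9:]\{8\}'" \
    | tr -d "'" | cut -d' ' -f1 | sort | tail -n 1
}

# Check 2b: is the dump's newest post date >= the expected date ($2)?
# ISO dates order correctly as plain strings, so sort decides.
backup_is_fresh() {
  newest=$(newest_post_date "$1")
  [ -n "$newest" ] || return 1          # no posts at all: treat as stale
  later=$(printf '%s\n%s\n' "$2" "$newest" | sort | tail -n 1)
  [ "$later" = "$newest" ]
}

# Demo run on the constructed dump.
workdir=$(mktemp -d)
dump=$(make_sample_dump "$workdir")
if archive_is_intact "$dump"; then echo "archive: intact"; else echo "archive: CORRUPT"; fi
echo "newest post date in dump: $(newest_post_date "$dump")"
if backup_is_fresh "$dump" "2024-02-15"; then
  echo "backup is fresh enough to restore (expected >= 2024-02-15)"
else
  echo "backup is STALE, do not restore blindly"
fi
rm -rf "$workdir"
```

To use it on a real export, source the functions and run `backup_is_fresh /path/to/dump.sql.gz 2024-02-15`, where the date is the last day you know you published something; a non-zero exit means the "one-day-old" file does not actually contain recent data and the backup logs deserve a look before anything is restored.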
DO and DON’T:
- Do try new things, but don’t get greedy: When you’re looking for some functionality and then you see a new shiny plugin which does just that, first check the plugin for reviews, update frequency, bug fixing commitment and programmer reputation. Poorly implemented plugins are gateways to your admin rights.