Some friend bloggers’ hacking experiences brought me back to the time I got hacked. Perhaps, my experience could help others deal with theirs, or better yet, help prevent it happening to them.
Back in January 2010, my blog got hacked. You can read about it in a post called h-a-ck-e-d and hacking begginers. Had that hacking experience not happened, I would still be evading or postponing much needed anti-hacking security measures, the way I evaded anything that, though important, entails a lot of work. Hmmm, this reminds me of some other matters that I have put off for a long time, like CPA, listbuilding, and other undertakings which may prove to be profittable. This post itself is long overdue, as some blogger friends had long invited me to guest blog about my hacking experience and what I did about it. Procrastination. Yeah, i even procrastinated about the need to overcome my procrastination.
Post Hacking Damage Control
First off, “I told you so”. I had browsed through a lot of blog security articles before but never really took them seriously. I thought I was an exception to the rule and my blog wouldn’t be hacked. After all, who would be interested to hack a blog that doesn’t have that much following? So, after finding out about the hacking, I had to wallow in the proverbial “I should have…” moment.
After a speechless minute, I proceeded to contact my webhost. Following protocol, they have suspended access to the login page to prevent further damage. I contacted my host and I was given back access to my site.
The first thing I did was to search for that hideous page that replaced my original main page. It was an index.html file that usurped my index.php page. On refreshing, the original main page flashed back to life and I realized how beautiful it was. Then, I had to browse through each file and folder in my account to restore proper permissions. Following the rule of 755 for folders and 644 for files, this exercise took me a painful couple of days to restore just the file/folder permissions structure of the main domain site. I have yet to check the files and folders of the subdomains and add-on domains under it.
I thought that was it. For a few days, the blog continued on its merry way, only to be totally suspended again after the webhost received feedback that my blog has been tagged as a phising site. This time, the blog and all my other add-on sites, both earning and non-earning, took unwanted vacations for a little over a week. My webhost did their own scans and found a script which had been planted in an interior folder (in the default theme folder! How clever!). The script was the culprit for the phising activites. It has something to do with trying to fool email recipients into revealing their paypal data, using my domain as the source of the scamming stupidities. The webhost renamed the file to stop it from executing itself but left it up to me to delete it. Thus, I promptly deleted it and its zipped version. Imagine someone using a sledgehammer to smash a trapped mosquito. That’s how I felt back then.
Whew! Finally it’s over! In its 8 days of non-operation, I only lost the opportunity to earn a little less than a thousand dollars, ok, kidding, actually just a few measly dollars (as my websites are relatively new and not earning much yet). I can only imagine how much the more established webmasters would have lost in the same period.
Wait! A week later, I received an email from my host that I have exceeded the email sending limit. What? At first, I thought it was my test self-hosted autoresponder that’s probably gone bonkers, but after deactivating it, the sending limit warnings kept on coming. After another combing through, Lunarpages pointed out an experimental email sender file I had installed a long time ago. The hacker, it turns out, had exploited and continued using it to send emails pretending to be sent from a Canadian bank. So, without hesitation, to the trash bin it went.
My primary suspect that breached my security was a keylogger that got through due to my earlier hacker-friendly online lifestyle. Thus, I made sure this time that my internet security application imposed stricter measures against probable illegal incursions. In fact, I have really become paranoid enough to the extent of always having my task manager in view so that I could monitor every cpu usage spike and see who’s causing it. I also intended to buy a full version of BitDefendfer Internet Security but put it on hold again after finding out that the bug that caused some firefox plugins to not work has still not been resolved by Bitdefender.
I also installed the free version of Zone Alarm. It does get to be annoying sometimes with its popups but it makes you feel secure and protected at the same time.
I was advised about using Login Lockup to protect my login page. As with all plugins, I tested it first on a localhost server test site. It didn’t work as expected, and instead messed up my test site making it inaccessible anymore. Needless to say, I did not proceed with the Login Lockup plugin installation on my blog. Too bad, it would have been one good ‘first line of defense’ for my blog.
While in the past, I used to wait for months before I update wordpress to its newest version I now procrastinate only for a week or two (because I research first for reports about the new version’s bugs and discrepancies) before updating.
Whereas I used to be click-happy when it comes to links in my emails, I am more cautious this time. I have stopped my practice of satisfying my curiousity for each email that comes my way (even from the spam folder). Instead I hit the delete button more often now.
Just recently, upon the ‘heads up’ of Sire of wassupblog I found a working alternative to Login Lockup. The ‘Limit Login Attempts’ plugin worked when I tested it. Another plugin passed my testing too – the ‘WordPress Firewall’ plugin. Proof that both plugins are working are the multiple emails I receive everyday about attack attempts being made on my blog e.g. ‘directory traversal attacks’*, etc. Now, I shiver at the thought of all the still unprotected wordpress blogs out there without these 2 plugins.
To sum it up, I believe the following are the basic things one should do in the event of a hacking situation.
1 – Contact your webhost immediately and pray that they are as helpful as Lunarpages, or better.
2 – Ask your webhost for help in scanning your whole website to locate malicious scripts hidden within your directories.
3 – Once you regain access to your site, change passwords. Use stronger passwords this time.
4 – Check the dashboard and make sure that the (User) owner’s email is still your email address reflected in there.
5 – If you are still using ‘admin’ as your username in wordpress, change it to something else.
6 – Check your directory structure. Follow the permissions rule about folders and files.
7 – Check your domain’s email account (the one you configured to be your email; e.g. firstname.lastname@example.org). If it has lots of bounced emails, or sent emails that you didn’t send yourself, proceed to change your email password or completely delete that particular account and create a new one. Then check your directories for some possible mail sending script.
8 – Update your wordress version.
9 – Install ‘Limit Login Attempts‘ plugin.
10 – Install ‘WordPress Firewall‘ plugin.
I’m sure there must be some other things I should do to make my sites more hack-proof. So far, these are the things I’ve done. How about you? What measures have you taken to protect your sites? Or, are you going to wait, like me, until it happens to you? Remember, the attacks are not necessarily made by humans. Most are robot apps that were programmed to find and exploit weak points and doorways in anyone’s sites. Thus, it doesn’t choose; it just razes through all sites that are on its path.
: is exploiting weak or insufficient security validation or sanitization of user-supplied input file names, so that characters representing “traverse to parent directory” are passed through to the file APIs. (source: wiki
Latest WordPress Security Measures
Here’s a video I found just recently which prodded me to insert this update to this post.
Watch the above video to know the importance of creating appropriate user accounts for your wordpress site. Using your admin account for every activity you do in the dashboard is risky.
The expert speaker, Dre, will tell you what to do on your server side and on your wordpress admin side to secure your site even more, and a lot more strongly suggested things you can do e.g. using stronger passwords and utilization of password managers, disabling some features in your wordpress dashboard, really important security plugins you must have in your arsenal, etc.