Lessons learned from getting this blog hacked

Source code; by Tim Lucas (CC BY) on Flickr

I suppose getting your WordPress blog or website hacked is another rite of passage that is now behind me. What had made this so scary for me was that I myself couldn’t see the hack, since the malware that had been snuck into the code only displayed text and links selectively to users, and my IP, language preference or browser didn’t meet these criteria.

Google Analytics

I got the first inkling that something might be wrong when I looked at my Google Analytics stats and noticed that I had received traffic for some keywords that were definitely not content on my site: porn and warez, in other words. I couldn’t make head or tail of this since I had just double-checked the comments module to make sure that no spam had managed to slip through.

When I searched for some of these keywords my site did indeed come up a couple of times, but since the keywords weren’t on the pages when I checked, I filed it as a problem to be investigated later.

I can see something that you can’t

That changed when a former colleague of mine contacted me and said he could see some weird stuff on my site. He then shared his screen with me through Skype and I was able to verify that the code he got when visiting my site was different from the code I got when looking at my blog.

Now I got really alarmed. After all, I’m using my blog to share my expertise and to acquire customers. If they looked at my blog and saw porn and warez it was unlikely they’d hire me.
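The screen-share check above can be automated: fetch the same page under several request profiles (browser vs. crawler User-Agent, different Accept-Language) and diff the links each variant contains. Links that appear in only one variant are the cloaked content. This is an added example for this post, not the author's or Sucuri's code; the header values, the `spam.invalid` URLs and the sample HTML are constructed for illustration.

```python
"""Spot cloaked links by comparing page variants served to different visitors.

Added example: not code from the original post. Request profiles and sample
HTML below are constructed; point the script at your own site to use it.
"""
import sys
import urllib.request
from html.parser import HTMLParser

# Cloaking malware typically keys on User-Agent (search crawler vs. browser)
# and Accept-Language, so each profile varies exactly those headers.
# (Header values are assumptions chosen for this example.)
PROFILES = {
    "browser": {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0",
        "Accept-Language": "en-US,en;q=0.5",
    },
    "crawler": {
        "User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
        "Accept-Language": "en",
    },
    "other-locale": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0 Safari/537.36",
        "Accept-Language": "de-DE,de;q=0.8",
    },
}


class _LinkParser(HTMLParser):
    """Collect href targets of every <a> tag, hidden or not."""

    def __init__(self):
        super().__init__()
        self.links = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.add(href)


def extract_links(html: str) -> set:
    parser = _LinkParser()
    parser.feed(html)
    return parser.links


def diff_variants(variants: dict) -> dict:
    """Return, per profile name, the links that no other variant contains.

    An empty result means every profile saw the same link set, which is what a
    clean page should produce.
    """
    links = {name: extract_links(html) for name, html in variants.items()}
    common = set.intersection(*links.values())
    return {name: s - common for name, s in links.items() if s - common}


def fetch_variants(url: str, profiles: dict = PROFILES, timeout: int = 10) -> dict:
    """Download `url` once per profile and return {profile: html}."""
    out = {}
    for name, headers in profiles.items():
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            out[name] = resp.read().decode("utf-8", errors="replace")
    return out


# Constructed sample responses: the "crawler" variant carries an injected,
# hidden block of spam links that the browser variants never receive.
_CLEAN = """<html><body><h1>My blog</h1>
<p>Read my <a href="/about">about page</a> or
<a href="/posts/wordpress-tips">WordPress tips</a>.</p>
</body></html>"""
_CLOAKED = _CLEAN.replace(
    "</body>",
    '<div style="display:none"><a href="http://spam.invalid/warez">free warez</a>'
    '<a href="http://spam.invalid/pills">cheap pills</a></div></body>',
)
SAMPLE_VARIANTS = {"browser": _CLEAN, "other-locale": _CLEAN, "crawler": _CLOAKED}


if __name__ == "__main__":
    # Usage: python cloak_check.py https://your-site.example/
    # Without an argument the constructed sample is analysed instead.
    variants = fetch_variants(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_VARIANTS
    findings = diff_variants(variants)
    if not findings:
        print("all profiles received the same links")
    for name, extra in findings.items():
        print(f"links only served to the '{name}' profile:")
        for href in sorted(extra):
            print("  ", href)
```

Run it from a machine outside your own network as well, since the post notes the malware also keyed on the visitor's IP; a difference in link sets between any two profiles is reason to pull the theme and plugin files for inspection.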

Fixing the problem

Big thanks go to Frederic Vuong who supplied a lot of useful links and tips to help me. However, in the end it was slightly more complicated than I was prepared to deal with. So I contacted a WordPress agency that I had worked with in the past. However, their quote of 400 USD and approximately three days of work didn’t exactly make my heart sing.

In the end I found “Sucuri Security” through the WordPress forums. For 90 USD they took care of the problem in a matter of hours, and I now have a one-year subscription with them so that I can go back to them if there is a new infection. In addition, they have supplied me with a WordPress plugin that helps to increase WordPress security.

Lessons learned

According to Sucuri, one of the vulnerabilities I had on my site was a theme that I wasn’t even using. It’s a theme I had downloaded two years ago and which I kept in my theme folder but never used and, of course, never updated. I had no idea that this was a security risk. I have now:

– removed all themes and plugins that I’m not actually using

– installed the lockdown plugin which limits the number of false login attempts

– installed the Sucuri plugin

I’ll also add the lockdown plugin and the Sucuri service to the list of things I recommend to non-profits who are building their own WordPress-based websites.