So uhhh…you may notice things look a little (a lot) ~different~ around here.
The theme is basic af, and there are photos missing and probably some formatting issues all over the shop but y’know what? Right now, I don’t care.
Because it could have been a lot worse.
Here’s the how and the why of my blog getting hacked.
A few weeks back I noticed something weird was showing on my Feedly account. For my blog, it was showing “Buy Real Valium” instead of my blog name.
Naively, I assumed it was a mistake by Feedly and went about my merry way. I figured they’d fix it themselves. TERRIBLE IDEA.
When I realised that wasn’t going to happen, I tweeted them and asked them what was going on. They didn’t know. But soon, a few followers started to point out that the problem was bigger than I thought.
When you searched Google for “creatively cat”, almost all the listings had been changed to inject keywords to do with dodgy pharmaceuticals. I say this in the past tense, but many of the pages are still showing this way:
They are still showing like this because I’ve had to resubmit my sitemap to Google to re-index my site properly. I have no idea how long it will take to fix and display properly, but the update in meta wasn’t even the biggest issue.
All of those links (in fact almost all of the posts on my blog) were redirected to a different site when you clicked on them from Google. The site, as I’m sure you can guess, sells dodgy pharmaceuticals. JUST WHAT YOU NEED, RIGHT?
Upon discovering this, I straight up panicked. I think anyone would. If someone can get into your site and change the information on search engines and redirect your traffic to some shitty site, they could probably delete all of my posts completely.
I jumped into action as soon as I could. By that I mean I tweeted and posted on Facebook to get some advice on what to do. I can safely say, in my situation, that for every arsehole hacker out there, there are several developers who want to help you out. I had two absolute heroes work tirelessly to try and get the issue fixed (special shoutout to Richard Hickson who talked me through it all on Skype!). FYI, my hosts were absolutely useless. They would not touch the site with a barge pole once they saw it had been injected with malware.
So what exactly had happened to the site?
In short, a hacker had managed to gain access and set themselves up as an administrator to my blog. This is despite me recently changing to a more secure password, but as I don’t know exactly when they gained access I’m not sure if it was before or after this change – thank fuck I also updated my other passwords.
Once they had access, they were able to inject some code that created the SEO updates and spammed my site with these keywords in a way that I couldn’t see from the front-end or back-end. Particularly evil, as that makes it 100x harder to detect and fix. If I hadn’t been sent the Google results, I may not have noticed.
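One way to catch this kind of “cloaked” spam is to compare what a normal browser is served with what a search-engine crawler is served, since the injected title and description only appear to the crawler. This is an added example, not code from the original post; the spam watch-list and the sample HTML are constructed, and the Googlebot user-agent string is the one Google publishes.

```python
"""Added example: detect cloaked SEO spam by diffing the <title> and meta
description a browser sees against what a crawler is served.  Sample HTML
below is constructed; the SPAM_TERMS watch-list is an assumed starting point."""
import re
import urllib.request

SPAM_TERMS = ("valium", "viagra", "cialis", "pharmacy")  # assumed watch-list


def extract_head(html: str) -> dict:
    """Pull <title> and the meta description out of an HTML document."""
    title = re.search(r"<title[^>]*>(.*?)</title>", html, re.I | re.S)
    desc = re.search(r'<meta\s+name=["\']description["\']\s+content=["\'](.*?)["\']',
                     html, re.I | re.S)
    return {"title": title.group(1).strip() if title else "",
            "description": desc.group(1).strip() if desc else ""}


def compare_views(browser_html: str, crawler_html: str) -> dict:
    """Return each field whose crawler version differs from the browser version,
    together with any watch-list terms that appear in the crawler version."""
    browser, crawler = extract_head(browser_html), extract_head(crawler_html)
    findings = {}
    for field in ("title", "description"):
        if browser[field] != crawler[field]:
            hits = [t for t in SPAM_TERMS if t in crawler[field].lower()]
            findings[field] = {"browser": browser[field],
                               "crawler": crawler[field], "spam_terms": hits}
    return findings


def fetch_views(url: str) -> dict:
    """Fetch the same URL as a browser and as Googlebot, then compare.
    Needs network access; the offline sample below does not call this."""
    def get(user_agent):
        req = urllib.request.Request(url, headers={"User-Agent": user_agent})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    return compare_views(get("Mozilla/5.0"),
                         get("Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"))


# Constructed sample: what the site owner sees vs. what the crawler is served.
BROWSER_HTML = """<html><head><title>Creatively Cat</title>
<meta name="description" content="A creative lifestyle blog"></head><body>..</body></html>"""
CRAWLER_HTML = """<html><head><title>Buy Real Valium - Creatively Cat</title>
<meta name="description" content="Cheap online pharmacy, buy valium"></head><body>..</body></html>"""

if __name__ == "__main__":
    for field, info in compare_views(BROWSER_HTML, CRAWLER_HTML).items():
        print(f"{field}: browser={info['browser']!r} crawler={info['crawler']!r} spam={info['spam_terms']}")
```

Run `fetch_views("https://your-blog.example/")` against your own site; an empty result means both views match, while any populated field is worth a closer look even if no watch-list term appears.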
The hacker also managed to do this in a way that meant if you deleted any suspicious looking files, they would automatically be re-created as soon as you deleted them, as one of the developers who helped me soon found out when they tried to fix it for me.
How did the hacker get in?
So I can’t be completely sure on how they got in, but from both of the developers I spoke to it is highly likely to have been via a vulnerability in a plugin or my theme. If your plugins and theme aren’t kept up-to-date, this can be an open door to sophisticated hackers who will take advantage of those vulnerabilities.
What can be done about it?
After allowing two developers to have a look around the site (and the second into the “cpanel” file manager where you can access all of the files that make up your site), it was determined that really the only way to resolve it was to uninstall WordPress and start over with a new installation that wouldn’t have the malicious code or files the hacker created.
I had to export my posts and pages from that WordPress installation and save them to my laptop, then delete everything else. I had my hosting providers guarantee in writing that every file had been deleted from the server before installing WordPress again.
If your blog gets hacked, you may not necessarily have to start over in this way – it was just the only real solution given how “deep” the hack had gone. I was very fortunate that I still had access to the site to retrieve the posts and pages before deleting everything.
Don’t let this happen to you.
Now you know what happened, and a rough idea of how, let’s get into what you need to do to protect your WordPress blog.
Create regular backups
Your hosting provider should be creating semi-regular backups of your site, but don’t just trust them. Use a plugin like Updraft Plus to create backups and have them either emailed to you or saved somewhere separate from your blog’s server. If they are only saved on the server, they are vulnerable to attack too.
Make sure to adjust your settings in Updraft to automatically create the backups rather than trying to remember to do them yourself!
Get better security for your blog
I recommend installing Wordfence, as it has a multitude of settings and tools to lock down your blog more securely than just relying on your password. Don’t worry about getting the paid-for premium version, the free version is just fine for your blogging needs.
Make sure to run a scan of your site once you have installed Wordfence to see if it flags any suspicious files. It gives you the option to fix (if it’s a known file type), or to delete. Hackers are really sneaky and can install files that may not look suspicious to you – Wordfence has pretty good intuition so if it’s raised as suspicious or dangerous, it’s likely something you should take a closer look at.
Since the hack, I still have bots trying to access the site. With Wordfence, I can block specific IPs so (in theory) they can’t keep trying to gain access, but I also get email updates if anyone tries to log in to the site that isn’t me. It does loads of other stuff, but in short, if I’d had Wordfence before I don’t think I would have been hacked. Or at the very least, I’d have known about it a lot quicker.
Keep WordPress, your theme and all of your plugins up-to-date
As I said, this is more than likely to be the reason the hacker was able to get into my site. Plugins, in particular, can be infiltrated by hackers, but keeping them updated means any issues or vulnerabilities the plugin developers have encountered are fixed in the update.
Set a regular reminder to log into your blog if you aren’t using it that often just to make sure no updates are due. They don’t take long to do, and it’s really not worth the risk of ignoring them.
Delete unnecessary plugins and themes
Have an audit of the themes and plugins you really need, and delete any you don’t. Also, check your active plugins to see when they were last updated by the developers.
If they haven’t been updated for some time, try and find an alternative plugin that does the same thing but has been updated more recently. Older, untouched plugins are incredibly susceptible to attack.
You may find that by having a clearout of plugins, your site will start loading faster and generally performing better…hurrah!
So on a final note – please, please, please action the advice above to protect your site. Some hacks can delete everything you’ve created before you’ve had the chance to stop it. Because there are ways to make doing so much, much harder for these hacker pricks, you should be implementing them before it’s too late. Take it from someone who cried many tears and had several headaches over this.