Hacked: Lessons Learned and Relearned

Hacked!

A couple of weeks ago, while I was on vacation, my WordPress site was hacked. It started with a weird email from Wordfence trying to tell me something, but it was so garbled I knew either it was in serious need of an update or something worse had happened. When I got to my site, I found something worse had happened. What was weird was that I could only see the hack on one device. So when I contacted my hosting provider, they of course said it was my PC (I was on an iPad). The reason for contacting them was that early evidence seemed to point to something hacking into my site from the host, which would mean the host server was hacked. I didn’t have my laptop with me with my usual tools for looking at things securely (such as turning off all JavaScript and Flash in the browser to minimize the chances of compromising my laptop). My wife had her work laptop, but I was not going to compromise it. So I just decided to leave my site down. This is not something a commercial site could do. Imagine the sales Amazon would lose if it were down for an hour. But my site isn’t an e-commerce site; it is just a blog.

The early answers from my provider were that I should scan my PC to make sure it wasn’t affected. Agreed, always a good measure. I run antivirus that is pretty highly respected and a malware prevention program, but as we all know, they can’t protect you from the vulnerabilities they don’t know about, and even then they are not foolproof. I knew the hack was on the site and not my PC. I had logged in locally and looked at the code, and there it was: “Hacked By Explo!T3r”. Don’t do a Google search for that, as you will be surprised how many sites have been hacked by the same or a similar group and are still hacked and un-repaired and may not even know, but Google knows. Okay, search, but don’t visit their sites just in case. And the worst part about it was that it was all tangled up in the cache, so I would have to make sure to wipe my cache once I cleared up the mess. I backed up my site as it was so that I could download it and do a file-by-file comparison with a previous backup to see what was changed or infected. Additionally, I scanned it with both antivirus and malware scanners to see if there was something evidently evil about it. Nothing found.

A senior engineer at my hosting provider asked me when my site was last working. I hadn’t logged in in over a week, so I told him when I was last on the site, and they said they would restore a backup for me from that time period. Now, I wasn’t aware they were backing things up also. I know I have to run manual backups, and I download them to a cloud provider so I have “off site” backups, so to speak. I know I could automate this process, and I have in the past, but the free plugins that do backups have some limitations, and since my site isn’t for commercial gain, I have to keep things to a low-to-no budget. Plus that is in keeping with my open source spirit. So when I finally got back from vacation, I looked and my site was really down now: Database Connection error. I guess their backup didn’t massage my database before backing up. So I knew what I had to do.

First I checked the modified date on all files on my site and decided I would wipe the site and roll in the last manual backup I ran. When did I run this backup? The end of June. I had violated my very own rule: back up, and back up often. Also back up before going forward. So I lost all of my July posts, which was a shame, as they were really good and had brought a lot of traffic to my site. Don’t worry, my “Social Media for Small Business” series will return and will soon have some additional entries.

So after restoring my site to the June backup and changing my passwords to the most complicated passwords I have ever used, the site is back up and running. I looked through the code, and the hack modified entries in my database, so either they compromised MySQL for my site, did a SQL injection attack, used an account with author privileges that had a less-than-awesome password, or even exploited one of the recent vulnerabilities that were fixed by the latest update, WordPress 4.2.3.

Here are some lessons learned:

1. Back up, and back up often (I failed my own rules here).

2. Update often. (I didn’t have any pending updates of plugins or WordPress, so I was technically as good as I could get.)

3. Complex passwords. I use complex passwords, but I had an account that did not. Wordfence offers a scanner that checks password complexity.

4. Compare backups. There is a lot to learn by comparing files from one backup to a newer one. What has changed since the last backup?

5. Verify your .htaccess files are set correctly.

6. This one will be controversial: country blocking. Wordfence (paid version) has an option to block by country. I had turned this off because my site seemed slow and I was looking to see if my .htaccess file had become unruly with too many entries. However, if you have a topic on your blog that might be controversial (my entries about my Faith), then you know you may offend someone. While I want my site open for everyone, there are some countries where the majority of hackers come from, so blocking those countries (determined by IP address ranges and domain suffixes) will save you some headaches.
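Lesson 4 above (compare backups) and the clean-up described earlier (check the modified date on every file, then compare the hacked copy file by file with the June backup) are easy to do by hand on a small site and tedious on a large one. The script below is an added example, not code from the post, that hashes two backup trees and reports added, removed and modified files, plus a helper that lists files with a modification time after a given point. It constructs its own sample "June" and "now" backups in a temporary directory, so the directory names, file contents and the 2015-06-30 date are assumptions made for the demo; point it at your own two extracted backups to use it for real.

```python
import hashlib
import tempfile
from datetime import datetime
from pathlib import Path


def hash_tree(root):
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare_backups(old_root, new_root):
    """Report which files were added, removed or changed between two backup trees."""
    old, new = hash_tree(old_root), hash_tree(new_root)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def files_modified_since(root, since):
    """The 'check the modified date on all files' step: files whose mtime is after `since`
    (a datetime or a Unix timestamp)."""
    root = Path(root)
    cutoff = since.timestamp() if hasattr(since, "timestamp") else float(since)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and p.stat().st_mtime > cutoff
    )


def build_sample_backups():
    """Constructed sample data (not a real site): a clean June backup and a later copy of the
    live site in which one theme file gained a line and a PHP file appeared under uploads."""
    base = Path(tempfile.mkdtemp(prefix="wp-backup-compare-"))
    old, new = base / "backup-june", base / "backup-now"
    for root in (old, new):
        (root / "wp-content" / "themes" / "mytheme").mkdir(parents=True)
        (root / "wp-content" / "uploads").mkdir()
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'wp_blog');\n")
        (root / "wp-content" / "themes" / "mytheme" / "functions.php").write_text(
            "<?php // theme functions\n"
        )
    (new / "wp-content" / "themes" / "mytheme" / "functions.php").write_text(
        "<?php // theme functions\n// line that was not in the June backup\n"
    )
    (new / "wp-content" / "uploads" / "x.php").write_text(
        "<?php // file that was not in the June backup\n"
    )
    return old, new


if __name__ == "__main__":
    old, new = build_sample_backups()
    report = compare_backups(old, new)
    for kind in ("added", "removed", "modified"):
        for path in report[kind]:
            print(f"{kind:9} {path}")
    print("modified since 2015-06-30:", files_modified_since(new, datetime(2015, 6, 30)))
```

Hashing both trees rather than relying on modification times matters because a file's mtime can be set to anything; the digest comparison is what tells you a file really changed. Anything in the "added" list under wp-content/uploads that ends in .php deserves a look first, since uploads should hold images and documents, not executable code.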

Look at my WordPress Security Essentials to see the things I do and should have done to protect my site. In this case, do as I suggest, not as I do.
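Lesson 5 says to verify that your .htaccess files are set correctly but does not spell out what "correctly" means. As an added example (not code or advice from the post), here is a small checker for a few protections that are commonly recommended for a WordPress .htaccess: directory listing off, wp-config.php and the .ht* files themselves not readable over the web, and xmlrpc.php denied unless you actually use it. The two sample files it ships with are constructed; the "weak" one is just the standard WordPress rewrite block, and the hardened one adds the deny rules in both the Apache 2.4 (`Require all denied`) and 2.2 (`Deny from all`) spellings, both of which the checker accepts. Which checks belong in your baseline is an assumption; adjust the list to your site.

```python
import re

# <Files name> or <FilesMatch "regex"> ... </Files> blocks, and the two spellings of "deny everyone"
# (Apache 2.4 'Require all denied', Apache 2.2 'Deny from all').
FILES_BLOCK = re.compile(r'<Files(Match)?\s+"?([^">]+?)"?\s*>(.*?)</Files(?:Match)?>', re.S | re.I)
DENY_ALL = re.compile(r"Require\s+all\s+denied|Deny\s+from\s+all", re.I)


def denied_targets(htaccess):
    """Names/patterns of <Files> blocks whose body denies all web access."""
    return {target for _, target, body in FILES_BLOCK.findall(htaccess) if DENY_ALL.search(body)}


def audit_htaccess(htaccess):
    """Return a list of missing protections (empty list = every check passed).
    The check list is an assumed hardening baseline, not something taken from the post."""
    findings = []
    if not re.search(r"^\s*Options\b[^\n]*-Indexes", htaccess, re.M | re.I):
        findings.append("directory listing not disabled: add 'Options -Indexes'")
    denied = denied_targets(htaccess)
    if "wp-config.php" not in denied:
        findings.append("wp-config.php is not wrapped in a deny-all <Files> block")
    if not any(".ht" in target for target in denied):
        findings.append('.htaccess/.htpasswd are not protected (no deny-all <FilesMatch "^\\.ht">)')
    if "xmlrpc.php" not in denied:
        findings.append("xmlrpc.php is reachable: deny it unless you use the XML-RPC API")
    return findings


# Constructed sample: the stock WordPress rewrite block and nothing else.
WEAK = r"""
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

# Constructed sample: the same file with the protections the checker looks for.
HARDENED = r"""
Options -Indexes
<Files wp-config.php>
    Require all denied
</Files>
<Files xmlrpc.php>
    Require all denied
</Files>
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
""" + WEAK


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK
    for finding in audit_htaccess(text) or ["no findings"]:
        print("-", finding)
```

Run it as `python audit_htaccess.py /path/to/.htaccess`; with no argument it audits the weak sample and lists all four findings. Keep the deny blocks above the `# BEGIN WordPress` marker, because WordPress rewrites that section when you change permalink settings.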

My WordPress Security Essentials

WordPress Security

If you have run a WordPress site for a bit, you may have noticed (or maybe you haven’t) that sometimes it feels like your site is a target. If you don’t view your logs, you may not even know. But once you start watching a little closer, you will find that, just like at every other site on the Internet, people, bots, and zombies like to come and rattle your door knobs to make sure your doors are locked. If they aren’t, they will just walk on in, and if they are, some will try every key on their key ring to make sure your doors really are locked.

Having hosted many a WordPress site, mostly for fun and rarely for profit, I have used a lot of free or nearly free tools to protect my sites. It is only in the last two years that I have started to pay more money to be sure my sites were not easily compromised. So here are some suggestions on good ways to protect your site.

1. Back up, and back up often.

Assume your site will be compromised. If your website were to magically disappear today with all of your content, what would you do to get it back? Setting up WordPress again is easy. Remember the “famous five minute” install? But your content is irreplaceable. Back up, and back up often. If you are self-hosted, most providers offer ways to back up your site and your database. Remember, you have to back up both pieces if you want to be able to restore everything about your site to its original condition. Look for another post that goes into great detail about backups and backup options.

2. Don’t make it easy for bots and zombies to log into your site.

Everybody probably hates reCAPTCHAs, but they do make it harder for automated attacks to get into your website. One plugin I use is “Are you robot google recaptcha for wordpress”. That is the name of it. There are others, but this one works well. Google recently simplified the whole reCAPTCHA process with this. This is what your login will look like after you add it. You will need a Google Gmail account so you can log into their API (Application Programming Interface) and get developer keys to run this. This is free, and so is the plugin.

Are You A Robot Login

3. Update Update Update

Sure, it is a challenge. You can’t always be sure that if you update your WordPress version to the latest, your plugins or customizations will still work. But if you installed WordPress 4.0, there was a major security flaw found, and they quickly released 4.1. Meanwhile hackers discovered the flaw and began writing stuff to exploit it. The same is true with plugins. Sometimes well-meaning plugins have major flaws. If you follow security bulletins offered by some security sites, you can almost keep up. But it is important to update, and it is of course important to test after the update to be sure your site still works.

4. Two Factor Authentication

If you aren’t using Two Factor Authentication on every website you can, then you should be. It is super easy to add TFA to your WP site. First, go and download the plugin “Google Authenticator” from WordPress.org. Second, before you install it, download the Google Authenticator app for your mobile device (either Apple or Android). Before you activate the plugin, you will want to be able to scan a QR code with your mobile device so that adding the site to your phone (after you install the app) is easy. Finally, once you enable this, it is kind of like locking one set of doors before the real set. You will have to know your Google Authenticator code and your password to log in from now on.

Note: To disable this in the event you somehow lock yourself out of your site, you can temporarily move or rename the Google Authenticator plugin out from under the plugins directory.

By default it does not enable itself on all accounts on your site, so you have to visit each account and enable it. Here is what the settings look like for each user.

Google Authenticator Settings

And after you enable it, your login screen looks like this. So when you log in, go to the Google Authenticator app on your phone and get the current code to log on.

Google Authenticator Login

 

For security reasons I can’t show you my authenticator screen, but here is what the screen looks like, except there will be an entry for your WordPress site on your phone.

 

Google Authenticator Screenshot
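The QR code you scan in step 4 carries a shared secret, and the six-digit code the app shows is a time-based one-time password (TOTP, RFC 6238) computed from that secret and the current 30-second time step; the plugin on the server holds the same secret and does the same arithmetic. The example below is added here to show that computation and the server-side check; it is not the plugin's code and does not use the Google Authenticator API. It uses the published RFC 6238 test secret (ASCII "12345678901234567890") so the expected codes can be checked against the RFC; the one-step drift window is an assumed value.

```python
import base64
import hashlib
import hmac
import struct
import time


def secret_from_base32(encoded):
    """Decode the base32 secret printed under the QR code (spaces and missing padding tolerated)."""
    cleaned = encoded.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, modulo 10^digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6):
    """RFC 6238: the HOTP counter is the number of `step`-second intervals since the Unix epoch."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, code, at_time=None, step=30, digits=6, window=1):
    """Server-side check: accept the current step and `window` steps either side to absorb
    clock drift between the phone and the server. The comparison is constant-time."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + drift, digits), code)
        for drift in range(-window, window + 1)
    )


# RFC 6238 Appendix B test secret; the base32 form is what a provisioning QR code carries.
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print("code at T=59:", totp(RFC_SECRET, 59))  # 287082, the RFC 6238 vector truncated to 6 digits
    print("code right now:", totp(secret_from_base32(RFC_SECRET_BASE32)))
```

Two things follow from the code that the screenshots cannot show: the secret is the whole security of the second factor, so the database row the plugin stores it in is worth protecting as carefully as a password hash, and the server's clock must be roughly right or every code will be rejected, which is the usual cause of "my authenticator code never works".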

 

5. Don’t let “people” try to login over and over again.

WordPress does not by default limit the number of login attempts allowed, but a simple plugin called “Limit Login Attempts” does. It sets limits on the number of times you allow someone (or something) to attempt to log in, and it locks the account if they try too many times. It can also email you after so many attempts if you want. You can set time limits on lockouts and duration times as well.

Limit Login Attempts
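To make the lockout policy concrete, here is an added example (not the plugin's code) of the logic behind a limiter like the one described above, combined with the network blocklist idea from lesson 6 and the firewall section: a client is refused outright if it comes from a blocked range, locked out after a number of failures inside a sliding window, and refused during the lockout even with the right password. The thresholds (4 failures in 10 minutes, 20-minute lockout) and the event sequence are constructed for the demo; the IP addresses are RFC 5737 documentation ranges, not real visitors.

```python
import ipaddress
from collections import defaultdict, deque


class LoginLimiter:
    """Lock a client out after `max_failures` failed logins within `window_seconds`.
    The default values are assumptions for this demo; a real plugin exposes the same knobs."""

    def __init__(self, max_failures=4, window_seconds=600, lockout_seconds=1200, blocked_networks=()):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self.blocked_networks = [ipaddress.ip_network(n) for n in blocked_networks]
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> time at which the lockout ends
        self.lockouts = defaultdict(int)     # ip -> number of lockouts (what you would get emailed about)

    def in_blocked_network(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.blocked_networks)

    def attempt(self, ip, password_ok, now):
        """Decide one login attempt: 'blocked', 'locked', 'failed' or 'ok'."""
        if self.in_blocked_network(ip):
            return "blocked"
        if self.locked_until.get(ip, 0) > now:
            return "locked"            # even a correct password is refused during the lockout
        if password_ok:
            self.failures.pop(ip, None)
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while recent and recent[0] <= now - self.window_seconds:
            recent.popleft()           # forget failures older than the window
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout_seconds
            self.lockouts[ip] += 1
            recent.clear()
            return "locked"
        return "failed"


# Constructed sample: (source IP, password correct?, seconds since start).
SAMPLE_EVENTS = [
    ("192.0.2.9", True, 0),        # from a network the site owner chose to block outright
    ("203.0.113.7", False, 1),
    ("203.0.113.7", False, 5),
    ("203.0.113.7", False, 10),
    ("203.0.113.7", False, 15),    # fourth failure inside the window: lockout begins
    ("203.0.113.7", True, 20),     # right password, still locked
    ("198.51.100.4", False, 30),
    ("198.51.100.4", True, 40),    # one typo then success: failure count resets
    ("203.0.113.7", True, 1300),   # the 1200-second lockout has expired
]


def replay(events, blocked_networks=("192.0.2.0/24",)):
    """Feed the events through a fresh limiter and return its decisions plus the limiter itself."""
    limiter = LoginLimiter(blocked_networks=blocked_networks)
    return [limiter.attempt(ip, ok, t) for ip, ok, t in events], limiter


if __name__ == "__main__":
    decisions, limiter = replay(SAMPLE_EVENTS)
    for (ip, ok, t), decision in zip(SAMPLE_EVENTS, decisions):
        print(f"t={t:5d} {ip:14} password_ok={ok!s:5} -> {decision}")
    print("lockouts per IP:", dict(limiter.lockouts))
```

Keying the counters on the source IP (as the plugin does) stops a single bot, but a botnet spreads its guesses over many addresses and stays under the per-IP threshold; that is why the limiter is paired with the CAPTCHA in section 2 and two-factor authentication in section 4 rather than relied on alone.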

 

6. Firewalls help keep the “evils” out

I looked for a free firewall plugin and settled on “WordFence Security”. It has grown on me and is now my “go to” plugin when someone says “Help! People are rattling my website”. WordFence scans your site and shows you when something has changed that shouldn’t have. Granted, sometimes those alerts are false positives. It will block IP addresses of things that keep trying over and over to get into your site. It has advanced blocking features and also does caching (if you want to speed up the performance of your site). A post on caching and other performance tuning will be done at a later date. And lastly, when my site was constantly under attack from certain countries, I was forced to buy the premium version of WordFence to allow me to block by country. I want my site to be viewable to the world, but sometimes you have no choice, so I paid for a license, and I now block a few countries, as they constantly rattled my doors. This cut down dramatically on the attacks I was receiving. Also, I like being able to easily see the logs of who has visited my site. It is always nice to see that Google and Bing have visited me each day to index my site for their search engines.

Conclusion

There are certainly other products on the market to secure your site, such as Sucuri, which scans your website and claims to be antivirus and firewall. I am also told they will help clean up your site in the event you have been hacked (for a fee, of course). And there is iThemes Security Pro, which has a plugin that works a lot like WordFence. I would certainly consider all three and decide what seems the best fit for you.

Stay Safe Out there!