At 10:21 Friday morning I got an email from an awesome WordPress plugin called Wordfence alerting me that my site had a core file changed (index.php, which is the main page of the site).
I did not change that file, so I immediately went to the site and saw that I had been hacked. Then I started going through the list of sites I have and host. All 24 websites were hit. The screen grab above is what all of the sites looked like.
Fearing some serious fallout I immediately logged into my hosting dashboard to change my password. I am pretty serious about passwords and security, as you may have read previously, so I am fairly confident in my passwords. Unless I am restricted, I use 18-20 character passwords with upper- and lower-case letters, with multiple numbers and symbols mixed in. 1Password keeps me square there.
After updating my host/FTP password I began to look through my server to figure out what happened.
All my sites use WordPress. Like any CMS (content management system), WordPress is susceptible to attacks. I take a lot of precautions to protect my data, sites, and accounts, so this was surprising to me.
So what happened?
I immediately changed my FTP password. While logged into my FTP I noticed a weird file in the root directory. A quick Google search confirmed that it was a file that the hackers placed there. I deleted the file and began going through folders and files on the server to see if anything else jumped out at me. This is when I found how the hackers got in.
It seems that the hackers got into a website that I was hosting for a friend and injected some code into his site. They were then able to gain access to my server (without even knowing my password!) and replace my sites with some Muslim hacker crap. Fun times!
How did I fix this?
As I said above, I manually went through each folder looking for suspicious files and folders. When I found them, I deleted them. Luckily my friend wasn’t using that site any more, so I was able to completely delete it from my server.
I spent about 20 minutes digging and deleting suspicious files. At that point I was satisfied with the state of my server and went about my day.
Later at night, I went through every site and made sure that all versions of WordPress were up to date and that any installed plugins were also up to date. I knew my sites were, but I wasn’t 100% sure of the other sites I host for friends and family. They are now all updated.
I’m not a security expert, but I think I got everything taken care of. Luckily this didn’t seem like a hardcore attack. I hope I’m not mistaken on that and don’t end up being hacked again shortly.
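The manual hunt through folders described above can be made repeatable. Two checks cover most of what was found by hand here: a hash baseline of each docroot taken while the site is known-good and diffed later (the kind of "core file changed" signal Wordfence raised on index.php), and a scan of PHP files for the patterns dropped backdoors tend to carry, including any PHP at all under wp-content/uploads/. The following is an added example, not the author's code and not how Wordfence works; it builds a small constructed docroot in a temp directory, and the file names, contents and heuristic patterns are invented for the demo rather than taken from this incident.

```python
"""Hash-baseline integrity check plus a heuristic scan for injected PHP.

Added example for this post; it is not the author's code and not how
Wordfence works internally. It assumes a WordPress docroot on local disk.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristics that commonly show up in dropped PHP backdoors. A hit is a lead
# to inspect by hand, not proof: legitimate plugins also call base64_decode().
SUSPICIOUS = [
    ("eval-decode", re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(")),
    ("preg-e-modifier", re.compile(rb"preg_replace\s*\(\s*['\"].*?/e['\"]")),
    ("request-as-function", re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\[[^\]]+\]\s*\(")),
    ("long-base64", re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")),
]
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".phar"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative POSIX path -> sha256 for every regular file under root.
    Take this while the site is known-good and store it off the server:
    an attacker with write access to the docroot can rewrite a local copy."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_manifest(baseline, current):
    """Return (added, removed, modified) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, modified


def scan_php(root):
    """{relative path: [reasons]} for PHP files that trip a heuristic, or that
    sit under wp-content/uploads/ (WordPress never writes PHP there itself)."""
    root = Path(root)
    hits = {}
    for p in root.rglob("*"):
        if not p.is_file() or p.suffix.lower() not in PHP_SUFFIXES:
            continue
        rel = p.relative_to(root).as_posix()
        data = p.read_bytes()
        reasons = [name for name, rx in SUSPICIOUS if rx.search(data)]
        if rel.startswith("wp-content/uploads/"):
            reasons.append("php-in-uploads")
        if reasons:
            hits[rel] = reasons
    return hits


def build_demo_tree(root):
    """Constructed sample docroot (not a real site), just enough to diff."""
    root = Path(root)
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "index.php").write_text(
        "<?php define('WP_USE_THEMES', true); require __DIR__ . '/wp-blog-header.php';\n")
    (root / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
    (root / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 stand-in jpeg")


def inject_demo_compromise(root):
    """Constructed changes shaped like the post: a defaced index.php, a dropped
    file in the web root, and a backdoor hidden in uploads/. All invented."""
    root = Path(root)
    (root / "index.php").write_text("<html><body><h1>Hacked</h1></body></html>\n")
    (root / "wp-content" / "uploads" / "cache.php").write_text(
        "<?php eval(base64_decode($_POST['c']));\n")
    blob = "QUJD" * 60  # 240 chars of base64-looking payload
    (root / "weird.php").write_text(
        "<?php $x = '" + blob + "'; eval(gzinflate(base64_decode($x)));\n")


def run_demo():
    """Baseline a clean tree, compromise it, report what the two checks find."""
    with tempfile.TemporaryDirectory() as d:
        build_demo_tree(d)
        baseline = build_manifest(d)
        inject_demo_compromise(d)
        added, removed, modified = diff_manifest(baseline, build_manifest(d))
        hits = scan_php(d)
    return {"added": added, "removed": removed, "modified": modified, "hits": hits}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

On a real host, point build_manifest at each docroot right after a clean install or update, keep the manifests somewhere the web server cannot write, and diff on a schedule. For WordPress core files specifically, WP-CLI's wp core verify-checksums compares the installed files against the hashes published for that release and needs no local baseline at all. The heuristic scan will produce false positives on some legitimate plugins; treat every hit as a file to read, not a file to delete, and remember that on shared hosting where every site runs under one account, a compromise of any one docroot gives write access to all of them, which is why one baseline per site matters.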
What can you do to prevent being hacked like this?
- Do your WordPress updates. This is just a no-doy. It’s how my server was attacked. More than this, do your Windows updates, OS X updates, application updates, run virus and malware scans.
- You’re only as strong as your weakest link. This goes for everything. Somehow the hackers got into my friend’s account and attacked me and my server, even with my aggressive security measures. If you are a site admin, require strong passwords. If you are a user, use strong passwords.
- Use strong passwords. Is there an echo here? Use strong passwords everywhere. Don’t use the same password on multiple sites. Use upper- and lower-case letters, numbers and symbols. The longer your password, the harder it is to crack. Just use 1Password already. At this point I should get some kickback from them with how often I pimp them out.
- Create backups. Do you back up your hard drive like I told you? Well, make sure you are backing up your WordPress site, too. A plugin like BackWPup works great for me.
I’m extremely lucky that this wasn’t something worse. People have been hacked and have lost personal data. Your identity can be stolen and that can lead to serious issues for years. Lock down your data and your life with secure passwords.
And do your damn updates.