Back in January, after focusing on two big campaigns in the fall, we decided it was time to start taking care of business at home. We had a WordPress site that was ready to host a blog, and we decided it was time to take advantage of it. As we are a team at IBD, we thought it made sense to take turns writing about topics that resonate with us as individuals and as a company.
A more seasoned developer had originally created our site, and so for me to be the in-house site administrator, I would have to learn the ins-and-outs of WordPress. I have worked on lots of different systems; I’m adaptable. I opened up the Dashboard and started familiarizing myself with our Theme. I dug in and started customizing our style sheets and widgets. I was exploring the “shallow end” of our site. What I didn’t know at the time was that I was going to be heading for the “deep end” much sooner than I’d expected.
I logged into our Google Analytics page to see if our blog posts were gaining traction, to see if new people were coming to the site. Our audience was developing, probably mainly friends and colleagues, people we’d met at conferences. But we started seeing some strange things in our analytics. “film-jepang”, “image-music-note” and “Picasso-surrealismo” kept coming up, along with our other posts. I drilled down further and found “feelings-emotions-flashcards” and “bulimia-pics-before-and-after” and I knew: we’d been hacked.
Now I was in the deep end. I knew I had to learn something new: how to clean our website after being hacked. I didn’t know how they’d got in or what these things were meant to do. What I did know was that I felt violated. I went to WordPress help, and to Google, and followed my Four Steps to Learning Something New:
Step 1: Figure Out What it is You Need To Learn.
What I needed to learn was How to Recover from This Hack. Which included finding out what kind of hack this was, how I could recognize it, how I could get rid of infected files and directories, and how I could protect us from having it happen again.
Step 2: Find out who’s good at it, and pick their brains.
Thankfully the Internet is full of people who have dealt with this before. And the particular hack we experienced was very well-documented. There were two very important things that I picked up from reading dozens of forum posts and blogs about WordPress hacks.
- One: that malicious code and files are like vermin in your house. Finding files on your website that you didn’t put there feels exactly like finding evidence of mice or termites in your house. There’s a big ick-factor in knowing someone’s been messing around with your stuff.
- Two: if you see [a particular kind of file that you don’t recognize]: “Kill it. Kill it with fire.” I was thrilled to read something that made me laugh even while I was facing this ugly situation.
I did call our hosting provider, and their very helpful answer was (I paraphrase) “We’re not sure, but you should probably just blow everything away and restore a backup”.
Step 3: Decide Whether it’s Really for You, or Not.
This was a no-brainer. Even though this was an automated attack on our unfortunately-vulnerable website, I took it kind of personally. I was making the decision to get into more serious site administration. Like some kind of WordPress Rambo, I strapped on the bandoliers, put my Bowie-knife between my teeth, raised my keyboard above my head and waded into the murky waters of our site’s back end.
Step 4: Just do it. Take the plunge.
I logged into our cPanel and looked at our site structure. Using the URLs of the bogus files we’d seen in Google Analytics, I found the directories where they were hiding. And I killed them with fire. Then I changed the locks, so they wouldn’t get back in. Then I sat back and waited.
A day later, two more bogus files showed up, in another folder. I was really frustrated and angry. I went back to Step 2 and found more very valuable resources. And I knew it was time to rebuild. I made copious notes, hunkered down in our office, alerted my colleagues that we’d be offline for a while, and started Step 4 again.
I backed up everything. (It’s never too soon to back up your content.) Then I blew away our entire site, with the exception of a couple of key directories and files which I backed up to re-use, first making sure there were no vermin lurking within. I installed the latest version of WordPress. I reinstalled and updated our theme. I got an update for the file that had left us vulnerable. I restored our database and image files from the backup, and repaired countless broken links. I added new layers of security to our comments forms and to the site in general. And going forward, I’ll be monitoring everything very carefully.
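The rebuild described in this step boils down to three things an administrator can script once the site is clean: record which files belong (a hash manifest taken right after the fresh reinstall), report what has changed since (the monitoring “going forward”), and flag PHP files sitting in directories that should only ever hold images, which is where the bogus pages in this story were hiding. The shell script below is an added example and not code from the original post or from WordPress itself; the directory layout it builds is a constructed sample site, and it assumes a Linux host with `sha256sum`, `find` and `awk` available.

```shell
#!/bin/sh
# Added example: file-integrity baseline and upload-directory scan for a
# WordPress docroot. The sample tree built by build_sample_site is constructed
# for the demo; real sites will have far more files. Assumes GNU coreutils.

# Print "sha256  ./relative/path" for every file under the docroot, in a
# stable order so two manifests can be compared line by line.
# (Paths containing newlines are not handled; WordPress installs have none.)
wp_manifest() {
  ( cd "$1" && find . -type f -print | LC_ALL=C sort | while IFS= read -r f; do
      sha256sum "$f"
    done )
}

# Compare a saved manifest against the live tree and print one line per
# difference: ADDED (new file), CHANGED (hash differs), REMOVED (file gone).
# Run this from cron after taking the baseline on a known-clean install.
wp_diff_manifest() {
  root="$1"; baseline="$2"
  current=$(mktemp)
  wp_manifest "$root" > "$current"
  awk -v b="$baseline" '
    FILENAME == b { base[$2] = $1; next }   # first file: the saved baseline
    { cur[$2] = $1 }                        # second file: the live tree
    END {
      for (p in cur)  { if (!(p in base)) print "ADDED " p; else if (cur[p] != base[p]) print "CHANGED " p }
      for (p in base) { if (!(p in cur)) print "REMOVED " p }
    }' "$baseline" "$current" | sort
  rm -f "$current"
}

# List PHP-like files under wp-content/uploads. That directory is meant for
# media only, so any hit is worth a look (and usually a restore from backup).
wp_php_in_uploads() {
  find "$1/wp-content/uploads" -type f \
    \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) -print 2>/dev/null | sort
}

# Build a small constructed WordPress-like tree for the demo below.
build_sample_site() {
  root="$1"
  mkdir -p "$root/wp-content/uploads/2014/01" "$root/wp-content/themes/sample"
  printf '<?php /* core placeholder */\n' > "$root/index.php"
  printf '<?php define("DB_NAME", "wp");\n' > "$root/wp-config.php"
  printf 'PNG placeholder\n' > "$root/wp-content/uploads/2014/01/logo.png"
  printf '<?php /* theme placeholder */\n' > "$root/wp-content/themes/sample/functions.php"
}

# Demo: take a baseline on the clean tree, then simulate two changes the
# post describes finding (an unexpected file in uploads, an edited config).
demo() {
  site=$(mktemp -d)
  build_sample_site "$site"
  wp_manifest "$site" > "$site.baseline"
  echo "== baseline taken, uploads scan on clean tree (expect nothing):"
  wp_php_in_uploads "$site"
  printf '<?php /* constructed stand-in for an unexpected file */\n' \
    > "$site/wp-content/uploads/2014/01/stray.php"
  printf 'edited\n' > "$site/wp-config.php"
  echo "== changes since baseline:"
  wp_diff_manifest "$site" "$site.baseline"
  echo "== PHP files under uploads:"
  wp_php_in_uploads "$site"
  rm -rf "$site" "$site.baseline"
}

demo
```

Keep the baseline manifest outside the web root (and ideally off the server), otherwise anything that can write to the site can also rewrite the record of what the site should look like.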
Sometimes you need a little push, to force you to adapt. External forces are great for getting us out of our comfort zones. But we can choose to adapt, as well. For instance, if you’re still unsure about getting into the Social Media thing, it’s easy enough to do some reading, learn a little more about it. Consult some experts or experienced users – Facebook and Twitter users are everywhere; I’ll bet you know someone who will be willing to talk to you about his or her experiences. Decide if it’s for you (if you’re reading this and you’re not already using Social Media in some way, chances are you’re at least a little interested). And then jump in … to the shallow end. Facebook and Twitter might be scary at first…
But not nearly as scary as the deep end of a hacked website.
