A while back I went to my painting portfolio website late at night to change something and witnessed the heart-breaking and always dreaded message put in place by a hacker. What did it say? Just the obvious that I had been hacked, but in Russian. The design was terribly ugly, as I assume he meant for it to be. In an instant I responded by FTP-ing to the site and at first glance it didn’t look too bad. I was able to replace his index file with my copy. My site appeared to be back to normal and my heart was at rest for a moment as I thought I was clever by being able to respond so quickly. Unfortunately, I had not had much previous experience with being hacked.
Having it happen late at night was to my disadvantage, as I was ready for sleep and didn't think things through concerning the reality of this threat and the steps to take. I did some, but should have done more. To reassure myself that it was just the one site, I checked the other sites I host; some were fine, while others had also been hacked by the same source. I followed the same protocol, deleting his files, but now my stomach truly sank, as I knew clients were involved and they would be emailing and calling at any moment, alerting me to the brutal truth. This turned out to be the beginning of a two-week-long nightmare of fighting the hacker's damage and getting my sites back to normal.
What happened next is what I regret most about the experience. After deleting and replacing website homepages in response to the attack, I decided it was enough for the night, as my sites seemed fine and I assumed the hack had passed. Never do this! What I should have done was at least take further action, such as alerting my hosting company, or take my sites offline until it was confirmed the threat had been dealt with. Instead, when I woke up the next morning, the hideous messages were back and, even worse, all the WordPress-based sites had been attacked more thoroughly: every folder that held a site had been deleted. Now it really felt like a war was going on, and even though I had no desire to be part of it, I was losing.
Looking back, there were several things I thankfully did immediately, and some precautions I took that state the obvious, but here are five points worth mentioning, before and after you've been hacked.
Make sure you have your sites backed up! BackupBuddy!
Even though I thought I had all my sites backed up, some things were missed. Make sure your backups are as current as possible: if clients are adding and changing content on their site, no backup is taking place unless you do it manually or implement something like BackupBuddy. Without BackupBuddy, that means downloading all site files and theme files, exporting the database, and, if you are using WordPress, making sure the "uploads" folder is downloaded as well. This is rather tedious and time-consuming. If I had only known BackupBuddy existed, I would have been saved all of this trouble, and I now recommend it to everyone I talk to who uses WordPress. It does everything for you, can be set to refresh your backups weekly or on command, and lets you restore a site from a remote location in about five minutes if it ever gets hacked. It has numerous other benefits worth checking out.
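For anyone doing the manual version of this, here is an added example (not code from the original post, and not how BackupBuddy works internally) of the "download the files and export the database" routine for one WordPress site. It assumes the standard layout with wp-config.php in the site root, reads the database credentials from that file, archives the whole tree so the uploads folder cannot be forgotten, and dumps the database next to the archive. The site path, backup directory and the sample wp-config.php it builds are all constructed for the example.

```shell
#!/bin/sh
# Added example: manual WordPress backup (files + database dump).
# Site path, backup directory and sample config are hypothetical.
set -eu

# Print the value of define('NAME', 'value') from a wp-config.php.
wp_config_value() {
    name="$1"; config="$2"
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]${name}['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$config" | head -n 1
}

# Archive the whole site tree (themes, plugins and the easy-to-forget uploads
# folder) and dump its database alongside. Prints the archive path.
backup_site() {
    site="$1"; outdir="$2"
    config="$site/wp-config.php"
    [ -f "$config" ] || { echo "no wp-config.php in $site" >&2; return 1; }
    mkdir -p "$outdir"
    stamp=$(date +%Y%m%d-%H%M%S)
    label="$(basename "$site")-$stamp"
    tar -czf "$outdir/$label.tar.gz" -C "$site" .
    db=$(wp_config_value DB_NAME "$config")
    user=$(wp_config_value DB_USER "$config")
    pass=$(wp_config_value DB_PASSWORD "$config")
    host=$(wp_config_value DB_HOST "$config")
    if command -v mysqldump >/dev/null 2>&1; then
        # MYSQL_PWD keeps the password out of the process list (ps).
        MYSQL_PWD="$pass" mysqldump --single-transaction -h "${host:-localhost}" -u "$user" "$db" \
            | gzip > "$outdir/$label.sql.gz"
    else
        echo "mysqldump not found: files archived, database NOT dumped" >&2
    fi
    echo "$outdir/$label.tar.gz"
}

# Constructed sample site so the routine can be run offline.
build_sample_site() {
    site="$1"
    mkdir -p "$site/wp-content/uploads/2019/03" "$site/wp-content/themes/mytheme"
    cat > "$site/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'demo_db' );
define( 'DB_USER', 'demo_user' );
define( 'DB_PASSWORD', 'not-a-real-password' );
define( 'DB_HOST', 'localhost' );
EOF
    printf '<?php // front controller\n' > "$site/index.php"
    printf '<?php // theme\n' > "$site/wp-content/themes/mytheme/functions.php"
    printf 'binary jpeg data would go here\n' > "$site/wp-content/uploads/2019/03/photo.jpg"
}

work=$(mktemp -d)
build_sample_site "$work/site"
archive=$(backup_site "$work/site" "$work/backups")
echo "archived to $archive"
tar -tzf "$archive" | grep uploads
rm -rf "$work"
```

Two caveats the script does not solve for you: copy the archive off the host (a backup that lives on the compromised server is lost or altered along with everything else, which is why the "remote locations" part of BackupBuddy matters), and keep several generations, because a backup taken after the break-in faithfully preserves the attacker's files too.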
Change your passwords
While struggling to get sites back online, I noticed that the affected sites were all the ones I hosted under a single master username and password, because those clients never needed access, only I did. This was a bad practice. I realized I had recently worked with someone overseas and allowed them to log in with my master username and password; even if they mean no harm, their machine might be compromised, which is what I believe may have happened. I now create a separate user and password for each individual site, especially for clients, even if they don't ask for it. This way you at least limit the damage by isolating sites if an attack comes in through a compromised user account.
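The same isolation principle applies to the database account each site uses, and that is the one you can audit from files on disk. The following is an added example, not part of the original post: it walks a hosting root laid out as one directory per site (an assumption), pulls DB_USER and DB_HOST out of every wp-config.php, and reports any database account shared by more than one site. With a shared account, whoever reads one site's wp-config.php has every one of those databases; separate accounts contain the damage the way the author describes for login credentials. The sample sites it builds are constructed for the example.

```shell
#!/bin/sh
# Added example: find WordPress sites that share one database account.
# Layout assumption: $root/<site>/wp-config.php, one directory per site.
set -eu

# Print the value of define('NAME', 'value') from a wp-config.php.
wp_config_value() {
    name="$1"; config="$2"
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]${name}['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$config" | head -n 1
}

# Prints one line per database account used by more than one site:
#   user@host: siteA siteB ...
# Passwords are never read or printed; the user@host pair is the account.
find_shared_db_creds() {
    root="$1"
    for config in "$root"/*/wp-config.php; do
        [ -f "$config" ] || continue
        user=$(wp_config_value DB_USER "$config")
        host=$(wp_config_value DB_HOST "$config")
        printf '%s@%s\t%s\n' "$user" "${host:-localhost}" "$(basename "$(dirname "$config")")"
    done | sort | awk -F'\t' '
        { n[$1]++; sites[$1] = sites[$1] " " $2 }
        END { for (k in n) if (n[k] > 1) print k ":" sites[k] }' | sort
}

# Helper for the constructed sample: write a minimal wp-config.php.
write_wp_config() {
    cat > "$1/wp-config.php" <<EOF
<?php
define( 'DB_NAME', '$2' );
define( 'DB_USER', '$3' );
define( 'DB_PASSWORD', 'constructed-for-example' );
define( 'DB_HOST', 'localhost' );
EOF
}

# Constructed hosting root: siteA and siteB were set up on one "master"
# database account, siteC got its own.
build_sample_hosting_root() {
    root="$1"
    mkdir -p "$root/siteA" "$root/siteB" "$root/siteC"
    write_wp_config "$root/siteA" sitea_db wpmaster
    write_wp_config "$root/siteB" siteb_db wpmaster
    write_wp_config "$root/siteC" sitec_db sitec_user
}

work=$(mktemp -d)
build_sample_hosting_root "$work"
shared=$(find_shared_db_creds "$work")
if [ -n "$shared" ]; then
    echo "shared database accounts:"; echo "$shared"
else
    echo "no shared database accounts"
fi
rm -rf "$work"
```

Run it against the real hosting root and every line it prints is a site pair that should get its own database user and password; the WordPress admin and FTP/SFTP accounts still have to be separated by hand, as the author did.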
Alert others such as your host.
After changing all the passwords and getting some of my sites back up, I consulted another developer for advice. He noticed two hidden files in the root directory of that master user that I had missed; they kept the hacker's scripts running on a timer, attacking continuously, and would have gone on doing so if they hadn't been found. My hosting provider also alerted me to other suspicious hidden files within the sites, likely placed by the hacker.
Update everything and run a scan
Following my hosting provider's advice, I made sure all plugins and WordPress versions were updated. A fellow developer also recommended running some scans to make sure the harmful code had been removed. We used Sucuri Scan for this.
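Whichever scanner you use, it is worth looking on disk yourself as well: a scanner that fetches your pages over HTTP cannot see a dormant file that is never served, which is exactly the kind of leftover (the hidden files in the master user's root, the scripts re-attacking on a timer) described under "Alert others" above. Here is an added example, not code from the original post or from Sucuri, of that on-disk hunt over a WordPress tree: hidden dotfiles other than .htaccess, PHP files under uploads (a tree that should only hold media), anything modified since the suspected date of compromise, PHP that feeds decoded data to eval, and the account's cron entries. The compromised sample site it builds, the planted file names and the 14-day window are all constructed for the example; the patterns are starting heuristics, not a complete malware signature set.

```shell
#!/bin/sh
# Added example: hunt for attacker leftovers in a WordPress install.
# Sample site, file names and the day window are hypothetical.
set -eu

# List likely leftovers under $site. $days (default 14) bounds the "recently
# modified" check; set it from the date you first saw the defacement.
scan_site() {
    site="$1"; days="${2:-14}"
    # 1. Hidden files and directories. .htaccess is the one dotfile WordPress
    #    legitimately uses; the files the author missed were dotfiles like these.
    find "$site" -mindepth 1 -name '.*' ! -name '.htaccess' | sed 's/^/hidden: /'
    # 2. PHP anywhere under uploads: that tree should contain only media.
    find "$site/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' \) 2>/dev/null \
        | sed 's/^/php-in-uploads: /'
    # 3. Anything modified inside the window; compare these against a clean copy.
    find "$site" -type f -mtime "-$days" | sed 's/^/recent: /'
    # 4. PHP that hands decoded or inflated data to eval/assert, the usual
    #    shape of a dropped web shell or injected loader.
    find "$site" -type f -name '*.php' -exec grep -lE \
        '(eval|assert)[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)' {} + \
        | sed 's/^/obfuscated: /' || true
}

# Cron is where "attacks on a timer" usually live; print the account's
# non-comment entries (empty on hosts without a crontab).
list_cron_jobs() {
    crontab -l 2>/dev/null | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' \
        | sed 's/^/cron: /' || true
}

# Constructed sample: an old, legitimate install plus two planted files.
build_compromised_site() {
    site="$1"
    mkdir -p "$site/wp-content/uploads/2019/03" "$site/wp-content/themes/mytheme"
    printf '<?php // legitimate front controller\n' > "$site/index.php"
    printf 'RewriteEngine On\n' > "$site/.htaccess"
    printf '<?php // theme\n' > "$site/wp-content/themes/mytheme/functions.php"
    printf 'binary jpeg data would go here\n' > "$site/wp-content/uploads/2019/03/photo.jpg"
    # Backdate everything legitimate so it looks like an old install.
    find "$site" -type f -exec touch -t 201901010000 {} +
    # Planted leftovers (constructed): a hidden obfuscated shell in the root
    # and a PHP file dropped into uploads. Both keep their fresh mtime.
    printf '<?php eval(base64_decode($_POST["c"])); ?>\n' > "$site/.cache.php"
    printf '<?php system($_GET["cmd"]); ?>\n' > "$site/wp-content/uploads/2019/03/image.php"
}

work=$(mktemp -d)
build_compromised_site "$work"
scan_site "$work" 14
list_cron_jobs
rm -rf "$work"
```

Order matters: remove what this turns up (and the cron entries) before changing passwords and updating, otherwise the timer the author ran into simply puts the attacker back after you finish. Updating WordPress and plugins closes the hole that let the attacker in; it does not remove the files he left behind.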
Back up again and again
Once things were back in order, after two weeks of headaches and anxiety, I was at least reassured that I could back up my sites regularly with BackupBuddy, and if anything like this happens again it will be a breeze compared to what I had just gone through.