A while ago my wife sat quietly at her computer, responding to comments on our blog. “John,” she frantically shouted, “something’s wrong with our website. Nothing is coming up.”
Everything had been deleted and replaced with a single file enticing people to enter their Chase Bank username and password. Dozens of thoughts raced through my mind as I slumped in my chair.
“When was the last time I did a backup?”
“How am I going to fix this?”
“Was anyone compromised by using our site?”
“Was our WordPress database still intact; are the thousands of links still valid?”
“Were the hundreds of hours my wife and I spent meticulously putting captions on the thousands of photos in our gallery all in vain?”
Fortunately the databases were untouched and our host service restored a copy of the backup they took a few days before our site was hacked. Our blog was down for a day and a half but, after an enormous hassle with our host provider, a fifty dollar restoration fee, and some configuration adjustments, our site was back to its original state. The only things we lost were a few comments.
At this point I concluded I must take security seriously or, I should say, much, much more seriously. The entire next two days I spent scouring the web researching web security. I was shocked to learn how many sites have been hacked and overwhelmed by all the different ways hackers can break into a site. The hardest part of the research was sifting through all the advice posted by people who don’t know what they are talking about.
Here’s what I learned about how to protect your site and the solutions I came up with. Maybe our attack can prompt you to take measures to protect your site so you won’t be staring at a blank screen.
If a site is hacked, the attack originates from one of three places:
- The host’s server
- The connection between your computer and the host’s server, where confidential information can be intercepted in transit
- Your home computer
Your host’s server
This is a fairly common point of attack. Hackers embed scripts into your code or put harmful files in your site. The code or files could be anywhere or anything: html files, WordPress code, or configuration files to name a few.
I took care of this by updating WordPress and all other programs we are using (which should always be done regardless!). I didn’t just click the update button on the admin dashboard; I saved a few critical files and then deleted ALL WordPress files. I then replaced all the files I deleted with safe, updated files I downloaded from the WordPress website.
The few critical files I saved were visually scanned using a text editor for embedded malicious script and uploaded back to the site, replacing the ones I downloaded from WordPress and the other programs. In this way I’m guaranteed that all harmful files have been eradicated.
I also replaced all the html files with the ones I had on my home computer which I knew were safe.
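The replacement step above can be cross-checked by hashing the site's files against a freshly downloaded WordPress copy of the same version and listing anything changed or unexpected. This is an added example, not the author's own procedure; the function names, the allowlist and the sample files are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

SCRIPT_SUFFIXES = {".php", ".phtml", ".js", ".html", ".htm"}
UPLOADS = "wp-content/uploads/"   # media lives here; scripts should not

def tree_hashes(root):
    """Map every file path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_to_clean(site_root, clean_root, allowlist=("wp-config.php",)):
    """Return (modified, unknown) for a site tree versus a clean copy.
    modified: files in both trees whose contents differ.
    unknown:  site-only files not in the allowlist; under uploads only
              script-like files are reported, since media is expected."""
    site, clean = tree_hashes(site_root), tree_hashes(clean_root)
    modified = sorted(f for f in site if f in clean and site[f] != clean[f])
    unknown = []
    for f in sorted(set(site) - set(clean)):
        if f in allowlist:
            continue
        if f.startswith(UPLOADS) and Path(f).suffix.lower() not in SCRIPT_SUFFIXES:
            continue
        unknown.append(f)
    return modified, unknown

def demo():
    """Build two small constructed trees on disk and compare them."""
    clean_files = {"index.php": "<?php // core", "wp-login.php": "<?php // login"}
    site_files = {
        "index.php": "<?php // core",
        "wp-login.php": "<?php // login\n// constructed: extra injected line",
        "wp-config.php": "<?php // site settings",
        "wp-content/uploads/photo.jpg": "constructed image bytes",
        "wp-content/uploads/gallery.php": "<?php // constructed stray script",
        "signin.html": "<html>constructed page, not part of WordPress</html>",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, files in (("clean", clean_files), ("site", site_files)):
            for rel, text in files.items():
                path = Path(tmp, name, rel)
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_text(text)
        return compare_to_clean(Path(tmp, "site"), Path(tmp, "clean"))
```

Anything reported as modified or unknown still needs a manual look; themes and plugins will show up as unknown unless their clean copies are added to the reference tree.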
On another note: your host’s server could be infected and a hacker could gain access to your site this way. There is little you can do about this. Google can let you know how many infections your provider’s server has had, which will give you an idea of how safe it may be. Check out this link: www.google.com/safebrowsing/diagnostic?site=YourProvider.com (substitute YourProvider.com with the URL of your provider).
Interception between your computer and the host’s server
Information such as passwords can be intercepted in cyberspace as they are sent from one place to another. One way to prevent this is by encrypting the information using an SSL connection. Since in my case this is a relatively rare occurrence I will look into this only if I get hacked again.
Your home computer
This is the most common way your site can be compromised. Hackers can infect your home computer and then through it gain access to your website. They place malware on your computer which can steal your passwords (and other private information). I spent most of my time dealing with this threat.
The first order of business was cleaning all the malware off my computer. I did this using a free program called Ad-Aware and found over fifty instances of malware. We thought Norton was protecting us, but it turned out it wasn’t.
Since you are never guaranteed to be 100% malware free, critical passwords must be protected. I came up with an elegant and simple solution to protecting my WordPress admin and FTP passwords using a free program called KeePass.
I also found out that my FTP program, FileZilla, wrote my password to a text file that was vulnerable to hackers. With a simple change to the configuration file, I prevented this from happening. I wrote detailed instructions on how to make this change.
We learned an important lesson by being hacked and have responded by beefing up our security. My hope is that you pay attention to security BEFORE it is too late. If you care about your blog or website, it’s worth the extra time to set up some security features now.