Yep, I got hacked!

Well, that happened faster than I thought.

Yesterday, I spent quite a few hours rebuilding my blogs, as nearly all of them managed to get hacked. It was a porn-site redirection attack, inserting JavaScript into each and every PHP page in the WordPress system.

It started with one blog, but by midday, it had spread to three of my four sites. The site that got hit first was the newest one, so it was surprising that a site with very little traffic was indeed a target to someone out there.

While this issue is never fun to deal with, I expected it would happen at some point, and took the appropriate precautions. They saved my bacon.

Luckily, I have a few friends in the security world, who had armed me properly for how to identify and overcome an attack like this. They also had me prepare to block such attacks, but in this case the hacker found a way around the defenses. That’s not unusual, as new attacks are created every day, and tools like WordPress firewalls and exploit scanners only update so fast.

So, how do you prepare for a potential attack?

1 – Prep your site. Install plug-ins to ward off the more common attacks before they hit. The WordPress Firewall and Exploit Scanner can help quite a lot with this. Both tools were able to deflect quite a few attempts to access my sites before whoever got there yesterday found a back door.

2 – Know what’s on your site – always. There’s a great plugin called WordPress File Monitor that scans your files regularly to see if anything has changed, and alerts you by email when it finds anything that has changed. Sometimes, it gets annoying, but this time it let me know that all my WordPress files had changed at once. This was something that allowed me to address and fix the problem so much faster than I would have been able to do otherwise.

3 – Back everything up. There are plugins that can back up entire WordPress sites – with their content databases – to Amazon S3, Dropbox, or your hard drive. Use them! If you do get attacked, you will have to restore from a backup, and so you better have one handy. I had been backing up, but a configuration error meant that many posts were lost. I have copies, but that will take some time to restore manually.

Luckily for me, I saw the attack happen, confirmed it, and started cleaning up everything all within hours of the actual attack. That kept my readers safe and my headaches limited to the fact that I mis-configured my backup and lost some posts.

And if you do get hacked?

@Snipeyhead – a noted WordPress Security expert – has posted a great guide on what to do next. You can find it via this link. [Note, she does not pull punches, verbally or visually, so her site is very mildly NSFW] The article is a bit old, but the strategy is sound, well researched, and spot-on still today. Follow the process she shows in that post, and recover what got hit before your visitors get infected by drive-by downloads or you lose face due to defacing of your sites.

Remember, change ALL passwords, including the FTP/sFTP logins and your web host login. That’s in addition to the site logins, database logins/users, and any other security info you have on your site. If you can’t identify how you got hacked, then play it safe and change everything.

Now that everything is back online, I can say I weathered the storm. It can be MUCH worse, and it’s never fun, but you can indeed overcome attacks against your site quickly and effectively if you prepare ahead of time.

Photo Credit: neoliminal
