My WordPress Site Was Hacked. How could I recover?

You may have noticed that I haven’t been posting much lately. This week was a total bust. I didn’t have any fun, new crafts. I didn’t have a tasty new recipe. I didn’t even have my Alexa Friday.

That’s because I spent the time I normally spend writing cleaning up after a hack.

I was totally unaware of the hack until Google sent me an email alerting me to some unsavory pages appearing on my site. Pages that were garbage and spammy and clearly not mine. I started by manually hunting down those pages in my website’s control panel, but I knew I couldn’t stop there. Clearly, there was some sort of vulnerability the hackers exploited. As long as that vulnerability existed, I was in danger of continued hacks.

I spent a lot of time combing through my folders, looking for files that didn’t belong. I googled files that didn’t seem right. What the hell is tinymce.php anyway? (Turns out, that file was actually necessary!) It seemed that as quickly as I found bad files, new bad files would pop up. I couldn’t stay on top of it.

Furthermore, the hacker modified important pages, such as my index.php and more. I was throwing errors everywhere. What was worse, though, is when I didn’t throw an error. If you forgot to enter the final / when typing a page address, it wouldn’t throw a 404 error. It just went blank. If you typed a partial address, it didn’t redirect you to the complete post. It just went blank.

What was I going to do? I couldn’t spend forever cleaning up the hack, but I couldn’t find the vulnerability.

I did a clean reinstall of my whole site instead.

I saved all of my images and I backed up my SQL database. Then, I did the scariest thing yet. I deleted all of my WordPress files from my website. YIKES! Using Filezilla (I LOVE FILEZILLA!), I uploaded the newest version of WordPress to my site. I wanted to manually do it to make sure I saw what was going on and where things were going. It was a tedious process, but I did it.
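The manual hunt for files that didn't belong and for modified pages such as index.php can be automated by hashing the site's files against a freshly downloaded copy of the same WordPress version. The script below is an added example, not part of the original post; the function names and the sample trees in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare_to_clean(site_dir, clean_dir):
    """Classify files in site_dir against a clean reference copy."""
    site, clean = hash_tree(site_dir), hash_tree(clean_dir)
    return {
        # Present on the site but not in the clean copy: review each one.
        "added": sorted(set(site) - set(clean)),
        # Same path, different content: e.g. a tampered index.php.
        "modified": sorted(f for f in site.keys() & clean.keys() if site[f] != clean[f]),
        # In the clean copy but gone from the site.
        "missing": sorted(set(clean) - set(site)),
    }


def demo():
    """Build two small constructed trees (not real WordPress files) and compare."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = Path(tmp, "clean"), Path(tmp, "site")
        files = {"index.php": "<?php // loader", "wp-includes/version.php": "<?php // version"}
        for root in (clean, site):
            for rel, body in files.items():
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(body)
        # Simulate the damage described above on the constructed site copy.
        (site / "index.php").write_text("<?php // loader + injected line")
        (site / "wp-includes" / "extra.php").write_text("<?php // unknown file")
        (site / "wp-includes" / "version.php").unlink()
        return compare_to_clean(site, clean)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Themes, plugins and uploaded images are not in a clean WordPress download, so they will always be listed under "added" and need a manual look rather than automatic deletion.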

Now that I had a clean, unhacked copy of WordPress, I wanted to protect it. I asked around, and my first — and least expensive — step is to secure my site in WordPress. I’m currently using the iThemes Security plugin. It has a great base of free features, and offers further protection for a fee.

My next steps? Purchasing firewall protection for my site. It’s not cheap, and this site isn’t turning much of a profit yet. I’m still researching to see which firewalls provide the best bang for the buck, and if there are any firewall services that offer a free trial while I compare options.

Any suggestions? Have any of you been hacked, and if so, what resources do you recommend?

