My site was hacked into last week, and it’s led to all sorts of problems.
It all started on Wednesday, September 30th, when I arrived in NYC to find that my blog had been down all day because of bandwidth issues. Bandwidth is the transmission capacity of a website. I pay for a certain amount each month, and had reached my limit. It was the last day of the month, so I didn’t find this to be particularly strange. I thought maybe I had a sudden surge in traffic, so I checked my stats.
Average traffic that day. Maybe even a little less than usual.
It didn’t make sense, but I brushed it off. MomWebs fixed my problem within minutes, and I was able to enjoy the rest of my stay in New York with no further problems.
And then it happened again.
It didn’t get to the point where my website shut down, but I did notice a huge chunk of bandwidth used up on Sunday, October 4th. Same for the first 3 days of the month. More than 25% of my allotted bandwidth gone. In four days. At this rate, my site would crash again within a week!
I found that the culprit – the person using up all my bandwidth – was one IP address located in Russia.
I blocked it from accessing my site, but I know that it’s just as easy to get a new IP, so I had to do more than that. I dug deeper.
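Here is one way to do that check from the raw access log rather than by eyeballing awstats. This is an added example, not something from the original post: it parses Apache "combined"-format log lines (the data cPanel's awstats is built from), adds up response bytes per client IP, flags any IP that used more than a chosen share of the total, and renders an Apache 2.4 `.htaccess` block for those IPs. The log lines, IP addresses and threshold are all constructed for the example.

```python
"""Find which client IPs are eating bandwidth, from web-server access-log lines.

Added example, not from the original post. Parses Apache "combined"-format
lines, sums response bytes per IP, flags heavy consumers, and renders an
Apache 2.4 <RequireAll> block that denies them. All sample data is constructed.
"""
import re
from collections import defaultdict

# ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample: one IP pulling large files out of an injected directory,
# two ordinary visitors. "-" in the bytes field means nothing was sent (e.g. 304).
SAMPLE_LOG = """\
203.0.113.7 - - [04/Oct/2009:10:01:12 -0400] "GET /feed/ HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
198.51.100.5 - - [04/Oct/2009:10:01:15 -0400] "GET / HTTP/1.1" 200 15320 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Oct/2009:10:01:16 -0400] "GET /xhudq/winfrey.txt HTTP/1.1" 200 910044 "-" "-"
203.0.113.7 - - [04/Oct/2009:10:01:17 -0400] "GET /xhudq/marajuana.php HTTP/1.1" 200 720311 "-" "-"
198.51.100.5 - - [04/Oct/2009:10:02:01 -0400] "GET /style.css HTTP/1.1" 304 - "-" "Mozilla/5.0"
192.0.2.44 - - [04/Oct/2009:10:02:30 -0400] "GET /about/ HTTP/1.1" 200 12001 "-" "Mozilla/5.0"
"""


def bytes_per_ip(log_text):
    """Map each client IP to the total response bytes it was served."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        size = m.group("bytes")
        totals[m.group("ip")] += 0 if size == "-" else int(size)
    return dict(totals)


def top_consumers(log_text, min_share=0.25):
    """IPs whose share of all bytes served is at least min_share, heaviest first."""
    totals = bytes_per_ip(log_text)
    grand = sum(totals.values())
    if grand == 0:
        return []
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return [(ip, n) for ip, n in ranked if n / grand >= min_share]


def htaccess_block(ips):
    """Apache 2.4 .htaccess fragment denying the given IPs and allowing everyone else."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in ips]
    lines.append("</RequireAll>")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    heavy = top_consumers(SAMPLE_LOG)
    for ip, n in heavy:
        print(f"{ip}: {n} bytes")
    print(htaccess_block([ip for ip, _ in heavy]))
```

The `.htaccess` syntax is for Apache 2.4; older 2.2 hosts use `Order allow,deny` / `Deny from` instead. Because the post notes an attacker can simply move to a new IP, the point of the script is the ranking, which you would re-run each day, rather than any single block entry.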
It hit me that my email newsletter hadn’t gone out in a couple of days. Yes, I subscribe to my own feed just for that reason. I used Feed Validator to troubleshoot, and it gave me an error: column 0: XML parsing error: <unknown>:351:0: junk after document element. I wasn’t sure if this had anything to do with my bandwidth problem, but I knew I had to fix it right away.
I looked through my blog’s files in cPanel, trying to find the RSS source. This is when I noticed folders with strange names in my blog directory. Something like xhudq and gheizi. Just nonsense, basically. I opened those folders to find hundreds of text and PHP files, named everything from marajuana to winfrey. Weird filenames. Some of the text files contained nothing but IP addresses, one after the other.
At this point – as you can imagine – I was freaking out. I couldn’t believe that someone had hacked into my personal website. I found that “junk” – yes, that’s the official name for it – was added to my code. This kept it from working properly, which is what broke my feed. I had to go through each individual PHP file to find and delete anything out of the ordinary.
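Going through every PHP file by hand is exactly the step a script can shortcut. The following is an added example, not the post's method or anything from MomWebs or WordPress: it walks a WordPress document root and reports the three things described above, namely top-level directories that are not part of a stock install, PHP files carrying common obfuscation calls (including any PHP at all under `wp-content/uploads`, where there should be none), and `.txt` files that are nothing but lists of IP addresses. It builds a throwaway tree in a temporary directory so it runs offline; the directory names, file contents and the "known directories" set are constructed assumptions, and the heuristics are a triage aid, not proof of compromise.

```python
"""Triage a WordPress docroot for injected directories, obfuscated PHP and IP-list files.

Added example, not the post's own method. build_sample_tree() creates a
constructed WordPress-like tree in a temp dir; point scan_tree() at a real
docroot to use it for real. The heuristics are a starting point for a human
review, not a verdict.
"""
import os
import re
import shutil
import tempfile

# Assumption: directories a stock install is expected to have at top level.
# Extend this with anything legitimate your host adds (e.g. cgi-bin).
KNOWN_TOP_LEVEL = {"wp-admin", "wp-content", "wp-includes", "cgi-bin"}

# Calls that are rare in legitimate theme/core code but common in injected scripts.
SUSPICIOUS_PHP = re.compile(
    r"\b(?:eval|base64_decode|gzinflate|str_rot13|assert)\s*\(", re.I)
IP_LINE = re.compile(r"^\s*\d{1,3}(?:\.\d{1,3}){3}\s*$")


def is_ip_list(text):
    """True when every non-blank line is a bare IPv4 address (and there is at least one)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return bool(lines) and all(IP_LINE.match(ln) for ln in lines)


def scan_tree(root):
    """Return sorted (reason, relative_path) tuples that deserve a human look."""
    findings = set()
    for name in os.listdir(root):
        if os.path.isdir(os.path.join(root, name)) and name not in KNOWN_TOP_LEVEL:
            findings.add(("unknown-dir", name))
    uploads = os.path.join(root, "wp-content", "uploads")
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip, keep scanning the rest
            if fn.lower().endswith(".php"):
                if SUSPICIOUS_PHP.search(data):
                    findings.add(("obfuscated-php", rel))
                if os.path.commonpath([path, uploads]) == uploads:
                    findings.add(("php-in-uploads", rel))
            elif fn.lower().endswith(".txt") and is_ip_list(data):
                findings.add(("ip-list", rel))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed WordPress-like tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    files = {  # all contents constructed for the example
        "index.php": "<?php define('WP_USE_THEMES', true); require './wp-blog-header.php';\n",
        "wp-admin/index.php": "<?php require_once __DIR__ . '/admin.php';\n",
        "wp-includes/version.php": "<?php $wp_version = '2.8.4';\n",
        "wp-content/themes/default/style.css": "/* Theme Name: Default */\n",
        "wp-content/uploads/2009/10/image.jpg": "",
        "wp-content/uploads/2009/10/cache.php": "<?php eval(base64_decode('PLACEHOLDER'));\n",
        "xhudq/winfrey.php": "<?php echo gzinflate(base64_decode('PLACEHOLDER'));\n",
        "xhudq/marajuana.txt": "198.51.100.23\n203.0.113.7\n\n192.0.2.18\n",
        "gheizi/readme.txt": "just some words\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        for reason, rel in scan_tree(root):
            print(f"{reason:15} {rel}")
    finally:
        shutil.rmtree(root)
```

A clean `index.php` and the theme stylesheet come back with no findings, while the two nonsense directories, the IP list and the two obfuscated PHP files are reported. Anything flagged `obfuscated-php` still needs a look by eye, since a legitimate plugin can use `base64_decode` too; the value is in shrinking hundreds of files down to a handful.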
MomWebs offers a hack recovery service for a small fee, but I decided I needed to get to the bottom of it myself in case it ever happens again. I spent hours trying to figure out the extent of the damage, and I think I’ve finally fixed it all… it’s definitely been an eye-opening experience.
My advice?
- Back up your files often.
- Change your cPanel and WordPress passwords every few weeks… and use a STRONG password.
- Upgrade to the new WordPress software when it’s released. It’s easy; don’t put it off. Many updates fix security issues from previous versions.
- Don’t link to WordPress. It used to say “powered by WordPress” in my footer, but I removed that. It’s like telling hackers “Hey! I’ve got WP! Come and get me!” You know?
*Update* – After doing more research, I found that there are other ways for hackers to see that you have WordPress… the version stated in your source (delete that!) and the various files that use WP prefixes. 10 Tips to Make WordPress Hack-Proof shows you how to change this.
- Check your awstats (advanced web statistics) frequently. In your cPanel dashboard, go down to Logs, then awstats.
- Break your comments into several pages. This isn’t a safety issue, but cuts down on bandwidth use.
- Check to make sure that only authorized users have access to your WordPress account (look under Authors & Users).
- There are other methods of hardening WordPress that I am going to look into, including a few plugins that were recommended to me by @YourGoToGuy on Twitter.
I apologize to those that subscribe to my feed by email, as that feature hasn’t been working since Friday. I cleaned it all up, so it should be back to normal today, but only time will tell. If you don’t receive an update by midnight tonight, someone please leave a comment to let me know!
SuburbanOblivion says
It’s a simple matter of checking the page source to see what CMS you are using, so taking the WP link out of the footer does nothing.
Shot in the dark, but I’m guessing your WordPress install wasn’t up to date?
Mariana says
I did a little more research and found a few ways to “hide” the fact that I use WordPress (removing the version # from the source and changing the WP prefix on files, etc).
I upgraded to 2.8.4 over a month ago, so that wasn’t the issue. I have a feeling it might have been a cPanel breach…
Crazy Larry says
this is a good one thanks
Lauralee Hensley says
I’m not a blogger, but a while back there was a hacker piggybacking on my email. The reason I found out was I wasn’t getting all the email I normally do in a day and there was an exclamation point on my email file and a yellow caution triangle. So I contacted my email provider. They said my email was out of sequence, so someone else was using it from another computer and was using another format. I asked my husband if he was using it from his computer since he doesn’t have Windows XP, and he said no. My provider sent me up the command to a highly trained tech and I explained it wasn’t my husband, and how was I supposed to get it back in sequence and what was causing this. He told me most likely a hacker got my email address from either a forwarded email where all the recipients’ addresses are visible to each and every forwarded recipient (which might be because a girlfriend was always doing that, even when I asked her to stop it), or he said if I went to blogs where your email could be seen by other people, not just the owner of the blog.
He said hackers have been going to blogs, especially mother blogs, and getting email addresses of people who enter giveaways, contests or post comments there. Then they take these email addresses and put them together with a computer disc that has several hundred thousand common passwords. He said when they get a match, they hack into your system, and can start piggybacking on your email. That means use it to send out their email, but have people respond back to another email that is really their own. They do this to cut spam advertising expenses, or to do other illegal activities. The tech looked into it and they found out where the piggybacking was coming from. They stopped it. I don’t know if they took legal steps against this hacker or not, and I don’t know what country it was even from. Yet, I did get an email a few days later and I didn’t open it. It said it was from I think a Winifred B. Snodgrass, or a Willimenia B. Snodgrass or something like that, and the short message said, “Because of you I can’t send my email.” I didn’t open it, but I imagine they were going to hit me with a virus or something if I did. I think it was the person who was hacking illegally, and it probably wasn’t even their real name.
So I only go to blogs now and enter giveaways where only the blog owner can see my email address.
I only leave comments on blogs where I can use a form like this, where only the blog owner can see my address.
I change my log on computer password now at least every two weeks, after the tech said that is best, and he said to use Upper and lower case letters, as well as numbers and also symbols to make it harder.
Of course I have a virus protection service I subscribe to, but hackers are smart.
I am so sorry you have gone through what you have. I know it’s a pain, but you had a bigger one than I did.
Hang in there and God Bless You.
Peggy Gorman says
It’s sad that all this even happens. Too bad that you had to go through this.
Ann says
Wow–just now reading this. Sorry this happened. Mean people suck!