My site was hacked into last week, and it’s led to all sorts of problems.
It all started on Wednesday, September 30th, when I arrived in NYC to find that my blog had been down all day because of bandwidth issues. Bandwidth is the transmission capacity of a website. I pay for a certain amount each month, and had reached my limit. It was the last day of the month, so I didn’t find this to be particularly strange. I thought maybe I had a sudden surge in traffic, so I checked my stats.
Average traffic that day. Maybe even a little less than usual.
It didn’t make sense, but I brushed it off. MomWebs fixed my problem within minutes, and I was able to enjoy the rest of my stay in New York with no further problems.
And then it happened again.
It didn’t get to the point where my website shut down, but I did notice a huge chunk of bandwidth used up on Sunday, October 4th. Same for the first 3 days of the month. More than 25% of my allotted bandwidth gone. In four days. At this rate, my site would crash again within a week!
I found that the culprit – the person using up all my bandwidth – was one IP address located in Russia.
I blocked it from accessing my site, but I know that it’s just as easy to get a new IP, so I had to do more than that. I dug deeper.
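Working out which client is eating the bandwidth, as described above, comes down to summing bytes served per address in the web server's access log (the same data awstats reports). The following is an added example, not the author's code or anything from MomWebs: it parses Apache-style "combined" log lines, totals bytes per client IP, and reports any address responsible for more than a chosen share of all traffic. The log lines and IP addresses are constructed for the demo.

```python
import re
from collections import defaultdict

# Apache/Nginx "combined" format:
# ip - - [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample lines using documentation IP ranges (not real visitors).
SAMPLE_LOG = """\
203.0.113.7 - - [04/Oct/2009:00:01:12 -0400] "GET /feed/ HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
198.51.100.23 - - [04/Oct/2009:00:01:40 -0400] "GET / HTTP/1.1" 200 31544 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Oct/2009:00:02:03 -0400] "GET /feed/ HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Oct/2009:00:02:55 -0400] "GET /feed/ HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
192.0.2.44 - - [04/Oct/2009:00:03:10 -0400] "GET /about/ HTTP/1.1" 304 - "-" "Mozilla/5.0"
203.0.113.7 - - [04/Oct/2009:00:03:30 -0400] "GET /feed/ HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
"""


def bytes_by_ip(log_text):
    """Return ({ip: total_bytes}, {ip: request_count}) over parseable lines.
    A '-' byte count (e.g. a 304 response) contributes zero bytes."""
    totals = defaultdict(int)
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        sent = m.group("bytes")
        totals[m.group("ip")] += 0 if sent == "-" else int(sent)
        counts[m.group("ip")] += 1
    return dict(totals), dict(counts)


def bandwidth_hogs(log_text, share_threshold=0.5):
    """Return [(ip, bytes, share)] for addresses whose share of all bytes served
    is at or above share_threshold, largest first."""
    totals, _ = bytes_by_ip(log_text)
    grand = sum(totals.values())
    if grand == 0:
        return []
    hogs = [(ip, b, b / grand) for ip, b in totals.items() if b / grand >= share_threshold]
    return sorted(hogs, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    totals, counts = bytes_by_ip(SAMPLE_LOG)
    for ip, b in sorted(totals.items(), key=lambda t: t[1], reverse=True):
        print(f"{ip:16} {counts[ip]:4} requests {b:10} bytes")
    for ip, b, share in bandwidth_hogs(SAMPLE_LOG):
        print(f"heavy consumer: {ip} ({share:.0%} of bytes served)")
```

Blocking the address is a stopgap, as the post notes; the useful output of this kind of check is the request pattern (here, one client repeatedly pulling the feed), which tells you what the traffic was for and what to look at next.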
It hit me that my email newsletter hadn’t gone out in a couple of days. Yes, I subscribe to my own feed just for that reason. I used Feed Validator to troubleshoot, and it gave me an error: column 0: XML parsing error: <unknown>:351:0: junk after document element. I wasn’t sure if this had anything to do with my bandwidth problem, but I knew I had to fix it right away.
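The validator message quoted above is what an XML parser reports when anything other than whitespace follows the closing tag of the feed's root element; in a WordPress feed that usually means some PHP file is emitting extra output after the feed is finished. As an added example (not the author's code), here is a Python check that reproduces the diagnosis on a constructed feed and points at the line holding the junk, which is the first thing to look for in the generated output.

```python
import xml.etree.ElementTree as ET

# Constructed sample feeds for the demo (not the author's real feed).
GOOD_FEED = (
    b'<?xml version="1.0"?>\n'
    b'<rss version="2.0"><channel><title>Example blog</title></channel></rss>\n'
)

# The same feed with content injected after </rss>: the situation Feed Validator
# reports as "junk after document element".
JUNK_FEED = GOOD_FEED + b'<a href="http://spam.example/">buy now</a>\n'


def check_feed(data: bytes):
    """Return (ok, message). A well-formed feed yields (True, "well-formed").
    Trailing junk yields (False, message) naming the line, the column and a
    preview of the junk so it can be matched against the PHP output that
    produced it. Other parse errors are passed through."""
    try:
        ET.fromstring(data)
        return True, "well-formed"
    except ET.ParseError as err:
        text = str(err)
        line, col = err.position  # expat: 1-based line, 0-based column
        if "junk after document element" in text:
            src_line = data.splitlines()[line - 1].decode("utf-8", "replace")
            preview = src_line[col:col + 60]
            return False, f"junk after document element at line {line}, column {col}: {preview!r}"
        return False, f"parse error: {text}"


if __name__ == "__main__":
    for name, feed in (("good", GOOD_FEED), ("junk", JUNK_FEED)):
        print(name, check_feed(feed))
```

Run it against a saved copy of your own feed (`check_feed(open("feed.xml", "rb").read())`); the line number it reports corresponds to the `351` in the validator's `<unknown>:351:0` output.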
I looked through my blog’s files in cPanel, trying to find the RSS source. This is when I noticed folders with strange names in my blog directory. Something like xhudq and gheizi. Just nonsense, basically. I opened those folders to find hundreds of text and PHP files, named everything from marajuana to winfrey. Weird filenames. Some of the text files contained nothing but IP addresses, one after the other.
At this point – as you can imagine – I was freaking out. I couldn’t believe that someone had hacked into my personal website. I found that “junk” – yes, that’s the official name for it – was added to my code. This kept it from working properly, which is what broke my feed. I had to go through each individual PHP file to find and delete anything out of the ordinary.
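The pattern described in the last two paragraphs (unexpected top-level directories stuffed with PHP and text files, some text files containing nothing but IP addresses) is easy to scan for, so the next occurrence is caught before the bandwidth runs out. The following is an added example, not the author's code or MomWebs' recovery tooling: it walks a WordPress root, skips the directories a stock install is expected to have (that list and the file-count threshold are assumptions to adjust for your host), and reports the rest. The demo tree is constructed in a temporary directory.

```python
import re
import tempfile
from pathlib import Path

# Directories a stock WordPress root is expected to contain (assumption; add
# host-specific extras before running this against a real site).
EXPECTED_DIRS = {"wp-admin", "wp-content", "wp-includes", "cgi-bin"}

IP_LINE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def is_ip_list(path: Path, min_lines: int = 3) -> bool:
    """True if the file holds nothing but IPv4 addresses, one per line."""
    try:
        lines = path.read_text(errors="replace").splitlines()
    except OSError:
        return False
    lines = [l.strip() for l in lines if l.strip()]
    return len(lines) >= min_lines and all(IP_LINE.match(l) for l in lines)


def scan_wordpress_root(root, min_files: int = 20):
    """Return one finding per unexpected top-level directory that holds at
    least `min_files` PHP/text files, or any text file that is just an IP list."""
    findings = []
    for entry in sorted(Path(root).iterdir()):
        if not entry.is_dir() or entry.name in EXPECTED_DIRS:
            continue
        files = [p for p in entry.rglob("*") if p.is_file()]
        php = sum(p.suffix == ".php" for p in files)
        txt = [p for p in files if p.suffix == ".txt"]
        ip_lists = sum(is_ip_list(p) for p in txt)
        if php + len(txt) >= min_files or ip_lists:
            findings.append({"dir": entry.name, "php": php, "txt": len(txt), "ip_lists": ip_lists})
    return findings


def build_demo_tree() -> str:
    """Construct a throwaway WordPress-like tree: the normal directories, a small
    legitimate extra directory, and one junk directory of the kind described."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    for name in ("wp-admin", "wp-content", "wp-includes"):
        (root / name).mkdir()
        (root / name / "placeholder.php").write_text("<?php // normal file\n")
    (root / "backup").mkdir()
    (root / "backup" / "notes.txt").write_text("theme tweaks\n")
    junk = root / "xhudq"  # nonsense name, as in the post
    junk.mkdir()
    for i in range(30):
        (junk / f"page{i}.php").write_text("<?php // constructed junk\n")
    (junk / "list.txt").write_text("192.0.2.10\n192.0.2.11\n198.51.100.5\n")
    (junk / "words.txt").write_text("winfrey\n")
    return str(root)


if __name__ == "__main__":
    for finding in scan_wordpress_root(build_demo_tree()):
        print(finding)
```

On a real site, point `scan_wordpress_root` at the directory cPanel's file manager shows as your blog root; a directory that is not yours and holds dozens of generated PHP pages is the thing to investigate, and the IP-list files are the signal that the same directory is also keeping track of who it serves.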
MomWebs offers a hack recovery service for a small fee, but I decided I needed to get to the bottom of it myself in case it ever happens again. I spent hours trying to figure out the extent of the damage, and I think I’ve finally fixed it all… it’s definitely been an eye-opening experience.
- Back up your files often.
- Change your cPanel and WordPress passwords every few weeks… and use a STRONG password.
- Upgrade to the new WordPress software when it’s released. It’s easy; don’t put it off. Many updates fix security issues from previous versions.
- Don’t link to WordPress. It used to say “powered by WordPress” in my footer, but I removed that. It’s like telling hackers “Hey! I’ve got WP! Come and get me!” You know?
*Update* – After doing more research, I found that there are other ways for hackers to see that you have WordPress… the version stated in your source (delete that!) and the various files that use WP prefixes. 10 Tips to Make WordPress Hack-Proof shows you how to change this.
- Check your awstats (advanced web statistics) frequently. In your cPanel dashboard, go down to Logs, then awstats.
- Break your comments into several pages. This isn’t a safety issue, but cuts down on bandwidth use.
- Check to make sure that only authorized users have access to your WordPress account (look under Authors & Users).
- There are other methods of hardening WordPress that I am going to look into, including a few plugins that were recommended to me by @YourGoToGuy on Twitter.
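The update about version strings and WordPress prefixes in the page source can be checked rather than guessed at: save your own home page's HTML and look for the tell-tale strings. The following is an added example (not the author's code, and not from the linked "10 Tips" article): a small checker that reports which WordPress fingerprints are still present, run against a constructed "before" page and a constructed "after" page with the generator tag and footer credit removed. The `?ver=` check relies on WordPress appending its version to enqueued script and stylesheet URLs by default.

```python
import re

# Constructed page sources for the demo (not the author's real site).
PAGE_BEFORE = """<html><head>
<meta name="generator" content="WordPress 2.8.4" />
<link rel="stylesheet" href="/wp-content/themes/demo/style.css" type="text/css" />
<script type="text/javascript" src="/wp-includes/js/comment-reply.js?ver=2.8.4"></script>
</head><body>
<div id="footer">Powered by WordPress</div>
</body></html>"""

# Same page after removing the generator tag, the footer credit and the ?ver=
# query strings; the wp-content/wp-includes paths remain.
PAGE_AFTER = """<html><head>
<link rel="stylesheet" href="/wp-content/themes/demo/style.css" type="text/css" />
<script type="text/javascript" src="/wp-includes/js/comment-reply.js"></script>
</head><body>
<div id="footer">Copyright 2009</div>
</body></html>"""

# Each fingerprint: a label and the pattern that reveals it.
FINGERPRINTS = [
    ("generator meta tag", re.compile(r'<meta\s+name="generator"\s+content="WordPress[^"]*"', re.I)),
    ("footer credit", re.compile(r"powered\s+by\s+wordpress", re.I)),
    ("version query string on asset", re.compile(r"""/wp-(?:includes|content)/[^"'\s]+\?ver=[\w.]+""", re.I)),
    ("wp- path prefix", re.compile(r"/wp-(?:content|includes)/", re.I)),
]


def wordpress_fingerprints(html: str):
    """Return the labels of every fingerprint found in the page source."""
    return [label for label, rx in FINGERPRINTS if rx.search(html)]


if __name__ == "__main__":
    print("before:", wordpress_fingerprints(PAGE_BEFORE))
    print("after: ", wordpress_fingerprints(PAGE_AFTER))
```

The remaining "wp- path prefix" finding on the cleaned page is the point of the update: removing the footer link and generator tag is quick, while the directory prefixes need the rewrite steps the linked article covers. None of this stops an attacker who already has a password; it only makes the install less obvious, so the earlier items (backups, strong passwords, prompt upgrades) remain the ones that matter.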
I apologize to those that subscribe to my feed by email, as that feature hasn’t been working since Friday. I cleaned it all up, so it should be back to normal today, but only time will tell. If you don’t receive an update by midnight tonight, someone please leave a comment to let me know!