It Happens
Sensational title? You hear about it on other blogs, it happens to government sites, It happens to Al Gore and to Bill O’Reilly… But you never dream it will happen to you. I recently found out that my WordPress site had been hacked into by a dirty, stinking, filthy spammer. It wasn’t even flattering, since I was not specifically targeted in the hack, but only one of hundreds more that were used by a script made to crawl and automatically find vulnerable sites and exploit them. The hacker didn’t even have to exert any effort. This was truly insulting.
Traffic and rankings drop off the map
It all started when I logged into my Google Analytics to check on my stats. I wanted to see if I had broken another traffic record, instead I found that my search engine traffic had dropped by about 80%. I frantically checked Google for a keyword I know I rank for, and found that I was completely absent from the results. I checked another term, and I was nowhere to be found. I had been dropped from the search results.
Since I had no idea why, I started to think that I might have built links too fast, or that maybe I had been sandboxed or something due to climbing too high too quickly. There was nothing I did that could have fallen outside of Google’s guidelines. I was stumped until I searched and found that there was a possibility that I was hacked and might have hidden links on my site. I checked my source code on a few pages and didn’t see anything fishy. After scouring for more information online I ran across an obscure post describing the exact problem I was having.
They will take advantage of you
Since I hosted my sites on an inexpensive shared server, it is possible that my site was sharing the same server with many other websites. Hackers with malicious intent can scan for vulnerable sites, and break into the site using SQL Injections and/or other methods. They don’t do it for sport, they do it to ad hundreds of outbound links from your site to another for SEO reasons. They hope to make a quick buck by inflating their rankings overnight. My hacker was placing hundreds of links to a .edu website that had a vulnerability they exploited causing it to redirect back the their Canadian pharmacy site. It was a double-layered scheme that helped them protect their site from being de-indexed by putting the heat on the school website. I’m still confused, but here is the bottom line: If you use open source platforms… secure your site!
Securing WordPress
There are a few steps you can take to help minimize the chance of attack by “security through obscurity”.
- Upgrade! Keep your WordPress install up to date at all times. Apply any patches released by the WordPress development team ASAP when they are released. They often will seal up any security holes that may have been found.
- Use a dedicated server: The cheap hosts like Dreamhost and Bluehost (and many more) use shared server environments. This allows hackers to sign up for cheap accounts and get access to a sever box that could be hosting a lot of vulnerable sites. Even more expensive cloud hosts like Mosso or MediaTemple share servers, but the high price of an account increases the barrier to entry purely for malicious intent, so it’s less likely. A dedicated server is the best way to go. (Not to mention the fact that your site loads a lot faster, so your visitors and Google bots will like that). If you don’t want to drop that kind of money, skip this step.
- Remove “WordPress” and “version” references where possible in your theme. Any mention of “Powered by WordPress” should be removed from the footer. If your theme includes a “generator” meta reference in the header, remove it. This allows for easy scanning by a hacker by letting them know that: A: You are running WordPress. B: What version you are running. This is a beacon for them that can be easily turned off without any issues.
- Remove any unused plugins, they can have holes you may not know about. It’s best to delete them from your wp-plugins folder if they are doing nothing. While you are in the plugins folder, add a blank page title “index.html” or “index.php” this will prevent others from being able to see what plugins you have installed simply by going to “www.yoursite.com/wp-content/plugins”.
- Try to limit access to your wp-admin directory using a .htaccess file. Lock down the directory so that only certain IP addresses (your own) can access it. Use the method described here. Or try this plugin. (I have not tried the plugin personally)
- Re-name your “admin” default user to something else. For details, look here.
- Back up your site! This will not prevent an attack of course, but you can recover quicker if you are messed with, and you can refer back to the original file to see if anything fishy was added. It’s hard to see funky changes in your database if you don’t have a reference point. Make sure to back up your entire directory by dragging your wordpress install onto your local machine, and then back up your MySQL database.
- This is only the beginning: Check out this post for more. It seems like a headache, and it really is.
You may not know until it is too late
The fact that I had been hacked had gone undetected for so long due to the fact that it was virtually invisible, even in my source code. The added code was only showing the filthy links it added if the browser was determined to be the Googlebot. One way I found the links was to impersonate the Googlebot with Firefox. Another way to see if you were hacked is by typing “site:https://www.yoursite.com buy” without the quotes of course. The “buy” added on the end was meant to catch the most common word the hackers would use in a dirty link. You can replace it with other common spammy words if you would like. Try this out, and if you see what I saw, you may start to cry.
The steps I mentioned above are only a few ways to begin your security measures.. there are many more. If you have been hacked, I encourage you to find out what was done and clean it up.
Proactivity is important
If you run wordpress or other open source CMS’s, you need to take the steps to make sure you are upgraded and secure. Risking a plugin conflict is not as important as ensuring you are not dropped from Google. After I cleaned out my site by removing the added lines of code from my theme, removing the added user from the database, and removed the new hidden plugins that were added, I was able to request a reconsideration from Google. I didn’t get an actual response, but I think they got the message because my site seems to be ranking better again.
Follow the rabbit holes below to learn more:
TechCrunch: WordPress Security Issues Lead to Mass Hacking
