Hacked, And How I Recovered From It

In July 2013, on a Monday night, as I was getting ready to head to bed, I started having some trouble on one of my blogs. I didn’t think much of it, figuring all would be right the next morning.


Next morning I woke, came to the computer and tried to access that blog; access denied. I then tried accessing other blogs; some I could see, others said access denied. I then tried to look at my websites; some I could see portions of, on others access was denied; yeah, that’s a big problem.

I called my friend Kelvin, with whom I share the space, and asked him to look into it, as I had to get to work. He wrote me with the bad news; per the host, I’d been hacked through two of my blogs. Luckily, the host caught the attack and froze access, which was why I couldn’t access anything. He forwarded me the email which explained part of the problem, and what I had to do to fix it.

When I got back to the hotel (as I’m out of town right now) I went to work on the problem. I’m telling you what I did, and what you should do, so that if it happens to you you’ll be able to fix it quicker than I did.

First, the email mentioned that I’d been hacked through the footer of themes on two different blogs that I wasn’t using. Truthfully, when I saw the names I didn’t even remember having those themes on those sites. It didn’t matter; they had to go. The email recommended certain files to remove through an FTP (file transfer protocol) program. I mainly use WS-FTP, but I’m going to recommend Filezilla for those times when you have to delete lots of stuff. WS-FTP lets you delete things, but it won’t delete any folders that have files in them, which can be a pain as I’ll bring up; Filezilla will take care of the entire thing for you.

I went in and deleted the files recommended, and while I was at it I decided to delete the entire theme from both blogs as well. However, all my sites were still locked down afterwards.

The next thing it recommended was that I go in and update all the software on my blogs. Here’s where, if I’d known something I’ll mention in a little bit, I’d have bypassed this step. The reason is that I had already updated all the blogging software; all I ended up doing was deleting and re-adding what I already had. If I hadn’t updated it would be a different story; I wasted a lot of time on this step, one I could have skipped if I’d already had Filezilla on my laptop, as I have it on my main computer at home.


Here’s the problem. My assumption was that the hack, which wasn’t major but still problematic, had infiltrated all my sites. What happened instead is that once my host, 1&1, locked everything down, it shut down all my sites, not just the two blogs that were hacked. If I’d thought of what I’m about to tell you now I’d have saved at least 3 1/2 hours, as I spent 4 1/2 hours on the problem.

The other thing I want to tell you about is using free themes from other people. Most people who create free themes add things to the footer and hide them with some type of scrambling program. I learned that a long time ago when one of my blogs was showing up in searches for certain terms that I’d never written about. I obtained some software so I could see what was in there, stripped it out, and never had another problem with those terms after a month or so.

However, the blogs that were hacked are my oldest blogs, and I had downloaded a bunch of other themes that I never used, so I never thought about those footers. I got away with it for a long time, but in retrospect I should have deleted the themes I was never going to use, other than those that WordPress gives you; take that as a major hint and recommendation.
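The hidden footer code described above usually shows up as an encoded string fed to a decode-then-execute call. This is an added example, not the software the author used (he does not name it): a small scanner that walks a themes directory and flags those constructs in any .php file, so unused themes can be checked before they are deleted. The wp-content/themes/<theme>/ layout is assumed and the sample tree it builds is constructed.

```python
"""Flag obfuscation constructs used to hide code in WordPress theme files.
Added example, not the author's tool. Assumes a wp-content/themes/<theme>/ layout;
the sample tree built below is constructed and the 'payload' is a dummy string."""
import os
import re
import tempfile

# Rarely legitimate in a theme footer; together they are the usual decode-then-run chain.
SUSPECT_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "gzinflate": re.compile(r"\bgzinflate\s*\("),
    "long_base64_literal": re.compile(r"['\"][A-Za-z0-9+/=]{120,}['\"]"),
}


def scan_themes(themes_root):
    """Return [(theme, relative_file, line_no, pattern_name)] for every hit in *.php files."""
    hits = []
    for dirpath, _dirs, files in os.walk(themes_root):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, themes_root)
            theme = rel.split(os.sep)[0]
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line_no, line in enumerate(fh, 1):
                    for pname, rx in SUSPECT_PATTERNS.items():
                        if rx.search(line):
                            hits.append((theme, rel, line_no, pname))
    return hits


def build_sample_themes():
    """Constructed sample: a clean theme beside an unused theme with a hidden footer payload."""
    root = tempfile.mkdtemp(prefix="themes-")
    for theme in ("clean-theme", "unused-theme"):
        os.makedirs(os.path.join(root, theme))
    with open(os.path.join(root, "clean-theme", "footer.php"), "w") as fh:
        fh.write("<?php wp_footer(); ?>\n</body></html>\n")
    with open(os.path.join(root, "unused-theme", "footer.php"), "w") as fh:
        fh.write("<?php wp_footer(); ?>\n")
        # Dummy blob: 'QUJD' repeated is just base64 of 'ABC', long enough to trip the check.
        fh.write("<?php eval(base64_decode('" + "QUJD" * 40 + "')); ?>\n")
    return root
```

A hit is a reason to open the file and read it, not proof of compromise; a theme's own footer credit is usually plain HTML and will not match.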

Anyway, I spent hours deleting files and folders, first with WS-FTP, which took a very long time on the one blog I used it for, then with Filezilla, which went way faster. But I’m on a hotel’s internet connection, not the speedy 30 Mbps I have at home, so it still took a while. Truthfully, it’s possible that if I hadn’t reloaded that software I might not have been able to get into my dashboards and would still have had to go through the process, but I should have tried this other thing first; it would have been a snap and might have saved a lot more time.


When the host locked down my sites, what they did was change the file permissions to 644, which basically shuts everything down; at least it did for me, as I couldn’t see any of my files online, though I could still get in through FTP. To make sure everyone else can see what you want them to see, you need to change the permissions back to 755.

You can do this a number of ways, but the fastest and easiest is to use an FTP program that can do it for you. WS-FTP can’t, but Filezilla can. I went online and downloaded it, as it’s free, loaded it up, then used the username and password that accesses all my sites at once so I could work on multiple accounts at the same time. What you do is right-click on the file or folder you want to be accessible, check what the permission is, and change it by typing 755 over the 644 (or, possibly, xxx if that’s what you see). Then you hit OK, the files are released, and your stuff can be seen once more. When I was done, all my sites were back up, looking like they were supposed to; whew!

By the way, you might have files on your site that you don’t want anyone to know exist, so be perspicacious in determining whether you want all your folders or files to have their permissions changed.
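The permission fix above, done by hand in Filezilla, can also be done in one pass from a shell account. This added example is not the author’s procedure: it walks the site top-down, restores 755 on directories and 644 on files, and reports every change, while a keep_private list covers the files mentioned in the previous paragraph that should stay hidden. The constructed sample tree mimics the lockdown by setting every directory to 644.

```python
"""Restore directory 755 / file 644 permissions after a host lockdown.
Added example, not the author's procedure (he used Filezilla by hand); paths in
keep_private are skipped so files meant to stay hidden are not opened up."""
import os
import stat
import tempfile

DIR_MODE = 0o755   # rwxr-xr-x: the web server needs the x bit to traverse a directory
FILE_MODE = 0o644  # rw-r--r--: readable by the server, writable only by the owner


def restore_permissions(root, keep_private=(), apply=True):
    """Walk root top-down; return [(relative_path, old_mode, new_mode)] per change.
    Each directory is fixed before its children are examined: a 644 directory has
    no x bit, so nothing inside it can be stat'ed until that bit is restored."""
    changes = []
    private = {os.path.normpath(p) for p in keep_private}

    def fix(path, wanted):
        rel = os.path.relpath(path, root)
        if rel in private:
            return
        old = stat.S_IMODE(os.lstat(path).st_mode)
        if old != wanted:
            changes.append((rel, old, wanted))
            if apply:
                os.chmod(path, wanted)

    for dirpath, _dirs, files in os.walk(root):
        fix(dirpath, DIR_MODE)
        for name in files:
            fix(os.path.join(dirpath, name), FILE_MODE)
    return changes


def build_locked_sample():
    """Constructed sample tree mimicking the lockdown: every directory set to 644."""
    root = tempfile.mkdtemp(prefix="site-")
    os.makedirs(os.path.join(root, "wp-content", "themes", "old-theme"))
    for rel in ("index.php", "wp-config.php", "wp-content/themes/old-theme/footer.php"):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<?php // constructed placeholder\n")
        os.chmod(path, 0o644)
    os.chmod(os.path.join(root, "wp-config.php"), 0o600)  # deliberately private
    for dirpath, _dirs, _files in os.walk(root, topdown=False):
        os.chmod(dirpath, 0o644)
    return root
```

Run with apply=False first to see what would change; that is the single-blog test the author wishes he had done before reloading everything.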

Here are the major lessons to take away from here.


One, stay cool; by staying cool I didn’t do anything really stupid.

Two, if you don’t already have a preferred FTP program, I’d recommend Filezilla. The program I use is pretty old, but I’m most comfortable with it, even if it can’t do everything Filezilla can.

Three, follow the initial instructions from your host by deleting the bad stuff they tell you to get rid of.

Four, I should have tested the file permissions on one of my blogs first to see if I could regain access and get into my dashboard before reloading everything; I could always have reloaded if I hadn’t gained access after the test.

Five, always keep your software up to date when upgrades are recommended for security reasons. At least I had that part covered.

And six… well, lucky for me I was hacked only to mess with me. They couldn’t get into my blogs or content because I have some plugins that protect the blogs, as well as passwords hard enough to figure out to make it more of a chore. That and quick thinking from my host saved me.

Lots to learn here; I hope it helps someone in the long run if this situation comes your way.

7 thoughts on “Hacked, And How I Recovered From It”

  1. Ugh! I am SO sorry this happened to you. The sucky thing is, say one does not know how to use Filezilla, then they have to learn that program, assuming they already have it. Like with me, I have it but use it so rarely I have to learn it all over again.
    You wrote: “Most people who create free themes add things into the footer and hide them with some type of scrambling program. … I obtained some software so I could see what was in there…” Care to share that program name? Please and thank you.

    1. Troy, I knew someone was going to ask, and I just don’t know. It was six years ago and I can’t even remember the search term I used to find it.

      Yeah, it was ugly, but it was also a cautionary tale that I got to tell others about. For now I can live with that. 🙂

  2. No worries Mitch. I am just glad you survived.
    Yes, I have come to making sure all my updates are up to date on all my sites. Thanks for the reminder and spreading the word.

  3. I started reading this post earlier today but got side-tracked and am just now getting back to it. I’m glad you were able to fix the hack. But now I’m wondering – and quite possibly getting paranoid – but, over the last few days, I’ve been getting comments from people on my blog with strange looking URLs. They look something like: ge2951u8nltf1n412rxi4816u05jys2ps DOT org. To me, the URL looks like a password string. Anyone else ever see commenters with URLs like that?

    1. Actually I have Derron, along with some strange looking spam. I’ve just been blacklisting the domain names and deleting them all. If these guys just applied themselves to making an honest living some of them might be rich.

  4. Firstly, sad to hear what has happened to you, Mitch, it has happened to so many of us online. However, kudos to you for the ‘keep cool’ quote, the invaluable information, and for passing it on. You have enough to do when you are on the road, so I, for one, appreciate your sharing.

    1. Thanks Mike. Getting upset wouldn’t have fixed a thing and luckily I had a friend who could at least get me some information I could work with. Still, isn’t it amazing how sneaky these guys who know how to break into things are?
