I’m not sure if it was Zero Cool or Acid Burn, but they finally got me. (By the way if you get that joke you’re one of my new favorite people).
How did I get hacked?
To be honest I’m not entirely sure of the root cause. Somehow a bit of malware snuck past Trend Micro Titanium 2012 and corrupted a few base files that run Firefox. From what I read this specific malware is a virus that is essentially a key logger, which gives it the ability to log what I type (think passwords).
Once a password to one of my sites was obtained, the hacker proceeded to create an additional Admin user and decided he would embed some type of JavaScript. Luckily, he either wasn’t very intelligent or my timing was amazing, because he only touched 1 post and he also messed with an inactive theme.
What did I do?
Well, I freaked out.
As it turns out, of all the sites they could have gained access to, it had to be this one. After freaking out for about another 5 minutes, here’s what I ended up doing.
- Deleted the hacker’s username.
- Immediately created a new Admin user and new password, then deleted my old Admin account.
- Read the Google Safe Browsing alert (about 5 times).
- Added my site to Google Webmaster Tools.
- Read the malware diagnostics provided by Google Webmaster Tools.
- Contacted my hosting company (Blue Host), who couldn’t do much, but gave me a few useful links which I read through:
  - http://www.stopbadware.org/home/security#identifying
  - http://25yearsofprogramming.com/blog/20071223.htm
  - http://www.unmaskparasites.com/security-report/
- Realized that I’m not smart enough to actually use the above sites to solve the problem.
- Called hackrepair.com and spoke with Jim Walker (who was awesome by the way).
- Paid Jim Walker $279 to manually review my site for any traces of malware (looking back this was a bit steep, but better safe than sorry).
- Ran a Full Scan of my computer using Trend Micro…twice. Everything was clean.
- Installed malwarebytes and ran another Full Scan. Everything was clean.
- Ran Trend Micro and malwarebytes specifically on my Firefox files…again. Everything was clean.
- Submitted a review request through Google Webmaster Tools asking them to remove the Safe Browsing notice now that the malware had been removed.
- Bookmarked http://wordpress.org/tags/vulnerability to check in the future.
- Installed the following plugins on ALL of my sites (still in the process):
  - Login Lock (FREE) – prevents someone from trying to brute-force your password by blocking IP addresses after a certain number of failed attempts
  - File Monitor Plus (FREE) – alerts you whenever any files on your site are changed
  - Bulletproof Security (FREE) – to be honest I’m not entirely sure what it does, but it was highly recommended by hackrepair, so I installed it (check out the video below)
  - Backup Buddy ($150) – this plugin allows you to run malware scans on your entire site and database, take full backups anytime you want, and has a couple of other features I haven’t used yet.
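To make the Login Lock idea concrete, here is a small added example (my own illustration, not code from the plugin or from this post) of the lockout logic: count failed logins per source IP inside a time window and report the IPs that crossed the threshold. The log line format and the sample lines are constructed for the example; real WordPress or Apache logs look different and would need their own parser.

```python
"""Lockout logic of the kind a brute-force blocker applies: count failed
logins per source IP inside a sliding time window and report the IPs that
crossed the threshold. Line format and sample lines are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed line format (not a real WordPress or Apache log format):
# <ISO timestamp> <client IP> login <ok|fail> user=<name>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) login "
    r"(?P<result>ok|fail) user=(?P<user>\S+)$"
)

# Constructed sample: one IP hammering the login form, one legitimate user
# who mistypes a password once and then gets in.
SAMPLE_LOG = """\
2011-12-20T03:00:01 198.51.100.7 login fail user=admin
2011-12-20T03:00:03 198.51.100.7 login fail user=admin
2011-12-20T03:00:04 203.0.113.9 login ok user=wes
2011-12-20T03:00:06 198.51.100.7 login fail user=administrator
2011-12-20T03:00:09 198.51.100.7 login fail user=admin
2011-12-20T03:00:10 198.51.100.7 login fail user=wes
2011-12-20T03:20:00 203.0.113.9 login fail user=wes
2011-12-20T03:20:30 203.0.113.9 login ok user=wes
this line is not a login event and is skipped
"""


def parse_line(line):
    """Return (timestamp, ip, failed, user) or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["ip"], m["result"] == "fail", m["user"])


def ips_to_lock(lines, max_failures=5, window_seconds=600):
    """Return {ip: time_of_lockout} for every IP that produced at least
    max_failures failed logins within any window_seconds span.
    A successful login clears that IP's counter, so a user who mistypes
    once is not locked out; an IP that is already locked is not re-counted."""
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    locked = {}
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        ts, ip, failed, _user = event
        if ip in locked:
            continue
        if not failed:
            recent[ip].clear()
            continue
        window = recent[ip]
        window.append(ts)
        # Drop failures that fell out of the sliding window.
        while window and ts - window[0] > timedelta(seconds=window_seconds):
            window.popleft()
        if len(window) >= max_failures:
            locked[ip] = ts
    return locked


if __name__ == "__main__":
    for ip, when in ips_to_lock(SAMPLE_LOG.splitlines()).items():
        print(f"lock {ip} (threshold reached at {when.isoformat()})")
```

Running it locks 198.51.100.7 (five failures in ten seconds) and leaves 203.0.113.9 alone. In a real deployment the lockout should expire after a while and the lockout list itself should be logged, otherwise an attacker who spreads attempts across many IPs, or a legitimate office behind one NAT address, becomes hard to reason about.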
What didn’t I do?
Here are a few things that were recommended that I didn’t do.
Move some of my sites onto a new server/host. I was told by Jim Walker that having all my sites on one shared hosting account is just asking to get hacked. I actually have a separate Host Gator account, but I just haven’t used it yet. I’ll likely transfer over half my sites to Host Gator in the very near future.
Follow Matt Cutts’ advice. Though I’ll likely do this in the near future as well.
Sign up for Code Garage. This is a service run by some of the guys at The Keyword Academy, which I’ve heard nothing but amazing things about. However, I decided to go with the Backup Buddy plugin because it was cheaper and I had already spent $279. I may regret this, or I may end up switching over to Code Garage in the future; I’m still undecided.
*Update 12/31/11 – I have been at Code Garage for a couple weeks now, and can definitely say it was a great choice.
Lessons Learned
Securing your assets (aka your sites) is one of the first things you should do. If you’re not backing up your sites regularly, you need to start.
Don’t leave inactive plugins, themes, or anything else on your sites that you’re not using. It’s just a red flag that says, “Come hack me.”
Keep everything up to date and make sure you read about the latest WordPress vulnerabilities (if you’re using WordPress).
Last, but not least, don’t take anything for granted. My heart literally sank when I thought I might lose an entire site, or possibly all my sites. That’s hundreds of hours of work over the last few months and starting over would be absolutely horrible.
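The attacker in this story got away with editing a post and a file in an inactive theme, which is exactly the kind of change a file-change alert (the File Monitor Plus item above) exists to catch. Here is an added example of how such a monitor works, written for this post and not taken from the plugin: hash every file under the site root, save the snapshot, and diff a later scan against it. The site tree, file names and contents are constructed for the example.

```python
"""A file-integrity baseline: hash every file under the site root, save the
snapshot, and diff later scans against it so that an edited theme file, a
dropped-in file or a deleted file is reported. The site tree and its
contents are constructed for this example."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of one file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan(root, skip_dirs=("wp-content/cache",)):
    """Return {relative_path: sha256} for every regular file under root.
    skip_dirs lists directories whose contents change legitimately all the time."""
    root = Path(root)
    snapshot = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if any(rel.startswith(d + "/") for d in skip_dirs):
            continue
        snapshot[rel] = hash_file(p)
    return snapshot


def save_baseline(snapshot, baseline_path):
    Path(baseline_path).write_text(json.dumps(snapshot, indent=2, sort_keys=True))


def load_baseline(baseline_path):
    return json.loads(Path(baseline_path).read_text())


def diff(baseline, current):
    """Paths added, changed and removed between two snapshots."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "changed": sorted(p for p in base & cur if baseline[p] != current[p]),
        "removed": sorted(base - cur),
    }


def demo():
    """Baseline a constructed site, then make the kinds of change the post
    describes (an inactive theme file edited, a new file dropped in, a file
    gone) and return what the diff reports."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "public_html"
        baseline_file = Path(tmp) / "baseline.json"  # keep this outside the web root
        files = {
            "wp-config.php": "<?php // constructed config",
            "readme.html": "<html>constructed</html>",
            "wp-content/themes/active/functions.php": "<?php // active theme",
            "wp-content/themes/inactive/footer.php": "<footer>constructed</footer>",
            "wp-content/cache/page.html": "cached copy 1",
        }
        for rel, body in files.items():
            (site / rel).parent.mkdir(parents=True, exist_ok=True)
            (site / rel).write_text(body)
        save_baseline(scan(site), baseline_file)

        # Changes made after the baseline was taken.
        footer = site / "wp-content/themes/inactive/footer.php"
        footer.write_text(footer.read_text() + "\n<!-- edited after baseline -->")
        (site / "wp-content/themes/inactive/unexpected.php").write_text("<?php // new file")
        (site / "readme.html").unlink()
        (site / "wp-content/cache/page.html").write_text("cached copy 2")  # in skip_dirs

        return diff(load_baseline(baseline_file), scan(site))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The baseline file must live somewhere the web server cannot serve and the attacker cannot rewrite, otherwise a compromised site can simply re-baseline itself. Be sparing with directory exclusions: skipping a cache directory is reasonable, but skipping the whole uploads tree would also hide a PHP file dropped there, so exclude by non-executable file extension rather than by directory where you can.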
Would love to hear if anyone is doing anything above and beyond what I’m now doing.

That stinks, at least you were able to fix it and learned an important lesson on how to secure your sites.
I like “Better WP Security”, it stops brute force and does some other things too.
“Bulletproof Security” doesn’t work on Media Temple shared hosting…Media Temple has an issue on their end…Bulletproof Security works fine on Bluehost.
Sweet, I’ll definitely look into Better WP Security.
Hey Wes! Nice to talk to you again. I have a lot of websites as well and it would be devastating to have them all hacked just because one site was compromised. I think the last and most important thing you could do is purchase reseller hosting. As far as I know you can set up a different cPanel for each website to minimize the damage if one website is hacked.
Anyway, hope all is well for you and make sure you have a great new year, keep chuggin’, buddy!
I actually just purchased another hosting account. I’m looking into reseller or potentially just having several shared hosting accounts, that way I can build up a nice little network of sites as well.
Happy New Year!