‘I Didn’t Think It Would Happen to Me’: WordPress Security
“I didn’t think it would happen to me. Yes, I had read some of the warnings, seen some of the signs, just thought they were directed at someone else. Not at me.
It came at a point when my defences were low, and my system was weak. I think that was how the virus spread so quickly.
I couldn’t believe the way it spread its tentacles. Even after I thought I’d got rid of it there was still the odd trace in the system. It’s hard to be sure it’s gone completely… and won’t come back.
I felt horrible afterwards, like something shameful had happened. Something I didn’t really want to talk about. Even though I knew this was something caused by the actions of someone else, it still felt like my fault. I didn’t want to admit my weakness.
But after a while I thought it was better to speak out. I can see other people doing the same thing. Taking risks. Assuming this is something that won’t happen to them.
Which is why I thought it was time to say something. Share something of my experience. I’m no expert in knowing how to stop this from happening, but I can pass on what I have learnt – not least that keeping your fingers crossed is no defence.”
What do you do when you see posts on WordPress security?
Click on through, follow the advice, and see what you need to apply?
Or turn away, thinking they can’t possibly be talking about *you*?
I have to confess, until a few weeks ago, I was in the turn away category. WordPress geek that I am, I still didn’t think security was something I needed to bother my head about.
Little did I know.
I’m still not entirely sure how it happened, only that at some point while I was in the midst of moving house, and struggling with an unbelievably slow mobile connection, my WordPress sites got hacked. Infected with malicious malware code that not only did bad things to my sites (yes, all of them) but potentially threatened to do bad things to visitors who stumbled by without adequate malware protection.
Yuk, yuk and double yuk.
Doesn’t come close to describing how awful an experience this was, especially at a time when I was struggling to get online and sort things out. (Of course, this kind of attack will always come when part of your system is down.)
Fortunately, bloggers being bloggers… there are lots of resources out there talking you through how to get yourself out of this kind of situation. It’s not easy, it’s not for those who fear a technical challenge (but probably is for those who’d balk at the price of getting someone to dig you out of the hole again. There are people around who can help, but it’ll cost you.)
I won’t go into the ins and outs of what happened, or all the things I had to do to unpick it, but I will say this:
- Don’t assume it won’t happen to you
- Don’t ignore posts on WordPress security
- Do keep up to date (version of WordPress, and plugins you use)
- Do use a proper password
- Do look into at least the basics of what you need to do to keep your site(s) safe and secure.
Some resources that helped me, hugely, at the time, listed below:
(learning, from this post from WP Dude, how to look at my .htaccess file was what helped me through this, thank you!)
WordPress Security: A Comprehensive Guide
10 Practical WordPress Security Tips
11 Best Ways to Improve WordPress Security
Top 5 WordPress Security Tips You Most Likely Don’t Follow
WordPress Security Tips and Hacks
I am not a blogging, security or WordPress expert, and no, I don’t understand everything in these posts either. I probably am still taking some risks. I guess we all are. But at least I’ve got a better idea of what to do and what to look for. You should too.
Do you have any good resources on WordPress security you’d like to share?
If you’ve ever experienced something similar… you have my sympathies! Did you find you were able to talk about it?
~~~
PS Do you know I feel strange posting this – like I’m going to jinx myself or tempt evil hackers back to do it again. But I’m going to ignore the bad feeling, because I really do feel that this is something we need to talk about more, and wake up WordPress bloggers to.
[...] This post was mentioned on Twitter by Todd Rutherford, Joanna Paterson. Joanna Paterson said: ‘I Didn’t Think It Would Happen to Me’: WordPress Security: “I didn’t think it would happen to me. Yes, I… http://bit.ly/d60oX0 [...]
Your post is a wake up call. Like you I thought that it could only happen to others – now that it has happened to someone much nearer home I will be taking some action. Thank you for writing this and sharing these resources.
Thanks for your post, Joanna – I have recently had to deal with some nasty viruses on my laptop because of a stupid incident in an Internet cafe where I let the owner install a program to allow me to bypass their security filter. I didn’t know that’s what he was doing, but didn’t make the point to find out. Sharing these stories with each other really does help us overcome our feelings of invincibility online. Something I know I suffer from at all times!
Glad my article could help you
Neil
Just recently I have found that someone keeps turning my comment off,
I dont know how this is happening or how I can stop it. Has anybody got any ideas?
Hi Joanna – I also felt uncomfortable posting when I’d been hacked. It felt like I had the blogging version of nits.
As you say – it is so easy to assume it’s not going to happen to you. I’m glad you got it all fixed.
Hi Joanna, excellent article and I am very proud of you for coming forth and talking about this. WordPress cracking never seems to be on anyone’s top priority to-do list until only after they get hacked.
I had a very similar situation happen to my wife’s site which was bringing in a nice income for us until one day we got hacked. We lost so much and just like you, we felt horrible that many of our visitor’s computer’s probably ended up getting viruses downloaded to them.
That scenario set me out on a mission and here just recently I published a WordPress security ebook. I’m also currently working on a free course on WordPress security.
Like you, I realize that by blogging about this topic I’m making myself a target, but you know what, someone’s got to stand up and fight back.
Glad you got everything back up and working. Here are some other precautions to take:
- Install the plugin WordPress File Monitor
- Use a password manager so that you can create strong, unique passwords for all your sites
- Don’t immediately trust people on social networks and click their links
- Install the Block Bad Queries (BBQ) plugin
- Don’t keep backups online (like database backups)
- Run your email and FTP through SSL
@wolfgang – If that’s all that’s happening, it’s probably a problem with your WordPress installation. You can try disabling some plugins and seeing if that fixes things.
If you’re concerned that someone else is logging into your blog and doing this, install the BTEV plugin so you can log who’s coming and going and what changes are being made.
Joanna, I’m sorry this happened to you – it is a devastating experience and very emotional, which may surprise people who have been lucky enough to avoid being hacked. I’ve never been confident enough to go it alone blogging, and rely on WordPress programmers to manage security of my sites. Yes, it costs a little money, but it’s well worth it for the peace of mind and assurance of an ongoing Web presence.
Thank you for sharing your experience. Too many WordPress users ignore good security practices until it is TOO late. Hopefully your post helps prevent other users from suffering from being hacked as well.
After hearing horror stories like yours from blogging friends, I looked into security options for my blog. My techie husband values and appreciates John Hoff’s book WordPress Defender. Hoff also understands customer service and lending a helping hand.
So sorry this happened to you, Joanna! I can sympathize because I went through a very trying period of dealing with an insidious virus that infected my computer system. While the two experiences may not be exactly the same, both situations were no doubt equally trying.
It takes real persistence and determination to correct these kinds of problems. I’m sure your post will prove helpful to your fellow WordPress bloggers — both in providing guidance to those whose sites have already been hacked and in offering preventive measures to those fortunate enough not to have faced this issue firsthand.
So sorry to hear about your experience Joanne. “Coming Out” is one of the best things you can do for yourself as well as for your follow bloggers.
Thank you for sharing your story and links to resources that can prepare us for and help extricate us from the same scenario.
God bless.
Cheryl
Marion thank you – that’s really why I thought I needed to write and share this. I wanted to try and bring it a little closer to home.
Julie these things can happen so quickly – just a few seconds, or a click on something dodgy… then hours and hours of aaaaargh!
Neil it did, it really did. Thanks for sharing the resources you do.
wolfgang no idea I’m afraid, but please see John’s resposne to you elsewhere in this comment thread.
Cath as usual you hit the nail bang on the head: “the bogging version of nits”. I know exactly what you mean. Glad your problems are behind you too
I have no idea what hell your getting hacked would have created for you, but I am off to read these suggestions/solutions today! Thank you!
(I am on a Mac not a PC, does that protect me from what you experienced?)
Oh Joanna I am so sorry! Yes, I’ve lived this nightmare with a client and it was horrible. His site even got banned from Google. I cried on a few occasions. I think the cure was worse than the humiliation of the attack but I did end up with good security resources, Webroot for my own systems and a vigilance about being more careful. Thank you for sharing Joanna, we all need to be reminded about security.
Diana I’m no expert, but I very much doubt it, sorry!
Karen the more I read about this the more I realise it’s not such an out of the ordinary event – horrible, really horrible as it is. (Yes, I cried too
) Hopefully forewarned is forearmed though…
Joanna, happened to me too! I was so sure that I was too sophisticated for such things to affect me. Only sloppy users get hacked, right? People who click on obvious scams? Nope. Oops.
I can’t recommend Securi.net highly enough — they helped me clean out Remarkable Communication amazingly quickly (after I spent weeks and three different developers trying to close all the nasty little back doors), and they also monitor the site multiple times a day to warn me if anything happens again.
We just had one of our CB writers hacked (his personal site, not CB) as well. It’s so insidious. It does happen to smart, web-savvy users!
And it’s such an awful feeling. I know what Karen means, it really does make you want to cry. Then take a shower.
@Diana, nope, being on a Mac does not protect you (many Mac folks are a little complacent about security), because what’s hacked is your WordPress site, which doesn’t live on your Mac.
I also have a feeling that it’s only a matter of time before we see some ugly Mac viruses. My computer genius friends tell me there are some security loopholes in the Mac OS that could be exploited by bad guys.
Sonia thanks so much for sharing your experience here, even though it’s a reminder of what truly is a gruesome experience. I’m sorry you had to go through this too. Thanks for the tip about Securi.net too – will check that out.