Hacked!!! [lessons learned]

I’ve been a web hobbyist/enthusiast since the mid-90s and in all that time, I’ve maintained a fairly high level of trust mixed with a healthy amount of skepticism. That balance shifted recently when my personal web site was “hacked.”

Let me explain what happened: My site is designed to keep family and friends up to date on what’s going on with our family (mostly the kids). When I first launched it and for many years, I kept the commenting wide open. After all, who would take the time and energy to vandalize a little-visited family web site?

About a year ago, I was forced to control and monitor comments a little more closely. I changed the WordPress settings to require someone to register first or have a previously approved comment before they could comment. But I set WordPress to auto-approve new user accounts. After all (uh-oh), who would go through the trouble to set up a user account just to vandalize a little-known family web site?

I found out this past week that even these measures were woefully inadequate. Apparently, within the span of a few hours, “someone” (presumably a bot) created several user accounts, then used those accounts to leave comments on my posts with links to “badware” sites and embedded script code. Google immediately flagged the site as “distributing badware.” That’s when the fun began.

A Slashdot article provided insight into what Google did:

In an effort to promote the ‘general health of the Web,’ Google will send Webmasters snippets of malicious code in the hopes of getting infected Web sites cleaned up faster. The new information will appear as part of Google’s Webmaster Tools, a suite of tools that provide data about a Web site, such as site visits. ‘We understand the frustration of Webmasters whose sites have been compromised without their knowledge and who discover that their site has been flagged,’ wrote Lucas Ballard on Google’s online security blog. To Webmasters who are registered with Google, the company will send them an email notifying them of suspicious content along with a list of the affected pages. They’ll also be able to see part of the malicious code.

What happened to me specifically was:

  • If anyone attempted to get to my site, they’d get a warning page saying the site was flagged by Google.
  • If they chose to click through, they got a version of the site rendered without CSS or images (i.e., horribly ugly).
  • If I, as the admin, tried to log in to WordPress, I merely got looped back to the login screen, preventing me from logging in.

After a few exchanges with my web hosting company (MidPhase), I realized that the onus to fix the problem fell to me. While I’ve been a tinkerer, I’m no PHP expert. That means that while I can install and configure applications like WordPress and MediaWiki, I don’t really know everything that’s going on under the hood. That means that I have no idea what’s supposed to be there and what isn’t. How the heck was I going to fix this?

After panicking for about a day, I came to a solution. I scoured the database tables looking for rogue user accounts and comments and deleted them. I then archived my WordPress files, replacing them with a fresh install. I scrapped my theme (in the event it was outdated and adding vulnerabilities) and installed a recently published theme.

I then submitted a request for Google to reevaluate my site. After one unsuccessful “rescan,” they finally cleared my site with a clean bill of health.

While it caused me to miss nearly an entire night’s sleep on Sunday (as well as hours of time that I would have preferred to have spent with my kids…), it seems like everything is back up and running.

A few lessons learned:

  1. Google is quick to protect, slow to educate. I’m glad Google flagged “badware” on my site as I was unaware that someone had hacked it. This was done to protect the general Internet public from being infected. However, while Google blocked my site very shortly after discovering the malicious links, I would have appreciated more information on the pages that were affected. Instead, I got an abbreviated list and a vague description of the problem.
  2. Security is, indeed, everything. Bad people are out there. I know that now. Why would someone care to hack my measly personal web site? Most likely to simply spread malware. Because of this, I had to tightly restrict commenting on my site. I now require users to get approved for an account on the site before they can comment. This additional hassle will probably stem the already meager flow of comments, but I simply don’t have the time to go through this mess again.
  3. I need to be more cautious. I’ve been somewhat recklessly installing plugins and extensions for WordPress and MediaWiki without attempting to understand how each one works. Some of these pull in information from other sites. Were those sites to be affected/infected with badware, it would instantly stream to my site. By removing these plugins, I hopefully will increase my security, clean up the visual appeal of the site itself, and speed up the web site load time.
  4. Separate your domains. In addition to the main site, I had also created a sub-site for my wife to keep daily records as she homeschools our kids. This site was blocked along with the main site. I have since used another URL for her blog to isolate the two and prevent future collateral damage.
  5. A webmaster’s job is tough. I admit that maintaining this site is just a fun hobby. That said, it’s times like this that make me appreciate the job of a webmaster who must maintain 24/7/365 vigilance over the security of a web site. While I had the potential to lose years’ worth of stories, photos, and personal interest information, this is nothing compared to the personal, financial, and other sensitive data that is at risk every day on millions of web sites around the world. My hat is off to you folks!
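The settings that combined into the weak configuration (registration required to comment, but self-registration auto-approved), together with the database cleanup the post describes, can be expressed as queries against a WordPress database. The block below is an added example, not code from the original post or from WordPress itself. It assumes a MySQL/MariaDB backend, the default `wp_` table prefix, and that the option `comment_previously_approved` is the name WordPress 5.5 and later use for the older `comment_whitelist` option; the user IDs in the final DELETE statements are placeholders to be replaced with the IDs returned by the earlier queries.

```sql
-- Added example (not from the original post). Assumes the default "wp_"
-- table prefix and MySQL/MariaDB. Take a full database backup before
-- running any UPDATE or DELETE.

-- 1. The settings that mattered. comment_registration = 1 forces commenters
--    to log in, but users_can_register = 1 lets anyone (including a bot)
--    create that login, and comment_moderation = 0 means only a user's
--    first comment is held (comment_previously_approved, formerly
--    comment_whitelist, then waves the rest through).
SELECT option_name, option_value
  FROM wp_options
 WHERE option_name IN ('users_can_register', 'default_role',
                       'comment_registration', 'comment_moderation',
                       'comment_previously_approved', 'comment_whitelist');

-- Hardened values: no self-registration, and every comment held for review.
UPDATE wp_options SET option_value = '0' WHERE option_name = 'users_can_register';
UPDATE wp_options SET option_value = '1' WHERE option_name = 'comment_moderation';

-- 2. Accounts created in a burst. Family readers trickle in over months;
--    a bot registers several accounts within hours.
SELECT ID, user_login, user_email, user_registered
  FROM wp_users
 WHERE user_registered >= NOW() - INTERVAL 7 DAY
 ORDER BY user_registered;

-- 3. Comments carrying script tags, iframes or links, joined to the account
--    that posted them. comment_author_url is checked too, since the
--    "website" field is a common place to park the outbound link.
SELECT c.comment_ID, c.user_id, u.user_login, c.comment_date,
       c.comment_author_url,
       LEFT(c.comment_content, 120) AS snippet
  FROM wp_comments c
  LEFT JOIN wp_users u ON u.ID = c.user_id
 WHERE c.comment_content LIKE '%<script%'
    OR c.comment_content LIKE '%<iframe%'
    OR c.comment_content LIKE '%http://%'
    OR c.comment_content LIKE '%https://%'
    OR c.comment_author_url <> '';

-- 4. Remove the rogue accounts and everything they posted. The IDs below are
--    placeholders (hypothetical); substitute the ones returned by queries 2
--    and 3. Metadata rows are removed first so no orphans are left behind.
DELETE FROM wp_commentmeta
 WHERE comment_id IN (SELECT comment_ID FROM wp_comments
                       WHERE user_id IN (101, 102, 103));
DELETE FROM wp_comments WHERE user_id IN (101, 102, 103);
DELETE FROM wp_usermeta  WHERE user_id IN (101, 102, 103);
DELETE FROM wp_users     WHERE ID      IN (101, 102, 103);
```

Run the SELECT statements first and read the results before touching anything; query 3 will also match legitimate comments that happen to contain a link, so it is a triage list, not a delete list. Setting the options in the database has the same effect as changing them in the WordPress admin screen, which is useful when, as in the post, the admin login itself is being redirected back to the login page.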
