No one ever wants to hear those words. “You’ve been hacked!” Sure enough, when I went to the blog, I was greeted by this:
It slowly scrolled up and told me how good my security was, but how they were far better. Blah Blah Blah. I figure that it’s just a group of script kiddies somewhere who don’t have a clue and are just getting their jollies from defacing some websites. The real kicker here was that I went to check each of my websites, and they were all showing the same thing! 🙁 That’s one of the joys of shared web hosting. When one is torched, it’s almost a sure thing that everything is gone.
I contacted my hosting provider Dreamhost and received instructions on how to get my websites back up and running. Unfortunately there is no simple way to roll them back, so I had to go through each one and create new WordPress installations, copy the database and uploads from the hacked folder into the new one, and re-install my themes and plugins. This started off as a very slow process, but after the third or fourth time, I began to get the knack of it. Let’s just say that I’m now pretty proficient in understanding which WordPress files are key to holding your data.
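The uploads folder is the one part of the hacked install that gets copied into the new one as-is, so it is worth filtering on the way across. The following is an added example, not part of the original post or of Dreamhost's instructions: a POSIX shell function (the name `copy_clean_uploads` and the example paths are assumptions) that copies media into the fresh install's `wp-content/uploads` and leaves behind anything a web server could execute.

```sh
#!/bin/sh
# Added example: copy media from a compromised WordPress uploads folder into a
# fresh install, skipping files that a web server could execute or that change
# its behaviour. Paths and the function name are assumptions for illustration.
#
# usage: copy_clean_uploads OLD_UPLOADS NEW_UPLOADS
#   e.g. copy_clean_uploads ~/site.hacked/wp-content/uploads ~/site/wp-content/uploads
# Prints the number of skipped files on stdout; each skipped path goes to stderr.
# Symlinks are never copied (find -type f). Filenames containing newlines are
# not supported by this line-based loop.
copy_clean_uploads() {
    src=$1
    dst=$2
    mkdir -p "$dst"
    ( cd "$src" && find . -type f ) | {
        skipped=0
        while IFS= read -r rel; do
            # Compare on the lower-cased file name so thumb.PHP is caught too.
            name=$(basename "$rel" | tr '[:upper:]' '[:lower:]')
            case $name in
                # Script extensions, double extensions such as logo.php.jpg,
                # and per-directory server/PHP configuration files.
                *.php|*.php[0-9]|*.phtml|*.phar|*.pht|*.cgi|*.pl|*.sh|\
                *.php.*|*.phtml.*|*.phar.*|.htaccess|.user.ini)
                    printf 'SKIPPED (review by hand): %s\n' "$rel" >&2
                    skipped=$((skipped + 1))
                    ;;
                *)
                    mkdir -p "$dst/$(dirname "$rel")"
                    cp -p -- "$src/$rel" "$dst/$rel"
                    ;;
            esac
        done
        echo "$skipped"
    }
}

# Run directly with two arguments: old uploads dir, new uploads dir.
if [ "$#" -eq 2 ]; then
    copy_clean_uploads "$1" "$2"
fi
```

A non-zero count means the old uploads folder held files that do not belong among images and documents; look at each skipped path before deciding whether it was ever legitimate.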
So how did these punks get in in the first place? I don’t know. The most likely scenario is that one of my WordPress plugins or themes had a vulnerability in it, allowing them access to all my sites. WordPress plugins get updated all the time, and it’s a big pain to keep them up to date – especially when you are running multiple sites. Some of my sites are not actively used, so I rarely log into them. That makes them especially vulnerable to hackers looking for access.
How do you manage multiple WordPress sites to keep your plugins or themes up to date? There are some services out there that allow you to update everything from a single dashboard! One of the free ones I found is WP-Remote. Their website claims “Monitor and update all of your WordPress‐powered sites. 68,253 WordPress websites already do.” I created a login and added a plugin to each of my blogs that I wanted to manage. Voila! This is what the WP-Remote dashboard looks like:
You can see the list of WordPress sites on the left-hand side, and easily determine whether they are up to date or require action. Installing updates is as simple as clicking a single button on the right side to update all. Within seconds everything is good to go! This is a brilliant service, and saves me a ton of time! I’ve made a habit of checking in with WP-Remote in the morning and updating any files that require it. Did I mention that it’s free? They sell a premium version of their service that adds things like automated backups, but I’ve discovered that I don’t need to pay for those. Why not? Keep reading, and I’ll tell ya!
Updraft Plus is a fantastic (and free!) WordPress plugin that performs fully automated backups on whatever schedule you set, and saves them locally as well as on virtually any remote storage location. They offer a premium plan that gives you more control over how those backups are performed, but I’m OK with the free version for now.
Free managing dashboard. Free automated backups. What a great deal, right? Yup! But there’s one area that I DID decide to splurge a little money on. I’ve been a faithful Dropbox user for years, and I’d worked my way up to 14GB of free space, but it just wasn’t enough. So with the money that I saved from the other two services, I upgraded my Dropbox to the Professional plan. For $109/year I now have 1TB of space. That’s more than enough for all my backup needs. Famous last words.
So while this hacking incident has cost me some time and money (lost AdSense revenue and increased purchasing), I’ve learned a great deal about WordPress installations, the critical files, bulk management, and now have a solid backup/restore plan in the event of a catastrophic failure in the future. It was a difficult pill to swallow, but I think that the lessons learned far outweigh the loss.
Let’s hope that I never have to deal with this again. But if I do, I have the right tools in place to minimize any downtime.