My Blog Was Hacked & What You Can Learn From It

I must admit…

When I see the “Upgrade” notice in WordPress, I always wait a few weeks before I upgrade.

Why?

Because I want to give developers time to ensure their plugins are compatible with the newest version.  Not to mention there are often bugs with the new release.

Well, let me just say I will be more diligent about doing updates in the future.

Last Thursday I came home and went to my blog’s homepage and noticed a strange-looking parse error. No content was loading at all and I couldn’t even log in to the admin panel.

Craaaap! 

I FTP’d into my server and noticed my theme’s functions.php file had been modified three hours earlier. I knew something was up because I wasn’t even home at the time the file was changed.

So I called my host and their awesome support staffer (shout out to Robert!) was able to quickly verify that the site had been compromised.

He asked me if I had upgraded to the latest version of WordPress (3.5).  I had, but there was a smaller security update (3.5.1) released on the same day that probably addressed the exploit which impacted my blog.

Fortunately, I had a backup of my original theme files.  So I re-uploaded the Genesis Lifestyle Theme and that fixed the issue.  Thankfully it only took a few seconds to restore everything.

That led me to think…

There are always tips floating around about backing up the WordPress database, but you should also have a backup of your actual theme folder (located in wp-content/themes on your server).

Remember, your theme files and database are stored in two separate locations.

Take-Home Lessons

1. Back up both your database and theme files. You can download your files manually through FTP or use a plugin that backs up both. (See Online Backup for WordPress.)

If you want to learn how to manually upload/download WordPress folders and files using FTP, I have a tutorial on my static site.

2. If you’re re-uploading the original theme folder, don’t overwrite the style.css file because it may contain customizations you’ve made.

I was glad I remembered that on Thursday.  That would have been a pain to make all those modifications again.

The same goes for your favicon file.  If you’ve uploaded your own favicon, be careful not to overwrite it with the original theme favicon (if applicable).

3. Upgrade to the latest WordPress version as soon as you can.  Like a lot of you, I would wait because of potential plugin incompatibility.

Not anymore.  If I have to disable a few of them, so be it.

4. Contact your theme developer and let them know what happened in case there’s an exploit with your theme.

In my case, it was more than likely a security hole in v3.5 since it happened right before a new security patch launched.
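Lessons 1 and 2 as shell functions, added here as an example and not code from the original post: archive the theme folder with a checksum manifest, list which files differ from that archive (the way the modified functions.php stood out above), and restore the clean copy while keeping your customised style.css and favicon. It assumes GNU coreutils (sha256sum, comm) and tar; the paths in the usage comments are examples.

```shell
#!/bin/sh
# Added example, not code from the original post: archive a WordPress theme
# folder, report which files differ from that archive, and restore the clean
# copy without clobbering the customised style.css or favicon.ico.
# Assumes GNU coreutils (sha256sum, comm) and tar; THEME_DIR is the full path
# to the folder under wp-content/themes.

# backup_theme THEME_DIR BACKUP_TAR: archive the folder and write a checksum manifest beside it
backup_theme() {
    tar -C "$(dirname "$1")" -cf "$2" "$(basename "$1")"
    (cd "$1" && find . -type f | sort | xargs sha256sum | sort) > "$2.sha256"
}

# changed_since_backup THEME_DIR BACKUP_TAR: list files modified, added or removed since
# the backup (a modified file appears with two different hashes, so it is printed once)
changed_since_backup() {
    now=$(mktemp)
    (cd "$1" && find . -type f | sort | xargs sha256sum | sort) > "$now"
    comm -3 "$2.sha256" "$now" | awk '{print $NF}' | sort -u
    rm -f "$now"
}

# restore_theme BACKUP_TAR THEME_DIR: replace the whole live folder with the clean archive,
# keeping only the files the post says carry your own customisations
restore_theme() {
    keep=$(mktemp -d)
    for f in style.css favicon.ico; do
        if [ -f "$2/$f" ]; then cp "$2/$f" "$keep/$f"; fi
    done
    rm -rf "$2"                       # drops injected files too, not just the ones we know about
    tar -C "$(dirname "$2")" -xf "$1"
    for f in style.css favicon.ico; do
        if [ -f "$keep/$f" ]; then cp "$keep/$f" "$2/$f"; fi
    done
    rm -rf "$keep"
}

# Typical use on the server (example paths):
#   backup_theme /var/www/wp-content/themes/my-theme /root/backups/my-theme.tar
#   changed_since_backup /var/www/wp-content/themes/my-theme /root/backups/my-theme.tar
#   restore_theme /root/backups/my-theme.tar /var/www/wp-content/themes/my-theme
```

The database half of lesson 1 is a separate export (phpMyAdmin or mysqldump), as the post describes below.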

How I Back Up My WordPress Sites

I used to use WP Database Backup, which would email the file, but the database got so large that my mail server blocked it.

There is an option to store the backup on your server, but I don’t want a copy of my database just sitting on my hosting account.  Too risky.

Now, I just manually download my database through my hosting control panel, and I also manually download the theme files via FTP.

Backing up your database manually is pretty easy. It may sound intimidating, but all you do is log in to your hosting account and go to the “Database” area.

Most web hosts have phpMyAdmin installed…

[Screenshot: phpMyAdmin icon in the hosting control panel]

If you use cPanel, just click the phpMyAdmin icon and it will take you to a screen that allows you to export your database.

Select the following options in the screenshot below, and a download of your entire database will begin.

[Screenshot: phpMyAdmin export options]

Your screen may look a bit different depending on the version of phpMyAdmin you have.  This is 3.5.5.

When it’s done, you will have an .SQL file on your computer.  This is your complete WordPress database with your posts, pages, and comments.

Yes, you can use the WordPress Export feature in the Tools menu, but I like having the entire database structure.

And I know plugins are convenient as well, but I just feel more comfortable doing the backups manually because I can physically see that it’s being done correctly.

I’ve heard stories about people using plugins, only to realize (when it was too late) that the plugin wasn’t backing up correctly or completely.
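One way to check that an exported .sql file really is complete before you rely on it, added here as an example and not from the original post: it looks for the core WordPress tables under the given prefix (wp_ by default) and for a final statement that was cut off. The table list and the end-of-file heuristic are assumptions about mysqldump and phpMyAdmin SQL exports.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check an exported WordPress
# .sql dump before trusting it as a backup. Assumes the dump came from mysqldump
# or phpMyAdmin's SQL export and that the table prefix is known (wp_ by default).

# verify_wp_dump DUMP_FILE [PREFIX]: print what is wrong and return 1 if a core
# table is absent or the file looks truncated; return 0 if the dump passes
verify_wp_dump() {
    dump=$1
    prefix=${2:-wp_}
    status=0
    for t in options users usermeta posts postmeta comments commentmeta \
             terms term_taxonomy term_relationships; do
        if ! grep -q "CREATE TABLE.*\`${prefix}${t}\`" "$dump"; then
            echo "missing table: ${prefix}${t}"
            status=1
        fi
    done
    # A dump cut off mid-transfer usually ends inside a statement; a complete
    # one ends with a terminated statement (phpMyAdmin) or a comment (mysqldump).
    last=$(grep -v '^[[:space:]]*$' "$dump" | tail -n 1)
    case $last in
        *';'|--*|'/*'*) ;;
        *) echo "dump looks truncated (last line: $last)"; status=1 ;;
    esac
    return $status
}
```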

When’s the last time you did a full backup of your site?  Please share your routine.


Comments

  1. says

    Several years ago one of my websites was hacked too, and the hacker managed to hijack some of the files and also deleted quite a few important ones. Due to that experience I learned to become more cautious when installing the website, especially database-driven scripts like WordPress and Joomla. For many people who are used to auto installation, there are a few things that could end your site in a hacker’s hands. I always make sure that the database prefix I use is always somewhat different from the default wp_, as it is very easy to guess and hackers can inject your database if they are good enough to go through the security. Another thing is the name of your database: make sure they are always alphanumeric and don’t use words but random letters and numbers. This makes it hard to guess and the hacker will have a hard time attacking your database tables.

    Also make use of Cloudflare or Incapsula; they have helped me a lot in detecting bad bots and spammers. Usually it would be sufficient to keep the bad traffic away from your site, as the service will detect any type of scanning or JavaScript injection. Alternatively you can also install plugins like Wordfence or BulletProof Security to stop any type of code injection.

    Just sharing my 2 cents, I hope this helps. :)

  2. says

    Hi Lisa, great tips! Thank you :) I had quite the same experience a couple of months ago. Unfortunately I had no backup… Now I know better. And I will never ever forget to upgrade. You made that clear ;) Thanks a lot!!!

  3. says

    A very useful post! As a blogger this is the worst thing I could possibly think of, and I always use WordPress security plugins on my blogs. There are some nice tips in this post!
    Thanks for sharing

  4. says

    Thank you Lisa, for extremely useful information. Having a backup is extremely necessary, about which most bloggers are unaware, and they lose everything when their blog is hacked.

  5. says

    I had someone crash my WP blog http://TheseAreGreat.com. I host it on GoDaddy. The first person I spoke to said I needed to pay them $150 because it was not backed up. The second person I spoke to said it did have a backup and they helped me get it up and running again. Interesting, right? Why do people do things like that? Crazy.

    Now I am building another blog, http://FirstImpressionsProductions.com. Lesson learned.
    Thank you for sharing this information.
    Christine

  6. says

    Hacking websites has become very common today… Even the best software and safety strategy are unable to stop this. What we actually need is caution on the part of the admins of the websites. Many times we see that some server is hacked because they didn’t change the default passwords or the admin infected the machine by carelessness. So an important aspect of prevention of hacking comes from the user.

  7. says

    Getting hacked is the worst! Ensuring a solid backup system and hard-to-crack passwords is a must in today’s world. Not just for your websites but also for your computers! Services like Carbonite are life savers. A nice WordPress trick my developer uses is to move the wp-admin to another location like site/wp-admin, or a custom/wp-admin. It can keep some of the bots away! The name of the game is reducing risk. If a good hacker wants in, they will get in, so ensure you are backed up and have as much protection as you can in place.

  8. says

    Hi Lisa,

    I am a great fan of yours and I saw all your videos on YouTube about AdSense and all that stuff! I am so happy that I stumbled onto this site. It has helped me a lot from the view of things. And I really like the post because I am starting to learn new ways. I’m so glad that you made this site. This is one of the most important things for people to know.

    thanks.

  9. says

    A regular data backup is the best bet. Also one should choose his/her passwords properly and shouldn’t use the same password for all accounts.

  10. says

    Thanks for the informative post!!
    As hacking is a very serious problem, protect your blog from the hackers. You must have a complete backup of all the posts. Use good plugins to protect your blog and also look at where you are getting visits from, and if some visits look suspicious, better look after it. Keep blogging

  11. says

    Thanks Lisa for sharing your experience with us. Many of us have faced this type of problem at some time. I do agree that data backup is essential. Moreover I would like to take advantage of the technique you have provided for backup.

  12. says

    I have been hacked many times with malware. WordPress sites are so vulnerable when the themes and plugins become outdated; the hackers learn the security flaws and exploit them. You have to constantly update your sites. I have 30 of them and it can be tough. I now use Sucuri to monitor my sites and fix any problems.

  13. says

    Wow. Have to admit, I started sweating just thinking about my site being compromised…!! I just opened up a WP plugin that will help me to download my precious database files in case anything crazy should happen.

    Thanks so much for the heads up!!! ~Barb

  14. says

    Dear Lisa,

    Once upon a time I was really afraid about the hackers on my WordPress blog. I think it’s a painful task to rescue the content with images. That is why WP Database Backup from cPanel is necessary. Thanks for posting such an informative article. I really liked it and have to follow your techniques to protect against the hackers. Thanks.

  15. says

    Hi Lisa, thanks for sharing this with us. I’m sure we can all learn something from this. I, like you, normally like to wait a while after an update is released. Not anymore.

  16. says

    My site was also hacked, and I have had an experience that “Never Trust Internet Friends”. Backup is a very useful thing; nowadays I’m taking backups almost daily. Thanks LISA for this post. Thanks for sharing this.

  17. says

    Hi Lisa,

    No one likes their site to be hacked and I feel sorry for you and your site. Anyways, your post should serve as a reminder that not all upgrades are good and that before upgrading something in your site, conduct a double-check first. It’s not bad to be cautious sometimes, is it? I like the screenshots. It makes things easy to understand. Thanks for sharing this informative and important post.

  18. says

    Hi Lisa,
    Been a long time lurker on your blog but decided to pitch in with my comment here :) – One of the WP sites I was developing for a client recently got hacked simply because our developers hadn’t taken some basic precautions in securing the site. In most cases, this is quite easy with WordPress – our personal preference being Better WP Security or WordFence (not affiliated with either). Just goes to show that you always think it will never happen to you, but when it does, it can be a costly mistake!
    Cheers,
    Dee

  19. says

    I was hacked recently by a guy who is probably from the other side of the world.

    He says he is a computer engineer.

    He hacked my blog and told me to upload a video about ISLAM.

    The video says that ISLAM is the true religion of God.

    He sent me an e-mail the next day and said to post that to my blog and he gave me the new password he created.

    I got back in with the help of BlueHost support and changed the e-mail addresses inside from his to mine.

    Now my blog looks different.

    I messaged him back and he said he can fix it if I give him the password.

    I said thanks but no thanks, and he said I can hack your blog again, but as you wish.

    WEIRD!

    I should become a computer engineer so I can be more educated and informed about this.

    Thanks for sharing Lisa.

    • says

      Ok that’s very odd. But there are different breeds of hackers. Some are what they call “considerate hackers” who do it just to see if they can get in but they don’t want to harm you. I had one hacker email me and told me how to close an “exploit” I had on my blog. He said he was a fan and didn’t want to harm my site but just wanted to see if he could get in.

      • says

        Yes that’s odd for sure. I was talking to him again and he said that it was a hacking mistake and that he did not mean to screw anything up. He says that’s why he gave me the password. I still don’t trust him though so I have to get it fixed. He offered to fix it. That’s very nice of the person to tell you about the exploit. Thanks for sharing Lisa!

  20. says

    Hey Lisa,

    It’s something that everybody really needs to be careful of. Whether it’s making sure your file permissions aren’t universally set to 777, your site has the latest version of WP, or else just is backed up regularly.

    Like another post, I awoke one morning to find a client’s site with a bloodcurdling graphic (some Islamic stuff) letting me know my site had been hacked.

    Lesson learned..

    Mike

  21. says

    Hey Lisa, thanks for sharing your experience, and yes, hacking has become common nowadays, so we have to make sure that we make a backup of our blog every time, and I really like the way you tell us about how to make a backup.

  22. says

    I use OSE Firewall now after my WordPress site was last hacked. It blocks a lot of standard attacks, and I haven’t had any problems since. I also keep my site updated a lot better than I used to.

  23. says

    There’s a guide called BlogDefender that really helped me tighten up security on my blogs. In it, it recommends a plugin called Automatic Updater that… you guessed it… automatically updates WordPress to the latest version.

    With WordPress being so popular, hacking will probably just get worse. My brother’s wordpress blogs have been hacked several times already this year.

  24. says

    But I think many hosts have an automated backup option for websites. I see such a notification in Hostgator that the last backup was at xyz time.

  25. says

    Are you a Back Up Buddy user Lisa? I still need to get that plugin for backing up, but I don’t know if it’s adequate for backing up absolutely everything in the event of a compromised WP site

    • says

      I prefer to use something at the hosting level so I have my dedicated host back up regularly and I do my own. For some reason I hate relying on plugins and some of these tools.

  26. says

    Thanks for the nice reminder. Perhaps everybody knows about risk in online working but feels safe up to the moment when not anymore. We should take a backup of all our work which we did in the past year, so in case something unusual happened we can rely on it.

  27. says

    Thanks for the valuable sharing. I got hacked too, but just changed themes and that seemed to get rid of the compromised code. I was updated to the latest version too, 3.5.1. What I’m wondering is how often to backup.
