My Blog Was Hacked & What You Can Learn From It

I must admit…

When I see the “Upgrade” notice in WordPress, I always wait a few weeks before I upgrade.

Why?

Because I want to give developers time to ensure their plugins are compatible with the newest version.  Not to mention there are often bugs with the new release.

Well, let me just say I will be more diligent about doing updates in the future.

Last Thursday I came home, went to my blog’s homepage and saw a strange-looking parse error. No content was loading at all and I couldn’t even log in to the admin panel.

Craaaap! 

I FTP’d into my server and noticed my theme’s functions.php file had been modified three hours earlier.  I knew something was up because I wasn’t even home at the time the file was changed.  That one file also explained the symptoms: WordPress loads the active theme’s functions.php on every request, admin pages included, so a syntax error injected there takes the whole site down, login screen and all.

So I called my host and their awesome support staffer (shout out to Robert!) was able to quickly verify that the site had been compromised.

He asked me if I had upgraded to the latest version of WordPress (3.5).  I had, but a smaller security update (3.5.1) had been released the same day, and it probably addressed the hole that was used against my blog.

Fortunately, I had a backup of my original theme files, so I re-uploaded the Genesis Lifestyle Theme and that fixed the issue.  Thankfully it only took a few seconds to restore everything.  One thing I would add in hindsight: putting the theme back removes the file that broke the site, but it doesn’t prove that file was the only one touched.  Compare the rest of wp-content (plugins and uploads) and the WordPress core files against a clean copy before you call the cleanup done.

That led me to think…

There are always tips floating around about backing up the WordPress database, but you should also have a backup of your actual theme folder (located in wp-content/themes on your server).  The same goes for the plugins and uploads folders next to it; none of that lives in the database.

Remember, your theme files and your content are stored in two separate places: the files sit on the web server’s filesystem, and the posts, pages, comments and settings sit in the MySQL database.  Backing up one does nothing for the other.

Take-Home Lessons

1. Back up both your database and theme files.  You can download your files manually through FTP or use a plugin that backs up both. (See Online Backup for WordPress.)

If you want to learn how to manually upload/download WordPress folders and files using FTP, I have a tutorial on my static site.

2. If you’re re-uploading the original theme folder, don’t overwrite the style.css file, because it may contain customizations you’ve made.  Do compare the copy on the server against your backup before you keep it, though: a file you retain from a compromised site has to be checked line by line, not trusted.

I was glad I remembered that on Thursday.  That would have been a pain to make all those modifications again.

The same goes for your favicon file.  If you’ve uploaded your own favicon, be careful not to overwrite it with the original theme favicon (if applicable).

3. Upgrade to the latest WordPress version as soon as you can.  Like a lot of you, I would wait because of potential plugin incompatibility.

Not anymore.  If I have to disable a few of them, so be it.

4. Contact your theme developer and let them know what happened in case there’s an exploit with your theme.

In my case, it was more than likely a security hole in v3.5, since it happened right before a new security patch launched.  Even so, the timestamp on functions.php only tells you when the file was changed, not how.  Unless your host can pull the access logs for that window, the entry point stays a guess, which is one more reason to change every password tied to the site (WordPress admin, FTP and the database user) once the cleanup is done.
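A quick way to do the file check that lessons 1 and 2 call for, as an added example (not code from the original post, and not part of the Genesis theme): it hashes every file in the clean theme backup and in the copy pulled down from the server, then reports what was modified, added or removed. The directory layout and file names in the demo are constructed for illustration; the tampered functions.php, the extra wp-tmp.php and the missing screenshot are all simulated.

```python
"""Compare a live WordPress theme directory against a known-good backup.

Added example, not code from the original post. It assumes two directories
on local disk: a clean copy of the theme (the backup you kept) and the copy
downloaded from the server via FTP. Names in demo() are constructed.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large uploads don't have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    manifest: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def compare_manifests(clean: dict[str, str], live: dict[str, str]) -> dict[str, list[str]]:
    """Return files that differ, files new on the server, and files that went missing."""
    return {
        "modified": sorted(p for p in clean if p in live and clean[p] != live[p]),
        "added": sorted(p for p in live if p not in clean),
        "removed": sorted(p for p in clean if p not in live),
    }


def audit_theme(clean_dir: Path, live_dir: Path) -> dict[str, list[str]]:
    """Hash both trees and diff them; anything listed needs to be read, not trusted."""
    return compare_manifests(build_manifest(clean_dir), build_manifest(live_dir))


def demo() -> dict[str, list[str]]:
    """Constructed sample: a tiny theme backup, then the 'server' copy with a
    changed functions.php, a dropped-in extra PHP file and a deleted image."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "backup" / "genesis-lifestyle"
        live = Path(tmp) / "server" / "genesis-lifestyle"
        files = {
            "style.css": "/* Theme Name: Lifestyle (constructed sample) */\nbody { margin: 0; }\n",
            "functions.php": "<?php\nadd_theme_support('post-thumbnails');\n",
            "images/screenshot.png": "not really a png, constructed sample\n",
        }
        for base in (clean, live):
            for rel, body in files.items():
                (base / rel).parent.mkdir(parents=True, exist_ok=True)
                (base / rel).write_text(body)
        # Simulate the compromise on the server copy only (all constructed).
        (live / "functions.php").write_text(files["functions.php"] + "// constructed: simulated injected line\n")
        (live / "wp-tmp.php").write_text("<?php // constructed: simulated unexpected file\n")
        (live / "images/screenshot.png").unlink()
        return audit_theme(clean, live)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Point audit_theme() at the real backup and the real download; everything under modified or added is what to open and read before trusting it, and style.css staying out of the modified list is what makes keeping it safe.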

How I Back Up My WordPress Sites

I used to use WP Database Backup, which would email the file, but the database got so large that my mail server blocked it.

There is an option to store the backup on your server, but I don’t want a copy of my database just sitting on my hosting account.  Too risky: a dump left inside the web space is one guessed URL away from being downloaded, and it contains your users table, password hashes included.

Now, I just manually download my database through my hosting control panel, and I also manually download the theme files via FTP.

Backing up your database manually is pretty easy.  It may sound intimidating, but all you do is log in to your hosting account and go to the “Database” area.

Most web hosts have phpMyAdmin installed…

[Screenshot: phpMyAdmin icon in the hosting control panel]

If you use cPanel, just click the phpMyAdmin icon and it will take you to a screen that allows you to export your database.

Select the options shown in the screenshot below, and a download of your entire database will begin.

[Screenshot: phpMyAdmin export options]

Your screen may look a bit different depending on the version of phpMyAdmin you have.  This is 3.5.5.

When it’s done, you will have an .sql file on your computer.  This is your complete WordPress database: posts, pages, comments, users and settings.  Open it in a text editor before you file it away and check that it ends cleanly after your last table; an export cut short by a timeout looks fine until the day you need it.

Yes, you can use the WordPress Export feature in the Tools menu, but that gives you an XML file of your posts, pages and comments only; it doesn’t include your settings, users or plugin tables, so it can’t rebuild a site on its own.  I like having the entire database structure.

And I know plugins are convenient as well, but I just feel more comfortable doing the backups manually because I can physically see that it’s being done correctly.

I’ve heard stories about people using plugins, only to realize (when it was too late) that the plugin wasn’t backing up correctly or completely.
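The kind of check that would catch a dump that wasn’t written completely, added here as an example rather than anything from the original post or the backup plugins it mentions. It assumes the .sql file came from phpMyAdmin or mysqldump with the default wp_ table prefix, looks for the WordPress 3.x core tables, treats a file whose last statement isn’t terminated as truncated (a heuristic), and packs the theme folder into a dated .tar.gz. The sample dumps and theme files are constructed inline; the wp_users check matters because a dump with no users can’t bring back your logins.

```python
"""Sanity-check a WordPress database export and package the theme folder.

Added example, not code from the original post. It assumes the .sql file
came from phpMyAdmin or mysqldump and that the table prefix is the default
wp_ (pass another prefix if you changed it). Paths and names are hypothetical.
"""
from __future__ import annotations

import re
import tarfile
import tempfile
import time
from pathlib import Path

# Core tables every WordPress 3.x database has; a dump missing any is incomplete.
CORE_TABLES = ("commentmeta", "comments", "links", "options", "postmeta", "posts",
               "terms", "term_relationships", "term_taxonomy", "usermeta", "users")
# Tables that are never legitimately empty on a working site.
MUST_HAVE_ROWS = ("options", "posts", "users")


def check_sql_dump(path: Path, prefix: str = "wp_") -> dict:
    """Report missing core tables, core tables with no INSERT, and whether the
    file looks truncated (heuristic: last real statement does not end in ';')."""
    text = path.read_text(encoding="utf-8", errors="replace")
    created = set(re.findall(r"CREATE TABLE\s+(?:IF NOT EXISTS\s+)?`?(\w+)`?", text, re.I))
    inserted = set(re.findall(r"INSERT INTO\s+`?(\w+)`?", text, re.I))
    expected = {prefix + t for t in CORE_TABLES}
    # Drop blank lines and '-- ' comments (mysqldump's trailer is a comment).
    statements = [ln.rstrip() for ln in text.splitlines()
                  if ln.strip() and not ln.lstrip().startswith("--")]
    return {
        "missing_tables": sorted(expected - created),
        "tables_without_rows": sorted((expected & created) - inserted),
        "truncated": not statements or not statements[-1].endswith(";"),
        "size_bytes": path.stat().st_size,
    }


def dump_is_usable(report: dict, prefix: str = "wp_") -> bool:
    """A dump you could actually restore from: complete, untruncated, with content."""
    return (not report["missing_tables"]
            and not report["truncated"]
            and not any(prefix + t in report["tables_without_rows"] for t in MUST_HAVE_ROWS))


def archive_theme(theme_dir: Path, dest_dir: Path) -> Path:
    """Pack wp-content/themes/<name> into a dated .tar.gz and return its path."""
    stamp = time.strftime("%Y%m%d-%H%M%S", time.gmtime())
    out = dest_dir / f"{theme_dir.name}-{stamp}.tar.gz"
    with tarfile.open(out, "w:gz") as tar:
        tar.add(theme_dir, arcname=theme_dir.name)
    return out


def archive_members(archive: Path) -> list[str]:
    """List the files inside an archive, to confirm nothing was skipped."""
    with tarfile.open(archive) as tar:
        return sorted(m.name for m in tar.getmembers() if m.isfile())


def demo() -> dict:
    """Constructed sample: a healthy dump, the same dump cut mid-statement, and a theme folder."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        good = "\n".join(
            [f"CREATE TABLE `wp_{t}` (`id` bigint(20) NOT NULL);" for t in CORE_TABLES]
            + ["INSERT INTO `wp_options` VALUES (1, 'siteurl', 'http://example.invalid', 'yes');",
               "INSERT INTO `wp_posts` VALUES (1, 'Hello world!');",
               "INSERT INTO `wp_users` VALUES (1, 'admin');",
               "-- Dump completed on 2013-01-24 (constructed sample)"]) + "\n"
        (root / "good.sql").write_text(good)
        # Cut the good dump partway through an INSERT, as a timeout or size limit would.
        (root / "cut.sql").write_text(good[: good.index("INSERT INTO `wp_posts`") + 30])
        theme = root / "genesis-lifestyle"
        (theme / "images").mkdir(parents=True)
        (theme / "style.css").write_text("/* constructed sample theme */\n")
        (theme / "functions.php").write_text("<?php // constructed sample\n")
        (theme / "images" / "favicon.ico").write_bytes(b"\x00\x00\x01\x00")
        archive = archive_theme(theme, root)
        return {
            "good": check_sql_dump(root / "good.sql"),
            "cut": check_sql_dump(root / "cut.sql"),
            "archive_name": archive.name,
            "archived_files": archive_members(archive),
        }


if __name__ == "__main__":
    r = demo()
    print("good dump usable:", dump_is_usable(r["good"]))
    print("cut dump usable:", dump_is_usable(r["cut"]), r["cut"])
    print(r["archive_name"], r["archived_files"])
```

Run check_sql_dump() on every export before you rely on it; tables_without_rows will usually list wp_links and the like, which is normal, but wp_posts or wp_users on that list, or truncated being true, means the export has to be redone.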

When’s the last time you did a full backup of your site?  Please share your routine.


Comments

  1. Several years ago one of my websites was hacked too, and the hacker managed to hijack some of the files and also deleted quite a few important ones. Due to that experience I learned to become more cautious when installing the website, especially database-driven scripts like WordPress and Joomla. For many people who are used to auto-installation, there are a few things that could end your site in a hacker’s hands. I always make sure that the database prefix I use is different from the default wp_, as it is very easy to guess, and hackers can inject into your database if they are good enough to get through the security. Another thing is the name of your database: make sure it is always alphanumeric, and don’t use words but random letters and numbers. This makes it hard to guess and the hacker will have a hard time attacking your database tables.

    Also make use of Cloudflare or Incapsula; they have helped me a lot in detecting bad bots and spammers. Usually it is sufficient to keep the bad traffic away from your site, as the service will detect any type of scanning or JavaScript injection. Alternatively you can also install plugins like Wordfence or BulletProof Security to stop any type of code injection.

    Just sharing my 2 cents, I hope this helps. :)

  2. After years of backups, I started using BackupBuddy last year. I can schedule database backups and full backups on different schedules. I’ve been very pleased with it.

  3. Hi Lisa, great tips! Thank you :) I had much the same experience a couple of months ago. Unfortunately I had no backup… Now I know better. And I will never ever forget to upgrade. You made that clear ;) Thanks a lot!!!

  4. This is great advice. I want to create a system for protecting against site compromising. This will be a great start. Thanks Lisa.

  5. This is my first time on your blog site… but I tell you I am scared about hacking; that is why I am always prepared and have backup files…
    Thanks.

  6. Great point. Well detailed. Thank you.

  7. This is why I say online business is risky if even blogs of experts like you can get hacked.

  8. Yeah, I got hacked too, but just changed themes and that seemed to get rid of the compromised code. I was updated to the latest version too, 3.5.1. What I’m wondering is how often to back up.

  9. I’m sorry your blog was hacked! Best of luck in the future!

  10. A very useful post! As a blogger this is the worst thing I could possibly think of, and I always use WordPress security plugins on my blogs. There are some nice tips in this post!
    Thanks for sharing

  11. The most amazing idea was about the theme backup, and in that case style.css; otherwise database backup is a well-known way to restore a hacked website.

  12. Take proper precautions, follow strict guidelines while approving comments, and stay away from third-party applications; they are the main source for sharing personal information.

  13. First of all, the article is so nice and useful.
    It’s very important to keep a backup of your blog, as we don’t know when it will be attacked.

  14. Thank you Lisa, for extremely useful information. Having a backup is extremely necessary, which most bloggers are unaware of, and they lose everything when their blog is hacked.

  15. I have been following you for a while and have always admired your videos and the content you provide. Thanks Lisa.

  16. I had someone crash my WP blog http://TheseAreGreat.com. I host it on GoDaddy. The first person I spoke to said I needed to pay them $150 because it was not backed up. The second person I spoke to said it did have a backup and they helped me get it up and running again. Interesting, right? Why do people do things like that? Crazy.

    Now I am building another blog, http://FirstImpressionsProductions.com. Lesson learned.
    Thank you for sharing this information.
    Christine

  17. It’s funny – I too upgrade WordPress after a while, basically for the same reasons as you.

  18. Hacking websites has become very common today… Even the best software and safety strategy are unable to stop this. What we actually need is caution on the part of the admins of the websites. Many times we see that some server is hacked because they didn’t change the default passwords or the admin infected the machine by carelessness. So an important aspect of prevention of hacking comes from the user.

  19. Getting hacked is the worst! Ensuring a solid backup system and hard-to-crack passwords is a must in today’s world. Not just for your websites but also for your computers! Services like Carbonite are life savers. A nice WordPress trick my developer uses is to move the wp-admin to another location like site/wp-admin, or a custom/wp-admin. It can keep some of the bots away! The name of the game is reducing risk. If a good hacker wants in, they will get in, so ensure you are backed up and have as much protection as you can in place.

  20. Excellent article! I just got a new blog set up and I am definitely going to back up my theme and upgrade to WordPress 3.5.1. So sorry to hear you got hacked, but glad that you were able to get everything restored.

  21. Hi Lisa,

    I am a great fan of yours and I saw all your videos on YouTube about AdSense and all that stuff! I am so happy that I stumbled onto this site. It has helped me a lot in how I see things.
    And I really like the post because I am starting to learn new ways. I’m so glad that you made this site. This is one
    of the most important things for people to know.

    thanks.

  22. Work on secured connections, change your password once a month. Hacking websites has become very easy these days.

  23. A regular data backup is the best bet. Also, one should choose his/her passwords properly and shouldn’t use the same password for all accounts.

  24. Thanks for the informative post!!
    As hacking is a very serious problem, protect your blog from the hackers. You must have a complete backup
    of all the posts. Use good plugins to protect your blog and also look at where you are getting visits from, and if some visits look suspicious, better look into it. Keep blogging.

  25. Thanks Lisa for sharing your experience with us. Many of us have faced this type of problem at some time. I do agree that data backup is essential. Moreover, I would like to take advantage of the technique you have provided for backup.

  26. I have been hacked many times with malware. WordPress sites are so vulnerable when the themes and plugins become outdated; the hackers learn the security flaws and exploit them. You have to constantly update your sites. I have 30 of them and it can be tough. I now use Sucuri to monitor my sites and fix any problems.

  27. Wow. Have to admit, I started sweating just thinking about my site being compromised…!! I just opened up a WP plugin that will help me to download my precious database files in case anything crazy should happen.

    Thanks so much for the heads up!!! ~Barb

  28. I use a special anti-hacker plugin. It’s very good security against hackers.

  29. Dear Lisa,

    Once upon a time I was really afraid of the hackers on my WordPress blog. I think it’s a painful task to rescue the content with images. That is why WP Database Backup from cPanel is necessary. Thanks for posting such an informative article. I really liked it and have to follow your techniques to protect against the hackers. Thanks.

  30. Hi Lisa, thanks for sharing this with us. I’m sure we can all learn something from this. I, like you, normally like to wait a while after an update is released; not anymore.

  31. Nicely written.
    Fixing hacked websites for a living, I can say from experience- Well done!

  32. My site was also hacked, and I have learned from experience that “Never trust internet friends”. Backup is a very useful thing; nowadays I am taking backups almost daily. Thanks LISA for this post. Thanks for sharing this.

  33. Hi Lisa,

    No one likes their site to be hacked and I feel sorry for you and your site. Anyway, your post should serve as a reminder that not all upgrades are good and that before upgrading something on your site, conduct a double-check first. It’s not bad to be cautious sometimes, is it? I like the screenshots. They make things easy to understand. Thanks for sharing this informative and important post.

  34. Hi Lisa,
    Been a long time lurker on your blog but decided to pitch in with my comment here :) – One of the WP sites I was developing for a client recently got hacked simply because our developers hadn’t taken some basic precautions in securing the site. In most cases, this is quite easy with WordPress – our personal preference being Better WP Security or WordFence (not affiliated with either). Just goes to show that you always think it will never happen to you, but when it does, it can be a costly mistake!
    Cheers,
    Dee

  35. I use a plugin called backwpup that can backup everything to dropbox or a different FTP account. I have daily backups for my database and weekly for all the files.

  36. I was hacked recently by a guy who is probably from the other side of the world.

    He says he is a computer engineer.

    He hacked my blog and told me to upload a video about ISLAM.

    The video says that ISLAM is the true religion of God.

    He sent me an e-mail the next day and said to post that to my blog and he gave me the new password he created.

    I got back in with the help of BlueHost support and changed the e-mail addresses inside from his to mine.

    Now my blog looks different.

    I messaged him back and he said he can fix it if I give him the password.

    I said thanks but no thanks, and he said I can hack your blog again, but as you wish.

    WEIRD!

    I should become a computer engineer so I can be more educated and informed about this.

    Thanks for sharing Lisa.

    • Ok that’s very odd. But there are different breeds of hackers. Some are what they call “considerate hackers” who do it just to see if they can get in but they don’t want to harm you. I had one hacker email me and told me how to close an “exploit” I had on my blog. He said he was a fan and didn’t want to harm my site but just wanted to see if he could get in.

      • Yes that’s odd for sure. I was talking to him again and he said that it was a hacking mistake and that he did not mean to screw anything up. He says that’s why he gave me the password. I still don’t trust him though so I have to get it fixed. He offered to fix it. That’s very nice of the person to tell you about the exploit. Thanks for sharing Lisa!

  37. Hey Lisa,

    It’s something that everybody really needs to be careful of. Whether it’s making sure your file permissions aren’t universally set to 777, your site has the latest version of WP, or else it’s just backed up regularly.

    Like another poster, I awoke one morning to find a client’s site with a bloodcurdling graphic (some Islamic stuff) letting me know my site had been hacked.

    Lesson learned..

    Mike

  38. Hey Lisa, thanks for sharing your experience. And yes, hacking has become common nowadays, so we have to make sure that we make a backup of our blog every time, and I really like the way you tell us how to make a backup.

  39. I use OSE Firewall now after my WordPress site was last hacked. It blocks a lot of standard attacks, and I haven’t had any problems since. I also keep my site updated a lot better than I used to.

  40. Scary stuff, do you use any plugins to warn you?

  41. There’s a guide called BlogDefender that really helped me tighten up security on my blogs. In it, it recommends a plugin called Automatic Updater that… you guessed it… automatically updates WordPress to the latest version.

    With WordPress being so popular, hacking will probably just get worse. My brother’s wordpress blogs have been hacked several times already this year.

  42. Blogging people are always afraid of getting hacked. Your post is very informative on how to prevent this. Thanks for sharing!

  43. How is this happening? Blogs on Google can be hacked, can’t they?

  44. But I think many hosts have an automated backup option for websites. I see such a notification in Hostgator that the last backup was at xyz time.

  45. What type of attack did you face? Nowadays hackers mostly use DDoS or DoS attacks, which are very strong attacks.

  46. Nowadays hackers are becoming more ingenious; they use hacking for money purposes, meaning they become black hat hackers.

  47. Are you a Back Up Buddy user Lisa? I still need to get that plugin for backing up, but I don’t know if it’s adequate for backing up absolutely everything in the event of a compromised WP site

    • I prefer to use something at the hosting level so I have my dedicated host back up regularly and I do my own. For some reason I hate relying on plugins and some of these tools.

  48. Thanks for the nice reminder. Perhaps everybody knows about the risk in online working but feels safe up to the moment when it’s not anymore. We should take a backup of all the work we did in the past year, so in case something unusual happens we can rely on it.

  49. Thanks for the valuable sharing. I got hacked too, but just changed themes and that seemed to get rid of the compromised code. I was updated to the latest version too, 3.5.1. What I’m wondering is how often to back up.
