You know you’re in trouble when you’re hoping the email you’re staring at is spam.
I woke up on December 24 to a notice from Google’s Webmaster Tools that my site was infected. It read, in part:
Unfortunately, it appears some pages on your site may infect visitors with software designed to access confidential information or harm their computers. You may not be able to easily see these problems if the hacker has configured your server to only show malicious content to certain visitors. To protect visitors to your site from malware, Google’s search results now display a warning when users click a link to your site.
I immediately opened a browser tab in incognito mode and ran a Google search for my name. Yes, the warning about my Web site was there. The email with its many links was legit.
There are instructions for a reason.
The first thing I did was scan my computer to make sure it wasn’t infected. (It wasn’t.) While I was doing that, I was trying to figure out who to call, since the Geek Squad and all the computer techs I know deal with computers, not Web site issues.
I clicked through to Webmaster Tools to find out what to do next. Their next steps instructed me to immediately call my hosting company, because if my site was infected it was possible that it was infecting other sites on that server as well.
Kyle at One World Hosting immediately went into my site, ran a check, and quarantined a bunch of files. (And he discovered that my site wasn’t the only one with a problem—so he was really glad I’d called so promptly. I learned later from multiple sources that there was a massive attack on WordPress sites over the holiday.) He then gave me the “all clear.”
Get Google to declare your site safe.
Once Kyle gave me the all-clear sign, I went back into Webmaster Tools and filed a request with Google to recheck my site. The reason: the files had been quarantined. Within a couple of hours, Google had declared my site safe again.
There’s more work to be done.
Change your passwords.
This is a no-brainer, except when it’s not. After all, Sony kept a list of passwords in a master file on its server called “Passwords.”
With the most immediate threat resolved, and my passwords updated, my next step was to figure out how the hackers got in.
My friend Karen Swim had two sites hacked a couple of years ago, so she’s done a lot of homework on this topic. She recommended I sign up with Sucuri, a company that cleans up sites and monitors for malware.
Sucuri did more clean-up work and identified two things that I needed to address:
- Updating a plugin ASAP (which they said was the point of entry for the attack)
- Updating two old WordPress installs
Check your old files now.
I had no idea there were two old versions of WordPress hanging around—they were never updated because neither one was showing in the content management side of my current Web site. I reached out to my developer, and he deleted them both.
Similarly, I didn’t know that the slider plugin was out-of-date because I never received any alerts to update it. It is a premium plugin, used on just one page, that my developer had installed as part of the last Web redesign. He updated it, and the current iteration is supposed to prompt me when there are updates to be installed.
The key takeaway here is that there are likely files at the back end of your server that you don’t even know are there.
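One way to take that inventory yourself, as an added example that is not part of the original post or anything Sucuri or the hosting company ran: a short Python script that walks a web root, finds every copy of WordPress (including ones nested in subfolders that never show up in the dashboard), and lists each copy's core and plugin versions. It assumes the standard WordPress layout (`wp-includes/version.php` and `wp-content/plugins/<folder>/`); the function names are illustrative.

```python
import os
import re
import sys

# Core version lives in wp-includes/version.php as: $wp_version = '4.1';
WP_VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]")
# Plugin main files carry a header comment with "Plugin Name:" and "Version:".
PLUGIN_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.M | re.I)

def read_head(path, limit=8192):
    """Read only the start of a file; headers and version.php fit in 8 KB."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read(limit)

def plugin_versions(install_dir):
    """Map plugin folder name -> declared version for one install."""
    plugins_dir = os.path.join(install_dir, "wp-content", "plugins")
    found = {}
    if not os.path.isdir(plugins_dir):
        return found
    for slug in sorted(os.listdir(plugins_dir)):
        slug_dir = os.path.join(plugins_dir, slug)
        if not os.path.isdir(slug_dir):
            continue
        for name in sorted(os.listdir(slug_dir)):
            if not name.endswith(".php"):
                continue
            head = read_head(os.path.join(slug_dir, name))
            if "Plugin Name:" in head:
                m = PLUGIN_VERSION_RE.search(head)
                found[slug] = m.group(1) if m else "unknown"
                break
    return found

def find_wordpress_installs(webroot):
    """Walk the whole tree so copies nested in subfolders are found too."""
    installs = {}
    for dirpath, _dirs, _files in os.walk(webroot):
        version_file = os.path.join(dirpath, "wp-includes", "version.php")
        if os.path.isfile(version_file):
            m = WP_VERSION_RE.search(read_head(version_file))
            core = m.group(1) if m else "unknown"
            installs[dirpath] = {"core": core, "plugins": plugin_versions(dirpath)}
    return installs

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, info in sorted(find_wordpress_installs(root).items()):
        print(path, "WordPress", info["core"], info["plugins"])
```

Run it against the web root on the hosting account; more than one install in the output, or a version that differs from what the dashboard reports, is the kind of forgotten copy described above.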
Don’t panic. Just solve it.
Because of the long holiday weekend, it took almost a week to get everything resolved. This isn’t atypical, because a lot of attacks happen during holidays when hackers are hoping we’re all napping. (Swim’s troubles happened over a Fourth of July holiday.)
This is a long post to start 2015, and not really the content I’d planned to share to start off the new year. But I wanted to pass along my lessons learned in hopes of saving the next person some aggravation. Hacks will happen. But if you make it harder to hack your site, just maybe they’ll skip you and go break in somewhere else.