PSA: The Story of My Hacked Blog

by Kim on September 25, 2012 · 37 comments

Three months ago, Sophisticated Dorkiness was hacked… and I didn’t know it.

Someone, somewhere, managed to exploit a loophole in my website security and insert malware that took over the search results to this site, hijacking my traffic and putting my work at risk.

I’m writing this post because what happened to me and my site was likely preventable. Had I paid more attention to some early signs of a problem or taken basic website maintenance and security seriously, I probably wouldn’t be writing this post. I don’t want to scare anyone, but I think it’s important to share this information and remind other bloggers who self-host their sites to be vigilant.

Finding the Hack

First of all, I think it’s also important to mention that I am NOT an expert in website security or the intricacies of being hacked. I’m a hobby blogger that self-hosts this website. If you think your site has been hacked, DO NOT take this as expert advice or expect this post to offer a fix. This is just my personal experience and a few lessons learned.

My first clue that something was wrong with my site should have come several months ago when I noticed a steep drop in my traffic on Google Analytics. This is a look at my traffic, starting in April 2012:

As you can see, I had a pretty regular traffic pattern (high traffic during the week, lower on the weekends) until about June. Then, traffic dropped off dramatically. I was a little concerned about this, but given the quirks that can come with analytics I figured it was just an error and ignored it. In hindsight, I’m pretty sure the drop in June is from when my site was hacked and all of the traffic from search engines got diverted.

I finally realized I had a serious problem earlier this month when I went to do a Google search for my blog. This is what came up:

If you can’t read it, the image shows that the titles for many of my posts show up, but the text underneath is for an online drug store. When you clicked on the links, it took you to the pharmacy site… not my blog.

When I first discovered this issue, I didn’t know what to do and ignored it for a couple of days (bad decision). When I finally took my head out of the sand, I got some help from my friend Erin, a Google ninja, to figure out what was going on. As we soon discovered, this type of website hack is common enough to have a name — the Pharma Hack — and it is viciously complicated.

Basically, the hackers find a way into your site and insert code that gives them a backdoor into your system, a backdoor into one or more of your plugins, and a backdoor into your database to hide the spam. You have to find and get rid of all three to have a hope of protecting your site. It’s also tricky because the hack doesn’t show up to you as the site administrator unless you are in the habit of searching for your site… which I’m not. Ugh.
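An added example, not part of the original post: one way to check for spam that is hidden from the site owner is to compare the page a normal visitor receives with the page a search crawler receives. It assumes the injected content is served only to requests that look like a crawler; the two HTML responses, the `SPAM_TERMS` watch list and all function names are constructed for illustration, and fetching the two views is left out so the check runs offline.

```python
from html.parser import HTMLParser

# Assumed watch list; extend it with terms seen in your own hijacked results.
SPAM_TERMS = ("pharmacy", "drug store", "prescription", "pills")

class _Snippet(HTMLParser):
    """Collects <title> and the meta description, the parts a search result shows."""
    def __init__(self):
        super().__init__()
        self.title, self.description, self._in_title = "", "", False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and (a.get("name") or "").lower() == "description":
            self.description = a.get("content") or ""
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
    def handle_data(self, data):
        if self._in_title:
            self.title += data

def snippet(html):
    """Return (title, description) as a search engine would index them."""
    parser = _Snippet()
    parser.feed(html)
    return parser.title.strip(), parser.description.strip()

def spam_terms(html):
    """Watch-list terms found anywhere in the markup, attributes included."""
    lowered = html.lower()
    return {term for term in SPAM_TERMS if term in lowered}

def compare_views(visitor_html, crawler_html):
    """Report what the crawler view contains that the visitor view does not."""
    only_crawler = spam_terms(crawler_html) - spam_terms(visitor_html)
    differs = snippet(visitor_html) != snippet(crawler_html)
    return {"spam_only_for_crawler": sorted(only_crawler),
            "snippet_differs": differs,
            "suspicious": bool(only_crawler) or differs}

# Constructed sample responses for the same URL (not captured from a real site).
VISITOR = ("<html><head><title>Review: A Novel</title>"
           "<meta name='description' content='My thoughts on a novel.'></head>"
           "<body><p>Great book.</p></body></html>")
CRAWLER = ("<html><head><title>Review: A Novel</title>"
           "<meta name='description' content='Cheap pills from our online pharmacy'>"
           "</head><body><p>Great book.</p>"
           "<a href='http://spam.example/'>buy pills</a></body></html>")

if __name__ == "__main__":
    print(compare_views(VISITOR, CRAWLER))
```

A clean result for one page does not clear the site; run the comparison over several post URLs, since the spam may be attached to only some of them.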

When Erin and I figured out the hack, I went around and did my best to secure my blog following some of the recommendations I found online. And for a while, it appeared that I did a decent job. If you look at my traffic again, you see a jump in September before it trails off again — I’d caught the hack, sort of, but it came back.

Fixing the Hack for Good, I Hope

At this point, I knew that I was in over my head. In my initial searching for fixes, I came across multiple sites that recommended an online security company that had helped them fix and secure their sites — Sucuri. It’s not exactly cheap (signing up with one site is $89.99 for one year), but so far I’m really, really pleased I made the investment.

Getting help is easy and quick. I signed up with the site Sunday morning, submitted a support ticket for the problem, and had an initial round of fixes by early afternoon. They also sent a link to instructions for how to better secure my site and offer a WordPress plugin to make it easy to see what is going on. I had a second malware incident Sunday afternoon, and that one was addressed within an hour. Since Sunday, Sucuri has also blocked my site from over 150 IP addresses that have tried to access my site. That’s scary.

Admittedly, I didn’t look into many other security websites, but I’m ok with that decision because Sucuri has some expertise dealing with this particular hack. I’m comfortable with the choice, but if you’re going to look into website security for the first time I’m sure there are other options.

Lessons I’ve Learned

Getting your website hacked is not fun, but I think on the whole this hack is probably on the minor side. My site never got blacklisted and I don’t think it caused problems outside killing my SEO ranking. But it also taught me some good lessons about website security that I’m working to implement going forward.

  1. Do not ignore announcements to make website updates. WordPress frequently comes out with small updates, and before this incident I was notoriously bad at making them in a timely manner. It’s possible my blog was hacked because I left a security loophole in my WordPress installation or one of my plugins. This is often how hackers will get inside sites.
  2. Uninstall and delete plugins/files you don’t use. I like to experiment with plugins for WordPress, but normally don’t bother to update them or get rid of plugins I decide I don’t like. It’s also possible one of those plugins left my site vulnerable to an attack. I’ve since uninstalled plugins I don’t use and deleted old files on my FTP site that aren’t being used.
  3. Pick good passwords. My passwords were lazy, and I didn’t change them very often. Since getting my site fixed, I’ve changed every password related to the blog using a password generator. I enter most of them so infrequently anyway, I doubt it will be very annoying.
  4. Be vigilant. If you notice something weird, don’t ignore it. Sucuri also offers free website scans on their website, so you can check your site once in a while to make sure nothing is wrong.
  5. Get some help if you feel over your head. Paying for the security service feels a little extravagant, but after my first attempt at fixing the problem failed I knew I was dealing with a problem beyond my expertise. Ultimately, I think the money will be a good investment in fixing the problem and teaching me how to secure my site better.

You can learn more about website security with these posts, which I highly recommend:

I guess in conclusion I’ll leave you with this — website security is not a joke. Even if you’re a small scope blogger, there are basic steps you can take to protect the time and investment you’ve made in your website. Please, take a few minutes to secure your site before something frustrating and damaging happens.
