Not too long ago, the website you’re reading this on was hacked.
Sometime in late December, I became aware that two of my websites, Otaku Journalist and Gunpla 101, had been hacked. A reader notified me on Facebook that he’d attempted to visit Gunpla 101, but had been redirected to a different site instead.
Logging into Bluehost, it was clear something was not right. Aside from my own and Crimm’s FTP profiles, there were more than 20 additional FTP accounts made out of letter strings that looked like they had been randomly generated. Running Exploit Scanner led to two odd looking files in the Gunpla 101 folder:
- pomo/bo.php, a WordPress-specific opening for an attack vector since at least 2011, which is the earliest I saw a post about it.
- takeover/metasploit.py, which sounds nasty even if you don’t know much about computers at all! Here’s a helpful (and illegal) tutorial about how to use it, which was a big help to me in figuring out how the hacker got in.
At first, Crimm and I only saw the Gunpla 101 issue. He worked first to quickly resolve the hack by installing fresh WordPress core files and then to teach me how to fix things in the future. But in the end, my friend Mike, who works as an engineer when he’s not running Anime Herald, pinpointed the point of entry. He found a French IP address (definitely not me!) accessing both Otaku Journalist and Gunpla 101 through the base theme I use for both, Impreza, which apparently has a vulnerability. (I paid $60 for each theme, so I paid $120 to get hacked, unfortunately.)
If you’re curious, here’s a paste of pomo/bo.php, and here’s a paste of the redirect that some users were seeing on Gunpla 101. What these scripts mean is that things weren’t as bad as they could have been—this was not a malicious hack. It was somebody using exploit scripts to make a quick buck.
When I talked to my hosting provider, Bluehost, a technician told me that it’s very common for people to discover a hack, as I did, right after upgrading to a virtual private server. When I was on a shared hosting plan, sharing my server with hundreds of other bloggers, people were logging in and out all the time. If somebody got access and started injecting scripts, it’s unlikely we’d notice. But when my VPS logs, which should show my activity and my activity alone, revealed IP addresses that weren’t mine, it was easy to see something was up. In other words, that exploit may have been on my sites for a long time. It reminded me that hacks are incredibly common, and I need to do more to protect myself from now on. Relatedly, you’ll notice that Gunpla 101 is now an HTTPS site, and I have Crimm entirely to thank for that.
Here’s what I did to get un-hacked after finding and removing the exploit:
Installed security plugins.
Aside from Exploit Scanner, Gunpla 101 is rocking several new security plugins. It’s insecure to name everything my site is using, but the one I want to tell you about is Shield, a completely free firewall for WordPress. Shield has several levels of protection culminating in “Lockdown” mode, so you can adjust how severely you want it to protect the site.
After Crimm removed the first exploit, but before Mike found the point of entry, Shield caught and reversed several attempted hacks. It acted like a second level so that even though we weren’t sure how the hacker was getting in yet, they still couldn’t alter the site.
Removed everything I wasn’t using.
Did you know that even inactive themes and plugins can be a point of entry for an attack vector? Even if you make sure to keep them totally updated at all times. After finding out about the hack, I went through all of my WordPress sites and deleted all themes and plugins I wasn’t using.
Since base themes like Twenty Seventeen are automatically installed on WordPress sites, hackers know they’re a likely point of entry for most blogs. Of course, anyone can use What WordPress Theme Is That to figure out what you’re using, and it’s not exactly a secret I use Impreza. But since I wasn’t using the snippet of code associated with Impreza’s vulnerability, I just deleted it. It’s a good idea to research your theme and see where its weak points are.
I also removed old passwords and accounts. Even though this particular exploit didn’t give the hacker control of my login or the database, it never hurts to have a stronger password.
Asked Google to reindex my sites.
The hack rewrote my metadata for Gunpla 101. So when people searched the term “Gunpla” on Google, my site came up looking like this:
Ugh. If this kept up for long, Google would rank it increasingly lower in searches because it doesn’t appear to be relevant. So I had to tell Google to recrawl the site and get the correct metadata to show up in searches again. Even if your site hasn’t been hacked, it’s good to remind Google to do this every now and then. You can use the Google Webmaster Tools wizard to walk you through adding a site and making sure its pages show up in searches.
Finally, I considered myself lucky.
When a site is hacked for a long time, Google starts to penalize it. Since I make a big chunk of my income from Gunpla 101, I already have been losing money from it showing up lower in search rankings. If I didn’t know a hack was behind that, I may have even had to start again from square one building up relevance and reputation.
Though this was stressful, I didn’t panic. There was one bad actor, but at least three people who helped me fix the site—Crimm, Mike, and the Gunpla 101 reader who spotted the hack. I sent all three of them Amazon gift cards, my go-to way of saying “I appreciate what you did.” It was definitely easier to have help and guidance than to do all of this alone!
Getting hacked is surprisingly common and it doesn’t necessarily mean you are a bad webmaster, because new exploits pop up all the time. Even if it happens, it isn’t the end of the world. A week after the discovery, my site is safer and more secure than ever. Don’t panic, remain vigilant, and know that plenty of people have been there before.
Photo by Serena Epstein