Lessons learned from being hacked
A few months ago, I noticed something strange at the top of my inbox: "[New Post from Pippa Says]" - sent only 10 minutes beforehand. I hadn't posted in three days. Within seconds of opening the email, I was quickly drawn into a state of panic: someone else had posted on my site.
As I came out of the email and into my inbox again, I noticed 5 emails coming through - each telling me that my site had a new post. Reality sank in fast: I'd been hacked.
Before I go any further, I feel I should say that I wasn't going to write this post. I was worried that it would make me even more of a target. But I don't want anyone to go through what I've experienced over the last few months. What started as six posts ended in me having to redesign my entire site.
The first time I got hacked, I noticed that someone had logged onto my site and created a user profile for themselves so that they could keep getting in. I immediately deleted the content, the user profile and changed my password.
I thought that would be the end of it, but that was pretty naive of me.
One month later, the same thing happened again. Then again after another month. Then the next day and the day after that. At this point, I was in a state of panic. I had no idea what to do or how to stop them. They even put big files onto my server. It was a total nightmare.
Then came the first lesson - a move that I WISH I'd made sooner. I called my host and asked for help. They gave me the first basic list of WordPress security rules.
- Never have your username as 'admin'.
- Update all plugins and themes.
- Download the Wordfence plugin.
Wordfence changed everything. It's the best plugin I've ever downloaded. It allows me to see who's trying to log in, who's browsing or crawling through my site and what they're looking at, and block IP addresses that I don't trust. It also tells you when files have been modified or created and gives you the option to change them back or delete them.
The only trouble with Wordfence is that you feel like you're trapped in a box, surrounded by people trying to smash their way through. At times I felt like I was on the verge of the Battle of Helm's Deep in the Lord of the Rings. Except I didn't have Aragorn, Gandalf or Éomer fighting for me, it was just me against the Orcs. A nerdy reference, but the best way to describe it.
Although Wordfence is a great defensive tool, I knew it wouldn't be enough. One day an Orc would break through the gate, or climb over the Deeping Wall, or fake their own death then knock me to the ground. (Sorry, I love that film.)
I started extensively reading about WordPress code: what each file means and what it should contain. I read up on each of my plugins, after learning that plugins can be major vulnerabilities to websites. Having spent over 10 years using WordPress on multiple projects, I can't believe how little I really knew about it.
This research led me to identify vulnerabilities on my site, which led to another hack last week. This Orc played dead, then knocked me to the ground and let the rest of the army in - one post on the site and malicious files on my server.
I needed to strengthen my armour - and with that came saying goodbye to my old theme. I culled a tonne of plugins, trawled through every post and page ever published (500+) looking for vulnerabilities and reached out to experts for help.
I know it may sound bizarre, and terribly cliché, but I never believed that this would happen to me. I'm not a "force to be reckoned with". I don't have any enemies. I just go about my own business.
I can't speak for the motivation of all hackers, but from what I've read, most hackers don't tend to do it for personal vengeance. I just convinced myself that they did. Maybe I watch too many Sci-Fi films.
These hackers didn't shut down my whole website. They just posted content filled with links to other sites and used my server as a place to store dodgy content. However, it didn't stop me from feeling like my personal space had been violated.
The place where I go to escape, the place that I go to feel safe, the place that's been the most stable over the last 6 years suddenly made me feel vulnerable and weak. I don't want any more bloggers to feel like this.
We're in a changing world. Our battle with hackers has only just begun. As our world becomes more digitally driven, the hacking community will become stronger. But, in the name of Arwen: "Your time will come, you will face the same evil and you will fight it."
I know that this stuff is scary and something that bloggers don't like to talk about, but I wish more of us would. Perhaps this post will encourage others to speak out too.
If you take anything away from this post, please let it be this: protect yourself, learn more about the back-end of your website and watch the Lord of the Rings trilogy for battle motivation.
Where's the best place to start if you're using WordPress? You need to read this post by WordPress themselves.
Please comment below with any advice for improving website security.