Me: “Dude, what’s up with this weird error message when I try to pull up my site?”
Him: “Can you Skype, like NOW?”
Two hours earlier…
It was a wonderful day, and I was getting ready to make dinner for my husband. This isn’t unusual. I was wrapping up updates to my membership site, making some much-needed improvements. I was about to close shop for the day and enjoy the evening. This day was special because it’s my husband’s birthday, so this night was all about him. Then the white screen of death comes up.
The short hacked story:
I called my hosting company in a cold sweat. They helped me sort some things out. Thought it was fixed. Then I get an email from a member of my site, which gives me pause. I shoot off an email to my web developer asking a little question. He tells me to Skype him. NOW. I was hacked. Big, bad, hairy malware… basically jacking up my websites and putting my visitors at risk. #ohnoyoudidn’t
Not my fault, he says. I want to blow chunks, and throw a screaming fit on the floor. Instead, I call my hosting company again, they restore all my websites, and I go to work to plug the holes. I spend the majority of the evening being furious, frustrated, and generally stressed. And majorly ticked off.
What I wanted to do? I wanted to spend that time with my husband. #fail
Here’s what I learned from being hacked:
1. Hackers can happen to anyone. I’m assured it’s not anything I did, nor could I have done much more to prevent it. Someone with evil intent wanted to get in and wreak havoc on my websites, and succeeded.
2. I am thankful for such an outstanding support team. I have a web developer who helps me when I get stuck. He’s SO WORTH having around, and I worship the techie ground he walks on. Not only is he super helpful (and very understanding and kind to me), but he knows his stuff and is willing to help me. I don’t know where I would be without him. He rocks.
I’m also thankful that my hosting company could (and did) help me at all hours of the night. They talked calmly to me, and made me feel better.
I am also thankful for my husband, who was super understanding about this crappy night. #win
3. Smart people make bad choices sometimes. I am awed at the talent these hackers exhibit. Seriously. Several uber-smart techie people I know were also hacked in this same way. ALL small business owners.
What if those hackers took this power, incredible intelligence and passion… and instead of ruining my family time (and bringing my business to its knees late at night) turned it into a powerful force for good?






First, congratulations Brandie for being chosen an Evernote Ambassador. That’s how I found your site.
Since your post did not give anywhere near enough information for me to make a determination of how the hack occurred (a good thing), I’m not going to make any assumptions – assumptions are very bad things indeed, they get people into real trouble and make them look silly. But maybe I can offer some advice… that and $2 will get you some coffee at Starbucks, so read on if you are so inclined. I apologize if this is a bit disjointed, I’m just going to throw some stuff out here for anyone who wants to read it. I’m not great at off the cuff – maybe not even on the cuff for that matter ;-)
1. Passwords are of course very important. I suggest using either 1Password (my personal favorite) or LastPass (which I haven’t used but many people like) to create and store really secure passwords. This is something everyone could do to make all their online accounts more secure. You will notice I said “more secure” not “completely secure”. Both of these work on Mac and Windows machines although 1Password started life as a Mac app.
2. Regular patching especially of blog software is critical. Blog platforms like WordPress are a magnet for hackers looking to try out their mad hacker skilz, most times using automated software. WP has had some holes large enough to drive semi trucks through in the past. While they keep patching the holes, there are always more. Every time a new and improved version comes out – it comes with new and improved holes.
Add to that, the fact that patches will often break things on the site in question and you can see that it’s very easy to just let a patch go because, if you use it, now “x” won’t work on the site. Very frustrating. My opinion, it’s better to have something broken and use the patch than to leave a site unpatched. However, if the patch breaks a mission critical item that could be a really difficult decision. Try to have workarounds for any automated process on a website – that’s difficult, but it’s the only thing I can think of. (some people keep a backup site in case their primary site goes down, this is one way to get the word out to your readers during an outage especially if you are able to temporarily redirect your url)
3. Next there are the “ready to go” themes and widgets which can also be insecure and allow unwanted malware through the back door as it comes fully loaded in the code… lovely. One must be very very careful about any pre-coded extras added to a site. Research them carefully to see if people have had problems. You think “what a cool thing to put on my site”. What you get is a nice backdoor for a hacker to get on the system.
4. And better still! There is what is known as a “zero day exploit”. This is when there is a hole, but it is either not known to the world at large as yet or it’s known but there’s no patch available and maybe not even a workaround. Until a patch is issued, anyone using the software involved is open to being exploited. As an example of software that is well known, this has been a problem with Adobe pdf software for years and years. I often tell people to get a different pdf reader if possible, something like Foxit. Just don’t put it on your computer unless you really need to be using it for some reason.
5. Then there is the hacker who gets onto the server itself and doesn’t hit your site in particular. That would definitely not be something you would have any control over, that’s in the court of the hosting company. All of the above items apply to them in regard to their backend software.
That is a very very brief overview and doesn’t even cover half of everything. But since this is becoming an epically long comment, I’ll stop there.
Obviously your providers had a good backup available as your site is up and going. I don’t know the size of your website, but you may want to look into your own backup strategy so your provider has a copy and you have a copy. Double protection.
Your web developer should have an RSS feed that is specifically pulling in info from sites that talk about the latest security issues with your web platform. Even better and faster is to follow some of the people who are into this platform on Twitter, as that’s generally the first heads up.
As I keep telling people it’s the Wild Wild West out there and the sheriff is a 2 days ride away. So keep your eyes open and stay safe. I hope I didn’t put too many people to sleep.
Wow! Thanks for your in depth comment. Lots of great info in there. Thanks for taking time to educate those who may not have thought about all of this. Managing a website takes work! Be safe out there. :)
I think it’s difficult to ascribe a moral compass to hackers. Many times, the hack is committed by automation that exploits holes in software or user configuration. It’s not a moral decision made by a person – it’s a vulnerability that was exploited because the risk was not managed, and it was committed by a program.
This is the nature of computing today and is unavoidable. It’s not a moral issue. It just is. And clearly, the hack is your fault and the fault of the host to not adequately manage those risks: any court of law would look at a failure to manage risks as a problem of negligence. Therefore, the degree to which you and/or your host managed that risk is at issue.
Brandie, in your situation, did you:
1. Regularly patch your platform; did your host?
2. Frequently rotate your password? Create a complex password?
3. Regularly update your modules, widgets, and plugins?
4. Conceal PPI (Personal Private Information) and passwords from others?
5. Run a security audit on your platform using an auditing tool?
6. Did you have adequate backups and redundancy?
We can look at this problem and there’s a clear danger. We may think, yes, this can happen to anyone and so I shouldn’t change my behavior. That’s dismissive and negligent. Or, yes, this can happen to anyone: what can I do better to best manage my risk factors?
What are you doing now that better manages your risk factors? And how are you holding your vendor/host accountable to do the same? R
What I can say is that hacking doesn’t necessarily just happen to successful sites. I distinctly remember a time when you could google for a certain phrase that hackers would put up when they broke into a site, and you’d see thousands of results. Many times, they were on sites that had long been abandoned, or were owned by people who were clearly not involved with great support teams or anyone who knew how to tell them to fix it.
I remember one person once said they’d rather rip it all down and start over, than try to fix it, which is just so sad.
My advice would be for people to be sure they’re with a well-established, reputable hosting company, and make sure they either know how, or have someone who knows how to monitor and support the site. Make regular backups (some people I know do them DAILY) and make sure you touch on your site at least once a day to show it’s not dead in the water.
I’m sorry this happened to you, and you weren’t able to hang with your hubby, but I’m happy you got it resolved in a relatively short time! :)
Wow… thanks for this fab comment! I totally agree with the backups. I have two backups, in addition to the one my host runs (which is what saved my bacon this time around.) I use a backup plugin and also VaultPress (recently set this up). Do you have another you recommend?
The only two reasons that humans choose evil over good are that:
1. they’re the worst forms of sick sociopaths, or,
2. as is always the case, there is a tremendous reward, and that plays to their tremendous greed factor.
Remove the payoff for doing such evil deeds, and reward instead for doing good/positive/productive things toward society, and the bad stuff usually goes away. If not, then find a way that they spend the remainder of their lives contemplating their crimes — from under the jail.