December 20, 2014

Hacked: It Could Never Happen to My Site (Famous Last Words)

With the millions of websites out there, you think you’re safe. You think the statistics are in your favor. That your website would never get hacked.

Well, I’m here to tell you it CAN happen to you.

This website was hacked this past Christmas Eve. What happened is part of a larger and disturbing trend in which small-business websites and blogs are being attacked and compromised. WordPress sites seem to be a particular target.

I’ve decided to share my story, in the hopes that it will help you avoid a hacking or, if one does happen, recover quickly.

The Ugly Details

On Christmas morning, I tried to open this site as I normally do first thing in the morning, just to do a quick check.

The home page of the site was completely blank! Nothing. Nada. I could not post anything new, either. I realized that a cracker had hacked the site. As I investigated later that day I discovered quite a bit of damage to the site, including:

  • All WordPress plugins had been deactivated
  • A number of pages had been deleted, including the Experts directory, Newsletter page, About page and others.
  • The blogroll had been compromised, with about a dozen links inserted to adult sites and pharma sites.
  • Almost 50 hidden links to adult sites, pharmaceutical sites and other junk sites had been scattered in the header and in the footer. You could not see the links from looking at the site through a standard browser like Internet Explorer, because they were intentionally hidden using HTML code. However, search engines could “see” the links, of course.
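
A check for the hidden header and footer links described in the list above, as an added example (not code from this site or its webmaster). It flags off-site links that sit inside elements hidden with inline styles; the host names, the sample markup and the list of hiding styles are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style tricks that hide a link from visitors while leaving it in the
# markup for crawlers. Heuristic list chosen for this example (assumption).
HIDING_STYLE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|font-size\s*:\s*0(?![.\d])"
    r"|(?:text-indent|left|top|margin-left)\s*:\s*-\d{3,}",
    re.IGNORECASE,
)
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


class HiddenLinkFinder(HTMLParser):
    def __init__(self, own_hosts):
        super().__init__(convert_charrefs=True)
        self.own_hosts = {h.lower() for h in own_hosts}
        self.stack = []     # (tag, reason-hidden-or-None) per open element
        self.findings = []  # (line, href, reason)

    @staticmethod
    def _hidden_reason(attrs):
        if "hidden" in attrs:
            return "hidden attribute"
        m = HIDING_STYLE.search(attrs.get("style") or "")
        return f"style: {m.group(0)}" if m else None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        inherited = self.stack[-1][1] if self.stack else None
        reason = self._hidden_reason(attrs) or inherited
        if tag == "a":
            href = attrs.get("href") or ""
            host = (urlparse(href).hostname or "").lower()
            # Only off-site links inside a hidden element are suspicious.
            if reason and host and host not in self.own_hosts:
                self.findings.append((self.getpos()[0], href, reason))
        if tag not in VOID_TAGS:
            self.stack.append((tag, reason))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates sloppy markup.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def find_hidden_links(html, own_hosts):
    """Return (line, href, reason) for each hidden off-site link in html."""
    parser = HiddenLinkFinder(own_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: two links in a hidden div, one pushed off-screen,
# one ordinary visible outbound link, one hidden link to the site itself.
SAMPLE = """<html><body>
<div id="header"><a href="/about">About</a>
<div style="display:none"><a href="http://pills.example/buy">cheap pills</a>
<span><a href="http://ringtones.example/">ringtones</a></span></div>
</div>
<p>Read <a href="http://partner.example/post">this post</a>.</p>
<div id="footer"><a style="position:absolute; left:-9999px" href="http://adult.example/">x</a>
<a href="http://www.mysite.example/contact" style="visibility:hidden">c</a></div>
</body></html>"""

if __name__ == "__main__":
    for line, href, reason in find_hidden_links(SAMPLE, {"www.mysite.example"}):
        print(f"line {line}: {href} ({reason})")
```

Run it against the HTML your live server actually returns, not your local copy. Links hidden through a class in an external stylesheet are not caught by an inline-style check like this one.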

With it being a holiday, I did what I could on my own to restore the site, and the next day got help.  Luckily I use a professional hosting company with excellent telephone support. And our contract webmaster, Tim Grahl, was super and dropped everything to respond.

Working as a team, we managed to get the site functioning and looking presentable again by end of business December 26.

However, little did I know that the ordeal was not yet over. I had just seen the tip of the iceberg the first day.  I soon discovered what the hackers REALLY had done.

Hackers Gaming the Search Engines

From the start I kept wondering, ‘Why would somebody hack this site?’ There is nothing of value (to a hacker) in it. No credit card numbers. No confidential data. No customer information.

At first I chalked it up to vandalism.

But as the situation unfolded and I discovered more damage, I realized this wasn’t mere vandalism.  Rather, this hacking activity is all about hijacking small-business websites and blogs, and using them to generate links to other sites to game the search engines.

The hackers find a security hole and get inside your site.  They take control through scripts that turn your site into a link-generating drone.   The links generated on your site (without your knowledge) are pointed at other sites, in an effort to get those other sites to the top of the search engine results.

Snared in a Splog Ring

A day after I discovered the hacking, I learned the worst part: the hackers had hijacked part of this site into a splog (spam blog) ring.

The first clue came from Technorati.com when I saw the inbound link count to Small Business Trends had jumped by a couple thousand links overnight. “Oh how nice,” I thought — for about 3 seconds!  My pleasure turned to disgust when I saw that all the links used anchor text such as “viagra”, “cute ringtones” and other assorted junk. 

The links were from “splogs.”  Each splog consisted of lists of thousands — literally thousands — of links pointing to pages on other websites, including hundreds of fake pages that had been set up on the tmp directory of this site.

That’s when I realized what the hackers really had done.  They had left behind a script that auto-generated hundreds of fake pages on this site. Those fake pages in turn were redirected to pharma, adult and ringtone sites. You could not see the fake pages from looking at this site, but they were there.

Then the hackers had created rings of other sites, mainly blogs, to link to the fake pages on Small Business Trends. Everything was designed to ultimately send combined link weight to the pharma, adult and ringtone sites they wanted to rank high in the search engines.

Here’s how it works:

Splog A  >>>  links to fake page on hijacked site B  >>>  which fake page has been redirected to a pharma site selling OxyContin. 

Rinse and repeat.  Thousands of times. 

Result = quick increases in search engine rankings for the site selling OxyContin.

As you can see, this was not an isolated attack on a single site.  This was an orchestrated scheme involving hundreds if not thousands of sites.  Mine just happened to be one of many sites snared.
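
A sweep for the kind of fake redirect pages described above, as an added example (not the script the hosting company or webmaster used). It walks a web root and reports files that redirect to a host other than your own; the file names, host names and pattern list are constructed assumptions.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# Constructs that send a visitor or crawler to another URL. Heuristic list
# chosen for this example (assumption), matched against raw file bytes.
REDIRECTS = [
    ("meta-refresh", re.compile(
        rb"<meta[^>]+http-equiv\s*=\s*[\"']?refresh[^>]*url\s*=\s*[\"']?([^\"'\s>]+)",
        re.I)),
    ("js-location", re.compile(
        rb"location(?:\.href)?\s*=\s*[\"']([^\"']+)", re.I)),
    ("php-header", re.compile(
        rb"header\s*\(\s*[\"']Location:\s*([^\"']+)", re.I)),
]


def scan_for_offsite_redirects(root, own_hosts, max_bytes=262144):
    """Return sorted (relative_path, kind, target) for every file under root
    that redirects to a host outside own_hosts."""
    own = {h.lower() for h in own_hosts}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue  # unreadable file: skipped in this example
            for kind, rx in REDIRECTS:
                for m in rx.finditer(data):
                    target = m.group(1).decode("utf-8", "replace")
                    host = (urlparse(target).hostname or "").lower()
                    # Relative targets have no host and stay on the site.
                    if host and host not in own:
                        rel = os.path.relpath(path, root).replace(os.sep, "/")
                        hits.append((rel, kind, target))
    return sorted(hits)


def build_constructed_webroot(root):
    """Write a small constructed tree standing in for a hijacked web root."""
    samples = {
        "index.html": b"<html><script>location.href = '/home';</script></html>",
        "about.html": b"<html><body>About us</body></html>",
        "tmp/a1.html": b'<meta http-equiv="refresh" '
                       b'content="0; url=http://pharma.example/oxy">',
        "tmp/a2.php": b'<?php header("Location: http://ringtones.example/cute"); ?>',
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_constructed_webroot(root)
        return scan_for_offsite_redirects(root, {"www.mysite.example"})


if __name__ == "__main__":
    for rel, kind, target in demo():
        print(f"{rel}: {kind} -> {target}")
```

Legitimate pages sometimes redirect off-site too, so treat each hit as something to review, paying most attention to files in directories that should not hold pages at all.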

How the Hackers Got In

We think the hackers got in through an insecure version of WordPress via the server. Beyond that I won’t say more, so as not to give a roadmap for how to crack other sites. The attack appeared to come from a Russian IP address.

The attack took advantage of the holiday timing, as my host had a skeleton staff working Christmas Eve. Amazingly, less than 2 days after the first attack, while we were in the midst of fixing the carnage, the hackers came back! This time, the hacking attempt was prevented by quick action on the part of the hosting company, blocking the IP address which was madly spidering the site.

As I researched other hackings, I was stunned to discover that there are over a dozen versions of WordPress with known vulnerabilities. With an estimated 2 to 3 million blogs using WordPress, that means a lot of blogs potentially at risk.  Websites and blogs that have been around a while, and trusted sites, are the ones likely to be attacked.

Just do a search in Google and you will find reports of other WordPress blogs being hacked, including some of the best and brightest.  Even Al Gore’s blog was hacked.

Furthermore, my research has uncovered at least a half dozen ways to compromise WordPress blogs.  And for every method I’ve seen, I’m sure bad guys know 2 dozen others.

Corrective Action 

We took a number of steps to secure the site, including:

  • Upgraded to the latest version of WordPress.
  • Eliminated one plugin which research suggested might have security vulnerabilities, and updated all the remaining plugins if new versions existed.
  • Cleaned up all the crud left by the hackers, deleting their scripts and unauthorized links and pages. We not only had to scour our own site code, but needed our hosting company to do it for the entire server.
  • Reverted to a clean MySQL database backup from before the attack.
  • Blocked self-registration on this site.
  • Changed passwords; reviewed server logs for suspicious IP addresses and blocked them; and changed a number of other things that I don’t want to call attention to.

Someone asked if I planned to switch from WordPress to another software.  No, I plan to stick with it. WordPress is a good software package and has been headache-free 99% of the time.  I understand that the WordPress development community is working to address the security issues — let’s hope they do so before WordPress develops an irreversible bad rap.

However, I have kicked up security measures a couple of notches.  I believe a determined hacker can find a way to get in any site, if they really want to.  But why make yourself an easy target?  

So, right about now you’re probably wondering what you can do to protect your blog or website.  I have some pointers for you.  But since this article is already long, I’ve put them in a separate article: How to Protect Your WordPress Site.

Anita Campbell - CEO


Anita Campbell is the Founder and Publisher of Small Business Trends and has been following trends in small businesses since 2003. She is the owner of BizSugar, a social media site for small businesses, and also serves as CEO of TweakYourBiz.com.

56 Reactions

  1. Hello! I don’t have a website up and going as of yet. After reading about this site being hacked makes a person sick and it also makes a person wonder about setting a site up? I’m just getting into the internet business. OOOOOH Boy! I think I’m going to have a few headaches..

    I can’t understand why people do this and what fun/enjoyment they get out of it. Just like personal computers. All the money and time we put into the business website/computer and those people got to take all the enjoyment out of it and make it a real BIG headache.

    I’ve gotten a virus of some sort a few times. Luckily, I caught it soon enough where I could save everything. Now, I’ve got 3 personal hard drives (thinking about getting a 4th) where everything important is saved. So, when it happens all I’ll lose is a few emails from Outlook—no biggie.

    You did a great job on the article. Has a lot of great info. Haven’t read about “How To Protect Your WordPress Site” but plan on to. All of us that read this new and old biz owners will greatly appreciate all your info. A big THANKS goes out to you

    ————-LaVonne

  2. Our team here at Vertical Leap has also been noticing this – and not just limited to WordPress sites.

    There is an increasing trend in hackers using their skills to hijack web sites with reasonably high authority (high pagerank) and embed links to dubious websites. Often, these incidences are going unnoticed as the links are hidden using CSS.

    We’ve written about it on our site and are also doing our best to raise the awareness of this as an issue.

    One thing that we are advising business owners and webmasters to do is to regularly check the outbound links on their live server to look for anything out of sorts. We provide a tool on our site – but it can also be done by downloading your live site locally and checking the files (if your site has been hacked, then your local copy will not have the issues).

    Nice article Anita.

  3. Anita — Thanks for taking the time to share your experience with us. We should start a “Lessons Learned” segment on your site but fully protected of course!

    Warm regards,
    Laurel

  4. What a scary experience. I am always worried about this happening to me. Thank you for pointing out some of their tricks.

  5. Oh no… Is blogspot also unsecure for newbie or beginner ??
    I had been using my blogspot about 1 month ago.

  6. Hi Lavonne,

    Thanks for sharing your attention to backups. When you get your website up and running, you’ll also need to do backups of your site code and any databases that feed your website. You never know when you’ll need to revert to a backup (as I discovered).

    Anita

  7. Hi Matt,

    Thank you for pointing out Vertical Leap’s experience. Perhaps you can share the link to the tool you mentioned? That sounds like a valuable resource for our readers. :)

    Anita

  8. Wow. Makes you wonder what else they’re capable of if they put their minds to it. WordPress better get on the ball with this. I’ll bet this article is going to help a lot of others repair similar damage they may have suffered.

  9. Hi Henry,

    while I am not an expert in website security, in my research I did not see widespread references to hackings of blogspot-hosted blogs.

    Because the hosting is handled by Google (which owns Blogger and blogspot) I expect they would have heightened security in place. But that’s just my guess. Perhaps someone reading this can shed more light on Henry’s question?

    Anita

  10. This is certainly a growing issue and concern in the ever increasing online world we live in. For eCommerce merchants addressing and communicating security is vital, but the concern and threat (as we learned from Anita) is also very real on blogs and info driven websites. The number of threats and severity of threats continues to increase each year.

  11. I even see hacking on a lot of .edu’s very ugly stuff. thanks for sharing your story and some tips.

  12. Two of my WordPress blogs were hacked into 10 days ago and, as Vertical Leap commented, without leaving any clearly visible sign. My suggestion is to check the source code of your blog regularly. You may find as I and many others will find that you have some parasite code in there. If your blog is well-known, as yours is Anita, you must keep your defences strong.

  13. Thanks, Barry, that’s wise counsel.

    We’ve been monitoring things very very closely. And we’ll keep looking.

    I feel like that old saying, “Just because you’re paranoid, doesn’t mean they aren’t out to get you.”

    Anita

  14. I guess that just keeping a regular check on traffic count would be the first stage alert that something is fishy. Since typically they want to create links there has to be increased activity. I am running the current versions of WP and most of the plugins but your article just brought into focus that it is a never ending process.
    Thanks for the post.

  15. Anita: What a scary experience. I am glad to hear that you could handle it in a good way with help from your web team.

    WordPress is a great tool. We use it for our business blog. Personally, I think that Blogger is a safe bet due to the reason Anita stated. Google has huge resources, security wise. Here is one example of an attack by a hacker: http://googleblog.blogspot.com/2006/10/about-that-fake-post.html

  16. Anita,

    You might be interested in one more layer of security, which helps prevent the “brute force” style of attacks on your admin login. It’s a plugin called Login LockDown:

    http://www.bad-neighborhood.com/login-lockdown.html

    Peace.

  17. Michael,

    That sounds like a very good function to install. Thank you for including the link for others.

  18. Almost anything can be hacked if the “right guys” are on it. If you have critical systems, the best way is to have someone watching over all the time.

  19. Anita,

    A standing ovation for this article, but especially for the sequel, How to Protect Your WordPress Site.

    http://www.smallbiztrends.com/2008/02/how-to-protect-your-wordpress-site.html/

    I give you credit for going public with your hacking story. I imagine that hacking might feel similar to having your home or office broken into. It’s a violation of privacy and destruction of personal property to say the least.

    Several years ago, I got the feeling that my computer (then outdated) was hacked, but I wasn’t sure. So I went on a rampage for information and then took what I learned and posted it in an article on my site, just as you have here.

    The bottom line with technology is this: the more things become integrated – with the internet, and with other users – the more “holes” open up and invite malicious activity.

    I learned that a “broken” computer or corrupted program does not need replacement. It just needs to be reinstalled. When computer tech guys come in to rid your computer of viruses, all they’re really doing is installing the Operating System that came with your computer when you bought it.

    So many people just toss the CD’s aside that come with their computer purchases and that’s such a bad idea!

    The most time-consuming part of the re-install is having to go back and reinstall all the applications you use such as MS Office, Dreamweaver, Quark, Quickbooks and so forth. But I’m really going off on a side tangent now.

    My general point is that even if you pay others to manage your technology, it’s so smart to stay informed. Once you get your hands in it, technology is not so mystifying. I know that you’ve experienced this firsthand. Again – very awesome.

    Some more good tips:

    Don’t permit your computer’s programs, or your browser, to store passwords. You’re just better off memorizing, using them regularly, and having a hard copy of your most recently updated passwords. And yes, I agree with you Anita – they should be updated frequently.

    Don’t use online banking.

    In your system configuration, uncheck the box that permits remote users to connect with your computer.

    Steer clear of IM – don’t leave yourself logged in to community chats. Hackers can sneak in this way, “ping” your computer to give them access, and your data is as good as gone.

    Great post, thank you for empowering so many as you’ve done for yourself.

  20. Dina,

    More good tips to consider. I have always been hesitant to have my computer remember passwords.

    One of my husband’s friends had a virus spreading itself thru Yahoo messenger. It sent a link to everyone in his address book and once they opened it, the virus took over. Tricky, tricky.

  21. LOL. I blogged about this same issue the same day this post was published.

  22. Thanks for sharing your story.

    It’s always unfortunate when your business is violated and compromised due to hackers.

    I checked out your How To Protect Your Word Press Site. Thanks for the thorough presentation of the steps to go through to ensure that we keep ourselves protected.

    Also, Kudos to Tim Grahl for his swift response. It always helps to have a webmaster that can respond quickly to a pressing need.

    Thanks for sharing your story. My fave piece advice from your How To Protect Your Word Press Site was when you advised: “Forewarned is forearmed. Educate yourself”

  23. Great article – it’s my first time at your blog but I have to tell you this is always timely. Over four years working online I’ve had two sites, one blog and two online stores hacked. One was seriously compromised and linking to a major online retailer so I had to shut all my sites down to keep these hackers from bilking money from others from my hijacked store that I couldn’t access but they could. Absolutely devastating. It’s better to learn something before it actually happens to you.

    Very thoughtful and informative post on a taking back our sites from the unscrupulous.

  24. I wonder if it was wiser to just rollback to the last backup you made? You might lose a few posts but less headache and the whole blog would be clean again. I’m updating and making backups frequently to reduce the damage.

  25. Hi David (MarketingDeviant),

    Yes, we did rollback to the last MySQL database backup. That restored the pages that had been deleted. (Phew!) The only thing we lost were a couple of days of comments and trackbacks.

    However, we needed to upgrade to a new release of the WordPress software, because that was the root cause of the hacking in the first place.

    Also, some of the sneaky scripts and junk pages installed by the hackers were not even accessible by us but were on a different part of the server. Simply overwriting the WordPress software would not have eradicated the crud already there — at least that’s the way I understood it.

    Best,
    Anita

  26. Hi Anita, Can u please let me know what plugin had this security vulnerability and also you were really lucky to have this daily backups enabled on your server.

  27. Hi Quit Smoking,

    The plugin was wp-Table. We were not even using it — had downloaded it but found it did not meet our needs. However, I do not think that plugin was the cause of the problem.

    Still, when I saw it on this list of vulnerable plugins (scroll down toward the bottom of the list), I decided not to take chances:

    http://blogsecurity.net/wordpress/blogwatch/blogwatch

    Recommendation: take a look at your plugins list right now, in your WordPress admin dashboard. If you no longer use a plugin, delete the code — don’t just “deactivate” it. And compare your plugins to the above list of vulnerable plugins. If you are using a plugin version that appears on the vulnerable list, get rid of it. Or upgrade to the fixed version.

    If you don’t know how to delete a plugin you’ve downloaded by yourself, you’ll need to get some tech help — a contract webmaster, or whatever. That’s why I pay a contract webmaster, to do the things I don’t have enough knowledge or time to do on my own. It’s worth it.

    Best,
    Anita

  28. Thanks Anita, for the nice tip there. I will do a check on all my plugins now.

    The BlogSecurity Link is really cool.

    Amit

  29. Keeping a full backup of your site makes cleaning up after an intrusion easy. If your site gets hacked, take your website offline, and find out how they got in. Then, wipe everything out and restore your backup. Good to go.

  30. Hamlet,

    I read your post and found it very helpful. For anyone interested in reading what Hamlet wrote, go to:

    The Unsuspecting Recruit: Why every SEO MUST learn Internet security

    Thanks for mentioning it.

    Anita

  31. Wow, I had no idea that even deactivated plugins can be exploitable. Time to clear out some plugins!

  32. It happened to me last summer on my main business site (not my blog). It was a little different, in that most everything was left as-is, but the hackers added some very icky porn. I figured out it was happening when I noticed some, ahem, new search strings in my Google analytics. Very unpleasant. FWIW, this isn’t a WP site — tho I’m developing one right now. Thanks in advance for the tips on how to protect that one.

    -Sally J.
    The Practical Archivist

  33. Yep, one of my blogs I don’t post at as often as I should got links inserted into its blogroll due to a security hole, which led me to update all my WordPress blogs. It’s insidious. I don’t think there was any hidden stuff, but perhaps I should double check…

  34. It’s a double edged sword. WordPress powers the vast majority of blogs and therefore it becomes a huge target for hackers. However, since there is a huge WordPress community able to fix vulnerabilities, the flaws get fixed so much faster than they would in something that is not open source.

  35. We were also hit on our search network the same week. They somehow got access to our server, build out these fake pages and on the index as an added bonus installed trojans on everyone hitting our index page. The problem has been fixed but a mess to clean-up.

  36. Hi Anita,
    Thank you so much for the info! I recently started a new blog on WP. I like most of the way it works {WP} and it is certainly permitting me to learn more internet/web/blog related things, technically. However… upgrading things to the “latest” version of WP is ridiculously complicated. As much as I get aggravated with Typepad, and the hoops they put me through to get tech help {20 hour turnarounds}, it IS simpler to use, most of the time.
    Joel Libava

  37. Hi Joel,

    I know what you mean.

    But, there may be a solution. There is a WordPress plugin that will automatically upgrade to the latest version of WordPress. It can be found here:

    http://wordpress.org/extend/plugins/wordpress-automatic-upgrade/

    Anita

  38. Anita,
    Thank you so much!
    I did it!
    And…it worked.
    Joel Libava

  39. Your post is old enough but running great with good information. I should be thinking how big headache is this hacker making to bloggers like us. Thanks for the great article.

  40. Hi Anita, I’m getting ready to do a post on hacking of a friends’ blog. I did several searches and came across Barry Welford and then he mentioned your name in his article, then I came to you! I can’t believe how little I still don’t know about all of this (as well as our fellow bloggers) hacking. I especially am not sure of how to be on the look out for coding that we don’t recognize in our wordpress. Please….I don’t know anything about html (coding) so I feel like I’m really behind the 8 ball. I think I will have to do a follow up post on some of what you touched on here in your article. I’m sorry for your loss and can only imagine what I’d do if this should ever happen to me “knock on wood”
    When I do a follow up on how to prevent or something to that effect I’m hoping I could use some of your information or your input…? Thanks for a great post!!

  41. Can you provide more information on this?

  42. Hi Anita,
    It’s more than a year has passed since that dreadful accident. Did you register any hacker activity, after the all security measures have been undertaken?

  43. Great advice, Anita.

    Many people do not think that something nasty can happen to the website/blog – until it actually happens.

    Great reminder, thanks.

    2 months ago one of my websites was hacked – and I learnt the importance of security and backups, the hard way.
