With the millions of websites out there, you think you’re safe. You think the statistics are in your favor. That your website would never get hacked.
Well, I’m here to tell you it CAN happen to you.
This website was hacked this past Christmas Eve. What happened is part of a larger and disturbing trend in which small-business websites and blogs are being attacked and compromised. WordPress sites seem to be a particular target.
I’ve decided to share my story, in the hope that it will help you avoid being hacked, or, if it does happen, recover quickly.
The Ugly Details
On Christmas morning, I tried to open this site as I normally do first thing in the morning, just to do a quick check.
The home page of the site was completely blank! Nothing. Nada. I could not post anything new, either. I realized that a cracker had hacked the site. As I investigated later that day I discovered quite a bit of damage to the site, including:
- All WordPress plugins had been deactivated
- A number of pages had been deleted, including the Experts directory, Newsletter page, About page and others.
- The blogroll had been compromised, with about a dozen links inserted to adult sites and pharma sites.
- Almost 50 hidden links to adult sites, pharmaceutical sites and other junk sites had been scattered through the header and the footer. You could not see the links when viewing the site in a standard browser such as Internet Explorer, because they were deliberately hidden with HTML markup and styling that keeps them out of the rendered page. Search engines, of course, could still “see” them, which was the whole point.
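The hidden links are the easiest part of this kind of compromise to check for yourself, because they must still exist in the HTML for a crawler to find them. Below is an added example (my own code, not anything from the original post or its webmaster) that parses a page and reports anchors a human would never see: links inside elements styled `display:none`, `visibility:hidden`, zero font size, zero-sized boxes, or positioned far off screen, plus visible links whose text or target matches the kind of keywords the post mentions. The sample HTML, the keyword list and the set of CSS patterns are constructed assumptions for illustration.

```python
"""Flag anchors that a browser would not render but a search-engine crawler still reads.

Added example, not the original post's code. The HTML below is constructed to mimic
the post's description: spam links stuffed into the header and footer and hidden.
"""
import re
from html.parser import HTMLParser

# CSS fragments that hide an element from a human viewer. Regexes, since the
# injected markup usually uses inline style attributes with arbitrary spacing.
HIDING_STYLES = {
    "display:none": re.compile(r"display\s*:\s*none", re.I),
    "visibility:hidden": re.compile(r"visibility\s*:\s*hidden", re.I),
    "font-size:0": re.compile(r"font-size\s*:\s*0(px|pt|em|%)?\b", re.I),
    "offscreen": re.compile(r"(left|top|text-indent)\s*:\s*-\d{3,}", re.I),
    "zero-box": re.compile(r"(height|width)\s*:\s*0(px)?\b", re.I),
}

# Anchor-text / URL words of the sort the post saw on injected links (assumed list).
SPAM_WORDS = re.compile(r"viagra|cialis|ringtone|oxycontin|casino|porn", re.I)


class HiddenLinkFinder(HTMLParser):
    """Walk the document, keeping a stack of 'why is this subtree hidden' reasons."""

    VOID = {"br", "img", "input", "meta", "link", "hr"}

    def __init__(self):
        super().__init__()
        self.stack = []          # one entry per open element: (tag, own hiding reason or None)
        self.findings = []       # (href, anchor_text, reason)
        self._open_a = None      # (href, inherited reason, [text chunks]) while inside <a>

    @staticmethod
    def hiding_reason(attrs):
        a = dict(attrs)
        if "hidden" in a:
            return "hidden attribute"
        style = a.get("style", "")
        for name, rx in HIDING_STYLES.items():
            if rx.search(style):
                return name
        return None

    def handle_starttag(self, tag, attrs):
        own = self.hiding_reason(attrs)
        inherited = next((r for _, r in reversed(self.stack) if r), None)
        if tag == "a":
            self._open_a = (dict(attrs).get("href", ""), own or inherited, [])
        if tag not in self.VOID:
            self.stack.append((tag, own))

    def handle_endtag(self, tag):
        if tag == "a" and self._open_a:
            href, reason, chunks = self._open_a
            text = "".join(chunks).strip()
            if reason:
                self.findings.append((href, text, reason))
            elif SPAM_WORDS.search(text) or SPAM_WORDS.search(href):
                self.findings.append((href, text, "spam keyword (visible)"))
            self._open_a = None
        # pop back to the matching open tag, tolerating sloppy markup
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        if self._open_a:
            self._open_a[2].append(data)


def find_hidden_links(html):
    """Return [(href, anchor_text, reason)] for every link a human reader would miss."""
    p = HiddenLinkFinder()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample page: a normal nav link, plus injected links hidden three ways.
SAMPLE = """
<html><head><title>Small Business Trends</title></head><body>
<div id="header">
  <a href="/about/">About</a>
  <div style="display:none"><a href="http://pharma.example/viagra">viagra</a></div>
  <span style="position:absolute; left:-5000px"><a href="http://tones.example/">cute ringtones</a></span>
</div>
<p>Regular post content with a <a href="http://partner.example/">partner link</a>.</p>
<div id="footer" style="font-size:0px"><a href="http://adult.example/">xxx</a></div>
</body></html>
"""

if __name__ == "__main__":
    for href, text, why in find_hidden_links(SAMPLE):
        print(f"{why:28} {text!r:20} -> {href}")
```

Run it against the saved HTML of your own home page (`find_hidden_links(open("index.html").read())`), not against what you see in a browser; the point of the attack is that the two differ. Expect some false positives from legitimate themes that hide menus with CSS, so treat the output as a list to eyeball rather than an automatic verdict.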
With it being a holiday, I did what I could on my own to restore the site, and the next day got help. Luckily I use a professional hosting company with excellent telephone support. And our contract webmaster, Tim Grahl, was super and dropped everything to respond.
Working as a team, we managed to get the site functioning and looking presentable again by end of business December 26.
However, little did I know that the ordeal was not yet over. I had just seen the tip of the iceberg the first day. I soon discovered what the hackers REALLY had done.
Hackers Gaming the Search Engines
From the start I kept wondering, ‘Why would somebody hack this site?’ There is nothing of value (to a hacker) in it. No credit card numbers. No confidential data. No customer information.
At first I chalked it up to vandalism.
But as the situation unfolded and I discovered more damage, I realized this wasn’t mere vandalism. Rather, this hacking activity is all about hijacking small-business websites and blogs, and using them to generate links to other sites to game the search engines.
The hackers find a security hole and get inside your site. They take control through scripts that turn your site into a link-generating drone. The links generated on your site (without your knowledge) are pointed at other sites, in an effort to get those other sites to the top of the search engine results.
Snared in a Splog Ring
A day after I discovered the hacking, I learned the worst part: the hackers had hijacked part of this site into a splog (spam blog) ring.
The first clue came from Technorati.com when I saw the inbound link count to Small Business Trends had jumped by a couple thousand links overnight. “Oh how nice,” I thought — for about 3 seconds! My pleasure turned to disgust when I saw that all the links used anchor text such as “viagra”, “cute ringtones” and other assorted junk.
The links were from “splogs.” Each splog consisted of lists of thousands — literally thousands — of links pointing to pages on other websites, including hundreds of fake pages that had been set up in the tmp directory of this site.
That’s when I realized what the hackers really had done. They had left behind a script that auto-generated hundreds of fake pages on this site. Those fake pages in turn redirected visitors to pharma, adult and ringtone sites. You could not find the fake pages by browsing this site, but they were there.
Then the hackers had created rings of other sites, mainly blogs, to link to the fake pages on Small Business Trends. Everything was designed to ultimately send combined link weight to the pharma, adult and ringtone sites they wanted to rank high in the search engines.
Here’s how it works:
Splog A >>> links to a fake page on hijacked site B >>> which redirects to a pharma site selling OxyContin.
Rinse and repeat. Thousands of times.
Result = quick increases in search engine rankings for the site selling OxyContin.
As you can see, this was not an isolated attack on a single site. This was an orchestrated scheme involving hundreds if not thousands of sites. Mine just happened to be one of many sites snared.
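The fake pages and the script that generated them live on disk, so the first forensic pass after an incident like this is a sweep of the web root. The following is an added example of my own, not the post's or the hosting company's procedure: it builds a throwaway web root with a few constructed files and flags page files that sit in a directory that should never serve pages (the `tmp` directory the post mentions), contain a PHP, meta-refresh or JavaScript redirect or a common obfuscation call, or were modified after the date of your last clean backup. The directory list, marker patterns and file contents are assumptions for the demonstration.

```python
"""Triage a web root for dropped redirect ("doorway") pages of the kind described above.

Added example, not the post's code. It creates a temporary web root with constructed
files, then reports the ones that look planted. Markers and directory names are assumptions.
"""
import os
import re
import tempfile
import time
from pathlib import Path

# Markers typical of SEO-spam doorway pages; each tuple is (label, regex).
MARKERS = [
    ("php-redirect", re.compile(r"header\s*\(\s*['\"]Location:", re.I)),
    ("meta-refresh", re.compile(r"<meta[^>]+http-equiv=['\"]?refresh", re.I)),
    ("js-redirect", re.compile(r"(window\.)?location(\.href)?\s*=\s*['\"]https?://", re.I)),
    ("obfuscation", re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
]
# Directories that should hold no servable pages at all (assumption for this example).
NO_PAGE_DIRS = {"tmp", "cache", "uploads"}
PAGE_SUFFIXES = {".php", ".html", ".htm"}


def scan_webroot(root, cutoff_epoch):
    """Return sorted [(relative_path, [reasons])] for every suspicious page file."""
    root = Path(root)
    hits = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in PAGE_SUFFIXES:
            continue
        rel_parts = path.relative_to(root).parts
        reasons = []
        if set(rel_parts[:-1]) & NO_PAGE_DIRS:
            reasons.append("page in non-content dir")
        text = path.read_text(errors="replace")
        for label, rx in MARKERS:
            if rx.search(text):
                reasons.append(label)
        if path.stat().st_mtime > cutoff_epoch:
            reasons.append("modified after backup")
        if reasons:
            hits["/".join(rel_parts)] = reasons
    return sorted(hits.items())


def build_sample_root():
    """Constructed fixture: two legitimate files plus two planted doorway pages in tmp/."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "wp-content" / "themes" / "x").mkdir(parents=True)
    (root / "tmp").mkdir()
    old = time.time() - 30 * 86400          # a month before the incident
    files = {
        "wp-content/themes/x/footer.php": ("<?php wp_footer(); ?></body></html>", old),
        "index.php": ("<?php require 'wp-blog-header.php'; ?>", old),
        "tmp/cheap-oxycontin.php": ('<?php header("Location: http://pharma.example/"); ?>', None),
        "tmp/ringtones.html": ('<meta http-equiv="refresh" content="0;url=http://tones.example/">', None),
    }
    for rel, (body, mtime) in files.items():
        p = root / rel
        p.write_text(body)
        if mtime is not None:               # None = leave as "just written", i.e. after the backup
            os.utime(p, (mtime, mtime))
    return root


def demo():
    """Scan the fixture with the last clean backup assumed to be one week old."""
    root = build_sample_root()
    cutoff = time.time() - 7 * 86400
    return scan_webroot(root, cutoff)


if __name__ == "__main__":
    for rel, reasons in demo():
        print(f"{rel:40} {', '.join(reasons)}")
```

On a real server, run `scan_webroot` against the actual document root with the modification time of your last known-good backup as the cutoff, and read every hit before deleting anything: a legitimate theme update also shows up as "modified after backup". The modification-time check is only a tiebreaker, since attackers can and do reset timestamps; the redirect and obfuscation markers, and the location of the file, are the stronger signals.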
How the Hackers Got In
We think the hackers got in through an insecure version of WordPress via the server. Beyond that I won’t say more, so as not to give a roadmap for how to crack other sites. The attack appeared to come from a Russian IP address.
The attack took advantage of the holiday timing, as my host had a skeleton staff working Christmas Eve. Amazingly, less than 2 days after the first attack, while we were in the midst of fixing the carnage, the hackers came back! This time, the hacking attempt was prevented by quick action on the part of the hosting company, blocking the IP address which was madly spidering the site.
As I researched other hackings, I was stunned to discover that there are over a dozen versions of WordPress with known vulnerabilities. With an estimated 2 to 3 million blogs using WordPress, that means a lot of blogs potentially at risk. Websites and blogs that have been around a while, and trusted sites, are the ones most likely to be attacked, because their accumulated link weight is exactly what the spammers want to borrow.
Furthermore, my research has uncovered at least a half dozen ways to compromise WordPress blogs. And for every method I’ve seen, I’m sure bad guys know 2 dozen others.
We took a number of steps to secure the site, including:
- Upgraded to the latest version of WordPress.
- Eliminated one plugin which research suggested might have security vulnerabilities, and updated all the remaining plugins if new versions existed.
- Cleaned up all the crud left by the hackers, deleting their scripts and unauthorized links and pages. We not only had to scour our own site code, but needed our hosting company to do it for the entire server.
- Reverted to a clean MySQL database backup from before the attack.
- Blocked self-registration on this site.
- Changed passwords; reviewed server logs for suspicious IP addresses and blocked them; and changed a number of other things that I don’t want to call attention to.
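Two of the steps above, reviewing server logs for suspicious IP addresses and blocking the one that was "madly spidering" the site, can be done systematically rather than by scrolling through the access log. Here is an added example of my own (not the hosting company's method) that parses combined-format web server log lines, computes each client's peak request rate over a sliding 60-second window, and flags any client that exceeds a threshold, along with how many distinct URLs it hit, how many errors it produced and what user agents it claimed. The sample log lines are constructed in code, and the threshold of 30 requests per minute is an assumption to tune against the site's normal traffic.

```python
"""Spot a client that is hammering the site from combined-format web server logs.

Added example, not from the original post. Sample log lines are constructed below.
Threshold values are assumptions; tune them to the site's normal traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(lines):
    """Yield one dict per well-formed combined-log line; silently skip junk."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], TS_FMT)
            d["status"] = int(d["status"])
            yield d


def flag_spiders(lines, max_per_minute=30, window_s=60):
    """Return {ip: stats} for clients whose peak rate in any window_s-second window exceeds the limit."""
    per_ip = defaultdict(list)
    for r in parse(lines):
        per_ip[r["ip"]].append(r)
    flagged = {}
    for ip, reqs in per_ip.items():
        reqs.sort(key=lambda r: r["ts"])
        times = [r["ts"] for r in reqs]
        peak, lo = 0, 0
        for hi in range(len(times)):            # sliding window over sorted timestamps
            while (times[hi] - times[lo]).total_seconds() > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > max_per_minute:
            flagged[ip] = {
                "requests": len(reqs),
                "peak_per_window": peak,
                "distinct_paths": len({r["path"] for r in reqs}),
                "errors": sum(r["status"] >= 400 for r in reqs),
                "agents": sorted({r["ua"] for r in reqs}),
            }
    return flagged


def deny_lines(flagged):
    """Render Apache 2.2-style access-control lines (Apache 2.4 uses 'Require not ip')."""
    return [f"Deny from {ip}" for ip in sorted(flagged)]


def _line(ip, t, path, status, ua):
    ts = t.strftime("%d/%b/%Y:%H:%M:%S") + " +0000"
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 5120 "-" "{ua}"'


def make_sample_log():
    """Constructed sample: one human visitor and one crawler sweeping ?p= URLs (IPs are documentation ranges)."""
    base = datetime(2006, 12, 24, 2, 0, 0)
    lines = []
    for i in range(5):                      # a human: five pages over ten minutes
        lines.append(_line("203.0.113.5", base + timedelta(minutes=2 * i), f"/page-{i}/", 200, "Mozilla/5.0"))
    for i in range(120):                    # a crawler: 120 hits in two minutes, every tenth a 404
        status = 404 if i % 10 == 0 else 200
        lines.append(_line("198.51.100.77", base + timedelta(seconds=i), f"/?p={i}", status, "Java/1.5"))
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    hits = flag_spiders(make_sample_log())
    for ip, stats in hits.items():
        print(ip, stats)
    print("\n".join(deny_lines(hits)))
```

Feed it the real log with `flag_spiders(open("access_log"))`. A high rate alone is not proof of malice (a legitimate search engine crawler also fetches quickly), so look at the combination: many distinct `?p=` style URLs enumerated in sequence, a high error count from guessing, and an odd user agent are what distinguish the attacker's spidering from ordinary indexing. Blocking by IP buys time, as it did here, but it is not a fix; the attacker who came back two days later could just as easily have come from another address.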
Someone asked if I planned to switch from WordPress to another platform. No, I plan to stick with it. WordPress is a good software package and has been headache-free 99% of the time. I understand that the WordPress development community is working to address the security issues; let’s hope they do so before WordPress develops an irreversible bad rap.
However, I have kicked up security measures a couple of notches. I believe a determined hacker can find a way to get in any site, if they really want to. But why make yourself an easy target?
So, right about now you’re probably wondering what you can do to protect your blog or website. I have some pointers for you. But since this article is already long, I’ve put them in a separate article: How to Protect Your WordPress Site.