My website has been hacked!
This realisation hit me just a couple of days ago and it made me sick to my stomach.
I found that I couldn’t log in to my site and then I noticed that the hackers had changed the favicon on my login page.
My immediate reaction was panic and to ask myself ‘what do I do now’.
I had my first website hacked some years ago and I immediately deleted it from the server, even though I had literally put several years’ work into the site.
It felt like I was just about to revisit this experience.
I immediately checked whether I had a backup of the site, only to discover that the auto-backup system had not worked and there was no current backup of the site available. My brain began to boil at that stage.
I just don’t know what the hackers gain from their behaviour. It seems such a pointless exercise.
This time I managed to calm down sufficiently to create a ticket with my hosting company, Hostgator…
After around 30 frustrating hours of waiting for a response, I decided to contact them on their Chat support.
Hostgator Chat Support enabled me to once more log in to my website and I changed the password immediately.
I was then in a position to start deleting the malware from my site and to start making some new security precautions.
I started off going through the files on File Manager in my cPanel and immediately spotted a lot of erroneous files which I started to delete.
I soon realised that, whilst I could probably delete most of the files, I was in danger of missing some of the malware.
I therefore installed one of the security scanning plugins – there are a number in the free WordPress Plugin library. I tried two – Wordfence and Quttera. These helped me to find and delete the remaining bad files. I carried out another scan to check that they had all been deleted.
These two plugins provide additional security for the site – I now have 3 security plugins installed, which is a bit over the top but understandable in the current circumstances, don’t you think?
I was already running a security plugin called WP Sonic Defender which protects against brute-force attacks but clearly this was not enough to defend against all malicious attacks.
I still do not know whether I have done enough!!!
There are plenty of firms willing to help you clean your site and keep you protected but they mostly want a monthly subscription – the ones I looked at wanted to charge in excess of $100 per month and required a commitment of 6 or 12 months upfront! (Talk about profiting from other people’s misfortune!)
My next move was to create a new backup of my website.
I normally use a plugin called Backup Creator to automatically back my websites up to Amazon S3 but it appears that Hostgator have changed the server settings so that my plugin will not work. I was back to Hostgator Chat Support! It turns out that they couldn’t help me.
Backup Creator is my insurance policy against my websites being hacked so my confidence in this software has been shaken by this major failure in my systems!
Just at the time I needed my backup, the cupboard was bare!
I’ve therefore raised a ticket with the support team at Backup Creator to see if they can identify the problem. It is $49 per month to access the support at AWS Amazon.
In the meantime, I am doing manual backups of each site and uploading manually to Amazon S3 for storage purposes. I have over 30 websites, so this is very time-consuming but I will sleep easier knowing that I have a backup copy of each site.
As I am reaching the capacity with my current hosting package at Hostgator, I think strategically I would be better off trying another host like Bluehost or Liquid Web for any future web development because the support at Hostgator is not as good as it once was, i.e. I will spread my hosting across two companies to compare their performance.
I have written this post to document the process that I have gone through in the hope that it will help you.
I guess the lesson is to ensure that you have a system for backing up your websites and that you check to make sure it is working.
Also, spend time and/or money on securing your website as far as possible because, quite apart from the investment in time trying to rectify problems, you will save yourself a lot of stress.
Believe me, the realisation that ‘my website has been hacked’ is not something that I would wish on anyone else but they do say that, if it doesn’t kill you, it makes you stronger and, hopefully, this experience will do that for me.
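
The lesson above about checking that the backup system is actually working can be automated. The script below is an added example, not part of the original post and not code from Backup Creator or Hostgator. It assumes backups are `.zip` archives of a WordPress site kept in one directory and produced daily; the function name and thresholds are this example's own.

```python
"""Check that the newest site backup is recent, non-trivial in size and restorable."""
import sys
import time
import zipfile
from pathlib import Path

MAX_AGE_HOURS = 26      # assumption: backups are scheduled daily
MIN_SIZE_BYTES = 1024   # assumption: anything smaller is a failed run


def check_backup(backup_dir, now=None):
    """Return a list of problems with the newest .zip in backup_dir (empty list = OK)."""
    now = time.time() if now is None else now
    archives = sorted(Path(backup_dir).glob("*.zip"), key=lambda p: p.stat().st_mtime)
    if not archives:
        return ["no backup archives found"]
    newest = archives[-1]
    info = newest.stat()
    problems = []
    age_hours = (now - info.st_mtime) / 3600
    if age_hours > MAX_AGE_HOURS:
        problems.append(f"{newest.name} is {age_hours:.0f} hours old")
    if info.st_size < MIN_SIZE_BYTES:
        problems.append(f"{newest.name} is only {info.st_size} bytes")
    try:
        with zipfile.ZipFile(newest) as zf:
            corrupt = zf.testzip()  # CRC-checks every member
            if corrupt:
                problems.append(f"corrupt member: {corrupt}")
            names = zf.namelist()
            # A restorable WordPress backup needs both the files and the database.
            if not any(n.endswith("wp-config.php") for n in names):
                problems.append("wp-config.php missing from archive")
            if not any(n.endswith(".sql") for n in names):
                problems.append("no .sql database dump in archive")
    except zipfile.BadZipFile:
        problems.append(f"{newest.name} is not a readable zip file")
    return problems


if __name__ == "__main__":
    found = check_backup(sys.argv[1] if len(sys.argv) > 1 else ".")
    for problem in found:
        print("BACKUP PROBLEM:", problem)
    sys.exit(1 if found else 0)
```

Run from a scheduled job, the non-zero exit code lets the scheduler send an alert when a backup is missing, stale or unreadable, rather than the failure only surfacing after an incident.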