10 Things I learned from surviving a website hack
Ack! Your stomach sinks during that dreadful moment when you receive an email from Google Webmaster Tools alerting you that your website may have been hacked. My first gut reaction wasn't that of survival; it was one of denial.
Having been recently diagnosed with pregnancy-induced hypertension and gestational diabetes during my third trimester of pregnancy, my inner voice had me convinced that Google must be sending these emails all the time and that it was probably just something benign. A few minutes later, another gut-wrenching email arrived. From a point of denial, I had to jump right into survival mode. It was time to take action. Shortly after the clean-up, I continued to receive a few more alarming emails, which I considered to be an aftershock. Such "deep cleaning" on the internet can be a lengthy and arduous process, and I'm here to share with you how I managed to survive the catastrophic digital event despite my medical condition.
10 Lessons learned in surviving a WordPress blog hack
1. Don't panic: find something — or someone — to help you calm down
Don't be afraid to momentarily step away from the situation. If you're all worked up, find something that will help you calm down. Grab a cup of coffee. Call somebody. Pray. No matter what, do your best not to panic. It's counterproductive.
2. Communicate: contact your web host
Communicating with your web host allows you to assess the situation much more quickly and to know your options. Inform your web host about the hack, and see if they can help with quarantining the infected files. Check if they can help with assessing how bad it is and if they can help with a complimentary site restore from a clean backup.
3. Be prepared: have a good backup
Sometimes, there's only so much your web host can do, especially if they don't have any clean backups available to them. With that said, consider having a third-party backup provider like VaultPress that would allow you to keep a 30-day or full backup. As with any crisis management scenario, it always helps to be prepared.
4. Be honest: inform and protect your readers
Depending on the damage, consider taking down parts of your site — or all of it. You wouldn't want to infect your readers' computers with whatever may have been maliciously injected into your hacked site. Customize your 404 (File Not Found) page with a message that says your website (or page) will be back shortly.
5. Be on guard: tighten up security
With the increasing number of blogs being born each day, hackers have found the perfect platform to exploit by brute force, spam injection, malware, defacement and more. Typically, blog owners are a part of a shared web hosting service where their blogs "reside" on the same server along with many other blogs. If the hacker is successful at breaching the weakest link on that server, every other blog on it is at risk — that's just one scenario. Tighten up your security by switching to a managed WordPress host or signing up with other security-related services like Sucuri Security. If you're on WordPress, even something as little as activating the "Limit Log-in Attempts" plug-in may help. This usually comes with a standard WordPress installation — you will need to check the box.
6. Protect your admin account: check if you're giving away your username
Protect your admin account as you would your checking account. Your author profile link is usually a dead giveaway when it comes to cracking your WordPress username. Now, all the hackers need to figure out is your password, and they have programs to do just that. Shortly before I was notified of the hack, I noticed some suspicious activity on my author profile link. When I looked at the URL, I realized that I had been easily giving away my WordPress username. The solution? I now have at least two admin accounts associated with my blog, and the one that's publicly available on my author profile link has contributor-only access.
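To spot the pattern described in lessons 5 and 6 in your own access log (a visit to the author profile link followed by repeated failed log-ins), here is an added example that is not part of the original post. It assumes a combined-format access log, the default WordPress paths /author/<name>/ and /wp-login.php, and default WordPress behaviour where a failed log-in returns status 200 and a successful one returns 302; the sample lines, the username and the thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
192.0.2.15 - - [12/Mar/2015:09:58:00 +0000] "GET /author/janeadmin/ HTTP/1.1" 200 5120
198.51.100.20 - - [12/Mar/2015:09:59:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3300
198.51.100.20 - - [12/Mar/2015:09:59:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [12/Mar/2015:10:00:01 +0000] "GET /author/janeadmin/ HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2015:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3300
203.0.113.7 - - [12/Mar/2015:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3300
203.0.113.7 - - [12/Mar/2015:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3300
203.0.113.7 - - [12/Mar/2015:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3300
203.0.113.7 - - [12/Mar/2015:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3300
"""

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def suspicious_clients(log_text, max_failures=5, window=timedelta(minutes=5)):
    """Return {ip: report} for clients with >= max_failures failed log-ins in window."""
    failures = defaultdict(list)      # ip -> timestamps of failed log-in POSTs
    slugs_seen = defaultdict(set)     # ip -> author names the client looked up
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                  # skip lines that are not in the expected format
        ip, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        author = re.match(r"/author/([^/?]+)", path)
        if method == "GET" and author:
            slugs_seen[ip].add(author.group(1))
        # Assumed default: a failed log-in re-displays the form with status 200.
        elif method == "POST" and path.startswith("/wp-login.php") and status == "200":
            failures[ip].append(when)
    report = {}
    for ip, times in failures.items():
        times.sort()
        # Sliding window: any run of max_failures failures that fits inside `window`.
        for i in range(len(times) - max_failures + 1):
            if times[i + max_failures - 1] - times[i] <= window:
                report[ip] = {"failed_logins": len(times),
                              "author_slugs_viewed": sorted(slugs_seen[ip])}
                break
    return report

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE_LOG))
```

An address that appears in the report with a non-empty "author_slugs_viewed" list looked up an author name before guessing passwords, which is a reason to give the public author account a different, low-privilege log-in as described above.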
7. Limit the information you provide: secure the footer section
Going back to the checking account analogy above, another lesson I learned long ago was to customize my blog's footer, particularly the section that said, "Powered by WordPress." If you don't want certain people to know your bank account number, chances are, you also wouldn't want them to know where you bank. While additional security measures are already in place in both the banking and the blogging worlds, it's just good practice to limit the information you provide anyway. Plus, customizing your blog's footer comes with an added benefit of strengthening your own brand. On that note, if you have a WordPress log-in link on your footer or sidebar, consider removing it, just in case.
8. Maintain good housekeeping: keep your themes and plug-ins updated
Just like having to do your own housekeeping at home to keep things running and functioning smoothly, the same is true when it comes to maintaining and updating your blog's themes and plug-ins. We may not like it, but it has to be done. Good housekeeping means staying on top of updates as soon as they become available. Hackers are on top of things too, so make sure you always vet what you download. Even the most popular themes and plug-ins are not exempt from security breaches, so it's best to keep only the ones you absolutely need in order to reduce your blog's security vulnerabilities.
9. Change your locks — and keep changing them
Change your password from time to time and use strong passwords, if you aren't doing so already. Just as you would with your financial accounts, don't use the same username and password across the board. Have a different password for your admin and contributor accounts as well as for the email address associated with your blog.
10. Don't let the hackers get your spirits down: revamp and revive your blog
One of the best things I experienced following the blog hack was the opportunity to revamp and revive my blog. The hackers kept on coming back — without any success, thankfully — and they were targeting a specific section of my blog: the one that received the most traffic. This made me think even more strategically and I started to diversify a little better. I also started joining more groups and networks and found other ways to meet like-minded bloggers and drive new traffic to my blog since my Google rankings plummeted after the hack.
Despite the challenges, I have grown a lot as a blogger in 2015. I've met new friends, gained new skills and sharpened my creativity. My blog will be celebrating its first birthday in 2016, and I can't wait to do another year-in-review when that time comes.